Security rule database searching in a network security environment
Abstract
IPsec rules are searched in order from the rules containing the most specific attributes to those containing the least specific attributes. The static rules include placeholders for sets of dynamic rules. A placeholder in the static table immediately precedes and points to its associated set of dynamic rules. Dynamic rules are searched only if a placeholder is the first matching rule in the static table. Sets of dynamic rules are partitioned into separate groups, and within each group there is no rule order dependence. Each such group is searched with an enhanced search mechanism, such as a search tree. Searching is further improved by searching on attributes at layers higher than the IP layer.
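The search the abstract and claim 1 describe, modelled as an added Python example that is not the patent's own code. It assumes rules match on the 5-tuple (source, destination, protocol, source port, destination port), that static rules may carry CIDR and port wildcards and are ordered automatically by a specificity count (the page only says the table is searched most-specific-first), that each dynamic group matches exactly on the full 5-tuple and is held in a dict standing in for the patent's per-group search tree, and that when a placeholder matches but no dynamic rule does, the placeholder's own action applies; the addresses, actions and group names are constructed for the example.

```python
"""Added example, not the patent's code: most-specific-first static rule search
with placeholder rules that hand off to order-independent dynamic rule groups."""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Dict, List, Optional, Tuple

ANY = "*"  # wildcard for the address and protocol attributes of a static rule
DynKey = Tuple[str, str, str, int, int]  # exact (src, dst, proto, sport, dport)


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    proto: str
    sport: int
    dport: int


@dataclass
class StaticRule:
    """A rule in the relatively stable static table; unset attributes match anything.
    If dynamic_group is set the rule is a placeholder for that group of dynamic rules."""
    action: str  # "permit", "deny", "negotiate", "ipsec:<sa>" (assumed vocabulary)
    src: str = ANY  # CIDR or ANY
    dst: str = ANY
    proto: str = ANY
    sport: Optional[int] = None
    dport: Optional[int] = None
    dynamic_group: Optional[str] = None

    def specificity(self) -> Tuple[int, int]:
        """Sort key: (number of constrained attributes, summed prefix length)."""
        constrained = sum([self.src != ANY, self.dst != ANY, self.proto != ANY,
                           self.sport is not None, self.dport is not None])
        prefix = sum(ip_network(a, strict=False).prefixlen
                     for a in (self.src, self.dst) if a != ANY)
        return (constrained, prefix)

    def matches(self, p: Packet) -> bool:
        if self.src != ANY and ip_address(p.src) not in ip_network(self.src, strict=False):
            return False
        if self.dst != ANY and ip_address(p.dst) not in ip_network(self.dst, strict=False):
            return False
        if self.proto != ANY and self.proto != p.proto:
            return False
        if self.sport is not None and self.sport != p.sport:
            return False
        return self.dport is None or self.dport == p.dport


class RuleDatabase:
    def __init__(self, static: List[StaticRule], dynamic: Dict[str, Dict[DynKey, str]]):
        # The static table is ordered once, most specific first; sorted() is stable,
        # so rules of equal specificity keep the order the administrator wrote.
        self.static = sorted(static, key=StaticRule.specificity, reverse=True)
        # A dynamic group has no order dependence, so a hash table (standing in for
        # the patent's "search tree") replaces a linear scan. The key includes the
        # transport-layer ports, i.e. the lookup is done above the IP layer.
        self.dynamic = dynamic
        for r in self.static:
            if r.dynamic_group is not None and r.dynamic_group not in dynamic:
                raise ValueError(f"placeholder refers to unknown group {r.dynamic_group!r}")

    def install_dynamic_rule(self, group: str, key: DynKey, action: str) -> None:
        """Dynamic rules (e.g. freshly negotiated SAs) change often; adding one
        never touches or re-sorts the static table."""
        self.dynamic[group][key] = action

    def lookup(self, p: Packet) -> Tuple[str, str]:
        """Return (action, origin); origin is 'static', 'dynamic' or 'placeholder'."""
        for rule in self.static:
            if not rule.matches(p):
                continue
            if rule.dynamic_group is None:
                return rule.action, "static"
            key = (p.src, p.dst, p.proto, p.sport, p.dport)
            action = self.dynamic[rule.dynamic_group].get(key)
            if action is not None:
                return action, "dynamic"
            # Assumption (not stated on the page): when the placeholder matches but
            # no dynamic rule does, the placeholder's own action applies.
            return rule.action, "placeholder"
        raise LookupError("no static rule matched; end the table with a catch-all")


def build_demo_database() -> RuleDatabase:
    """Constructed sample policy with hypothetical addresses; listed least
    specific first to show that the database orders the table itself."""
    static = [
        StaticRule("deny"),                                               # catch-all
        StaticRule("permit", src="10.0.0.0/8"),                           # site traffic
        StaticRule("negotiate", src="10.0.0.0/24", dst="192.168.1.0/24",
                   proto="tcp", dynamic_group="vpn_tcp"),                # placeholder
        StaticRule("deny", dst="10.0.0.5/32", proto="tcp", dport=22),   # block SSH to host
    ]
    dynamic = {"vpn_tcp": {("10.0.0.7", "192.168.1.9", "tcp", 40000, 443): "ipsec:sa-17"}}
    return RuleDatabase(static, dynamic)


if __name__ == "__main__":
    db = build_demo_database()
    for pkt in (Packet("10.0.0.7", "192.168.1.9", "tcp", 40000, 443),
                Packet("10.0.0.7", "10.0.0.5", "tcp", 5000, 22)):
        print(pkt, "->", db.lookup(pkt))
```

The point worth noticing is the packet to 10.0.0.5 port 22: both the /8 permit rule and the host-specific deny rule match it, and only the most-specific-first ordering makes the deny win. Installing a new dynamic rule is a dict insert into one group, so the frequently changing part of the policy never forces the static table to be re-ordered.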
16 Claims
-
1. A method of searching a database of security rules for a match between the values of specified attributes of a packet and the values of corresponding attributes associated with each rule, wherein the database is searched in the order of the rules containing the most specific values of attributes to the least specific values of attributes, comprising
arranging the database into a set of relatively stable static rules and one or more sets of dynamic security rules, wherein a static rule can be a placeholder for a set of dynamic rules,
searching the static rules of the database for the first static rule having attributes that match the corresponding attributes of the packet,
determining if the matching static rule is a placeholder for a set of dynamic rules,
if the matching static rule is a placeholder for a set of dynamic rules, searching the set of dynamic rules associated with the matching static rule for a match between the packet attributes and attributes contained in the dynamic rules, and
applying security processing to the packet as specified by the matching static or dynamic rule.
-
5. Apparatus for searching a database of security rules for a match between the values of specified attributes of a packet and the values of corresponding attributes associated with each rule, wherein the database is searched in the order of the rules containing the most specific values of attributes to the least specific values of attributes, comprising
a set of relatively stable static rules in the database and one or more sets of dynamic security rules in the database, wherein a static rule can be a placeholder for a set of dynamic rules,
structure for searching the static rules of the database for the first static rule having attributes that match the corresponding attributes of the packet,
structure for determining if the matching static rule is a placeholder for a set of dynamic rules,
structure responsive to the determining structure for searching a set of dynamic rules associated with a matching placeholder for a match between the packet attributes and attributes contained in the dynamic rules, and
security processing structure for processing the packet as specified by the matching static or dynamic rule.
-
9. A storage medium containing stored executable computer instructions for controlling a computer to search a database of security rules for a match between the values of specified attributes of a packet and the values of corresponding attributes associated with each rule, wherein the database is searched in the order of the rules containing the most specific values of attributes to the least specific values of attributes, comprising
a first code segment for arranging the database into a set of relatively stable static rules and one or more sets of dynamic security rules, wherein a static rule can be a placeholder for a set of dynamic rules,
a second code segment for searching the static rules of the database for the first static rule having attributes that match the corresponding attributes of the packet,
a third code segment for determining if the matching static rule is a placeholder for a set of dynamic rules,
a fourth code segment responsive to the third segment for searching the set of dynamic rules associated with the matching placeholder for a match between the packet attributes and attributes contained in the dynamic rules, and
a fifth code segment for applying security processing to the packet as specified by the matching static or dynamic rule.
-
13. A carrier wave embodying a computer data signal and containing stored executable computer instructions for controlling a computer to search a database of security rules for a match between the values of specified attributes of a packet and the values of corresponding attributes associated with each rule, wherein the database is searched in the order of the rules containing the most specific values of attributes to the least specific values of attributes, comprising
a first code segment for arranging the database into a set of relatively stable static rules and one or more sets of dynamic security rules, wherein a static rule can be a placeholder for a set of dynamic rules,
a second code segment for searching the static rules of the database for the first static rule having attributes that match the corresponding attributes of the packet,
a third code segment for determining if the matching static rule is a placeholder for a set of dynamic rules,
a fourth code segment responsive to the third code segment for searching the set of dynamic rules associated with the matching placeholder for a match between the packet attributes and attributes contained in the dynamic rules, and
a fifth code segment for applying security processing to the packet as specified by the matching static or dynamic rule.