System, device and method for rapid packet filtering and processing
Abstract
A system, a device and a method for accelerating packet filtration by supplementing a firewall with a pre-filtering module. The pre-filtering module performs a limited set of actions with regard to the packets, according to whether the packets are received from a connection which has been previously permitted by the firewall. If the packets are received from such a permitted connection, then the pre-filtering module forwards the packets to their destination, optionally performing one or more actions on the packets. Otherwise, the packets are forwarded to the firewall for handling. Preferably, once the firewall has transferred responsibility for the connection to the pre-filtering module, or “off-loaded” the connection, the firewall does not receive further packets from this connection until a timeout occurs for the connection, or a packet is received with particular session-control field values, such that the connection is closed. Optionally and preferably, the pre-filtering module is implemented as hardware.
30 Claims
1. A system for accelerated packet filtering, the system comprising:
(a) a source node for transmitting a packet;
(b) a destination node for receiving said packet;
(c) a firewall interposed between said source node and said destination node for performing packet filtering according to at least one rule; and
(d) a pre-filtering module separate from said firewall and being in communication with said firewall, for receiving at least one instruction from said firewall and for receiving said packet before said firewall, such that if said packet is permitted according to said at least one instruction, said pre-filtering module handles said packet, and alternatively said pre-filtering module forwards said packet to said firewall for handling.

8. (shown only in part) (i) a connection database for storing said at least one parameter of said packet for identifying said permitted connection.
9. The system of claim 8, wherein said pre-filtering module further comprises:
(ii) a classification engine for analyzing at least a portion of said packet and for comparing said at least a portion of said packet to said at least one parameter.

10. The system of claim 9, wherein said pre-filtering module further comprises:
(iii) a modifier for performing at least one action on said packet if said packet is received from said permitted connection, said at least one action being defined according to an instruction from said firewall.

11. The system of claim 10, wherein said pre-filtering module is implemented as a hardware device.

12. The system of claim 10, further comprising:
(e) a computational device interposed between said source node and said destination node, wherein said pre-filtering module and said firewall are operated by said computational device.
13. A system for accelerated filtering of a packet on a network, the system comprising:
(a) a firewall located on the network for performing packet filtering on the packet according to at least one rule; and
(b) a pre-filtering module, separate from said firewall, located on the network and in communication with said firewall, for receiving at least one instruction from said firewall, said at least one instruction determining a simple comparison, and for receiving a packet transmitted on the network before said firewall, such that if the packet is permitted according to said simple comparison, said pre-filtering module at least transmits the packet on the network.

15. (shown only in part)
(c) a source node for transmitting the packet; and
(d) a destination node for receiving the packet;
wherein packet transmission between said source node and said destination node forms a connection, and said firewall determines whether said connection is permitted, such that said at least one instruction includes at least one parameter of the packet for identifying a permitted connection, such that if said connection is permitted, said pre-filtering module at least transmits the packet on the network.

16. The system of claim 15, wherein if said connection is not a permitted connection, said pre-filtering module drops the packet.
17. For use in a system for accelerated packet filtration, the system featuring a network for transmitting a packet and a firewall on the network for filtering the packet, a pre-filtering module for receiving the packet before the firewall, the pre-filtering module comprising:
(a) a memory for storing at least one instruction for analyzing at least one parameter of the packet from the firewall, said at least one instruction including said at least one parameter for identifying the packet; and
(b) a classification engine for analyzing at least a portion of the packet and for comparing said at least a portion of the packet to said at least one parameter according to said at least one instruction.

18. (shown only in part) (c) a modifier for performing at least one action on the packet if the packet is permitted, said at least one action being defined according to said at least one instruction from the firewall.
19. A method for accelerated packet filtering on a network in conjunction with a firewall, the method comprising the steps of:
(a) providing a pre-filtering module for receiving a packet before the firewall;
(b) receiving said packet by said pre-filtering module;
(c) determining whether said packet is permitted; and
(d) if said packet is permitted, handling said packet by said pre-filtering module.

20. (shown only in part) (e) alternatively, forwarding said packet to the firewall.
21. The method of claim 20, wherein step (e) is performed if said packet is received from the network.

22. The method of claim 21, wherein if said packet is received from the firewall, dropping said packet.

23. The method of claim 19, wherein step (d) includes the step of marking said packet with a priority number.

24. The method of claim 19, wherein if the packet is received as a plurality of fragments, step (d) includes the step of determining if a fragment is a duplicate fragment, such that if said fragment is a duplicate fragment, the method further comprises the step of:
(e) dropping said duplicate fragment.

25. The method of claim 19, wherein step (c) is determined according to at least one instruction received from the firewall.

26. The method of claim 25, wherein said packet has a destination address and wherein step (d) includes the step of forwarding said packet to said destination address.

27. The method of claim 26, wherein step (d) includes the step of performing at least one action on said packet by said pre-filtering module, said at least one action being determined according to an instruction from the firewall.

28. The method of claim 25, wherein said packet features at least one parameter, and said at least one instruction identifies said packet as a permitted packet according to said at least one parameter, such that step (c) includes the step of analyzing said packet to retrieve said at least one parameter.

29. The method of claim 28, wherein the firewall classifies at least one previously received packet according to at least a source address and a destination address of said at least one previously received packet, said source address and said destination address together forming a connection, such that the firewall sends said source address and said destination address for identifying said connection as a permitted connection to said pre-filtering module as said at least one instruction.
30. The method of claim 29, wherein the network communicates with a plurality of interfaces, and said pre-filtering module is connected to each of said plurality of interfaces, such that step (c) includes the step of determining whether said packet is received from said permitted connection and from a permitted interface, such that said packet is permitted only if said packet is received from said permitted connection through said permitted interface.
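As an added illustration (not code from the patent, which discloses no implementation), the off-load cycle described in the abstract and in claims 29 and 30, modelled in Python: the connection key of (source, destination, interface), the 30-second idle timeout, the FIN/RST close flags and the firewall's allow-list are all assumptions made for this example.

```python
from dataclasses import dataclass

IDLE_TIMEOUT = 30.0           # assumed: seconds of silence before an off-loaded connection expires
CLOSE_FLAGS = {"FIN", "RST"}  # assumed: session-control values that close a connection


@dataclass(frozen=True)
class Packet:                 # constructed packet model, not the patent's packet format
    src: str
    dst: str
    iface: str
    flags: frozenset = frozenset()


class Firewall:
    """Rule-based filter; the allow-list keyed on (src, dst, iface) is hypothetical."""
    def __init__(self, allow, prefilter):
        self.allow, self.prefilter, self.seen = allow, prefilter, []

    def handle(self, pkt, now):
        self.seen.append(pkt)                    # every packet reaching the firewall is recorded
        key = (pkt.src, pkt.dst, pkt.iface)
        if key in self.allow:
            self.prefilter.offload(key, now)     # instruction: parameters of the permitted connection
            return "forward"
        return "drop"


class PreFilter:
    """Connection database plus a simple comparison; anything else goes to the firewall."""
    def __init__(self):
        self.conns = {}                          # key -> timestamp of last packet seen
        self.firewall = None

    def offload(self, key, now):
        self.conns[key] = now

    def handle(self, pkt, now):
        key = (pkt.src, pkt.dst, pkt.iface)
        last = self.conns.get(key)
        if last is not None and now - last <= IDLE_TIMEOUT:
            if pkt.flags & CLOSE_FLAGS:
                del self.conns[key]              # closed: the next packet must revisit the firewall
            else:
                self.conns[key] = now            # refresh the idle timer
            return "forward"                     # handled without involving the firewall
        self.conns.pop(key, None)                # expired or unknown: hand back to the firewall
        return self.firewall.handle(pkt, now)


def build(allow):
    pf = PreFilter()
    pf.firewall = Firewall(allow, pf)
    return pf
```

The interface is part of the key, so a packet with permitted addresses arriving on another interface is not matched by the pre-filter and is decided by the firewall, as claim 30 requires.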