System and method for dynamic retrieval loading and deletion of packet rules in a network firewall

US 6,574,666 B1
Filed: 10/22/1999
Issued: 06/03/2003
Est. Priority Date: 10/22/1998
Status: Expired due to Fees

First Claim

Patent Images

1. A method for loading a rule in a firewall, including:

a. receiving a packet;

b. determining if a rule pertinent to the packet is loaded in the firewall;

c. if a rule pertinent to the packet is not loaded in the firewall, then;

i. retrieving a rule that is pertinent to the packet based upon a header parameter of the packet; and

ii. loading the rule that is pertinent to the packet into the firewall, at least one of said retrieving and said loading being implemented at a kernel layer.

View all claims

1 Assignment

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

A system and method for loading a filtering rule at a firewall. A firewall receives a packet and determines if a rule that pertains to the packet is loaded at the firewall. If a pertinent rule is found, it is implemented and the action prescribed by the rule for the packet is performed. If no pertinent rule is found, then a pertinent rule is retrieved from a source external to the firewall, and loaded at the firewall. The rule is then implemented for the packet. After the rule expires, e.g., when the user logs off, the rule is deleted from the firewall.

75 Citations

View as Search Results

17 Claims

1. A method for loading a rule in a firewall, including:
- a. receiving a packet;
  
  b. determining if a rule pertinent to the packet is loaded in the firewall;
  
  c. if a rule pertinent to the packet is not loaded in the firewall, then;
  
  i. retrieving a rule that is pertinent to the packet based upon a header parameter of the packet; and
  
  ii. loading the rule that is pertinent to the packet into the firewall, at least one of said retrieving and said loading being implemented at a kernel layer.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9)
- - 2. The method of claim 1, said header parameter comprising at least one of a source address, source port, destination address, destination port and protocol number.
  - 3. The method of claim 1, said retrieving the rule further comprising:
4. The method of claim 3, wherein the rule is retrieved from a database at a remote location in relation to the firewall.
5. The method of claim 1, further comprising implementing the rule that is pertinent to the packet.
6. The method of claim 5, said implementing the rule further including:
- performing a DROP action on the packet.
7. The method of claim 6, said implementing the rule further including:
- performing a PASS action on the packet.
8. The method of claim 1, further comprising deleting the loaded rule when the rule expires.
9. The method of claim 8, wherein the rule expires when a user logs off.

10. An apparatus for loading a firewall rule, comprising:
- a. a processor;
  
  b. a memory coupled to said processor, the memory for storing at least one rule and rule instructions adapted to be executed by said processor for directing the processor to receive from a sender a packet addressed to a destination, determine if a rule pertinent to the packet is loaded in a firewall, and if a rule pertinent to the packet is not determined to be loaded in the firewall, then to retrieve a rule that is pertinent to the packet and load the rule that is pertinent to the packet in the firewall, at least one of said retrieval of the rule and loading of the rule being implemented at a kernel layer;
  
  c. means for coupling said processor and said memory to a sender and a destination.
- View Dependent Claims (11, 12, 13)
- - 11. The apparatus of claim 10, wherein said rule instructions are further adapted to be executed by said processor to implement the rule for the packet by performing at least one of a PASS and a DROP action with respect to the packet.
  - 12. The apparatus of claim 10, wherein said rule instructions comprise firewall instructions and fetching instructions, wherein said firewall instructions are implemented at the kernel layer and said fetching instructions are implemented at an application layer, and wherein said firewall instructions are adapted to be executed by said processor to pass a packet for which no pertinent rule is loaded in the firewall to the fetching instructions executing on said processor, said fetching instructions being adapted to be executed on said processor to retrieve a pertinent rule from a database, and load the rule at the firewall.
  - 13. The apparatus of claim 12, wherein said firewall instructions are further adapted to be executed by said processor to implement a rule for a packet by performing at least one of a PASS and a DROP action with respect to the packet.

14. A medium that stores processing instructions defining a method adapted to be executed by a processor, the method comprising:
- a. receiving a packet;
  
  b. determining if a rule pertinent to the packet is loaded in the firewall;
  
  c. if a rule pertinent to the packet is not loaded in the firewall, then;
  
  i. retrieving a rule that is pertinent to the packet; and
  
  ii. loading the rule that is pertinent to the packet in the firewall, at least one of said retrieving and said loading being implemented at a kernel layer.
- View Dependent Claims (15)
- - 15. The medium of claim 14, wherein said instructions are further adapted to be executed by said processor to implement the rule for the packet by performing at least one of a PASS and a DROP action with respect to the packet.

16. A system for loading a rule at a firewall, comprising:
- a. means for retrieving a packet;
  
  b. means for determining if a rule pertinent to the packet is loaded in the firewall;
  
  c. means for retrieving the rule that is pertinent to the packet; and
  
  d. means for loading the rule that is pertinent to the packet in the firewall, at least one of said means for retrieving and said means for loading being implemented at a kernel layer.
- View Dependent Claims (17)
- - 17. The system of claim 16, further comprising means for implementing the rule for the packet by performing at least one of a PASS and a DROP action with respect to the packet.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
AT&T Corporation (AT&T, Inc.)
Original Assignee
AT&T Corporation (AT&T, Inc.)
Inventors
Vrsalovic, Dalibor F., Dutta, Partha P.
Primary Examiner(s)
Barot, Bharat

Application Number

US09/422,954
Time in Patent Office

1,320 Days
Field of Search

709/223, 709/224, 709/225, 709/227-229, 713/200-202, 713/150-154, 713/160-162, 713/164
US Class Current

709/227
CPC Class Codes

H04L 63/0263 Rule management

System and method for dynamic retrieval loading and deletion of packet rules in a network firewall

First Claim

1 Assignment

0 Petitions

Accused Products

Abstract

75 Citations

17 Claims

Specification

Solutions

Use Cases

Quick Links

System and method for dynamic retrieval loading and deletion of packet rules in a network firewall

First Claim

1 Assignment

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

75 Citations

17 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links