Method and apparatus for providing policy-based services for internal applications
Abstract
A packet-forwarding device for providing policy-based services has at least a first interface, a second interface, and a packet forwarder for forwarding external packets between the first and second interfaces. The packet-forwarding device also runs internal applications that may be remotely accessed. The first and second interfaces transmit and receive internal and external packets, the internal packets being those packets generated or received by the internal applications during remote access, and the external packets being those packets destined for devices other than the packet-forwarding device. The packet forwarder forwards external packets between the first and second interfaces. An internal interface forwards internal packets between the internal applications and the first and second interfaces, and a policy engine logically connected to the internal interface applies a policy to the internal packets.
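The data path described in the abstract, modelled as an added Python example (this is illustrative code written for this page, not code from the patent or from any assignee's product): incoming packets are classified by destination address into internally-destined packets, which pass through a policy engine before reaching the internal application, and external packets, which the packet forwarder moves between the two interfaces without that policy. Internally-generated packets pass through the same policy engine before transmission. The device addresses, the rules (drop telnet to the device, prioritize BGP sessions, translate the source address of outbound management traffic) and the sample packets are all constructed assumptions; the abstract specifies the architecture, not these particular values.

```python
from dataclasses import dataclass, replace
from typing import Dict, List, Optional, Tuple

# Constructed values: RFC 5737 documentation addresses stand in for the
# device's own addresses (the abstract's "first set" of addresses); any other
# destination is treated as the "second set", i.e. transit traffic for other hosts.
DEVICE_ADDRESSES = {"192.0.2.1", "198.51.100.1"}
IF_FIRST, IF_SECOND = "if1", "if2"


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    sport: int
    dport: int
    proto: str
    priority: int = 0


@dataclass
class Rule:
    """One policy rule. `match` names selector fields (src, dst, sport, dport,
    proto) that must all equal the packet's values; `action` is then applied."""
    match: Dict[str, object]
    action: str                       # "drop", "translate" or "prioritize"
    new_src: Optional[str] = None     # used by "translate"
    new_dst: Optional[str] = None     # used by "translate"
    priority: int = 0                 # used by "prioritize"

    def matches(self, pkt: Packet) -> bool:
        return all(getattr(pkt, name) == value for name, value in self.match.items())


class PolicyEngine:
    """Applies rules in order: a matching drop ends processing, while matching
    translate/prioritize actions accumulate on the packet (assumed semantics)."""

    def __init__(self, rules: List[Rule]):
        self.rules = list(rules)

    def apply(self, pkt: Packet) -> Optional[Packet]:
        for rule in self.rules:
            if not rule.matches(pkt):
                continue
            if rule.action == "drop":
                return None
            if rule.action == "translate":
                pkt = replace(pkt, src=rule.new_src or pkt.src, dst=rule.new_dst or pkt.dst)
            elif rule.action == "prioritize":
                pkt = replace(pkt, priority=rule.priority)
        return pkt


class ForwardingDevice:
    def __init__(self, own_addresses, internal_policy: PolicyEngine):
        self.own = set(own_addresses)
        self.policy = internal_policy
        self.delivered_to_app: List[Packet] = []
        self.transmitted: List[Tuple[str, Packet]] = []

    def classify(self, pkt: Packet) -> str:
        return "internal" if pkt.dst in self.own else "external"

    def receive(self, iface: str, pkt: Packet) -> str:
        """Packet arriving on `iface`. Internally-destined packets go through the
        policy engine before reaching the application; external packets take the
        packet-forwarder path to the other interface with no policy applied."""
        if self.classify(pkt) == "external":
            other = IF_SECOND if iface == IF_FIRST else IF_FIRST
            self.transmitted.append((other, pkt))
            return "forwarded"
        result = self.policy.apply(pkt)
        if result is None:
            return "dropped"
        self.delivered_to_app.append(result)
        return "delivered"

    def send_from_app(self, iface: str, pkt: Packet) -> str:
        """Internally-generated packet: policy is applied, then it is transmitted."""
        result = self.policy.apply(pkt)
        if result is None:
            return "dropped"
        self.transmitted.append((iface, result))
        return "sent"


def demo() -> Dict[str, object]:
    rules = [
        Rule({"dport": 23, "proto": "tcp"}, "drop"),                        # no telnet to the device itself
        Rule({"dport": 179, "proto": "tcp"}, "prioritize", priority=7),     # routing-protocol sessions first
        Rule({"src": "192.0.2.1"}, "translate", new_src="198.51.100.1"),    # rewrite source of outbound
    ]
    dev = ForwardingDevice(DEVICE_ADDRESSES, PolicyEngine(rules))

    # Constructed sample packets.
    transit = Packet("203.0.113.9", "10.9.9.9", 40000, 23, "tcp")            # telnet, but for another host
    telnet_to_device = Packet("203.0.113.9", "192.0.2.1", 40001, 23, "tcp")
    bgp_to_device = Packet("203.0.113.2", "192.0.2.1", 40002, 179, "tcp")
    syslog_from_app = Packet("192.0.2.1", "10.1.1.1", 40003, 514, "udp")

    return {
        "transit": dev.receive(IF_SECOND, transit),
        "telnet": dev.receive(IF_FIRST, telnet_to_device),
        "bgp": dev.receive(IF_FIRST, bgp_to_device),
        "syslog": dev.send_from_app(IF_FIRST, syslog_from_app),
        "bgp_priority": dev.delivered_to_app[0].priority,
        "transmitted": [(iface, p.src, p.dst) for iface, p in dev.transmitted],
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(key, value)
```

The transit packet shows the property the claims turn on: it matches the drop rule on port and protocol, yet it is forwarded untouched because the policy is only consulted for packets the classifier sends toward the internal application, so the policy protecting the device's own management plane does not cost anything on the forwarding path.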
48 Claims
1. In a packet-forwarding device running an internal application and having a first interface and a second interface, a method for providing policy-based services, said method comprising the steps of:
said internal application generating internally-generated packets;
applying a first policy to said internally-generated packets;
forwarding said internally-generated packets to said first interface;
receiving second incoming packets at said second interface, said second incoming packets having destination addresses;
classifying said second incoming packets as internally-destined packets if said destination addresses of said second incoming packets are in a first set of one or more addresses and classifying said second incoming packets as second external packets if said destination addresses of said second incoming packets are in a second set of one or more addresses; and
forwarding said second external packets to said first interface without applying said first policy to said second external packets.
2. The method of claim 1, wherein said step of applying a first policy to said internally-generated packets includes the steps of:
examining at least one selector field in each one of said internally-generated packets; and
handling said internally-generated packets in a predetermined manner if said selector fields of said internally-generated packets meet predetermined criteria.
3. The method of claim 2, wherein said at least one selector field is selected from the group consisting of source address, destination address, source port, destination port, and protocol type.
4. The method of claim 2, wherein said step of handling said internally-generated packets in a predetermined manner includes the step of dropping said internally-generated packets.
5. The method of claim 2, wherein said step of handling said internally-generated packets in a predetermined manner includes the step of translating the source addresses and destination addresses of said internally-generated packets.
6. The method of claim 2, wherein said step of handling said internally-generated packets in a predetermined manner includes the step of encrypting said internally-generated packets.
7. The method of claim 2, wherein said step of handling said internally-generated packets in a predetermined manner includes the step of prioritizing said internally-generated packets.
8. The method of claim 1, further comprising the step of:
applying a second policy to said second external packets, said second policy differing from said first policy.
9. The method of claim 1, further comprising the steps of:
applying a third policy to said internally-destined packets; and
forwarding said internally-destined packets to said internal application.
10. The method of claim 9, wherein said step of applying a third policy to said internally-destined packets includes the steps of:
examining at least one selector field in each one of said internally-destined packets; and
handling said internally-destined packets in a predetermined manner if said selector fields of said internally-destined packets meet predetermined criteria.
11. The method of claim 10, wherein said at least one selector field is selected from the group consisting of source address, destination address, source port, destination port, and protocol type.
12. The method of claim 10, wherein said step of handling said internally-destined packets in a predetermined manner includes the step of dropping said internally-destined packets.
13. The method of claim 10, wherein said step of handling said internally-destined packets in a predetermined manner includes the step of translating the source addresses and destination addresses of said internally-destined packets.
14. The method of claim 10, wherein said step of handling said internally-destined packets in a predetermined manner includes the step of decrypting said internally-destined packets.
15. The method of claim 10, wherein said step of handling said internally-destined packets in a predetermined manner includes the step of prioritizing said internally-destined packets.
16. The method of claim 8, further comprising the steps of:
receiving first incoming packets at said first interface, said first incoming packets having destination addresses;
classifying said first incoming packets as internally-destined packets if said destination addresses of said first incoming packets are in said first set of one or more addresses and classifying said first incoming packets as first external packets if said destination addresses of said first incoming packets are in said second set of one or more addresses; and
applying a fourth policy to said first external packets, said fourth policy differing from said first policy.
17. The method of claim 1, wherein said second set of one or more addresses includes at least one address assigned to said packet-forwarding device.
18. In a packet-forwarding device running an internal application and having a first interface and a second interface, a method for providing policy-based services, said method comprising the steps of:
receiving incoming packets at said first interface, each one of said incoming packets having an address;
classifying said incoming packets as internally-destined packets if said addresses of said incoming packets are in a first set of addresses and classifying said incoming packets as first external packets if said addresses of said incoming packets are in a second set of addresses;
applying a first policy to said internally-destined packets;
forwarding said internally-destined packets to said internal application;
forwarding said first external packets to said second interface without applying said first policy to said first external packets.
19. The method of claim 18, wherein said step of applying a first policy to said internally-destined packets includes the steps of:
examining at least one selector field in each one of said internally-destined packets; and
handling said internally-destined packets in a predetermined manner if said selector fields of said internally-destined packets meet predetermined criteria.
20. The method of claim 19, wherein said step of handling said internally-destined packets in a predetermined manner includes the step of dropping said internally-destined packets.
21. The method of claim 19, wherein said step of handling said internally-destined packets in a predetermined manner includes the step of translating the source addresses and destination addresses of said internally-destined packets.
22. The method of claim 19, wherein said step of handling said internally-destined packets in a predetermined manner includes the step of encrypting said internally-destined packets.
23. The method of claim 19, wherein said step of handling said internally-destined packets in a predetermined manner includes the step of prioritizing said internally-destined packets.
24. The method of claim 18, further comprising the step of:
applying a second policy to said first external packets, said second policy differing from said first policy.
25. The method of claim 18, further comprising the steps of:
said internal application generating internally-generated packets;
applying a third policy to said internally-generated packets;
forwarding said internally-generated packets to said first interface;
receiving second external packets at said second interface; and
forwarding said second external packets to said first interface without applying said third policy to said second external packets.
26. The method of claim 25, further comprising the step of applying a fourth policy to said second external packets, said fourth policy differing from said third policy.
27. The method of claim 19, wherein said at least one selector field is selected from the group consisting of source address, destination address, source port, destination port, and protocol type.
28. The method of claim 18, wherein said second set of addresses includes at least one address assigned to said packet-forwarding device.
29. A packet-forwarding device comprising:
a first interface for transmitting first outgoing and receiving first incoming packets;
a second interface for transmitting second outgoing and receiving second incoming packets;
an internal application running on said packet-forwarding device, said internal application generating internally-generated packets and using internally-destined packets;
an internal interface logically connected to said internal application, said internal interface forwarding said internally-generated packets to said first interface, said internal interface forwarding said internally-destined packets to said internal application;
a packet forwarder logically connected to said first interface and to said second interface, said packet forwarder forwarding packets between said first and second interfaces;
a first packet classifier logically connected to said first interface, said internal interface, and said packet forwarder, said first packet classifier classifying said first incoming packets as first internally-destined packets if destination addresses in said first incoming packets are in a first set of one or more addresses and classifying said first incoming packets as first external packets if destination addresses in said first incoming packets are in a second set of one or more addresses, said first packet classifier forwarding said first internally-destined packets to said internal interface, said packet classifier forwarding said first external packets to said packet forwarder;
a second packet classifier logically connected to said second interface, said internal interface, and said packet forwarder, said second packet classifier classifying said second incoming packets as second internally-destined packets if destination addresses in said second incoming packets are in said first set of one or more addresses and classifying said second incoming packets as second external packets if destination addresses in said second incoming packets are in said second set of one or more addresses, said second packet classifier forwarding said second internally-destined packets to said internal interface, said packet classifier forwarding said second external packets to said packet forwarder; and
a first policy engine logically connected to said internal interface and to said internal application, said first policy engine applying a first policy to internal packets, said internal packets being selected from the group consisting of said internally-generated packets and said internally-destined packets.
39. In a packet-forwarding device having a first interface, a second interface, a packet forwarder forwarding packets between said first and second interfaces, and running an internal application, said internal application generating internally-generated packets and using internally-destined packets, an improvement comprising:
at least one packet classifier logically connected to said first and second interfaces, said at least one packet classifier classifying received packets received by said first and second interfaces as internal packets or external packets based on destination addresses in said received packets;
an internal interface logically connected to said internal application and said at least one packet classifier; and
a policy engine logically connected to said internal interface, said policy engine applying a policy to said internal packets.
42. The improvement of claim [dependency not shown on this page], wherein said policy engine examines at least one selector field in each one of said internal packets and handles said internal packets in a predetermined manner if said selector fields of said internal packets meet predetermined criteria.
43. The improvement of claim 42, wherein said at least one selector field is selected from the group consisting of source address, destination address, source port, destination port, and protocol type.
44. The improvement of claim 42, wherein said policy engine drops said internal packets if said selector fields of said internal packets meet predetermined criteria.
45. The improvement of claim 42, wherein said policy engine translates the source and destination addresses of said internal packets if said selector fields of said internal packets meet predetermined criteria.
46. The improvement of claim 42, wherein said policy engine encrypts said internal packets if said selector fields of said internal packets meet predetermined criteria.
47. The improvement of claim 42, wherein said policy engine decrypts said internal packets if said selector fields of said internal packets meet predetermined criteria.
48. The improvement of claim 42, wherein said policy engine prioritizes said internal packets if said selector fields of said internal packets meet predetermined criteria.
Specification