Dynamic packet filter utilizing session tracking
Abstract
A novel and useful dynamic packet filter that can be incorporated in a hardware based firewall suitable for use in portable computing devices such as cellular telephones and wireless connected PDAs adapted to connect to the Internet. The invention performs dynamic packet filtering on packets received over an input packet stream. The dynamic filter checks dynamic protocol behavior using information extracted from the received packet. Sessions are created and stored in a session database to track the state of communications between the source and destination. Recognition of a session is accelerated by use of a hash table to quickly determine the corresponding session record in the session database. Session related data is read from the session database and the received packet is checked against a set of rules to determine whether to allow or deny the packet.
40 Claims
1. A method of filtering an input packet stream, said method comprising the steps of:
establishing a session database adapted to store session related data for a plurality of sessions, each session corresponding to a socket;
opening a new session upon receipt of a socket not previously stored in said session database;
recognizing a session associated with a received packet in accordance with its associated socket;
establishing and maintaining a least recently used (LRU) doubly linked list having a head and tail wherein most recently used sessions are stored at the tail and least recently used sessions are stored at the head;
processing the session data corresponding to said received packet in accordance with a plurality of predefined rules to generate processing results; and
deciding whether to allow or deny said received packet in accordance with said processing results.
Dependent claims 2 to 13. Claims 2 to 9 are truncated on this page; only the closing steps of one of them survive:
storing session data related to said new session in said session database;
calculating a hash value on the socket associated with said new session; and
storing said hash value in a hash table.
-
10. The method according to claim 1, wherein said step of recognizing a session comprises the steps of:
-
calculating a hash value on the socket associated with the session to be recognized;
looking up a hash pointer in a hash table using the hash result as an index;
retrieving socket data from said session database in accordance with said hash pointer; and
recognizing said session if the retrieved socket matches the socket associated with the received session.
-
-
11. The method according to claim 1, wherein said step of processing the session data comprises tracking the state of a transmission control protocol (TCP) opening handshake if the session comprises a TCP opening session.
-
12. The method according to claim 1, wherein said step of processing the session data comprises tracking the state of a transmission control protocol (TCP) closing handshake if the session comprises a TCP closing session.
-
13. The method according to claim 1, wherein said step of processing the session data comprises tracking the sequence and acknowledge of said session against a window if said session comprises a transmission control protocol (TCP) session.
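The mechanism claimed in claims 1 to 13, as an added Python example written for this page (it is not the patent's implementation): a session database keyed on the socket, a hash table for recognition, a doubly linked LRU list with the least recently used session at the head and the most recently used at the tail, tracking of the TCP opening and closing handshakes, and a sequence/acknowledgement check against a window. Assumptions not stated in the claims: the socket is the (protocol, source address, source port, destination address, destination port) 5-tuple, a Python dict stands in for the hash table, the window is a fixed 65535 bytes, only a bare SYN may open a session, and the packet dictionaries and state names are constructed for the example.

```python
from dataclasses import dataclass, field
from typing import Optional

MASK = 0xFFFFFFFF  # TCP sequence numbers wrap modulo 2**32

def reverse(sock):  # the same flow as seen from the peer: swap source and destination
    proto, sip, sp, dip, dp = sock
    return (proto, dip, dp, sip, sp)

@dataclass
class Session:
    socket: tuple                     # client -> server 5-tuple as first seen (assumed layout)
    state: str = "SYN_SENT"           # SYN_SENT -> SYN_RECV -> ESTABLISHED
    next_seq: dict = field(default_factory=dict)  # per-direction expected next seq
    fins: int = 0                     # FIN segments seen in the closing handshake
    prev: Optional["Session"] = None  # LRU doubly linked list links
    next: Optional["Session"] = None

class SessionDB:  # dict as the hash table for recognition, doubly linked list for LRU order
    def __init__(self, capacity, window=65535):
        self.capacity, self.window = capacity, window
        self.table = {}                                      # socket -> Session
        self.head, self.tail = Session(None), Session(None)  # list sentinels
        self.head.next, self.tail.prev = self.tail, self.head

    def _unlink(self, s):
        s.prev.next, s.next.prev = s.next, s.prev

    def _append_tail(self, s):  # tail side holds the most recently used session
        s.prev, s.next = self.tail.prev, self.tail
        self.tail.prev.next = s
        self.tail.prev = s

    def recognize(self, sock):
        """Find the session for a socket in either direction and mark it used."""
        s = self.table.get(sock) or self.table.get(reverse(sock))
        if s is not None:
            self._unlink(s)
            self._append_tail(s)
        return s

    def open(self, sock):
        if len(self.table) >= self.capacity:  # full: evict the head, i.e. the LRU session
            self.close(self.head.next)
        s = Session(sock)
        self.table[sock] = s
        self._append_tail(s)
        return s

    def close(self, s):
        self._unlink(s)
        del self.table[s.socket]

    def lru_order(self):  # sockets from least to most recently used
        out, s = [], self.head.next
        while s is not self.tail:
            out.append(s.socket)
            s = s.next
        return out

def in_window(value, base, window):  # value in [base, base + window) modulo 2**32
    return (value - base) & MASK < window

def filter_packet(db, pkt):
    """Allow or deny one TCP segment given as {socket, flags, seq, ack, length}."""
    sock, flags = pkt["socket"], frozenset(pkt["flags"])
    s = db.recognize(sock)
    if s is None:                            # rule: only a bare SYN may open a session
        if flags != {"SYN"}:
            return "DENY", "no session and not a SYN"
        s = db.open(sock)
        s.next_seq[sock] = (pkt["seq"] + 1) & MASK
        return "ALLOW", "session opened"
    peer = reverse(sock)
    if s.state == "SYN_SENT":                # handshake step 2: SYN-ACK from the server
        if sock != reverse(s.socket) or flags != {"SYN", "ACK"} or pkt["ack"] != s.next_seq[peer]:
            return "DENY", "expected SYN-ACK from server"
        s.state, s.next_seq[sock] = "SYN_RECV", (pkt["seq"] + 1) & MASK
        return "ALLOW", "SYN-ACK"
    if s.state == "SYN_RECV":                # handshake step 3: ACK from the client
        if sock != s.socket or flags != {"ACK"} or (pkt["seq"], pkt["ack"]) != (s.next_seq[sock], s.next_seq[peer]):
            return "DENY", "expected final ACK from client"
        s.state = "ESTABLISHED"
        return "ALLOW", "established"
    if "RST" in flags:                       # established: a reset tears the session down
        db.close(s)
        return "ALLOW", "reset"
    if not in_window(pkt["seq"], s.next_seq[sock], db.window):
        return "DENY", "sequence number outside window"
    if "ACK" in flags and not in_window(s.next_seq[peer], pkt["ack"], db.window):
        return "DENY", "acknowledgement beyond data sent by peer"
    s.next_seq[sock] = (pkt["seq"] + pkt["length"] + ("FIN" in flags)) & MASK  # simplified update
    if "FIN" in flags:                       # closing handshake: session ends after both FINs
        s.fins += 1
        if s.fins == 2:
            db.close(s)
            return "ALLOW", "closed"
    return "ALLOW", "in window"
```

A packet that belongs to no session and is not a SYN is denied before any rule runs, which is the property a stateful filter adds over a static one; when the table is full, the session at the head of the list is the one dropped, so an attacker who can open many idle sessions displaces legitimate idle ones first, which is why the capacity and window are deliberate parameters here.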
-
14. A method of monitoring the state of a communications session, said method comprising the steps of:
-
establishing a session database adapted to store session related data for a plurality of sessions, each session corresponding to a socket;
recognizing a session in accordance with a first hash calculation on the socket associated with a received packet;
establishing and maintaining a least recently used (LRU) doubly linked list having a head and tail wherein most recently used sessions are stored at the tail and least recently used sessions are stored at the head;
recognizing a hole session in accordance with a second hash calculation on a partial socket associated with said received packet;
reading session data from said session database, said session data associated with either a recognized session or a recognized hole session;
tracking a connection state of said session and checking said state against a plurality of rules to determine whether to allow or deny said received packet; and
writing updated session data back into said session database.
Dependent claims 15 to 24. Claims 15 to 19 are truncated on this page; only the closing steps of one of them survive:
storing session data related to said new session in said session database;
calculating a hash value on the socket associated with said new session; and
storing said hash value in a hash table.
-
20. The method according to claim 14, wherein said step of recognizing a session comprises the steps of:
-
calculating said first hash value on the socket associated with the session to be recognized;
looking up a hash pointer in a hash table using said first hash result as an index;
retrieving socket data from said session database in accordance with said hash pointer; and
recognizing said session if the retrieved socket matches the socket associated with the received session.
-
-
21. The method according to claim 14, wherein said step of recognizing a hole session comprises the steps of:
-
calculating said second hash value on said partial socket associated with the session to be recognized;
looking up a hash pointer in a hash table using said second hash result as an index;
retrieving partial socket data from said session database in accordance with said hash pointer; and
recognizing said hole session if the retrieved partial socket matches the partial socket associated with the received session.
-
-
22. The method according to claim 14, wherein said step of tracking said connection state comprises tracking a transmission control protocol (TCP) opening handshake if the session comprises a TCP opening session.
-
23. The method according to claim 14, wherein said step of tracking said connection state comprises tracking a transmission control protocol (TCP) closing handshake if the session comprises a TCP closing session.
-
24. The method according to claim 14, wherein said step of tracking said connection state comprises tracking the sequence and acknowledge of said session against a window if said session comprises a transmission control protocol (TCP) session.
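The two-level recognition of claims 14 and 21, as an added Python example written for this page and not taken from the patent: a first hash on the full socket finds an existing session, and when that fails a second hash on a partial socket finds a "hole", a pre-authorised slot for a connection whose full socket is not yet known. The claims do not say which field the partial socket omits; this example assumes it is the client's source port, and uses an FTP passive-mode data connection as the constructed scenario, with a constructed 227 reply from the server. Names such as HoleAwareSessionDB and open_hole are this example's own.

```python
import re

WILDCARD = None  # field of a partial socket that is not yet known

def partial_socket(sock):
    """Key for the second hash table: the 5-tuple with the source port masked (assumed field)."""
    proto, sip, _sport, dip, dp = sock
    return (proto, sip, WILDCARD, dip, dp)

def parse_pasv(reply):
    """Extract (ip, port) from an FTP '227 Entering Passive Mode (h1,h2,h3,h4,p1,p2)' reply."""
    m = re.search(r"\((\d+),(\d+),(\d+),(\d+),(\d+),(\d+)\)", reply)
    if not m:
        raise ValueError("not a PASV reply")
    h1, h2, h3, h4, p1, p2 = map(int, m.groups())
    return f"{h1}.{h2}.{h3}.{h4}", p1 * 256 + p2

class HoleAwareSessionDB:
    def __init__(self):
        self.sessions = {}  # first hash table: full socket -> session state
        self.holes = {}     # second hash table: partial socket -> owning control session

    def open_session(self, sock, state="SYN_SENT"):
        self.sessions[sock] = {"state": state}

    def open_hole(self, partial, owner):
        self.holes[partial] = owner

    def recognize(self, sock):
        """First hash on the full socket, then second hash on the partial socket."""
        if sock in self.sessions:
            return "session", self.sessions[sock]
        partial = partial_socket(sock)
        if partial in self.holes:
            return "hole", self.holes[partial]
        return None, None

def filter_packet(db, pkt):
    sock, flags = pkt["socket"], set(pkt["flags"])
    kind, data = db.recognize(sock)
    if kind == "session":
        return "ALLOW", "existing session"
    if kind == "hole":
        if flags != {"SYN"}:                      # a hole only admits an opening SYN
            return "DENY", "hole only accepts SYN"
        del db.holes[partial_socket(sock)]        # single use: the hole becomes a full session
        db.open_session(sock)
        return "ALLOW", f"hole opened by control session {data}"
    return "DENY", "no session and no hole"

def ftp_pasv_demo():
    """Constructed scenario: a client with an established FTP control session enters passive mode."""
    db = HoleAwareSessionDB()
    control = ("tcp", "10.0.0.2", 40000, "203.0.113.5", 21)
    db.open_session(control, "ESTABLISHED")
    # Constructed server reply on the control channel announcing the data port (195*256+80 = 50000)
    server_ip, data_port = parse_pasv("227 Entering Passive Mode (203,0,113,5,195,80)")
    db.open_hole(("tcp", "10.0.0.2", WILDCARD, server_ip, data_port), owner=control)
    probes = [
        (("tcp", "198.51.100.7", 41234, server_ip, data_port), {"SYN"}),  # other host: DENY
        (("tcp", "10.0.0.2", 41234, server_ip, data_port), {"ACK"}),      # right host, not SYN: DENY
        (("tcp", "10.0.0.2", 41234, server_ip, data_port), {"SYN"}),      # fills the hole: ALLOW
        (("tcp", "10.0.0.2", 41235, server_ip, data_port), {"SYN"}),      # hole already used: DENY
    ]
    return [filter_packet(db, {"socket": s, "flags": f})[0] for s, f in probes]
```

The hole is bound to the client address and the announced server address and port, and is consumed by the first matching SYN; a filter that left the hole open, or keyed it on the server side only, would let any host reach the announced port for as long as the hole lived.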
-
25. A dynamic filter for filtering an input packet stream, comprising:
a session database adapted to store session related data for a plurality of sessions, each session corresponding to a socket;
a session recognition module adapted to search said session database for a session whose associated socket matches that of a received packet;
a session management module adapted to maintain said session database including adding, deleting and modifying sessions in said session database, and adapted to establish and maintain a least recently used (LRU) doubly linked list for tracking session use having a head and tail wherein most recently used sessions are stored at the tail and least recently used sessions are stored at the head; and
a main filter module operative to track a connection state of the session corresponding to a received packet and checking said connection state against a plurality of rules to determine whether to allow or deny said received packet.
Dependent claims 26 to 38. Claims 26 to 32 are truncated on this page; only the closing steps of one of them survive:
store session data related to said new session in said session database;
calculate a hash value on the socket associated with said new session; and
store said hash value in a hash table.
-
33. The dynamic filter according to claim 25, wherein said session recognition module comprises means adapted to:
-
calculate a hash value on the socket associated with the session to be recognized;
look up a hash pointer in a hash table using the hash result as an index;
retrieve socket data from said session database in accordance with said hash pointer; and
recognize said session if the retrieved socket matches the socket associated with the received session.
-
-
34. The dynamic filter according to claim 25, wherein said main filter comprises means for tracking the state of a transmission control protocol (TCP) opening handshake if the session comprises a TCP opening session.
-
35. The dynamic filter according to claim 25, wherein said main filter comprises means for tracking the state of a transmission control protocol (TCP) closing handshake if the session comprises a TCP closing session.
-
36. The dynamic filter according to claim 25, wherein said main filter comprises means for tracking the sequence and acknowledge of said session against a window if said session comprises a transmission control protocol (TCP) session.
-
37. The dynamic filter according to claim 25, wherein said dynamic filter is implemented in a field programmable gate array (FPGA).
-
38. The dynamic filter according to claim 25, wherein said dynamic filter is implemented in an application specific integrated circuit (ASIC).
-
39. A digital computing apparatus, comprising:
-
communication means adapted to connect said apparatus to a wide area network (WAN);
memory means comprising volatile and non-volatile memory, said non-volatile memory adapted to store one or more application programs;
a processor coupled to said memory means and said communication means for executing said one or more application programs; and
a dynamic packet filter for filtering an input packet stream, comprising:
a session database adapted to store session related data for a plurality of sessions, each session corresponding to a socket;
a session recognition module adapted to search said session database for a session whose associated socket matches that of a received packet;
a session management module adapted to both maintain said session database including adding, deleting and modifying sessions in said session database and to establish and maintain a least recently used (LRU) doubly linked list for tracking session use having a head and tail wherein most recently used sessions are stored at the tail and least recently used sessions are stored at the head; and
a main filter module operative to track a connection state of the session corresponding to a received packet and checking said connection state against a plurality of rules to determine whether to allow or deny said received packet.
-
-
40. A computer readable storage medium having a computer program embodied thereon for causing a suitably programmed system to search for a plurality of strings by performing the following steps when such program is executed on said system:
-
establishing a session database adapted to store session related data for a plurality of sessions, each session corresponding to a socket;
opening a new session upon receipt of a socket not previously stored in said session database;
recognizing a session associated with a received packet in accordance with its associated socket;
establishing and maintaining a least recently used (LRU) doubly linked list having a head and tail wherein most recently used sessions are stored at the tail and least recently used sessions are stored at the head;
processing the session data corresponding to said received packet in accordance with a plurality of predefined rules to generate processing results; and
deciding whether to allow or deny said received packet in accordance with said processing results.