Method and apparatus for optimizing firewall processing

US 6,854,063 B1
Filed: 03/03/2000
Issued: 02/08/2005
Est. Priority Date: 03/03/2000
Status: Expired due to Term

First Claim

Patent Images

1. In a firewall device having a plurality of communication interfaces, a packet filtering component coupled to each of the interfaces, a switching process component coupled to each of the interfaces, and a firewall services component coupled to the switching process component, a firewall system comprising:

a) a session manager operating in said firewall services component, said session manager structured and configured to instantiate a plurality of sessions in said firewall services component and a plurality of mini-sessions in said switching process component, each of said plurality of sessions having header and payload information related to a corresponding data transfer within the firewall device, each of said plurality of mini-sessions corresponding to a session and including header information related the corresponding data transfer within the firewall device, wherein said plurality of mini-sessions comprises instantiated software modules residing in the same address space as said switching process component; and

b) a firewall module operating in said switching process coupled to said plurality of mini-sessions, said firewall module configured to intercept data packets received into the interfaces, said firewall module further configured to track session context of said data packets.

View all claims

3 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

A firewall system and method which optimizes the performance of the firewall process by reducing overhead associated with ACL verification and firewall application-level authorization. The firewall system comprises a session manager operating in the firewall services component and a firewall module operating in the switching process component. In one embodiment, the firewall module is configured to provide certain “non-application” level inspection of data packets and update the context of “sessions” associated with the data packets without sending the packets to the firewall services component using session information provided by the session manager.

Citations

25 Claims

1. In a firewall device having a plurality of communication interfaces, a packet filtering component coupled to each of the interfaces, a switching process component coupled to each of the interfaces, and a firewall services component coupled to the switching process component, a firewall system comprising:
- a) a session manager operating in said firewall services component, said session manager structured and configured to instantiate a plurality of sessions in said firewall services component and a plurality of mini-sessions in said switching process component, each of said plurality of sessions having header and payload information related to a corresponding data transfer within the firewall device, each of said plurality of mini-sessions corresponding to a session and including header information related the corresponding data transfer within the firewall device, wherein said plurality of mini-sessions comprises instantiated software modules residing in the same address space as said switching process component; and
  
  b) a firewall module operating in said switching process coupled to said plurality of mini-sessions, said firewall module configured to intercept data packets received into the interfaces, said firewall module further configured to track session context of said data packets.
- View Dependent Claims (2, 3, 4, 5, 6, 7)
- - 2. The firewall system of claim 1, wherein said session manager is further structured and configured to manage said plurality of sessions and said plurality of mini-sessions.
  - 3. The firewall system of claim 1, wherein said session manager is further structured and configured to delete said plurality of sessions and said plurality of mini-sessions.
  - 4. The firewall system of claim 1, wherein said firewall module is further configured to intercept data packets before reception by said packet filtering component, said firewall module further configured to set a “
    - pass”
      
      flag in data packets according matching header information in intercepted data packets and said header information in said plurality of mini-sessions.
  - 5. The firewall system of claim 4, wherein said packet filtering component is configured to bypass “
    - Access Control List”
      
      authorization of data packets having a “
      
      pass”
      
      flag.
  - 6. The firewall system of claim 1, wherein said firewall module is further configured to intercept data packets before reception by said packet filtering component, said firewall module further configured to set a “
    - do not divert”
      
      flag in data packets when packet inspection of said intercepted data packets does not require application-level inspection.
  - 7. The firewall system of claim 6, wherein said firewall module is configured to bypass authorization of data packets having a “
    - do not divert”
      
      flag with said firewall services component.

8. In a firewall device having a plurality of communication interfaces, a packet filtering component coupled to each of the interfaces, a switching process component coupled to each of the interfaces, and a firewall services component coupled to the switching process component, a method for optimizing firewall processing comprising:
- a) providing a session manager in the firewall services component;
  
  b) providing a firewall module in the switching process component;
  
  c) instantiating a session, by said session manager, for data transfers within the firewall device, said sessions having header and payload information related to data transfers within the firewall device; and
  
  d) instantiating a mini-session, by said session manager, corresponding to said instantiated session, said mini-session having header information related to data transfers within the firewall device, wherein said mini-session comprises instantiated software modules residing in the same address space as said switching process component.
- View Dependent Claims (9, 10, 11, 12, 13, 14, 15, 16)
- - 9. The method of claim 8, further comprising:
    - a) intercepting data packets having a header and a payload component, by said firewall module, before reception by the packet filtering component; and
      
      b) setting a “
      
      pass”
      
      flag in the intercepted data packets when said header component is the intercepted data packets matches said header information in said mini-session.
  - 10. The method of claim 8, further comprising:
    - a) checking data packets for a “
      
      pass”
      
      flag, by said packet filtering component; and
      
      b) bypassing “
      
      access control list”
      
      check, if a “
      
      pass”
      
      flag is found in said checked data packets.
  - 11. The method of claim 8, further comprising:
    - a) intercepting data packets having a header and a payload component, by said firewall module, before reception by the packet filtering component; and
      
      b) setting a “
      
      do not divert”
      
      flag in the intercepted data packets when packet inspection does not require application-level inspection.
  - 12. The method of claim 8, further comprising:
    - a) checking data packets for a “
      
      do not divert”
      
      flag, by said firewall module; and
      
      b) bypassing “
      
      access control list”
      
      check, if a “
      
      do not divert”
      
      flag is found in said checked data packets.
  - 13. The method of claim 8, further comprising bypassing authorization with the firewall services component, by the firewall module, for data packets header information matching header information in said mini-sessions.
  - 14. The method of claim 8, further comprising deleting said session and associated mini-session when data transfer associated with said sessions and mini-session is completed.
  - 15. The method of claim 8, further comprising deleting said session and associated mini-session when data transfer associated with said sessions and mini-session is idle past a predetermined timeout period.
  - 16. The method of claim 8, further comprising updating context of said mini-session, by said firewall module, without sending packets to said firewall services component.

17. A program storage device readable by a machine, tangibly embodying a program of instructions executable by the machine to perform a method for optimizing firewall processing in a firewall device having a plurality of communication interfaces, a packet filtering component coupled to each of the interfaces, a switching process component coupled to each of the interfaces, and a firewall services component coupled to the switching process component, said method comprising:
- a) providing a session manager in the firewall services component;
  
  b) providing a firewall module in the switching component;
  
  c) instantiating a session, by said session manager, for data transfers within the firewall device, said sessions having header and payload information related to data transfers within the firewall device; and
  
  d) instantiating a mini-session, by said session manager, corresponding to said instantiated session, said mini-session having header information related to data transfers within the firewall device, wherein said mini-session comprises instantiated software modules residing in the same address space as said switching process component.
- View Dependent Claims (18, 19, 20, 21, 22, 23, 24, 25)
- - 18. The program storage device of claim 17, said method further comprising:
    - a) intercepting data packets having a header and a payload component, by said firewall module, before reception by the packet filtering component; and
      
      b) setting a “
      
      pass”
      
      flag in the intercepted data packets when said header component is the intercepted data packets matches said header information in said mini-session.
  - 19. The program storage device of claim 17, said method further comprising:
    - a) checking data packets for a “
      
      pass”
      
      flag, by said packet filtering component; and
      
      b) bypassing “
      
      access control list”
      
      check, if a “
      
      pass”
      
      flag is found in said checked data packets.
  - 20. The program storage device of claim 17, said method further comprising:
    - a) intercepting data packets having a header and a payload component, by said firewall module, before reception by the packet filtering component; and
      
      b) setting a “
      
      do not divert”
      
      flag in the intercepted data packets when said intercepted data packets packet inspection does not require application-level inspection.
  - 21. The program storage device of claim 17, said method further comprising:
    - a) checking data packets for a “
      
      do not divert”
      
      flag, by said firewall module; and
      
      b) bypassing “
      
      access control list”
      
      check, if a “
      
      do not divert”
      
      flag is found in said checked data packets.
  - 22. The program storage device of claim 17, said method further comprising bypassing authorization with the firewall services component, by the firewall module, for data packets header information matching header information in said mini-sessions.
  - 23. The program storage device of claim 17, said method further comprising deleting said session and associated mini-session when data transfer associated with said sessions and mini-session is completed.
  - 24. The program storage device of claim 17, said method further comprising said session and associated mini-session when data transfer associated with said sessions and mini-session is idle past a predetermined timeout period.
  - 25. The program storage device of claim 17, said method further comprising updating context of said mini-session, by said firewall module, without sending packets to said firewall services component.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Cisco Technology, Inc. (Cisco Systems, Inc.)
Original Assignee
Cisco Technology, Inc. (Cisco Systems, Inc.)
Inventors
Li, Kevin, Fan, Seren, Truong, Steve, Boutros, Sami, Qu, Diheng
Primary Examiner(s)
Morse, Gregory
Assistant Examiner(s)
HENEGHAN, MATTHEW E

Application Number

US09/517,961
Time in Patent Office

1,803 Days
Field of Search

713/201, 370/392, 709/238
US Class Current

726/13
CPC Class Codes

H04L 63/0245   Filtering by information in...

H04L 63/0254   Stateful filtering

H04L 63/101   Access control lists [ACL]

Method and apparatus for optimizing firewall processing

First Claim

3 Assignments

0 Petitions

Accused Products

Abstract

Citations

25 Claims

Specification

Solutions

Use Cases

Quick Links

Method and apparatus for optimizing firewall processing

First Claim

3 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

Citations

25 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links