Methods for packet filtering including packet invalidation if packet validity determination not timely made

US 7,013,482 B1
Filed: 07/07/2000
Issued: 03/14/2006
Est. Priority Date: 07/07/2000
Status: Expired due to Term

- Alert
- Pin

First Claim

Patent Images

1. A method for communicating data between an external computing system and an internal computing system over a packet-based network, wherein data is transmitted and received in the form of a plurality of packets, the method comprising the steps of:

receiving a packet from the external computing system over the network, the packet having at least a first portion and an end portion, and transmitting the packet to the internal computing system;

in parallel with the step of receiving and transmitting the packet, determining characteristics of the packet from the first portion;

in parallel with the step of receiving and transmitting the packet, performing a plurality of checks on the packet, wherein at least certain of the plurality of checks are performing in parallel with other of the plurality of checks;

in parallel with the step of receiving and transmitting the packet, determining if the packet should be a valid packet or an invalid packet based on the plurality of checks; and

after receiving the end portion of the packet, selectively altering the end portion of the packet based on whether the packet has been determined to be a valid packet or an invalid packet, wherein the packet is selectively altered to be invalid if it was determined that the packet should be an invalid packet, wherein the packet is selectively altered to be invalid if a determination has not been made as to whether the packet is valid or invalid by the time the end portion of the packet is received.

View all claims

3 Assignments

Timeline View

Assignment View

Litigations

1 Petition

Accused Products

Abstract

Methods and systems for firewall/data protection that filters data packets in real time and without packet buffering are disclosed. A data packet filtering hub, which may be implemented as part of a switch or router, receives a packet on one link, reshapes the electrical signal, and transmits it to one or more other links. During this process, a number of filters checks are performed in parallel, resulting in a decision about whether each packet should or should not be invalidated by the time that the last bit is transmitted. To execute this task, the filtering hub performs rules-based filtering on several levels simultaneously, preferably with a programmable logic or other hardware device. Various methods for packet filtering in real time and without buffering with programmable logic are disclosed. The system may include constituent elements of a stateful packet filtering hub, such as microprocessors, controllers, and integrated circuits. The system may be reset, enabled, disabled, configured, and/or reconfigured with toggles or other physical switches. Audio and visual feedback may be provided regarding the operation and status of the system.

Citations

66 Claims

1. A method for communicating data between an external computing system and an internal computing system over a packet-based network, wherein data is transmitted and received in the form of a plurality of packets, the method comprising the steps of:
- receiving a packet from the external computing system over the network, the packet having at least a first portion and an end portion, and transmitting the packet to the internal computing system;
  
  in parallel with the step of receiving and transmitting the packet, determining characteristics of the packet from the first portion;
  
  in parallel with the step of receiving and transmitting the packet, performing a plurality of checks on the packet, wherein at least certain of the plurality of checks are performing in parallel with other of the plurality of checks;
  
  in parallel with the step of receiving and transmitting the packet, determining if the packet should be a valid packet or an invalid packet based on the plurality of checks; and
  
  after receiving the end portion of the packet, selectively altering the end portion of the packet based on whether the packet has been determined to be a valid packet or an invalid packet, wherein the packet is selectively altered to be invalid if it was determined that the packet should be an invalid packet, wherein the packet is selectively altered to be invalid if a determination has not been made as to whether the packet is valid or invalid by the time the end portion of the packet is received.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13, 14, 15, 16, 17, 18, 19, 20, 21, 22, 23, 24, 25, 26, 27, 28, 29, 30)
- - 2. The method of claim 1, wherein the packet is analyzed in real time to determine if the packet should be valid or invalid while the packet is being concurrently transmitted to the internal computing system.
  - 3. The method of claim 1, wherein the packet is analyzed to determine if the packet is valid without the packet having been completely received and buffered.
  - 4. The method of claim 1, wherein the packet is determined to be an invalid packet if it is determined that the packet contains a virus, is unauthorized or presents a risk of harm to the internal computing system.
  - 5. The method of claim 1, wherein the plurality of checks are at least in part selectively performed based on a state of a physical switch.
  - 6. The method of claim 5, wherein the physical switch comprises one or more user-controlled switches, wherein the plurality of checks are selectively performed based on a user-defined state of the one or more user-controlled switches.
  - 7. The method of claim 6, wherein the one or more user-controlled switches comprise at least one user-controlled switch that controls a configuration or reconfiguration of a circuit that performs the plurality of checks.
  - 8. The method of claim 7, wherein the configuration or reconfiguration of the circuit that performs the plurality of checks is performed without requiring user entry of configuration commands via software running on the internal computing system.
  - 9. The method of claim 7, wherein the circuit that performs the plurality of checks is configured or reconfigured based on commands from the internal computing system and based on a state of the at least one user-controlled switch.
  - 10. The method of claim 5, wherein at least a subset of the plurality of checks are selectively enabled or disabled based on the user-defined state of the user-controlled switches.
  - 11. The method of claim 1, wherein the plurality of checks are performed with a programmable logic device, wherein logic within the programmable logic device is selectively programmed to perform the plurality of checks in parallel with the receiving and transmitting of the packet.
  - 12. The method of claim 11, wherein a first physical interface circuit receives the packet from the network, wherein the packet is coupled to the programmable logic device, wherein the packet is coupled from the programmable logic device to a second physical interface circuit for transmission to the internal computing system.
  - 13. The method of claim 12, wherein the programmable logic device performs the plurality of checks while the packet is being coupled from the first physical interface to the second physical interface.
  - 14. The method of claim 1, wherein the plurality of checks are selectively performed based on a communication state between the external computing system and the internal computing system.
  - 15. The method of claim 14, wherein the communication state comprises one or more network addresses and/or one or more port numbers.
  - 16. The method of claim 15, wherein the network address comprises an IP address for the external computing system and/or the internal computing system.
  - 17. The method of claim 1, further comprising the step of providing visual or audio feedback with one or more visual or audio feedback devices, wherein the one or more visual or audio feedback devices selectively provide visual or audio feedback of the operation or status of a packet filter process.
  - 18. The method of claim 17, wherein the one or more visual or audio feedback devices provide visual or audio feedback that a system performing the packet filter process is powered or operational.
  - 19. The method of claim 18, wherein the one or more visual or audio feedback devices provide visual or audio feedback that the system performing the packet filter process is subjecting a packet to filtering criteria.
  - 20. The method of claim 18, wherein the one or more visual or audio feedback devices provide visual or audio feedback that the system performing the packet filter process has rejected one or more packets.
  - 21. The method of claim 17, wherein the one or more visual or audio feedback devices provide visual or audio feedback that the internal computing system is suspected to be under attack.
  - 22. The method of claim 21, wherein the one or more visual or audio feedback devices provide visual or audio feedback of an estimated severity of the attack.
  - 23. The method of claim 18, wherein the one or more visual or audio feedback devices provide visual or audio feedback of a state of the system performing the packet filter process until the one or more visual or audio feedback devices are reset by a user.
  - 24. The method of claim 23, wherein the one or more visual or audio feedback devices are reset by the state of a physical switch.
  - 25. The method of claim 18, wherein the one or more visual or audio feedback devices comprise at least one light source, wherein the light source is selectively controlled to provide information indicative of the operation or status of the system performing the packet filter process.
  - 26. The method of claim 25, wherein the light source is controlled to have a first color or a second color depending on the operation or status of the system performing the packet filter process.
  - 27. The method of claim 25, wherein the light source is controlled to selectively blink depending on the operation or status of the system performing the packet filter process.
  - 28. The method of claim 27, wherein the light source is controlled to selectively blink at a rate that is indicative of a severity level of a suspected attack on the internal computing system.
  - 29. The method of claim 25, wherein the at least one light source comprises an LED.
  - 30. The method of claim 17, wherein the one or more visual or audio feedback devices comprise a speaker.

31. A system for filtering packets of data between at least an external network and an internal network, wherein data is transmitted and received in the form of a plurality of packets, comprising:
- a first interface circuit for coupling data packets to and from the external network;
  
  a second interface circuit for coupling data packets to and from the internal network;
  
  a programmable logic device coupled between the first interface circuit and the second interface circuit;
  
  wherein, as a packet is being received and transmitted between the first and second interface circuits, the packet is simultaneously subjected to a plurality of filtering criteria by the programmable logic device, wherein an end portion of the packet is selectively altered by the programmable logic device based on the filtering criteria, wherein the packet is selectively altered to be invalid if a determination has not been made as to whether the packet is valid or invalid by the time the end portion of the packet is received.
- View Dependent Claims (32, 33, 34, 35, 36, 37, 38, 39, 40, 41, 42, 43, 44, 45, 46, 47, 48, 49, 50, 51, 52, 53, 54, 55, 56, 57, 58, 59, 60, 61, 62, 63, 64, 65, 66)
- - 32. The system of claim 31, wherein the filtering criteria determine whether the packet is to be a valid packet or an invalid packet, wherein the packet is selectively altered to be invalid if it was determined that the packet should be an invalid packet.
  - 33. The system of claim 31, wherein the programmable logic circuit includes at least first logic for determining characteristics of the packet being received and transmitted between the first and second interface circuits and at least a filter portion that subjects the packet to the plurality of filtering criteria while the packet is being received and transmitted between the first and second interface circuits.
  - 34. The system of claim 33, wherein the filter portion includes at least a stateful filter portion and a non-stateful filter portion.
  - 35. The system of claim 34, wherein the stateful filter portion subjects the packet to one or more stateful filtering criterion and the non-stateful filter portion subjects the packet to one or more non-stateful filtering criterion.
  - 36. The system of claim 34, wherein the stateful filter portion subjects the packet to one or more stateful filtering criterion while the non-stateful filter portion subjects the packet to one or more non-stateful filtering criterion.
  - 37. The system of claim 34, wherein a result aggregator logic receives one or more signals from the stateful filter portion and the non-stateful filter portion, wherein based on the received signals the result aggregator logic controls whether the packet is selectively altered to be invalid.
  - 38. The system of claim 37, wherein the result aggregator logic receives a completion signal that indicates whether the stateful and/or non-stateful filter portions have subjected the packet to all of the filtering criteria.
  - 39. The system of claim 38, wherein, if the completion signal is not received by the result aggregator logic by a time when the end portion of the packet has been received, then the packet is selectively altered by the programmable logic device to be invalid.
  - 40. The system of claim 31, wherein the packet is subjected to the plurality of filtering criteria in parallel with the packet being received and transmitted between the first and second interface circuits, wherein a decision is made whether to selectively alter the packet to be invalid by a time when the end portion of the packet has been received.
  - 41. The system of claim 31, wherein the packet is subjected to the plurality of filtering criteria in real time with the packet being received and transmitted between the first and second interface circuits.
  - 42. The system of claim 31, further comprising one or more physical switches, wherein the packet is selectively subjected to the filtering criteria based on the state of the one or more physical switches.
  - 43. The system of claim 42, wherein the state of the one or more physical switches selectively enable or disable a predetermined portion of the filtering criteria.
  - 44. The system of claim 42, wherein the state of the one or more physical switches selectively enable or disable a predetermined portion of the filtering criteria based on whether a computer coupled to the internal network is controlled to operate in a client mode or a server mode.
  - 45. The system of claim 42, wherein the state of the one or more physical switches selectively controls a configuration or reconfiguration operation of the programmable logic device.
  - 46. The system of claim 42, wherein the state of the one or more physical switches selectively controls a reset operation of the programmable logic device.
  - 47. The system of claim 31, further comprising one or more visual or audio feedback devices, wherein the one or more visual or audio feedback devices selectively provide visual or audio feedback of the operation or status of the system.
  - 48. The system of claim 47, wherein the one or more visual or audio feedback devices provide visual or audio feedback that the system is powered or operational.
  - 49. The system of claim 47, wherein the one or more visual or audio feedback devices provide visual or audio feedback that the system is subjecting a packet to the filtering criteria.
  - 50. The system of claim 47, wherein the one or more visual or audio feedback devices provide visual or audio feedback that the system has rejected one or more packets.
  - 51. The system of claim 47, wherein the one or more visual or audio feedback devices provide visual or audio feedback that a computer coupled to the internal network is suspected to be under attack.
  - 52. The system of claim 51, wherein the one or more visual or audio feedback devices provide visual or audio feedback of an estimated severity of the attack.
  - 53. The system of claim 47, wherein the one or more visual or audio feedback devices provide visual or audio feedback of a state of the system until the one or more visual or audio feedback devices are reset by a user.
  - 54. The system of claim 53, wherein the one or more visual or audio feedback devices are reset by the state of a physical switch.
  - 55. The system of claim 47, wherein the one or more visual or audio feedback devices comprise at least one light source, wherein the light source is selectively controlled to provide information indicative of the operation or status of the system.
  - 56. The system of claim 55, wherein the light source is controlled to have a first color or a second color depending on the operation or status of the system.
  - 57. The system of claim 55, wherein the light source is controlled to selectively blink depending on the operation or status of the system.
  - 58. The system of claim 57, wherein the light source is controlled to selectively blink at a rate that is indicative of a severity level of a suspected attack on a computer coupled to the internal network.
  - 59. The system of claim 55, wherein the at least one light source comprises an LED.
  - 60. The system of claim 47, wherein the one or more visual or audio feedback devices comprise a speaker.
  - 61. The system of claim 36, wherein the stateful filtering criteria are dependent upon physical switch position, packet characteristics, clock time and/or user-specified criteria.
  - 62. The system of claim 61, wherein the user-specified criteria are entered via a physical input device.
  - 63. The system of claim 62, wherein the physical input device comprises one or more switches, an audio input device, or display input device.
  - 64. The system of claim 61, wherein the user specified criteria are entered via a configuration software.
  - 65. The system of claim 64, wherein the user specified criteria are transferred from the configuration software to the system using a network protocol, infrared port or cable attachment.
  - 66. The system of claim 63, wherein the one or more switches comprise a toggle switch, button switch or multi-state switch.

Specification

Resources

Litigation Campaign Assessment

Litigation Data

Current Assignee
802 Systems Inc.
Original Assignee
802 Systems, LLC
Inventors
Krumel, Andrew K.
Primary Examiner(s)
Morse, Gregory
Assistant Examiner(s)
Simitoski, Michael J.

Application Number

US09/611,775
Time in Patent Office

2,076 Days
Field of Search

713/201, 713/154, 709/229, 709/249, 709/225, 370/356, 370/389, 370/392, 370/395.21, 370/395.32, 370/401, 726/13, 726/11
US Class Current

726/13
CPC Class Codes

H04L 63/0227 Filtering policies mail mes...

Methods for packet filtering including packet invalidation if packet validity determination not timely made

First Claim

3 Assignments

Litigations

1 Petition

Accused Products

Abstract

Citations

66 Claims

Specification

Solutions

Use Cases

Quick Links

Methods for packet filtering including packet invalidation if packet validity determination not timely made

First Claim

3 Assignments

Subscription Required

Subscription Required

Litigations

1 Petition

Subscription Required

Accused Products

Subscription Required

Abstract

Citations

66 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links