Methods for packet filtering including packet invalidation if packet validity determination not timely made
First Claim
1. A method for communicating data between an external computing system and an internal computing system over a packet-based network, wherein data is transmitted and received in the form of a plurality of packets, the method comprising the steps of:
- receiving a packet from the external computing system over the network, the packet having at least a first portion and an end portion, and transmitting the packet to the internal computing system;
- in parallel with the step of receiving and transmitting the packet, determining characteristics of the packet from the first portion;
- in parallel with the step of receiving and transmitting the packet, performing a plurality of checks on the packet, wherein at least certain of the plurality of checks are performed in parallel with others of the plurality of checks;
- in parallel with the step of receiving and transmitting the packet, determining if the packet should be a valid packet or an invalid packet based on the plurality of checks; and
- after receiving the end portion of the packet, selectively altering the end portion of the packet based on whether the packet has been determined to be a valid packet or an invalid packet, wherein the packet is selectively altered to be invalid if it was determined that the packet should be an invalid packet, and wherein the packet is selectively altered to be invalid if a determination has not been made as to whether the packet is valid or invalid by the time the end portion of the packet is received.
Abstract
Methods and systems for firewall/data protection that filter data packets in real time and without packet buffering are disclosed. A data packet filtering hub, which may be implemented as part of a switch or router, receives a packet on one link, reshapes the electrical signal, and transmits it to one or more other links. During this process, a number of filter checks are performed in parallel, resulting in a decision about whether each packet should or should not be invalidated by the time that the last bit is transmitted; a packet for which no decision has been reached by then is invalidated as well. To execute this task, the filtering hub performs rules-based filtering on several levels simultaneously, preferably with a programmable logic or other hardware device. Various methods for packet filtering in real time and without buffering with programmable logic are disclosed. The system may include constituent elements of a stateful packet filtering hub, such as microprocessors, controllers, and integrated circuits. The system may be reset, enabled, disabled, configured, and/or reconfigured with toggles or other physical switches. Audio and visual feedback may be provided regarding the operation and status of the system.
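The following Python model is an added illustration of the cut-through behaviour the abstract and claim 1 describe; it is not code from the patent or its assignee. Every byte of a frame is forwarded as it arrives, each check runs as soon as the bytes it needs are in (independently of the other checks), and only the final byte of the frame-check sequence (FCS) is ever touched: it is corrupted when any check says "invalid", and also when some check has not produced a usable verdict by the time the last byte goes out. The deny-list, port allow-list, the 40 byte-time lookup latency and the sample frames are all constructed for the example, and the model simplifies real hardware by assuming a 20-byte IPv4 header layout and treating one byte as one clock tick.

```python
import struct
import zlib
from ipaddress import ip_address, ip_network

# Policy for the example (constructed; not taken from the patent).
DENY_SOURCES = [ip_network("203.0.113.0/24")]  # source addresses that are never allowed in
ALLOW_DST_PORTS = {80, 443}                    # destination ports the internal host may receive
ESTABLISHED = set()                            # (src, dst, sport, dport) flows already admitted
FLOW_LOOKUP_LATENCY = 40                       # assumed: byte-times a flow-table lookup takes

ETH, IPV4, TCP, SYN = 14, 0x0800, 6, 0x02


def build_frame(src, dst, dport, payload=b"", flags=SYN, sport=40000):
    """Constructed Ethernet/IPv4/TCP frame with a correct FCS (CRC-32, LSB first)."""
    eth = bytes.fromhex("020000000002020000000001") + struct.pack("!H", IPV4)
    tcp = struct.pack("!HHIIBBHHH", sport, dport, 0, 0, 5 << 4, flags, 65535, 0, 0)
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(tcp) + len(payload), 0, 0, 64, TCP, 0,
                     ip_address(src).packed, ip_address(dst).packed)
    body = eth + ip + tcp + payload
    return body + struct.pack("<I", zlib.crc32(body))


def fcs_ok(frame):
    """What the receiving MAC does: a frame whose FCS does not match is discarded."""
    return zlib.crc32(frame[:-4]) == struct.unpack("<I", frame[-4:])[0]


def l4_offset(buf):
    """Offset of the TCP header, known once the IPv4 IHL byte has arrived."""
    return None if len(buf) <= ETH else ETH + (buf[ETH] & 0x0F) * 4


def after_l4(extra):
    return lambda buf: None if l4_offset(buf) is None else l4_offset(buf) + extra


def check_ethertype(buf):
    return struct.unpack("!H", buf[12:14])[0] == IPV4


def check_src_ip(buf):
    return not any(ip_address(bytes(buf[26:30])) in net for net in DENY_SOURCES)


def check_dst_port(buf):
    l4 = l4_offset(buf)
    return buf[23] == TCP and struct.unpack("!H", buf[l4 + 2:l4 + 4])[0] in ALLOW_DST_PORTS


def check_flow(buf):
    # Stateful rule: admit a SYN, or a segment of a flow that was admitted earlier.
    l4 = l4_offset(buf)
    key = (bytes(buf[26:30]), bytes(buf[30:34])) + struct.unpack("!HH", buf[l4:l4 + 4])
    return buf[l4 + 13] == SYN or key in ESTABLISHED


# name -> (bytes needed before the rule can run, latency in byte-times, rule)
CHECKS = {
    "ethertype": (lambda buf: 14, 0, check_ethertype),
    "src_ip":    (lambda buf: 30, 0, check_src_ip),
    "dst_port":  (after_l4(4), 0, check_dst_port),
    "flow":      (after_l4(14), FLOW_LOOKUP_LATENCY, check_flow),
}


class CutThroughFilter:
    """Runs every check as soon as its input bytes have arrived, independently of the
    others, and treats a verdict as usable only once its latency has elapsed."""

    def __init__(self):
        self.buf = bytearray()
        self.ready_at = {}   # check name -> byte count at which its verdict is usable
        self.verdict = {}    # check name -> True (valid) / False (invalid)

    def on_byte(self, b):
        self.buf.append(b)
        for name, (needed, latency, rule) in CHECKS.items():
            need = needed(self.buf)
            if name not in self.verdict and need is not None and len(self.buf) >= need:
                self.verdict[name] = rule(self.buf)
                self.ready_at[name] = len(self.buf) + latency

    def decision(self):
        """True = valid, False = invalid, None = at least one verdict is not ready yet."""
        usable = {n: v for n, v in self.verdict.items() if self.ready_at[n] <= len(self.buf)}
        if not all(usable.values()):
            return False
        return True if len(usable) == len(CHECKS) else None


def filter_frame(frame):
    """Cut-through pass: each byte is forwarded as received; only the last FCS byte is
    altered, and it is altered whenever the verdict is invalid or not yet available."""
    flt = CutThroughFilter()
    out = bytearray()
    for i, b in enumerate(frame):
        flt.on_byte(b)
        if i == len(frame) - 1 and flt.decision() is not True:
            b ^= 0xFF  # fail closed: a corrupted FCS makes the downstream MAC drop the frame
        out.append(b)
    return bytes(out), flt.decision()


if __name__ == "__main__":
    for label, frame in [
        ("allowed, long enough", build_frame("192.0.2.10", "192.0.2.1", 443, b"A" * 64)),
        ("denied source",        build_frame("203.0.113.5", "192.0.2.1", 443, b"A" * 64)),
        ("allowed, min-size",    build_frame("192.0.2.10", "192.0.2.1", 443, b"\x00" * 6)),
    ]:
        out, verdict = filter_frame(frame)
        print(f"{label:22} verdict={verdict!s:5} fcs_ok={fcs_ok(out)}")
```

The third case is the one the claim's last clause is about: the frame is allowed by every rule, but the 64-byte minimum-size frame ends before the (assumed) 40 byte-time flow lookup returns, so the hub cannot know the answer and corrupts the FCS anyway. In a real design this is the sizing constraint a practitioner has to check: every check's worst-case latency, measured from the byte at which its inputs are complete, must fit inside the shortest frame the link can carry, or legitimate short frames will be dropped by the fail-closed default.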
66 Claims
1. Independent claim; text as given under First Claim above. Dependent claims: 2-30.
31. A system for filtering packets of data between at least an external network and an internal network, wherein data is transmitted and received in the form of a plurality of packets, comprising:
- a first interface circuit for coupling data packets to and from the external network;
- a second interface circuit for coupling data packets to and from the internal network;
- a programmable logic device coupled between the first interface circuit and the second interface circuit;
- wherein, as a packet is being received and transmitted between the first and second interface circuits, the packet is simultaneously subjected to a plurality of filtering criteria by the programmable logic device, wherein an end portion of the packet is selectively altered by the programmable logic device based on the filtering criteria, wherein the packet is selectively altered to be invalid if a determination has not been made as to whether the packet is valid or invalid by the time the end portion of the packet is received.
Dependent claims: 32-66.