Method and apparatus for a distributed firewall

US 7,051,365 B1
Filed: 06/30/1999
Issued: 05/23/2006
Est. Priority Date: 06/30/1999
Status: Expired due to Term

First Claim

Patent Images

1. A method executed within a processing unit for filtering packets, comprising the steps of:

receiving a packet that includes an encrypted identifier and an unencrypted remainder of said packet, for verifying identity of a first device that sent said packet;

authenticating said identifier;

determining whether to forward said packet to a second device based on result of said authenticating, and a policy relative to said source device; and

forwarding said packet to said second device in accordance with said determination.

View all claims

8 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

A method and apparatus for a implementing a distributed firewall is described. A packet filter processor receives a packet sent from a first device to a second device. The packet filter processor authenticates an identifier for the packet. For example, authentication could be performed using a cryptographically-verifiable identifier. The packet filter processor determines whether to send the packet to the second device, based on the authentication and a set of policy rules. The packet filter processor sends the packet to the second device in accordance with the determination.

90 Citations

View as Search Results

23 Claims

1. A method executed within a processing unit for filtering packets, comprising the steps of:
- receiving a packet that includes an encrypted identifier and an unencrypted remainder of said packet, for verifying identity of a first device that sent said packet;
  
  authenticating said identifier;
  
  determining whether to forward said packet to a second device based on result of said authenticating, and a policy relative to said source device; and
  
  forwarding said packet to said second device in accordance with said determination.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 21, 22, 23)
- - 2. The method of claim 1, wherein said step of determining comprises:
    - comparing authenticated identifier yielded by said step of authenticating to a list of identifiers;
      
      retrieving at least one policy rule relative to said authenticated identifier;
      
      determining whether to send said packet to said second device in accordance with said policy rule.
  - 3. The method of claim 1, wherein said authenticating is performed in accordance with IPSEC standards.
  - 4. The method of claim 1, wherein said authenticating comprises:
    - retrieving a pointer to a security association from an authentication header from said packet;
      
      retrieving a key associated with said security association; and
      
      determining whether said packet is authentic using said key.
  - 5. The method of claim 4, further comprising the step of sending a first message to a third device indicating said identifier is not authentic when said step of authenticating so determines.
  - 6. The method of claim 4 wherein said authentication header is an IPSEC authentication header.
  - 7. The method of claim 1, wherein said packet is, in addition, encrypted, and said method further comprises decrypting said packet prior to authenticating.
  - 8. The method of claim 7, wherein said packet is encrypted and decrypted using one of group of cryptographic techniques comprising DES, triple DES, HMAC and RSA.
  - 9. The method of claim 1, wherein said policy rule is stored in a policy configuration file at said processing unit.
  - 21. The method of claim 1 where said identifier relates to hardware.
  - 22. The method of claim 1 where said identifier relates to an IP source address.
  - 23. The method of claim 1 where said receiving a packet is unsolicited.

10. A machine-readable memory whose contents cause a computer system to perform packet filtering, by performing the steps of:
- receiving a packet that includes an encrypted identifier for verifying identity of a first device that sent said packet, while remainder of said packet unencrypted;
  
  authenticating said identifier;
  
  determining whether to forward said packet to a second device based on result of said authenticating, and a policy relative to said source device; and
  
  forwarding said packet to said second device in accordance with said determination.
- View Dependent Claims (11, 12, 13, 14, 15, 16, 17, 18)
- - 11. The machine-readable memory of claim 10, wherein said determining comprises:
    - comparing authenticated identifier yielded by said step of authenticating to a list of identifiers;
      
      retrieving at least one policy rule relative to said authenticated identifier;
      
      determining whether to send said packet to said second device in accordance with said comparison and said policy rule.
  - 12. The machine-readable memory of claim 10, wherein said authenticating is performed in accordance with IPSEC standards.
  - 13. The machine-readable memory of claim 10, wherein said authenticating comprises:
    - retrieving a pointer to a security association from an authentication header from said packet;
      
      retrieving a key associated with said security association; and
      
      determining whether said packet is authentic using said key.
  - 14. The machine-readable memory of claim 13, further comprising the step of sending a first message to a third device indicating said identifier is not authentic when said step of authenticating so determines.
  - 15. The machine-readable memory of claim 13 wherein said authentication header is an IPSEC authentication header.
  - 16. The machine-readable memory of claim 10, wherein said packet is, in addition, encrypted, and said method further comprises decrypting said packet prior to authenticating.
  - 17. The machine-readable memory of claim 16, wherein said packet is encrypted and decrypted using one of group of cryptographic techniques comprising DES, triple DES, HMAC and RSA.
  - 18. The machine-readable memory of claim 10, wherein said policy rule is stored in a policy configuration file at said processing unit.

19. A packet filter for a distributed firewall, comprising:
- an input means coupled to said first network for receiving a data packet from a first device, said data packet having an encrypted common host identifier for verifying identity of a first device that sent said packet via a decryption process, while remainder of said packet unencrypted;
  
  a first buffer coupled to said input means for storing said received packet;
  
  a first memory segment containing a list of common host identifiers and at least one policy rule;
  
  a second memory segment for storing a program for decrypting said common host identifier, authenticating said common host identifier, and determining whether to send said packet to a second device based on said list and said policy rule;
  
  a processor coupled to said first buffer, said first memory segment and said second memory segment for executing said program; and
  
  an output means coupled to said first buffer for forwarding said compared data packet to said second device based on said comparison.
- View Dependent Claims (20)
- - 20. The apparatus of claim 19, further comprising a second buffer for storing said compared data packet prior to forwarding said compared data packet to the second device.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
RPX Corporation
Original Assignee
AT&T Corporation (AT&T, Inc.)
Inventors
Bellovin, Steven Michael
Primary Examiner(s)
Moise, Emmanuel L.
Assistant Examiner(s)
FIELDS, COURTNEY D

Application Number

US09/343,464
Time in Patent Office

2,519 Days
Field of Search

713/160, 713/162, 713/153, 713/201, 709/225, 709/226
US Class Current

726/11
CPC Class Codes

H04L 63/0218   Distributed architectures, ...

H04L 63/0236   Filtering by address, proto...

H04L 63/08   for authentication of entit...

Method and apparatus for a distributed firewall

First Claim

8 Assignments

0 Petitions

Accused Products

Abstract

90 Citations

23 Claims

Specification

Solutions

Use Cases

Quick Links

Method and apparatus for a distributed firewall

First Claim

8 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

90 Citations

23 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links