System and method for propagating filters

US 7,054,930 B1
Filed: 10/26/2000
Issued: 05/30/2006
Est. Priority Date: 10/26/2000
Status: Active Grant

First Claim

Patent Images

1. A method for propagating filters to an upstream device comprising:

generating and installing a filter at a first network device;

sending information on said filter to a second network device located upstream from said first network device;

requesting said second network device to install a filter so that data is filtered closer to a source of said data;

sending routing information from said first network device to said second network device so that the filter installed on said second network device filters traffic forwarded to said first network device without filtering traffic to other downstream nodes; and

analyzing new data received from said second network device at said first network device and sending filter information to said second network device based on the analyzed data so that said second network device can refine the filter installed thereon.

View all claims

1 Assignment

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

A method and system for propagating filters to an upstream device. The method includes generating a filter at a first network device and sending information on the filter to a second network device located upstream from the first network device. The first network device then requests the second network device to install the filter.

210 Citations

40 Claims

1. A method for propagating filters to an upstream device comprising:
- generating and installing a filter at a first network device;
  
  sending information on said filter to a second network device located upstream from said first network device;
  
  requesting said second network device to install a filter so that data is filtered closer to a source of said data;
  
  sending routing information from said first network device to said second network device so that the filter installed on said second network device filters traffic forwarded to said first network device without filtering traffic to other downstream nodes; and
  
  analyzing new data received from said second network device at said first network device and sending filter information to said second network device based on the analyzed data so that said second network device can refine the filter installed thereon.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13, 14, 15, 16, 17, 18, 19, 20, 21, 22, 23, 24, 25, 26, 27, 28, 29, 30, 31)
- - 2. The method of claim 1 wherein generating a filter at a first network device comprises automatically generating said filter based on network flow entering the device.
  - 3. The method of claim 1 further comprising receiving information based on monitored network flow and removing said filter from the first network device when the network flow requiring said filter is no longer present.
  - 4. The method of claim 3 further comprising requesting said upstream device to remove said filter.
  - 5. The method of claim 1 further comprising refining said filter at said first network device based on said monitored network flow.
  - 6. The method of claim 5 further comprising requesting the upstream network device to refine said filter.
  - 7. The method of claim 1 wherein generating a filter comprises detecting potentially harmful network flows and generating a filter to prevent packets corresponding to said detected potentially harmful network flows from passing through said second network device.
  - 8. The method of claim 7 wherein generating filters further comprises classifying network flow based on a source device sending a packet.
  - 9. The method of claim 8 wherein the network flow is classified based on an address of the source device.
  - 10. The method of claim 1 wherein generating filters comprises analyzing network flow entering said first network device.
  - 11. The method of claim 10 wherein analyzing said network flow is performed by software.
  - 12. The method of claim 10 comprising selecting a class of network flows to analyze based on previously analyzed network flows.
  - 13. The method of claim 1 wherein receiving filter information comprises using a filter propagation protocol.
  - 14. The method of claim 13 wherein the filter propagation protocol is operable to create, remove, or modify existing filters.
  - 15. The method of claim 13 wherein the filter propagation protocol uses negative routing.
  - 16. The method of claim 1 wherein said flow information includes a packet and byte count of packets received and dropped at the upstream device.
  - 17. The method of claim 1 further comprising:
    - classifying network flow received at the second network device;
      
      performing a lookup in a flow cache;
      
      building a new entry in the flow cache if the network flow is not found;
      
      generating a flow record based on the network flow;
      
      analyzing the flow record along with previous generated flow records;
      
      modifying said filter installed at the second network device based on said analyzed flow records; and
      
      transmitting data from the second network device to the first network device so that the first network device can modify the filter installed thereon.
  - 18. The method of claim 17 wherein classifying network flow comprises classifying said network flow based on an access control list.
  - 19. The method of claim 17 wherein classifying network flow is performed on only a limited number of packets received in said network flow.
  - 20. The method of claim 17 wherein analyzing said flow records comprises analyzing aggregate summary records.
  - 21. The method of claim 17 wherein analyzing said flow records comprises monitoring statistics associated with said filter installed on the second network device.
  - 22. The method of claim 1 further comprising utilizing reverse path forwarding at said second network device.
  - 23. The method of claim 1 wherein a filter propagation protocol is utilized to exchange information between said first and second network devices and modify said filters installed on said network devices.
  - 24. The method of claim 1 wherein the first network device is a firewall and the second network device is a router.
  - 25. The method of claim 1 wherein sending routing information from said first network device to said second network device comprises utilizing an inter-router filter propagation protocol.
  - 26. The method of claim 25 wherein the filter information is automatically propagated upstream to filter data close to the source of the data.
  - 27. The method of claim 1 further comprising detecting harmful network flows using a network directory and flow analyzer.
  - 28. The method of claim 1 wherein the first network device is an enterprise switch and the second network device is a router.
  - 29. The method of claim 1 further comprising sending filter information from the second network device to the first network device.
  - 30. The method of claim 29 wherein sending said filter information comprises limiting the number of filters that the first network device can request the second network device to install.
  - 31. The method of claim 29 wherein sending said filter information comprises requesting the first network device to install filters.

32. A computer program product for propagating a filter to an upstream device, comprising:
- code that generates and installs a filter at a first network device;
  
  code that sends information on said filter to a second network device located upstream from said first network device;
  
  code that requests said second network device to install said filter;
  
  code that sends routing information from the first network device to the second network device so that the filter installed on the second network device filters traffic forwarded to the first network device without filtering traffic to other downstream nodes;
  
  code that analyzes new data received at the first network device from the second network device and sends filter information to the second network device based on the analyzed data so that the second network device can refine the filter installed thereon; and
  
  a computer-readable storage medium for storing the codes.
- View Dependent Claims (33, 34, 35, 36)
- - 33. The computer program product of claim 32 wherein the computer readable medium is selected from the group consisting of CD-ROM, floppy disk, tape, flash memory, system memory, hard drive, and data signal embodied in a carrier wave.
  - 34. The computer program product of claim 32 wherein the code that generates said filter comprises code that analyzes network flows and detects potentially harmful network flows.
  - 35. The computer program product of claim 32 further comprising code that removes said filter from the first network device when no longer required.
  - 36. The computer program product of claim 32 further comprising code that requests said upstream device to remove said filter.

37. A system for propagating filters to an upstream device, comprising:
- means for generating and installing a filter at a first network device;
  
  means for sending information on said filter to a second network device located upstream from said first network device;
  
  means for requesting said second network device to install said filter;
  
  means for sending routing information from the first network device to the second network device so that the filter installed on the second network device filters traffic forwarded to the first network device without filtering traffic to other downstream nodes; and
  
  means for analyzing new data received at the first network device from the second network device and sending filter information to the second network device based on the analyzed data so that the second network device can refine the filter installed thereon.

38. A method for installing filters on connected network devices, comprising:
- analyzing network flows received at a first network device having a filter installed thereon;
  
  generating a filter at a second network device based on said analyzed flows;
  
  propagating said filter from the second network device to the first network device;
  
  generating filter statistics at the second network device;
  
  sending said filter statistics to the first network device; and
  
  utilizing a filter propagation protocol to exchange information directly between the first and second network devices to refine said filter.
- View Dependent Claims (39, 40)
- - 39. The method of claim 38 wherein propagating said filter comprises propagating filter information upstream such that said filter is positioned closer to a source of said flows.
  - 40. The method of claim 38 further comprising reinstalling said filter at predefined intervals to extend the lifetime of said filter and return packet and byte count statistics for said filter.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Cisco Technology, Inc. (Cisco Systems, Inc.)
Original Assignee
Cisco Technology, Inc. (Cisco Systems, Inc.)
Inventors
Cheriton, David
Primary Examiner(s)
PWU, JEFFREY C

Application Number

US09/698,968
Time in Patent Office

2,042 Days
Field of Search

709223-235, 713/153, 713/154, 713/163, 713/200, 713/201, 713/190, 370390-401, 726/13
US Class Current

709/226
CPC Class Codes

H04L 63/0263   Rule management

H04L 63/1408   by monitoring network traff...

H04L 67/34   involving the movement of s...

System and method for propagating filters

First Claim

1 Assignment

0 Petitions

Accused Products

Abstract

210 Citations

40 Claims

Specification

Solutions

Use Cases

Quick Links

System and method for propagating filters

First Claim

1 Assignment

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

210 Citations

40 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links