Using packet filters and network virtualization to restrict network communications

US 7,093,288 B1
Filed: 10/24/2000
Issued: 08/15/2006
Est. Priority Date: 10/24/2000
Status: Expired due to Fees

First Claim

Patent Images

1. A computing device comprising:

a set of filters;

a mapping of virtual addresses to network addresses; and

a controller, coupled to the set of filters and the mapping, to,access, upon receipt of a data packet requested to be sent from the computing device to a target device via a network, the set of filters and determine whether the data packet can be sent to the target device based on whether the computing device is allowed to communicate with the target device,replace, based on the mapping, the target address in the data packet with a corresponding target network address;

forward the data packet to the target device at the target network address if it is determined the data packet can be sent to the target device;

prevent the computing device from modifying any of the filters in the set of filters, but allow the set of filters to be modified by a plurality of remote devices operating at a plurality of different managerial levels, a first of the plurality of remote devices being a cluster operations management console for managing hardware operations of the computing device, a second of the plurality of remote devices being an application operations management console for managing software operations of the computing device; and

prevent the application operations management console from adding any filters to the set of filters that are less restrictive than filters added by the cluster operations management console.

View all claims

2 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

A network mediator corresponding to a computing device uses packet filters to restrict network communications. The network mediator includes a set of one or more filters, each filter having parameters that are compared to corresponding parameters of a data packet to be passed through the network mediator. The network mediator determines whether to allow the data packet through based on whether the data packet parameters match any filter parameters. The set of filters can be modified by a remote device, but cannot be modified by the computing device whose communications are being restricted. When a data packet is sent from the computing device, the data packet will include the virtual address which is changed to the network address by the network mediator prior to forwarding the packet on the network, and vice versa. By virtualizing the addresses, the computing device is restricted in accessing other devices over the network.

254 Citations

41 Claims

1. A computing device comprising:
- a set of filters;
  
  a mapping of virtual addresses to network addresses; and
  
  a controller, coupled to the set of filters and the mapping, to,access, upon receipt of a data packet requested to be sent from the computing device to a target device via a network, the set of filters and determine whether the data packet can be sent to the target device based on whether the computing device is allowed to communicate with the target device,replace, based on the mapping, the target address in the data packet with a corresponding target network address;
  
  forward the data packet to the target device at the target network address if it is determined the data packet can be sent to the target device;
  
  prevent the computing device from modifying any of the filters in the set of filters, but allow the set of filters to be modified by a plurality of remote devices operating at a plurality of different managerial levels, a first of the plurality of remote devices being a cluster operations management console for managing hardware operations of the computing device, a second of the plurality of remote devices being an application operations management console for managing software operations of the computing device; and
  
  prevent the application operations management console from adding any filters to the set of filters that are less restrictive than filters added by the cluster operations management console.
- View Dependent Claims (2, 4)
- - 2. A computing device as recited in claim 1, wherein the controller is to make the computing device aware of the virtual addresses in the mapping but to hide the network addresses in the mapping from the computing device.
  - 4. A computing device as recited in claim 1, the computing device including a processor that supports multiple privilege levels, and the controller being implemented in a most privileged level of the multiple privilege levels.

3. A computing device as recited in 1, further comprising allowing the set of filters to be modified by a lower managerial level remote device only if the modifications are not less restrictive than modifications imposed by a higher managerial level remote device.

5. A method comprising:
- maintaining, at a computing device, a set of filters that restrict the ability of the computing device to communicate with other computing devices;
  
  allowing the set of fitters to be modified by a plurality of remote devices operating at a plurality of different managerial levels, the plurality of remote devices including a cluster operations management device for managing hardware operations of the computing device, and an application operations management device for managing software operations of the computing device;
  
  preventing the application operations management device from adding any filters to the set of filters that are less restrictive than filters added by the cluster operations management device; and
  
  preventing the computing device from modifying the set of filters.
- View Dependent Claims (6, 7, 8, 9, 10, 11, 12, 13, 14, 15)
- - 6. A method as recited in claim 5, wherein restriction of the ability of the computing device to communicate with other computing devices comprises restricting the computing device from transmitting data packets to one or more other computing devices.
  - 7. A method as recited in claim 5, wherein modification of the set of filters includes one or more of:
    - adding a new filter to the set of filters, deleting a filter from the set of filters, and changing one or more parameters of a filter in the set of filters.
  - 8. A method as recited in claim 5, wherein one or more filters in the set of filters restrict one or more of the transmission of data packets of a particular type from the computing device and reception of data packets of a particular type at the computing device.
  - 9. A method as recited in claim 5, wherein one or more filters in the set of filters restrict one or more of the transmission of Internet Protocol (IP) data packets from the computing device and reception of IP data packets at the computing device based on one or more of:
    - a source address, a destination IP address, a source port, a destination port, and a protocol.
  - 10. A method as recited in claim 5, wherein one or more filters in the set of filters identifies that a data packet targeting a particular address can be transmitted from the computing device to the addressed device, and further identifies a new address that the particular address from the data packet is to be changed to prior to being communicated to the addressed device.
  - 11. A method as recited in claim 5, wherein one of the filters in the set of filters is a permissive filter that indicates a data packet can be passed to its targeted destination device if the data packet parameters match corresponding parameters of the filter.
  - 12. A method as recited in claim 5, wherein one of the filters in the set of filters is an exclusionary filter that indicates a data packet cannot be passed to its targeted destination device if the data packet parameters match corresponding parameters of the filter.
  - 13. A method as recited in claim 5, wherein each filter includes a plurality of filter parameters, and wherein each of the plurality of filter parameters can include wildcard values.
  - 14. A method as recited in claim 5, wherein the set of filters restrict the ability of the computing device to communicate with other computing devices on a per-data packet basis, wherein each filter includes a plurality of filter parameters, and wherein each filter parameter includes a filter value and a mask value indicating which portions of the filter value must match a corresponding parameter in a data packet for the data packet to satisfy the filter.
  - 15. One or more computer-readable memories containing a computer program that is executable by a processor to perform the method recited in claim 5.

16. A network mediator comprising:
- a set of filters; and
  
  a controller, coupled to the set of filters, to,access, upon receipt of a data packet requested to be sent from a computing device to a target device via a network, the set of filters and determine whether the data packet can be sent to the target device based on whether the computing device is allowed to communicate with the target device,prevent the computing device from modifying any of the filters in the set of filters but allow the set of filters to be modified by a remote cluster operations management console for managing hardware operations of the computing device and by a remote application operations management console for managing software operations of the computing device, andprevent the remote application operations management console from modifying the set of filters to be less restrictive than filters added by the remote cluster operations management console.
- View Dependent Claims (17, 18, 19, 20, 21, 22, 23)
- - 17. A network mediator as recited in claim 16, wherein the controller is further to access, upon receipt of another data packet from another target device via the network, the set of filters and determine whether the data packet can be received at the computing device based on whether the computing device is allowed to receive communications from the other target device.
  - 18. A network mediator as recited in claim 16, wherein the modifying the set of filters includes one or more of:
    - adding a new filter to the set of filters, deleting a filter from the set of filters, and changing one or more parameters of a filter in the set of filters.
  - 19. A network mediator as recited in claim 16, wherein the network mediator is coupled to the computing device.
  - 20. A network mediator as recited in claim 16, wherein the computing device includes the network mediator.
  - 21. A network mediator as recited in claim 16, wherein each filter in the set of filters includes a plurality of filter parameters, and wherein each filter parameter includes a filter value and a mask value indicating which portions of the filter value must match a corresponding parameter in the data packet for the data packet to satisfy the filter.
  - 22. A network mediator as recited in claim 21, wherein the controller is to allow the data packet to be forwarded to the target device if the data packet satisfies the filter.
  - 23. A network mediator as recited in claim 21, wherein the controller is to prevent the data packet from being forwarded to the target device if the data packet satisfies the filter.

24. A method comprising:
- maintaining a set of filters that restrict the ability of a computing device to communicate with other computing devices;
  
  allowing multiple remote computing devices, each corresponding to a different managerial level, to modify the set of filters, the multiple remote computing devices including a cluster operations management device for managing hardware operations of the computing device, and an application operations management device for managing software operations of the computing device; and
  
  preventing the application operations management device from modifying the set of filters in a manner that would result in a violation of a filter added by the cluster operations management device.
- View Dependent Claims (25, 27, 28, 29, 30)
- - 25. A method as recited in claim 24, wherein the preventing comprises:
    - receiving a request from the application operations management device to modify the set of filters;
      
      determining whether the request to modify would result in a violation of a filter previously added to the set of filters by the cluster operations management device; and
      
      performing the request to modify when the request to modify would not result in a violation, and otherwise not performing the request to modify.
  - 27. A method as recited in claim 24, wherein the violation occurs when the request to modify would result in a filter being less restrictive than the filter added by the cluster operations management device.
  - 28. A method as recited in claim 24, further comprising preventing the computing device from modifying the set of filters.
  - 29. A method as recited in claim 24, wherein the set of filters restrict the ability of the computing device to communicate with other computing devices on a per-data packet basis, wherein each filter includes a plurality of filter parameters, and wherein each filter parameter includes a filter value and a mask value indicating which portions of the filter value must match a corresponding parameter in a data packet for the data packet to satisfy the filter.
  - 30. One or more computer-readable memories containing a computer program that is executable by a processor to perform the method recited in claim 24.

26. A method as recited in 25, wherein the request to modify comprises one or more of:
- adding a filter to the set of filters, modifying a filter in the set of filters, and deleting a filter from the set of filters.

31. One or more computer-readable media having stored thereon a computer program to implement a multiple-level filter administration scheme and including a plurality of instructions that, when executed by one or more processors, causes the one or more processors to perform acts including:
- allowing a cluster operations management device for managing hardware operations of a filtered device to modify a set of filters corresponding to the filtered device, the cluster operations management device operating at a first of the multiple levels; and
  
  allowing an application operations management device for managing software operations of the filtered device to modify the set of filters only if the modification is at least as restrictive as the filters imposed by the first computing device, the application operations management device operating at a second of the multiple levels.
- View Dependent Claims (32, 33, 34)
- - 32. One or more computer-readable media as recited in claim 31, wherein the plurality of instructions further include instructions that, when executed by the one or more processors, causes the one or more processors to perform acts including allowing the cluster operations management device to remove a filter from the set of filters imposed by the cluster operations management device but not allowing the application operations management device to remove the filter.
  - 33. One or more computer-readable media as recited in claim 31, wherein allowing the cluster operations management device or the application operations management device to modify the set of filters comprises one or more of:
    - adding a new filter to the set of filters, removing a filter from the set of filters, and changing parameters of a filter in the set of filters.
  - 34. One or more computer-readable media as recited in claim 31, wherein the plurality of instructions further include instructions that, when executed by the one or more processors, causes the one or more processors to perform acts including preventing the filtered device from modifying the set of filters.

35. A method comprising:
- maintaining an association of virtual addresses and corresponding network addresses;
  
  making a computing device aware of the virtual addresses;
  
  hiding the network addresses from the computing device;
  
  receiving, from the computing device, a data packet intended for a target computing device corresponding to a target virtual address;
  
  replacing, based on the target virtual address, the target virtual address with the corresponding target network address;
  
  forwarding the data packet to the target computing device at the target network address;
  
  maintaining, at the computing device, a set of filters that further restrict the ability of the computing device to communicate with other computing devices;
  
  allowing the set of filters to be modified from a plurality of remote devices, the plurality of remote devices including a cluster operations management device for managing hardware operations of the computing device and an application operations management device for managing software operations of the computing device;
  
  preventing the application operations management device from modifying the set of filters in a manner that would result in a violation of a filter added by the cluster operations management device; and
  
  preventing the computing device from modifying the set of filters.
- View Dependent Claims (36, 37, 38)
- - 36. A method as recited in claim 35, wherein the replacing comprises performing the replacing transparent to the computing device.
  - 37. A method as recited in claim 35, further comprising:
    - receiving, from a source device, another data packet that is intended for the computing device, wherein the other data packet includes a network address of the source device; and
      
      replacing, based on the network address of the source device, the network address of the source device with a corresponding virtual address.
  - 38. One or more computer-readable memories containing a computer program that is executable by a processor to perform the method recited in claim 35.

39. A network mediator comprising:
- a mapping of virtual addresses to network addresses;
  
  a set of filters that restrict the ability of the computing device to communicate with other computing devices; and
  
  a controller, coupled to the mapping, to,make a corresponding computing device aware of the virtual addresses,hide the network addresses from the computing device,receive, from the computing device, a data packet intended for a target computing device corresponding to a target virtual address,replace, based on the target virtual address, the target virtual address with the corresponding target network address,forward the data packet to the target computing device at the target network address,allow the set of filters to be modified from a plurality of remote devices, the plurality of remote devices including a cluster operations management device for managing hardware operations of the computing device and an application operations management device for managing software operations of the computing device,prevent the application operations management device from modifying the set of filters in a manner that would result in a violation of a filter added by the cluster operations management device, andprevent the computing device from modifying the set of filters.
- View Dependent Claims (40, 41)
- - 40. A network mediator as recited in claim 39, wherein the network mediator is communicatively coupled to the computing device.
  - 41. A network mediator as recited in claim 39, wherein the computing device includes the network mediator.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Microsoft Technology Licensing LLC (Microsoft Corporation)
Original Assignee
Microsoft Corporation
Inventors
Tabbara, Bassam, Hunt, Galen C., Welland, Robert V., Hydrie, Aamer, Levi, Steven P.
Primary Examiner(s)
Sheikh, Ayaz
Assistant Examiner(s)
CHEN, SHIN HON

Application Number

US09/695,821
Time in Patent Office

2,121 Days
Field of Search

713200-202, 713/162, 713/151, 709/245, 709/244, 709/227, 709/238, 709/229, 370/401, 370/216, 370/353, 726/3, 726/11, 726 12- 15
US Class Current

726/13
CPC Class Codes

H04L 63/0236 Filtering by address, proto...

H04L 63/0263 Rule management

Using packet filters and network virtualization to restrict network communications

First Claim

2 Assignments

0 Petitions

Accused Products

Abstract

254 Citations

41 Claims

Specification

Use Cases

Quick Links

Others

Using packet filters and network virtualization to restrict network communications

First Claim

2 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

254 Citations

41 Claims

Specification

Subscription Required

Use Cases

Quick Links

Others