Methods and apparatus for a computer network firewall with multiple domain support

US 7,143,438 B1
Filed: 09/12/1997
Issued: 11/28/2006
Est. Priority Date: 09/12/1997
Status: Expired due to Term

- Alert
- Pin

Associated Cases

Associated Defendants

First Claim

Patent Images

1. A method for validating a packet in a computer network, comprising the steps of:

deriving a session key for said packet;

selecting at least one of a plurality of security policies as a function of the session key, wherein a security policy comprises multiple rules; and

using the selected at least one of the security policies in validating said packet.

View all claims

3 Assignments

Timeline View

Assignment View

Litigations

0 Petitions

Accused Products

Abstract

The invention provides improved computer network firewalls which include one or more features for increased processing efficiency. A firewall in accordance with the invention can support multiple security policies, multiple users or both, by applying any one of several distinct sets of access rules. The firewall can also be configured to utilize “stateful” packet filtering which involves caching rule processing results for one or more packets, and then utilizing the cached results to bypass rule processing for subsequent similar packets. To facilitate passage to a user, by a firewall, of a separate later transmission which is properly in response to an original transmission, a dependency mask can be set based on session data items such as source host address, destination host address, and type of service. The mask can be used to query a cache of active sessions being processed by the firewall, such that a rule can be selected based on the number of sessions that satisfy the query. Dynamic rules may be used in addition to pre-loaded access rules in order to simplify rule processing. To unburden the firewall of application proxies, the firewall can be enabled to redirect a network session to a separate server for processing.

Citations

26 Claims

1. A method for validating a packet in a computer network, comprising the steps of:
- deriving a session key for said packet;
  
  selecting at least one of a plurality of security policies as a function of the session key, wherein a security policy comprises multiple rules; and
  
  using the selected at least one of the security policies in validating said packet.
- View Dependent Claims (2, 3, 4, 5, 6, 7)
- - 2. The method of claim 1 wherein the session key includes items derived from header information appended to data in said packet.
  - 3. The method of claim 1 wherein the session key includes at least one item from a set consisting of (i) a source address, (ii) a destination address, (iii) a next-level protocol, (iv) a source port associated with a protocol, and (v) a destination port associated with the protocol.
  - 4. The method of claim 1 wherein the session key includes at least one item from a set consisting of (i) an Internet protocol (IP) source address, (ii) an IP destination address, (iii) a next-level protocol, (iv) the source port associated with the protocol, and (v) the destination port associated with the protocol.
  - 5. The method of claim 3 wherein the next-level protocol is transmission control protocol (TCP) or universal datagram protocol (UDP).
  - 6. The method of claim 1 wherein the network includes a plurality of network interfaces, and wherein the selecting step comprises the step of determining the interface at which the request was received.
  - 7. The method of claim 1 wherein the network includes a plurality of network interfaces, and wherein the selecting step comprises the step of determining the interface to which the request is to be sent.

8. A method for validating a packet in a computer network,comprising the steps of:
- designating a plurality of independent security policies, wherein a security policy comprises multiple rules;
  
  determining which security policy is appropriate for the packet; and
  
  validating the packet using at least a portion of the multiple rules of the determined security policy.
- View Dependent Claims (9, 10, 11)
- - 9. The method of claim 8 wherein at least a subset of the security policies correspond to different groups associated with a single firewall.
  - 10. The method of claim 8 wherein at least a subset of the security policies correspond to different sub-groups within a given group.
  - 11. The method of claim 8 wherein only an administrator for a given group has access to modify rules of a security policy for that group.

12. An apparatus for use in validating a packet in a firewall of a computer network, the firewall designating a plurality of independent security policies, the apparatus comprising:
- a processor associated with the firewall and operative (i) to process the packet to determine which of the security policies is appropriate for the packet, wherein a security policy comprises multiple rules, and (ii) to validate the packet using at least a portion of the multiple rules of the determined security policy.
- View Dependent Claims (13, 14, 15)
- - 13. The apparatus of claim 12 wherein at least a subset of the security policies correspond to different groups associated with a single firewall.
  - 14. The apparatus of claim 12 wherein at least a subset of the security policies correspond to different sub-groups within a given group.
  - 15. The apparatus of claim 12 wherein only an administrator for a given group has access to modify rules of a security policy for that group.

16. A method of providing a firewall in a computer network, comprising the steps of:
- segmenting a plurality of security policies into a plurality of domains, wherein a domain comprises at least one security policy and a security policy comprises multiple rules, and further wherein a plurality of administrators are associated with the plurality of domains; and
  
  administering the multiple rules such that only an administrator for a given domain is permitted to modify rules of a security policy for that domain.

17. A computer system for packet validation in a computer network, comprising:
- means for obtaining at least one data item from a request for a session;
  
  means for selecting at least one of a plurality of security policies as a function of the data item, wherein a security policy comprises multiple rules; and
  
  means for using the selected at least one of the security policies in validating packets of the session.
- View Dependent Claims (18, 19, 20, 21)
- - 18. The computer system of claim 17 wherein the network includes a plurality of network interfaces, and wherein the means for selecting comprises means for determining the interface at which the request was received.
  - 19. The computer system of claim 18 wherein the means for determining comprises means for referring to a source IP address contained in the request.
  - 20. The computer system of claim 17 wherein the network includes a plurality of network interfaces, and wherein the means for selecting comprises means for determining the interface to which the request is to be sent.
  - 21. The computer system of claim 20 wherein the means for determining comprises means for referring to a destination IP address contained in the request.

22. A method for packet validation in a computer network, comprising the steps of:
- obtaining at least one data item from a request for a session;
  
  selecting at least one of a plurality of security policies as a function of the data item, wherein a security policy comprises multiple rules; and
  
  using the selected at least one of the security policies in validating packets of the session.
- View Dependent Claims (23, 24, 25, 26)
- - 23. The method of claim 22 wherein the network includes a plurality of network interfaces, and the selecting step includes determining the interface at which the request was received.
  - 24. The method of claim 23 wherein the determining step includes referring to a source IP address contained in the request.
  - 25. The method of claim 22 wherein the network includes a plurality of network interfaces, and the selecting step includes determining the interface to which the request is to be sent.
  - 26. The method of claim 25 wherein the determining step includes referring to a destination IP address contained in the request.

Specification

Resources

Litigation Campaign Assessment

Litigation Data

Current Assignee
Lucent Technologies, Inc. (Nokia Corporation)
Original Assignee
Lucent Technologies, Inc. (Nokia Corporation)
Inventors
Sharp, Ronald L., Coss, Michael John, Majette, David L.
Primary Examiner(s)
REVAK, CHRISTOPHER A

Application Number

US08/927,382
Time in Patent Office

3,364 Days
Field of Search

713/201, 713/200, 713150-154, 713/160, 713/161, 709223-229, 709/245, 709/246, 709/200, 395/187.01, 380/25
US Class Current

726/11
CPC Class Codes

H04L 63/0254   Stateful filtering

H04L 63/0263   Rule management

H04L 9/40   Network security protocols

Methods and apparatus for a computer network firewall with multiple domain support

First Claim

3 Assignments

Litigations

0 Petitions

Accused Products

Abstract

Citations

26 Claims

Specification

Solutions

Use Cases

Quick Links

Methods and apparatus for a computer network firewall with multiple domain support

First Claim

3 Assignments

Subscription Required

Subscription Required

Litigations

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

Citations

26 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links