Controlled information flow between communities via a firewall

US 7,296,291 B2
Filed: 08/07/2001
Issued: 11/13/2007
Est. Priority Date: 12/18/2000
Status: Active Grant

First Claim

Patent Images

1. A method of controlling information flow through a firewall, said method comprising:

determining a first incoming packet community set (PCS) of a first data packet received on an interface of said firewall;

discarding said first data packet in response to detecting said first incoming PCS is not a subset of an interface community set (IFCS) of said interface; and

processing said first data packet in response to detecting said first incoming PCS is a subset of said IFCS, wherein said processing comprises;

matching said first data packet to a first rule of a plurality of rules of said firewall;

comparing said first incoming PCS to a second incoming PCS specified by the first rule;

changing the first incoming PCS in the first data packet to an outgoing PCS specified by the first rule, in response to determining the first incoming PCS matches the second incoming PCS;

comparing said outgoing PCS with a destination community set of said first data packet, prior to transmitting the first data packet to said destination community;

discarding said first data packet in response to detecting said outgoing PCS is not a subset of said destination community set; and

further processing said first data packet in response to detecting said outgoing PCS is a subset of said destination community set;

wherein the determining, discarding, and processing are performed within a single node of a network.

View all claims

2 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

A method and mechanism of controlling information flow in a firewall. A firewall controls the flow of information between different communities. The enforcement method and mechanism uses a database of associations of sets of communities corresponding to network addresses. Upon receiving an incoming data packet, a packet community set (PCS) is deterined for the data packet. If the PCS is not a subset of an interface community set (IFCS) of the interface upon which the data packet was received, the data packet is discarded. Otherwise, a firewall rule match is determined for the data packet. If a rule match is detected, a PCS attribute of the matching rule is compared to the PCS of the data packet. If the PCS attribute of the rule matches the PCS of the data packet and the rule indicates the data packet is to be forwarded, the PCS of the data packet is changed to a second PCS indicated by the matching rule. If the new PCS of the data packet is a subset of an IFCS of the interface upon which the data packet is to be output, the data packet is transmitted. Otherwise, the data packet is discarded.

27 Citations

View as Search Results

42 Claims

1. A method of controlling information flow through a firewall, said method comprising:
- determining a first incoming packet community set (PCS) of a first data packet received on an interface of said firewall;
  
  discarding said first data packet in response to detecting said first incoming PCS is not a subset of an interface community set (IFCS) of said interface; and
  
  processing said first data packet in response to detecting said first incoming PCS is a subset of said IFCS, wherein said processing comprises;
  
  matching said first data packet to a first rule of a plurality of rules of said firewall;
  
  comparing said first incoming PCS to a second incoming PCS specified by the first rule;
  
  changing the first incoming PCS in the first data packet to an outgoing PCS specified by the first rule, in response to determining the first incoming PCS matches the second incoming PCS;
  
  comparing said outgoing PCS with a destination community set of said first data packet, prior to transmitting the first data packet to said destination community;
  
  discarding said first data packet in response to detecting said outgoing PCS is not a subset of said destination community set; and
  
  further processing said first data packet in response to detecting said outgoing PCS is a subset of said destination community set;
  
  wherein the determining, discarding, and processing are performed within a single node of a network.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13, 14)
- - 2. The method of claim 1, wherein said determining comprises determining a source network address community set (NACS) of said first data packet.
  - 3. The method of claim 1, wherein said determining comprises determining a source network service community set (NSCS) of said first data packet.
  - 4. The method of claim 1, wherein said incoming PCS is encoded in a header of said first data packet, and wherein said determining comprises decoding said incoming PCS from said header of said first data packet.
  - 5. The method of claim 1, wherein said processing further comprises discarding the first data packet, in response to determining the first incoming PCS does not match the second incoming PCS.
  - 6. The method of claim 5, wherein changing said first incoming PCS to the outgoing PCS is in further response to determining that said first rule includes the action of forwarding said first data packet.
  - 7. The method of claim 1, wherein said destination community set is a network address community set (NACS).
  - 8. The method of claim 1, wherein said destination community set is a network service community set (NSCS).
  - 9. The method of claim 1, wherein said further processing comprises:
    - transmitting said first data packet via an output interface of said firewall in response to detecting said outgoing PCS is a subset of the interface community set (IFCS) of said output interface; and
      
      discarding said first data packet in response to detecting said outgoing PCS is not a subset of said IFCS.
  - 10. The method of claim 9, wherein said further processing further comprises encoding said outgoing PCS in a header of said first data packet.
  - 11. The method of claim 10, further comprising recording an event corresponding to said first data packet in response to detecting said outgoing PCS is not a subset of said destination community set.
  - 12. The method of claim 9, further comprising recording an event corresponding to said first data packet in response to detecting said first data packet is discarded.
  - 13. The method of claim 1, further comprising consulting a community information base (CIB).
  - 14. The method of claim 13, wherein said CIB includes community set information corresponding to network addresses, network services, and interfaces.

15. A node configured to act as a firewall, wherein said node comprises:
- a processing unit, wherein said processing unit is configured to;
  
  determine a first incoming packet community set of a first data packet received on an interface of said node;
  
  discard said first data packet in response to detecting said first incoming PCS is not a subset of an interface community set (IFCS) of said interface; and
  
  process said first data packet in response to detecting said first incoming PCS is a subset of said IFCS, wherein processing the first data packet comprises;
  
  matching said first data packet to a first rule of a plurality of rules of said firewall;
  
  comparing said first incoming PCS to a second incoming PCS specified by the first rule;
  
  changing the first incoming PCS in the first data packet to an outgoing PCS specified by the first rule, in response to determining the first incoming PCS matches the second incoming PCS;
  
  compare said outgoing PCS with a destination community set of said first data packet, prior to transmitting the first data packet to said destination community;
  
  discard said first data packet in response to detecting said outgoing PCS is not a subset of said destination community set; and
  
  process said first data packet for output in response to detecting said outgoing PCS is a subset of said destination community set; and
  
  a community information base coupled to said processing unit.
- View Dependent Claims (16, 17, 18, 19, 20, 21, 22, 23, 24, 25, 26, 27, 28)
- - 16. The node of claim 15, wherein said processing unit is configured to determine said incoming PCS by determining a source network address community set (NACS) of said first data packet.
  - 17. The node of claim 15, wherein said processing unit is configured to determine said incoming PCS by determining a source network service community set (NSCS) of said first data packet.
  - 18. The node of claim 15, wherein said incoming PCS is encoded in a header of said first data packet, and wherein said processing unit is configured to determine said incoming PCS by decoding said incoming PCS from said header of said first data packet.
  - 19. The node of claim 15, wherein processing the first data packet further comprises discarding the first data packet, in response to determining the first incoming PCS does not match the second incoming PCS.
  - 20. The node of claim 19, wherein changing said first incoming PCS to the outgoing PCS is in further response to detecting that said first rule includes the action of forwarding said first data packet.
  - 21. The node of claim 15, wherein said destination community set is a network address community set (NACS).
  - 22. The node of claim 15, wherein said destination community set is a network service community set (NSCS).
  - 23. The node of claim 15, wherein said processing said first data packet for output comprises:
    - transmitting said first data packet via an output interface of said firewall in response to detecting said outgoing PCS is a subset of the interface community set (IFCS) of said output interface; and
      
      discarding said first data packet in response to detecting said outgoing PCS is not a subset of said IFCS.
  - 24. The node of claim 23, wherein said processing unit is further configured to encode said outgoing PCS in a header of said first data packet prior to said transmitting.
  - 25. The node of claim 24, wherein said processing unit is further configured to record an event corresponding to said first data packet in response to detecting said outgoing PCS is not a subset of said destination community set.
  - 26. The node of claim 23, further comprising recording an event corresponding to said first data packet in response to detecting said first data packet is discarded.
  - 27. The node of claim 15, wherein said processing unit is configured to consult said community information base (CIB).
  - 28. The node of claim 27, wherein said CIB includes community set information corresponding to network addresses, network services, and interfaces.

29. A computer network comprising:
- a node configured to act as a firewall, wherein said node comprises;
  
  a processing unit, wherein said processing unit is configured to;
  
  determine a first incoming packet community set of a first data packet received on an interface of said node;
  
  discard said first data packet in response to detecting said first incoming PCS is not a subset of an interface community set (IFCS) of said interface; and
  
  process said first data packet in response to detecting said first incoming PCS is a subset of said IFCS, wherein processing the first data packet comprises;
  
  matching said first data packet to a first rule of a plurality of rules of said firewall;
  
  comparing said first incoming PCS to a second incoming PCS specified by the first rule; and
  
  changing the first incoming PCS in the first data packet to an outgoing PCS specified by the first rule, in response to determining the first incoming PCS matches the second incoming PCS;
  
  comparing said outgoing PCS with a destination community set of said first data packet, prior to transmitting the first data packet to said destination community;
  
  discarding said first data packet in response to detecting said outgoing PCS is not a subset of said destination community set; and
  
  further processing said first data packet in response to detecting said outgoing PCS is a subset of said destination community set; and
  
  a community information base coupled to said processing unit;
  
  a first computer network coupled to said node; and
  
  a second computer network coupled to said node.
- View Dependent Claims (30, 31, 32, 33, 34, 35, 36, 37, 38, 39, 40, 41, 42)
- - 30. The computer network of claim 29, wherein said node is configured to determine said incoming PCS by determining a source network address community set (NACS) of said first data packet.
  - 31. The computer network of claim 29, wherein said node is configured to determine said incoming PCS by determining a source network service community set (NSCS) of said first data packet.
  - 32. The computer network of claim 29, wherein said incoming PCS is encoded in a header of said first data packet, and wherein said node is configured to determine said incoming PCS by decoding said incoming PCS from said header of said first data packet.
  - 33. The computer network of claim 29, wherein processing the first data packet further comprises discarding the first data packet, in response to determining the first incoming PCS does not match the second incoming PCS.
  - 34. The computer network of claim 33, wherein changing said first incoming PCS to the outgoing PCS is in further response to detecting that said first rule includes the action of forwarding said first data packet.
  - 35. The computer network of claim 29, wherein said destination community set is a network address community set (NACS).
  - 36. The computer network of claim 29, wherein said destination community set is a network service community set (NSCS).
  - 37. The computer network of claim 29, wherein said processing said first data packet for output comprises:
    - transmitting said first data packet via an output interface of said firewall in response to detecting said outgoing PCS is a subset of the interface community set (IFCS) of said output interface; and
      
      discarding said first data packet in response to detecting said outgoing PCS is not a subset of said IFCS.
  - 38. The computer network of claim 37, wherein said node is further configured to encode said outgoing PCS in a header of said first data packet prior to said transmitting.
  - 39. The computer network of claim 38, wherein said node is further configured to record an event corresponding to said first data packet in response to detecting said outgoing PCS is not a subset of said destination community set.
  - 40. The computer network of claim 37, further comprising recording an event corresponding to said first data packet in response to detecting said first data packet is discarded.
  - 41. The computer network of claim 29, wherein said node is configured to consult said community information base (CIB).
  - 42. The computer network of claim 41, wherein said CIB includes community set information corresponding to network addresses, network services, and interfaces.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Oracle America, Inc. (Oracle Corporation)
Original Assignee
Sun Microsystems Incorporated (Oracle Corporation)
Inventors
Tahan, Thomas E.
Primary Examiner(s)
Moise; Emmanuel L.
Assistant Examiner(s)
PYZOCHA, MICHAEL J

Application Number

US09/923,588
Publication Number

US 20020078370A1
Time in Patent Office

2,289 Days
Field of Search

370/289, 713/200, 713/154, 726/11
US Class Current

726/11
CPC Class Codes

H04L 63/0227   Filtering policies mail mes...

H04L 63/0236   Filtering by address, proto...

H04L 63/0263   Rule management

H04L 63/0272   Virtual private networks

H04L 63/104   Grouping of entities

Controlled information flow between communities via a firewall

First Claim

2 Assignments

0 Petitions

Accused Products

Abstract

27 Citations

42 Claims

Specification

Solutions

Use Cases

Quick Links

Controlled information flow between communities via a firewall

First Claim

2 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

27 Citations

42 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links