Controlled information flow between communities via a firewall
First Claim
1. A method of controlling information flow through a firewall, said method comprising:
determining a first incoming packet community set (PCS) of a first data packet received on an interface of said firewall;
discarding said first data packet in response to detecting said first incoming PCS is not a subset of an interface community set (IFCS) of said interface; and
processing said first data packet in response to detecting said first incoming PCS is a subset of said IFCS, wherein said processing comprises:
matching said first data packet to a first rule of a plurality of rules of said firewall;
comparing said first incoming PCS to a second incoming PCS specified by the first rule;
changing the first incoming PCS in the first data packet to an outgoing PCS specified by the first rule, in response to determining the first incoming PCS matches the second incoming PCS;
comparing said outgoing PCS with a destination community set of said first data packet, prior to transmitting the first data packet to said destination community;
discarding said first data packet in response to detecting said outgoing PCS is not a subset of said destination community set; and
further processing said first data packet in response to detecting said outgoing PCS is a subset of said destination community set;
wherein the determining, discarding, and processing are performed within a single node of a network.
Abstract
A method and mechanism of controlling information flow in a firewall. A firewall controls the flow of information between different communities. The enforcement method and mechanism uses a database of associations of sets of communities corresponding to network addresses. Upon receiving an incoming data packet, a packet community set (PCS) is determined for the data packet. If the PCS is not a subset of an interface community set (IFCS) of the interface upon which the data packet was received, the data packet is discarded. Otherwise, a firewall rule match is determined for the data packet. If a rule match is detected, a PCS attribute of the matching rule is compared to the PCS of the data packet. If the PCS attribute of the rule matches the PCS of the data packet and the rule indicates the data packet is to be forwarded, the PCS of the data packet is changed to a second PCS indicated by the matching rule. If the new PCS of the data packet is a subset of an IFCS of the interface upon which the data packet is to be output, the data packet is transmitted. Otherwise, the data packet is discarded.
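The decision sequence the abstract describes, written out as an added example (not code from the patent): the community information base is assumed to be keyed by address prefix, the incoming PCS is assumed to be derived from the packet's source address, the "destination community set" is taken as the CIB entry for the destination address, and a PCS mismatch on a matched rule is treated as a drop. The sample configuration at the bottom is constructed.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Dict, FrozenSet, List, Tuple

CommunitySet = FrozenSet[str]

@dataclass(frozen=True)
class Rule:
    dst_net: str                 # rule matches on destination prefix
    incoming_pcs: CommunitySet   # PCS attribute a packet must carry to match
    outgoing_pcs: CommunitySet   # PCS written into the packet when forwarded
    forward: bool                # False: rule says drop

@dataclass
class Firewall:
    cib: Dict[str, CommunitySet]   # community information base: prefix -> communities
    ifcs: Dict[str, CommunitySet]  # interface -> interface community set (IFCS)
    rules: List[Rule]

    def lookup(self, addr: str) -> CommunitySet:
        """Longest-prefix match in the CIB; unknown addresses get the empty set."""
        a, best = ip_address(addr), None
        for prefix, cs in self.cib.items():
            net = ip_network(prefix)
            if a in net and (best is None or net.prefixlen > best[0].prefixlen):
                best = (net, cs)
        return best[1] if best else frozenset()

    def decide(self, src: str, dst: str, iface: str) -> Tuple[str, object]:
        pcs = self.lookup(src)   # incoming PCS (assumed: derived from source address)
        if not pcs <= self.ifcs.get(iface, frozenset()):
            return ("drop", "incoming PCS not a subset of IFCS")
        rule = next((r for r in self.rules if ip_address(dst) in ip_network(r.dst_net)), None)
        if rule is None:
            return ("drop", "no matching rule")
        if pcs != rule.incoming_pcs:   # assumed: PCS mismatch on a matched rule is a drop
            return ("drop", "PCS does not match rule PCS attribute")
        if not rule.forward:
            return ("drop", "rule action is drop")
        if not rule.outgoing_pcs <= self.lookup(dst):   # destination community set check
            return ("drop", "outgoing PCS not a subset of destination community set")
        return ("forward", rule.outgoing_pcs)   # packet now carries the rewritten PCS

FW = Firewall(  # constructed sample: three communities, two interfaces, two rules
    cib={"10.1.0.0/16": frozenset({"eng"}), "10.2.0.0/16": frozenset({"fin"}),
         "192.0.2.0/24": frozenset({"eng", "fin", "dmz"})},
    ifcs={"eth0": frozenset({"eng", "fin"}), "eth1": frozenset({"dmz"})},
    rules=[Rule("192.0.2.0/24", frozenset({"eng"}), frozenset({"dmz"}), True),
           Rule("10.2.0.0/16", frozenset({"eng"}), frozenset({"eng"}), True)],
)
```

`FW.decide("10.1.5.5", "192.0.2.10", "eth0")` forwards with the PCS rewritten to `{"dmz"}`, while the same packet arriving on `eth1` fails the IFCS check and a packet to `10.2.0.7` fails the destination community set check even though a rule matched it.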
42 Claims
15. A node configured to act as a firewall, wherein said node comprises:
a processing unit, wherein said processing unit is configured to:
determine a first incoming packet community set of a first data packet received on an interface of said node;
discard said first data packet in response to detecting said first incoming PCS is not a subset of an interface community set (IFCS) of said interface; and
process said first data packet in response to detecting said first incoming PCS is a subset of said IFCS, wherein processing the first data packet comprises:
matching said first data packet to a first rule of a plurality of rules of said firewall;
comparing said first incoming PCS to a second incoming PCS specified by the first rule;
changing the first incoming PCS in the first data packet to an outgoing PCS specified by the first rule, in response to determining the first incoming PCS matches the second incoming PCS;
compare said outgoing PCS with a destination community set of said first data packet, prior to transmitting the first data packet to said destination community;
discard said first data packet in response to detecting said outgoing PCS is not a subset of said destination community set; and
process said first data packet for output in response to detecting said outgoing PCS is a subset of said destination community set; and
a community information base coupled to said processing unit.
29. A computer network comprising:
a node configured to act as a firewall, wherein said node comprises:
a processing unit, wherein said processing unit is configured to:
determine a first incoming packet community set of a first data packet received on an interface of said node;
discard said first data packet in response to detecting said first incoming PCS is not a subset of an interface community set (IFCS) of said interface; and
process said first data packet in response to detecting said first incoming PCS is a subset of said IFCS, wherein processing the first data packet comprises:
matching said first data packet to a first rule of a plurality of rules of said firewall;
comparing said first incoming PCS to a second incoming PCS specified by the first rule; and
changing the first incoming PCS in the first data packet to an outgoing PCS specified by the first rule, in response to determining the first incoming PCS matches the second incoming PCS;
comparing said outgoing PCS with a destination community set of said first data packet, prior to transmitting the first data packet to said destination community;
discarding said first data packet in response to detecting said outgoing PCS is not a subset of said destination community set; and
further processing said first data packet in response to detecting said outgoing PCS is a subset of said destination community set; and
a community information base coupled to said processing unit;
a first computer network coupled to said node; and
a second computer network coupled to said node.
Specification