Method and apparatus for implementing a layer 3/layer 7 firewall in an L2 device
Abstract
Methods and apparatus for transferring packets in a packet switched communication system. A system is provided that includes an L2 device including a controller determining for each packet received whether the received packet is to be inspected, an inspection device operable to inspect and filter packets identified by the controller including using a zone specific policy and an L2 controller for transferring inspected packets in accordance with L2 header information using L2 protocols.
84 Citations
24 Claims
1. An L2 device comprising:
- at least one port to couple to a terminal unit included in a first security zone;
- at least one port to couple to a terminal unit included in a second security zone that is distinct from the first security zone;
- a controller to determine for each packet received from either the first security zone or the second security zone whether the received packet is an inter-zone packet destined for the other of the first security zone or the second security zone;
- a firewall engine to inspect and filter received inter-zone packets using a zone specific policy; and
- an L2 switching engine to transfer to a port associated with intra-zone transfer, without inspection by the firewall engine, received intra-zone packets using a table of MAC addresses and corresponding ports, and to transfer to a port associated with inter-zone transfer, inter-zone packets that are retained after the inspection by the firewall engine.

2. An L2 device comprising:
- a controller to determine for each packet received whether the received packet is to be transferred intra-zone or inter-zone, each zone representing a distinct security domain and having an associated policy for use in inspecting packets entering and exiting an associated zone;
- a firewall engine to inspect and filter received inter-zone packets using a zone specific policy; and
- an L2 switching engine operable to route to an intra-zone port, without the inspection by the firewall engine, received intra-zone packets using a table of MAC addresses and corresponding ports, and to route to an inter-zone port inspected inter-zone packets that are retained after the inspection by the firewall engine.

3. An L2 device comprising:
- a controller to determine for each packet received whether the received packet is to be transferred inter-zone or intra-zone, inter-zone being between a plurality of zones and intra-zone being within a single one of the zones, each zone representing a distinct security domain; and
- a firewall engine to inspect and filter inter-zone packets using a zone specific policy prior to permitting inter-zone routing using L2 protocols, wherein intra-zone packets are not inspected by the firewall engine.

4. An L2 device comprising:
- a controller to determine for each packet received whether the received packet is an inter-zone packet that is permitted to be transferred from a first distinct security domain to a second distinct security domain subject to a security inspection, or an intra-zone packet that is permitted to be transferred within the first or second distinct security domain without being subjected to a security inspection; and
- an inspection device to inspect and filter inter-zone packets using a zone specific policy prior to inter-zone routing using L2 protocols.

5. An L2 device comprising:
- a controller to determine for each packet received whether the received packet is to be inspected against a security policy;
- an inspection device to inspect and filter only those packets identified by the controller as needing inspection, based on a zone specific policy; and
- an L2 controller to transfer inspected packets from a first security zone to a second security zone in accordance with L2 header information using L2 protocols, and to transfer non-inspected packets within the first or second security zone.

(Dependent claims 6 to 17 not shown.)

18. A method for transferring packets in a communication network, the method comprising:
- receiving a packet at an L2 device;
- determining whether the received packet is an intra-zone packet to be transferred within a single zone or an inter-zone packet to be transferred between zones, each zone representing a distinct security domain;
- inspecting and filtering inter-zone packets using a zone specific policy prior to inter-zone routing of the inter-zone packets using L2 protocols; and
- routing the intra-zone packets without subjecting them to security inspection or filtering.

19. A method for transferring packets in a communication network, the method comprising:
- receiving a packet at an L2 device;
- determining whether the received packet is to be inspected against a security policy;
- inspecting and filtering identified packets using a zone specific policy prior to transferring the packet from a first security zone through the L2 device, using L2 protocols, to a second security zone distinct from the first security zone; and
- transferring non-inspected packets either from the first security zone to the first security zone, or from the second security zone to the second security zone.

20. A method for switching packets in a communication network including plural zones, each zone representing a distinct security domain, the method comprising:
- receiving a packet at an interface of an L2 device;
- determining if a destination MAC address associated with the received packet is known; and
- if not, holding the received packet a predetermined amount of time without transferring the packet to any port of the L2 device, creating a probe packet that includes the unknown MAC address, and broadcasting the probe packet to all interfaces except the receiving interface.

(Dependent claims 21 to 24 not shown.)
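As an added illustration, not code from the patent or from any product, the following Python model reproduces the forwarding decision the independent claims describe: ports are assigned to security zones, intra-zone frames are switched from the MAC table without inspection, inter-zone frames must pass the zone-pair policy first, and a frame whose destination MAC is unknown is held while a probe is flooded to every other interface (claim 20). The class, method, zone and policy names are assumptions; the hold timer of claim 20 is omitted.

```python
from dataclasses import dataclass, field

@dataclass
class Frame:
    src_mac: str
    dst_mac: str
    ip_proto: str = "tcp"   # L3/L7 header fields the firewall engine inspects
    dst_port: int = 0

@dataclass
class L2ZoneFirewall:
    """Minimal model of the claimed L2 device (assumed names, not the patent's)."""
    port_zone: dict                      # port -> security zone (static configuration)
    policy: dict                         # (from_zone, to_zone) -> allowed {(proto, dst_port)}
    mac_table: dict = field(default_factory=dict)   # learned MAC -> port
    held: list = field(default_factory=list)        # frames awaiting a probe reply

    def receive(self, in_port, frame):
        """Return ("switch", out_port), ("drop", reason) or ("probe", ports)."""
        self.mac_table[frame.src_mac] = in_port               # source-MAC learning
        out_port = self.mac_table.get(frame.dst_mac)
        if out_port is None:
            # Claim 20: unknown destination -> hold the frame (timer omitted here)
            # and flood a probe to every interface except the receiving one.
            self.held.append((in_port, frame))
            return "probe", [p for p in self.port_zone if p != in_port]
        src_zone, dst_zone = self.port_zone[in_port], self.port_zone[out_port]
        if src_zone == dst_zone:
            return "switch", out_port       # intra-zone: MAC-table switching, no inspection
        # inter-zone: the firewall engine applies the zone-pair policy before switching
        if (frame.ip_proto, frame.dst_port) not in self.policy.get((src_zone, dst_zone), set()):
            return "drop", f"{src_zone}->{dst_zone} policy"
        return "switch", out_port           # retained after inspection

    def probe_reply(self, mac, port):
        """Probe answered: learn the MAC, then re-dispatch the frames held for it."""
        self.mac_table[mac] = port
        pending = [(p, f) for p, f in self.held if f.dst_mac == mac]
        self.held = [(p, f) for p, f in self.held if f.dst_mac != mac]
        return [self.receive(p, f) for p, f in pending]

def demo():
    """Constructed scenario: ports 1-2 in zone 'trust', ports 3-4 in zone 'dmz'."""
    dev = L2ZoneFirewall(port_zone={1: "trust", 2: "trust", 3: "dmz", 4: "dmz"},
                         policy={("trust", "dmz"): {("tcp", 443)}})  # only HTTPS may cross
    dev.mac_table.update({"aa:2": 2, "aa:3": 3})                 # pre-learned stations
    intra = dev.receive(1, Frame("aa:1", "aa:2", "tcp", 22))      # same zone, never inspected
    inter_ok = dev.receive(1, Frame("aa:1", "aa:3", "tcp", 443))  # crosses zones, policy allows
    inter_drop = dev.receive(1, Frame("aa:1", "aa:3", "tcp", 22)) # crosses zones, policy denies
    probe = dev.receive(1, Frame("aa:1", "aa:9"))                 # unknown MAC: held + probe
    released = dev.probe_reply("aa:9", 2)                         # aa:9 answers on port 2
    return intra, inter_ok, inter_drop, probe, released
```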