Method and apparatus for implementing a layer 3/layer 7 firewall in an L2 device

US 7,302,700 B2
Filed: 09/28/2001
Issued: 11/27/2007
Est. Priority Date: 09/28/2001
Status: Active Grant

- Alert
- Pin

First Claim

Patent Images

1. An L2 device comprising:

at least one port to couple to a terminal unit included in a first security zone;

at least one port to couple to a terminal unit included in a second security zone that is distinct from the first security zone;

a controller to determine for each packet received from either the first security zone or the second security zone whether the received packet is an inter-zone packet destined for the other of the first security zone or the second security zone;

a firewall engine to inspect and filter received inter-zone packets using a zone specific policy; and

an L2 switching engine to transfer to a port associated with intra-zone transfer, without inspection by the firewall engine, received intra-zone packets using a table of MAC addresses and corresponding ports, and to transfer to a port associated with inter-zone transfer, inter-zone packets that are retained after the inspection by the firewall engine.

View all claims

2 Assignments

Timeline View

Assignment View

Litigations

0 Petitions

Reexamination

Accused Products

Abstract

Methods and apparatus for transferring packets in a packet switched communication system. A system is provided that includes an L2 device including a controller determining for each packet received whether the received packet is to be inspected, an inspection device operable to inspect and filter packets identified by the controller including using a zone specific policy and an L2 controller for transferring inspected packets in accordance with L2 header information using L2 protocols.

84 Citations

View as Search Results

24 Claims

1. An L2 device comprising:
- at least one port to couple to a terminal unit included in a first security zone;
  
  at least one port to couple to a terminal unit included in a second security zone that is distinct from the first security zone;
  
  a controller to determine for each packet received from either the first security zone or the second security zone whether the received packet is an inter-zone packet destined for the other of the first security zone or the second security zone;
  
  a firewall engine to inspect and filter received inter-zone packets using a zone specific policy; and
  
  an L2 switching engine to transfer to a port associated with intra-zone transfer, without inspection by the firewall engine, received intra-zone packets using a table of MAC addresses and corresponding ports, and to transfer to a port associated with inter-zone transfer, inter-zone packets that are retained after the inspection by the firewall engine.

2. An L2 device comprising:
- a controller to determine for each packet received whether the received packet is to be transferred intra-zone or inter-zone, each zone representing a distinct security domain and having an associated policy for use in inspecting packets entering and exiting an associated zone;
  
  a firewall engine to inspect and filter received inter-zone packets using a zone specific policy; and
  
  an L2 switching engine operable to;
  
  route to an intra-zone port, without the inspection by the firewall engine, received intra-zone packets using a table of MAC addresses and corresponding ports, androute to an inter-zone port inspected inter-zone packets that are retained after the inspection by the firewall engine.

3. An L2 device comprising:
- a controller to determine for each packet received whether the received packet is to be transferred inter-zone or intra-zone, inter-zone being between a plurality of zones and intra-zone being between a single one of the zones, each zone representing a distinct security domain; and
  
  a firewall engine to inspect and filter inter-zone packets using a zone specific policy prior to permitting inter-zone routing using L2 protocols, wherein intra-zone packets are not inspected by the firewall engine.

4. An L2 device comprising:
- a controller to determine for each packet received whether the received packet is an inter-zone packet that is permitted to be transferred from a first distinct security domain to a second distinct security domain subject to a security inspection or an intra-zone packet that is permitted to be transferred within the first or second distinct security domain without being subjected to a security inspection; and
  
  an inspection device to inspect and filter inter-zone packets using a zone specific policy prior to inter-zone routing using L2 protocols.

5. An L2 device comprising:
- a controller to determine for each packet received whether the received packet is to be inspected against a security policy;
  
  an inspection device to inspect and filter only those packets identified by the controller as needing inspection based on a zone specific policy; and
  
  an L2 controller to transfer inspected packets from a first security zone to a second security zone in accordance with L2 header information using L2 protocols, and transfer non-inspected packets within the first or second security zones.
- View Dependent Claims (6, 7, 8, 9, 10, 11, 12, 13, 14, 15, 16, 17)
- - 6. The device of claim 5 wherein the inspection device is a firewall.
  - 7. The device of claim 5 wherein the inspection device is a layer 3 firewall device.
  - 8. The device of claim 5 wherein the inspection device is a layer 4 firewall device.
  - 9. The device of claim 5 wherein the inspection device is a layer 7 firewall device.
  - 10. The device of claim 5 wherein the inspection device is a firewall that filters based on layer information other than layer 2 header information.
  - 11. The device of claim 5 wherein the controller determines each packet that is to pass between security zones and the inspection device only processes inter-zone traffic.
  - 12. The device of claim 5 wherein the controller determines each packet that is to remain in a single security zone and transfers intra-zone packets to the L2 controller, bypassing the inspection device.
  - 13. The device of claim 12 wherein the device uses a MAC address in the layer 2 header of a given packet to determine an egress port on the device to which the packet is to be transferred.
  - 14. The device of claim 5 further comprising a storage element for storing packets that are to be inspected and an L2 controller transferring packets through the device including determining an egress port for transferring a given packet using a destination MAC address in the given packet and a MAC address table that includes a mapping of MAC addresses and associated egress nodes.
  - 15. The device of claim 14 wherein the memory element includes a first and second portion, the first portion storing packets to be transferred through the device, and the second portion storing packets waiting for inspection.
  - 16. The device of claim 5 wherein the device is an L2 switch.
  - 17. The device of claim 5 wherein the device is an L2 bridge.

18. A method for transferring packets in a communication network, the method comprising:
- receiving a packet at an L2 device;
  
  determining whether the received packet is an intra-zone packet to be transferred within a single zone or an inter-zone packet to be transferred between zones, each zone representing a distinct security domain;
  
  inspecting and filtering inter-zone packets using a zone specific policy prior to inter-zone routing of the inter-zone packets using L2 protocols; and
  
  routing the ultra-zone packets without being subject to security inspection or filtering.

19. A method for transferring packets in a communication network, the method comprising:
- receiving a packet at an L2 device;
  
  determining whether the received packet is to be inspected against a security policy;
  
  inspecting and filtering identified packets using a zone specific policy prior to transferring the packet from a first security zone through the L2 device using L2 protocols to a second security zone distinct from the first security zone; and
  
  transferring non-inspected packets either from the first security zone to the first security zone, or from the second security zone to the second security zone.

20. A method for switching packets in a communication network including plural zones, each zone representing a distinct security domain, the method comprising:
- receiving a packet at an interface of an L2 device;
  
  determining if a destination MAC address associated with the received packet is known; and
  
  if not,holding the received packet a predetermined amount of time without transferring the packet to any port of the L2 device,creating a probe packet that includes the unknown MAC address, andbroadcasting the probe packet to all interfaces except the receiving interface.
- View Dependent Claims (21, 22, 23, 24)
- - 21. The method of claim 20 wherein the probe packet includes a time to life (TTL) field in an IP header and the method includes setting a value of the TTL field such that a downstream node having the unknown MAC address and receiving the probe packet will return an expired message to the L2 device.
  - 22. The method of claim 20 further comprising dropping the packet after the expiration of the predetermined amount of time.
  - 23. The method of claim 20 wherein the packet is dropped if the MAC address is unknown.
  - 24. The method of claim 20 further comprising receiving a response from one of the broadcast interfaces and updating a table indicating a previously unknown MAC address is associated with the responding interface.

Specification

Resources

Litigation Campaign Assessment

Litigation Data

Current Assignee
Juniper Networks Incorporated
Original Assignee
Juniper Networks Incorporated
Inventors
Huang, Guangsong, Cheung, Lee Chik, Mao, Yu Ming, Lian, Roger Jia-Jyi
Primary Examiner(s)
Revak; Christopher
Assistant Examiner(s)
LAFORGIA, CHRISTIAN A

Application Number

US09/967,878
Publication Number

US 20030065944A1
Time in Patent Office

2,251 Days
Field of Search

709220-230, 713200-205, 713/150, 370400-401, 726/13, 726/14, 726/11
US Class Current

726/11
CPC Class Codes

H04L 63/02   for separating internal fro...

H04L 63/0227   Filtering policies mail mes...

H04L 63/04   for providing a confidentia...

H04L 63/102   Entity profiles

H04L 63/162   at the data link layer

Method and apparatus for implementing a layer 3/layer 7 firewall in an L2 device

First Claim

2 Assignments

Litigations

0 Petitions

Reexamination

Accused Products

Abstract

84 Citations

24 Claims

Specification

Solutions

Use Cases

Quick Links

Method and apparatus for implementing a layer 3/layer 7 firewall in an L2 device

First Claim

2 Assignments

Subscription Required

Subscription Required

Litigations

0 Petitions

Subscription Required

Reexamination

Accused Products

Subscription Required

Abstract

84 Citations

24 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links