Method and apparatus for datastream analysis and blocking
First Claim
1. A method in a network access device comprising:
without proxying, analyzing each of a stream of packets traversing a single connection through the network access device from an external host to a protected host;
forwarding each allowed packet of the stream of packets as long as the connection is active, wherein forwarding each allowed packet comprises transmitting a message indicating that each allowed packet is allowed; and
if one of the stream of packets is determined to be disallowed by said analyzing, then discarding the disallowed packet and terminating the connection, causing the protected host to discard those packets received on the terminated connection.
Abstract
A method and apparatus for datastream analysis and blocking. According to one embodiment of the invention, a network access device analyzes (without proxying) each of a stream of packets traversing a single connection through the network access device from an external host to a protected host. In addition, the network access device forwards each allowed packet of the stream of packets as long as the connection is active. However, if one of the stream of packets is determined to be disallowed as a result of the analyzing, then the network access device discards the disallowed packet and terminates the connection, causing the protected host to discard those packets received on the terminated connection.
44 Claims
1. A method in a network access device comprising:
without proxying, analyzing each of a stream of packets traversing a single connection through the network access device from an external host to a protected host; forwarding each allowed packet of the stream of packets as long as the connection is active, wherein forwarding each allowed packet comprises transmitting a message indicating that each allowed packet is allowed; and if one of the stream of packets is determined to be disallowed by said analyzing, then discarding the disallowed packet and terminating the connection, causing the protected host to discard those packets received on the terminated connection. (Dependent claims: 2, 3, 4, 5)
6. A computer implemented method comprising:
copying a packet payload of each of a plurality of packets received on a single connection between an external host and a protected host that carries a stream of packets, the stream of packets including the plurality of packets; forwarding all but the last of the plurality of packets to the protected host; reassembling the copied packet payloads into a file; analyzing the file to determine if the file is allowed or disallowed; maintaining the connection while analyzing the file, said maintaining comprising copying each of the plurality of packets but the last packet before forwarding each of the plurality of packets, and holding the last packet and repeatedly forwarding the last copied packet; if the file is allowed, then forwarding the last packet to the protected host; and if the file is determined to be disallowed, then dropping the last packet and terminating the connection. (Dependent claims: 7, 8, 9, 10, 11, 12)
13. A computer implemented method comprising:
copying a packet payload of each of a plurality of packets received on a single connection between an external host and a protected host that carries a stream of packets, the stream of packets including the plurality of packets; forwarding all but the last of the plurality of packets to the protected host; reassembling the copied packet payloads into a file; analyzing the file to determine if the file is allowed or disallowed; maintaining the connection while analyzing the file, wherein maintaining the connection comprises decapsulating the last packet's payload, fragmenting the last packet's payload into subparts, encapsulating each subpart, and forwarding each subpart until analysis is complete; if the file is allowed, then forwarding the last packet to the protected host; and if the file is determined to be disallowed, then dropping the last packet and terminating the connection.
14. A computer implemented method comprising:
copying a packet payload of each of a plurality of packets received on a single connection between an external host and a protected host that carries a stream of packets, the stream of packets including the plurality of packets; forwarding all but the last of the plurality of packets to the protected host; reassembling the copied packet payloads into a file; analyzing the file to determine if the file is allowed or disallowed; if the file is allowed, then forwarding the last packet to the protected host, wherein forwarding each of the plurality of packets comprises transmitting a message indicating that each of the plurality of packets is allowed; and if the file is determined to be disallowed, then dropping the last packet and terminating the connection.
15. A computer implemented method comprising:
supporting a connection from an external host to a protected host; analyzing a header of each packet received over the connection from the external host; terminating the connection if a first packet received over the connection is determined to be disallowed and discarding the first packet; if the connection is not terminated, copying the first packet's payload; analyzing the first packet's payload; terminating the connection if said first packet's payload is determined to be disallowed and discarding the first packet; if the connection has not been terminated and if said first packet's payload is not a last block of a file, then forwarding said first packet to the protected host; if said first packet's payload is the last block of a file, then reassembling the first packet's payload with a set of one or more previously copied packet payloads into the file; analyzing the file to determine if the file is allowed or disallowed; maintaining the connection while analyzing the file, said maintaining comprising copying each of the plurality of packets but the last packet before forwarding each of the plurality of packets, and holding the last packet and repeatedly forwarding the last copied packet; if the file is disallowed then dropping the first packet and terminating the connection; and if the file is allowed then forwarding the first packet. (Dependent claims: 16, 17, 18, 19)
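A small in-line model of the procedure in claims 1, 6 and 15 above, added here as an illustration and not taken from the patent: each packet is checked without proxying, only the last block of a file is held while the reassembled file is judged, and a disallowed result drops the held packet and tears the connection down. The header, payload and file checks are hypothetical placeholders, and the repeated re-send of the last forwarded packet is reduced to a counter because the scan in this model is synchronous.

```python
from dataclasses import dataclass, field

BLOCKED_SIGNATURE = b"EVIL"  # constructed sample signature; stands in for the patent's analysis rules

@dataclass
class Packet:
    seq: int
    payload: bytes
    last: bool = False  # True when the payload is the last block of a file

@dataclass
class Connection:
    active: bool = True
    copied: list = field(default_factory=list)     # copied payloads awaiting reassembly
    delivered: list = field(default_factory=list)  # packets forwarded to the protected host
    keepalives: int = 0         # re-sends of the last forwarded packet while the file is scanned
    discarded_by_host: int = 0  # packets the protected host discards once the connection is torn down

def header_allowed(pkt: Packet) -> bool:
    return pkt.seq >= 0  # hypothetical header policy: reject malformed sequence numbers

def payload_allowed(payload: bytes) -> bool:
    return BLOCKED_SIGNATURE not in payload

def file_allowed(data: bytes) -> bool:
    # hypothetical whole-file policy: signature scan plus a block on executables (MZ header)
    return payload_allowed(data) and not data.startswith(b"MZ")

def terminate(conn: Connection) -> str:
    # tearing down the connection makes the protected host discard what it already received
    conn.active = False
    conn.discarded_by_host += len(conn.delivered)
    conn.delivered.clear()
    return "terminated"

def handle_packet(conn: Connection, pkt: Packet) -> str:
    if not conn.active:
        return "dropped"
    if not header_allowed(pkt) or not payload_allowed(pkt.payload):
        return terminate(conn)          # disallowed packet: discard it and tear down
    conn.copied.append(pkt.payload)     # copy the payload, then pass the packet through
    if not pkt.last:
        conn.delivered.append(pkt)
        return "forwarded"
    # last block: hold it, keep the connection up by re-sending the last forwarded packet (counted here), judge the file
    if conn.delivered:
        conn.keepalives += 1
    if file_allowed(b"".join(conn.copied)):
        conn.delivered.append(pkt)
        return "forwarded"
    return terminate(conn)
```

Feeding a clean two-block file forwards both packets, while a file whose reassembled bytes fail the whole-file check has its held last packet dropped and the already-forwarded packets discarded by the protected host.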
20. A computer implemented method comprising:
supporting a connection from an external host to a protected host; analyzing a header of each packet received over the connection from the external host; terminating the connection if a first packet received over the connection is determined to be disallowed and discarding the first packet; if the connection is not terminated, copying the first packet's payload; analyzing the first packet's payload; terminating the connection if said first packet's payload is determined to be disallowed and discarding the first packet; if the connection has not been terminated and if said first packet's payload is not a last block of a file, then forwarding said first packet to the protected host; if said first packet's payload is the last block of a file, then reassembling the first packet's payload with a set of one or more previously copied packet payloads into the file; analyzing the file to determine if the file is allowed or disallowed; maintaining the connection while analyzing the file, wherein maintaining the connection comprises decapsulating the last packet's payload, fragmenting the last packet's payload into subparts, encapsulating each subpart, and forwarding each subpart until analysis is complete; if the file is disallowed then dropping the first packet and terminating the connection; and if the file is allowed then forwarding the first packet.
21. An apparatus comprising:
a forwarding module to forward packets of a datastream along a connection between a protected host and an external host; and a datastream analysis module coupled with the forwarding module, the datastream analysis module to analyze each of the packets to determine if each of the packets are allowed or disallowed and to terminate the connection upon determining one of the packets to be disallowed and to discard the disallowed packet, causing the protected host to discard packets received on the terminated connection prior to the disallowed packet, wherein the forwarding module is operable to maintain the connection while the analysis module is analyzing the packets by copying each of the packets but the last packet before forwarding each of the packets, and holding the last packet and repeatedly forwarding the last copied packet. (Dependent claims: 22, 23)
24. A readable storage medium that provides instructions, which when executed by a set of one or more processors, cause said set of processors to perform operations comprising:
without proxying, analyzing each of a stream of packets traversing a single connection through the network access device from an external host to a protected host; forwarding each allowed packet of the stream of packets as long as the connection is active, wherein forwarding each allowed packet comprises transmitting a message indicating that each allowed packet is allowed; and if one of the stream of packets is determined to be disallowed by said analyzing, then discarding the disallowed packet and terminating the connection, causing the protected host to discard those packets received on the terminated connection. (Dependent claims: 25, 26, 27, 28)
29. A readable storage medium that provides instructions, which when executed by a set of one or more processors, cause said set of processors to perform operations comprising:
copying a packet payload of each of a plurality of packets received on a single connection between an external host and a protected host that carries a stream of packets, the stream of packets including the plurality of packets; forwarding all but the last of the plurality of packets to the protected host, wherein forwarding each of the plurality of packets comprises transmitting a message indicating that each of the plurality of packets is allowed; reassembling the copied packet payloads into a file; analyzing the file to determine if the file is allowed or disallowed; if the file is allowed, then forwarding the last packet to the protected host; and if the file is determined to be disallowed, then dropping the last packet and terminating the connection. (Dependent claims: 30, 31, 32, 33, 34, 35, 36)
37. A readable storage medium that provides instructions, which when executed by a set of one or more processors, cause said set of processors to perform operations comprising:
copying a packet payload of each of a plurality of packets received on a single connection between an external host and a protected host that carries a stream of packets, the stream of packets including the plurality of packets; forwarding all but the last of the plurality of packets to the protected host; reassembling the copied packet payloads into a file; analyzing the file to determine if the file is allowed or disallowed; maintaining the connection while analyzing the file, wherein maintaining the connection comprises decapsulating the last packet's payload, fragmenting the last packet's payload into subparts, encapsulating each subpart, and forwarding each subpart until analysis is complete; if the file is allowed, then forwarding the last packet to the protected host; and if the file is determined to be disallowed, then dropping the last packet and terminating the connection.
38. A readable storage medium that provides instructions, which when executed by a set of one or more processors, cause said set of processors to perform operations comprising:
copying a packet payload of each of a plurality of packets received on a single connection between an external host and a protected host that carries a stream of packets, the stream of packets including the plurality of packets; forwarding all but the last of the plurality of packets to the protected host; reassembling the copied packet payloads into a file; analyzing the file to determine if the file is allowed or disallowed; maintaining the connection while analyzing the file, wherein maintaining the connection comprises copying each of the plurality of packets but the last packet before forwarding each of the plurality of packets, and holding the last packet and repeatedly forwarding the last copied packet; if the file is allowed, then forwarding the last packet to the protected host; and if the file is determined to be disallowed, then dropping the last packet and terminating the connection.
39. A readable storage medium that provides instructions, which when executed by a set of one or more processors, cause said set of processors to perform operations comprising:
supporting a connection from an external host to a protected host; analyzing a header of each packet received over the connection from the external host; terminating the connection if a first packet received over the connection is determined to be disallowed and discarding the first packet; if the connection is not terminated, copying the first packet's payload; analyzing the first packet's payload; terminating the connection if said first packet's payload is determined to be disallowed and discarding the first packet; if the connection has not been terminated and if said first packet's payload is not a last block of a file, then forwarding said first packet to the protected host; if said first packet's payload is the last block of a file, then reassembling the first packet's payload with a set of one or more previously copied packet payloads into the file; analyzing the file to determine if the file is allowed or disallowed; maintaining the connection while analyzing the file, said maintaining comprising decapsulating the last packet's payload, fragmenting the last packet's payload into subparts, encapsulating each subpart, and forwarding each subpart until analysis is complete; if the file is disallowed then dropping the first packet and terminating the connection; and if the file is allowed then forwarding the first packet. (Dependent claims: 40, 41, 42, 43)
44. A readable storage medium that provides instructions, which when executed by a set of one or more processors, cause said set of processors to perform operations comprising:
supporting a connection from an external host to a protected host; analyzing a header of each packet received over the connection from the external host; terminating the connection if a first packet received over the connection is determined to be disallowed and discarding the first packet; if the connection is not terminated, copying the first packet's payload; analyzing the first packet's payload; terminating the connection if said first packet's payload is determined to be disallowed and discarding the first packet; if the connection has not been terminated and if said first packet's payload is not a last block of a file, then forwarding said first packet to the protected host; if said first packet's payload is the last block of a file, then reassembling the first packet's payload with a set of one or more previously copied packet payloads into the file; analyzing the file to determine if the file is allowed or disallowed; maintaining the connection while analyzing the file, wherein maintaining the connection comprises copying each of the plurality of packets but the last packet before forwarding each of the plurality of packets, and holding the last packet and repeatedly forwarding the last copied packet; if the file is disallowed then dropping the first packet and terminating the connection; and if the file is allowed then forwarding the first packet.
Specification