VLAN router with firewall supporting multiple security layers
First Claim
1. A method for analyzing a packet using a firewall which creates a plurality of trust levels for a plurality of computer networks, the method comprising:
- using a single router containing the firewall and a switch to service each of the plurality of computer networks by performing the steps of:
determining a destination of the packet from a packet header;
accessing a plurality of rules;
determining the appropriate rules to use to analyze the packet;
analyzing the packet using the rules;
determining if the packet is permitted under the rules;
responsive to a determination that the rules permit the packet, permitting the packet to pass to the destination only when the destination does not have a trust level higher than a trust level of a source of the packet;
responsive to a determination that the rules deny the packet, denying the packet;
wherein a trust level is a security level associated with a particular set of rules in the firewall; and
wherein the trust level reduces the time required for the firewall to analyze and either permit or deny the packet.
Abstract
A router containing a firewall capable of supporting a plurality of different security levels. The router of the present invention creates a plurality of Virtual Local Area Networks (VLANs) using a network switch. The VLAN Rules Table (VRT) allows a network administrator to designate a trust level for each VLAN. The trust level may be different for every VLAN and the administrator may designate different rules for each VLAN. The Security Program (SP) analyzes each packet passing through the firewall and determines if the packet is permitted under the rules for the VLAN trust level. An alternative embodiment in which the switch in the router is divided into a plurality of sub-switches is also disclosed. In the alternative embodiment, the firewall need only compare the packet to rules which were not applied in the lower trust levels, eliminating the redundant rules from the comparison process.
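The following model puts the abstract's mechanism into working code: a VLAN Rules Table with a trust level and a rule row per VLAN, the first-match rule evaluation of claim 1, the trust gate that refuses any packet heading toward a more trusted VLAN, and the sub-switch embodiment in which rules already applied at a lower trust level are not compared again. It is an added example, not code from the patent or any product. It assumes that rule sets are cumulative (a VLAN inherits the rows of every less trusted VLAN), that an unmatched packet is denied, and that a larger trust number means a more trusted VLAN; the VLAN ids, subnets, rules and packets are constructed for the example.

```python
"""Model of the VLAN Rules Table (VRT) and trust-level gate from the abstract.

Added illustration, not code from the patent or any product. The VLAN ids,
trust levels, rule sets, the default-deny behaviour and the sample packets
are constructed for the example. A larger trust number is a more trusted VLAN.
"""
from dataclasses import dataclass
from ipaddress import IPv4Address, IPv4Network, ip_address, ip_network
from typing import Optional


@dataclass(frozen=True)
class Rule:
    name: str
    action: str                      # "permit" or "deny"
    proto: str = "any"               # "tcp", "udp" or "any"
    dst_port: Optional[int] = None   # None matches any port

    def matches(self, pkt: "Packet") -> bool:
        return (self.proto in ("any", pkt.proto)
                and (self.dst_port is None or self.dst_port == pkt.dst_port))


@dataclass(frozen=True)
class Packet:
    src: IPv4Address
    dst: IPv4Address
    proto: str
    dst_port: int


@dataclass(frozen=True)
class Vlan:
    vid: int
    trust: int
    subnet: IPv4Network
    rules: tuple                     # this VLAN's row of the VRT


class VlanFirewall:
    def __init__(self, vrt):
        self.vrt = sorted(vrt, key=lambda v: v.trust)   # ascending trust
        self.comparisons = 0         # rules compared for the last packet

    def vlan_of(self, addr):
        for v in self.vrt:
            if addr in v.subnet:
                return v
        return None

    def _apply(self, rules, pkt):
        """First-match evaluation; implicit deny if nothing matches (assumption)."""
        for r in rules:
            self.comparisons += 1
            if r.matches(pkt):
                return r.action, r.name
        return "deny", "implicit-deny"

    def analyze(self, pkt, sub_switches=False):
        """Claim 1 steps; sub_switches=True models the abstract's second embodiment."""
        self.comparisons = 0
        src, dst = self.vlan_of(pkt.src), self.vlan_of(pkt.dst)
        if src is None or dst is None:
            return "deny", "unknown VLAN"
        # Assumption: rule sets are cumulative, so the rows of every VLAN at or
        # below the destination's trust level apply to the packet.
        rows = [v.rules for v in self.vrt if v.trust <= dst.trust]
        if sub_switches:
            # Sub-switch embodiment: a rule already applied at a lower trust
            # level is not compared a second time.
            seen, rules = set(), []
            for r in (r for row in rows for r in row):
                if r not in seen:
                    seen.add(r)
                    rules.append(r)
        else:
            rules = [r for row in rows for r in row]   # redundant copies kept
        action, why = self._apply(rules, pkt)
        if action == "deny":
            return "deny", why
        # Trust gate of claims 1 and 4: never forward toward a more trusted VLAN.
        if dst.trust > src.trust:
            return "deny", f"trust {src.trust} -> {dst.trust} not allowed"
        return "permit", why


def build_example_vrt():
    """Constructed three-VLAN table; the lower rows are repeated in the higher ones."""
    no_telnet = Rule("no-telnet", "deny", "tcp", 23)
    no_smb = Rule("no-smb", "deny", "tcp", 445)
    web = Rule("web", "permit", "tcp", 443)
    ssh = Rule("ssh", "permit", "tcp", 22)
    db = Rule("db", "permit", "tcp", 5432)
    return [
        Vlan(10, 0, ip_network("10.0.10.0/24"), (no_telnet, no_smb, web)),
        Vlan(20, 1, ip_network("10.0.20.0/24"), (no_telnet, no_smb, web, ssh)),
        Vlan(30, 2, ip_network("10.0.30.0/24"), (no_telnet, no_smb, web, ssh, db)),
    ]


FW = VlanFirewall(build_example_vrt())


def decide(src, dst, proto, port, sub_switches=False):
    """Return (action, reason, rules compared) for one constructed packet."""
    pkt = Packet(ip_address(src), ip_address(dst), proto, port)
    action, why = FW.analyze(pkt, sub_switches)
    return action, why, FW.comparisons


if __name__ == "__main__":
    for flag in (False, True):
        print("sub-switches" if flag else "flat",
              decide("10.0.30.7", "10.0.20.5", "tcp", 22, flag))
    print(decide("10.0.20.5", "10.0.30.7", "tcp", 5432))  # rules permit, gate denies
    print(decide("10.0.30.7", "10.0.10.9", "tcp", 23))    # denied by no-telnet
```

Run as a script, the servers-to-staff SSH packet is permitted after 7 rule comparisons in the flat model and after 4 once the redundant lower-level rules are dropped, which is the time saving the abstract claims for the sub-switch embodiment. Two points worth noting about the model as it follows the claims: the trust gate is applied after the rules, so a packet the rules permit is still refused when it heads from a lower-trust VLAN to a higher one; and the gate is stateless, so a reply from a lower-trust VLAN to a session opened from a higher-trust one is refused as well, which a real deployment would have to address with connection tracking that the claims do not describe.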
7 Claims
1. Independent claim; reproduced in full under First Claim above. Claims 2 and 3 depend on it.
4. A method for analyzing a packet using a firewall which creates a plurality of trust levels for a plurality of computer networks, the method comprising:
- using a single router containing the firewall and a plurality of sub-switches to service each of the plurality of computer networks by performing the steps of:
determining a sub-switch location of a packet;
determining a source and a destination of the packet from a packet header;
determining if the packet is attempting to go to a destination with a higher trust level than a trust level of the source; and
responsive to a determination that the packet is not attempting to go to a higher trust level, permitting the packet to pass to the destination;
wherein a trust level is a security level associated with a particular set of rules in the firewall; and
wherein the trust level reduces the time required for the firewall to analyze and either permit or deny a packet.
Claims 5, 6 and 7 depend on claim 4.
Specification