Methods and systems for firewalling virtual private networks

US 7,533,409 B2
Filed: 01/16/2003
Issued: 05/12/2009
Est. Priority Date: 03/22/2001
Status: Expired due to Term

First Claim

Patent Images

1. A method, comprising the steps of:

receiving a first packet from a first network;

identifying in the first packet information for routing the first packet;

detecting a second packet encapsulated within the first packet based on a first set of rules for processing the first packet and the information for routing the first packet;

identifying in the first packet information for routing the second packet;

determining an index based on the information for routing the second packet;

determining a second set of rules for processing the second packet based on the index and the information for routing the second packet; and

filtering the second packet based on the index, the second set of rules, and the information for routing the second packet.

View all claims

3 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

Methods, apparatus, and systems are provided for processing packets between a first and a second network. When a packet is received from the first network, information for routing the first packet is identified. Based on a first set of rules for processing the first packet and the information for routing the first packet, a second packet encapsulated within the first packet is detected. In the first packet, information for routing the second packet is identified based on which a second set of rules for processing the second packet and an index are determined. The second packet is then filtered based on the index, the second set of rules, and the information for routing the second packet. In addition, the index is associated with any additional packets encapsulated within the second packet. The additional packets are also filtered based on the index and the second set of rules.

Citations

24 Claims

1. A method, comprising the steps of:
- receiving a first packet from a first network;
  
  identifying in the first packet information for routing the first packet;
  
  detecting a second packet encapsulated within the first packet based on a first set of rules for processing the first packet and the information for routing the first packet;
  
  identifying in the first packet information for routing the second packet;
  
  determining an index based on the information for routing the second packet;
  
  determining a second set of rules for processing the second packet based on the index and the information for routing the second packet; and
  
  filtering the second packet based on the index, the second set of rules, and the information for routing the second packet.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13, 14, 15, 16)
- - 2. The method of claim 1, further comprising the step of:
    - forwarding the second packet to a second network interfacing the first network based on the information for routing the second packet.
  - 3. The method of claim 1, wherein the step of filtering the second packet comprises discarding the second packet when the second packet fails to meet at least one of the second set of rules.
  - 4. The method of claim 1, further comprising the steps of:
    - receiving information from a processor interfacing the first network; and
      
      determining the first and second set of rules based on the information received from the processor.
  - 5. The method of claim 1, wherein the step of detecting the second packet encapsulated within the first packet comprises identifying a port number in the information for routing the first packet.
  - 6. The method of claim 5, wherein the step of identifying the port umber in the information for routing the first packet comprises identifying a transport control protocol port number.
  - 7. The method of claim 5, wherein the step of identifying the port number in the information for routing the first packet comprises identifying a user datagram protocol port number.
  - 8. The method of claim 1, wherein the step of identifying the information for routing the second packet comprises identifying a virtual address that is routable in a second network interfacing the first network.
  - 9. The method of claim 1, wherein the step of identifying the information for routing the second packet comprises:
    - selecting a portion of the first packet;
      
      identifying an encryption key; and
      
      decrypting the portion of the first packet based on the encryption key.
  - 10. The method of claim 1, wherein the step of determining the second set of rules comprises:
    - identifying a source address of the second packet; and
      
      determining the second set of rules based on the source address.
  - 11. The method of claim 10, wherein the step of identifying the source address of the second packet comprises determining a consent on behalf of the second network to accept one or more packets from at least one other network.
  - 12. The method of claim 1, wherein the step of determining the index comprises:
    - identifying a virtual address of a processor interfacing the first network; and
      
      determining the index based on the virtual address.
  - 13. The method of claim 1, wherein the step of determining the index comprises:
    - identifying a source of the second packet based on the information for routing the second packet; and
      
      determining the index based on the identified source of the second packet.
  - 14. The method of claim 1, wherein the step of determining the index comprises:
    - identifying a destination of the second packet based on the information for routing the second packet; and
      
      determining the index based on the identified destination of the second packet.
  - 15. The method of claim 1, wherein the step of determining the second set of rules comprises:
    - identifying stored sets of rules; and
      
      selecting one of the stored sets of rules based on the index.
  - 16. The method of claim 1, further comprising:
    - detecting at least one additional packet encapsulated within the second packet;
      
      identifying information for routing the at least one additional packet;
      
      associating the index with the at least one additional packet; and
      
      filtering the at least one additional packet based on the index, the second set of rules, and the information for routing the at least one additional packet.

17. An apparatus, comprising:
- means for receiving a first packet from a first network;
  
  means for identifying in the first packet information for routing the first packet;
  
  means for detecting a second packet encapsulated within the first packet based on a first set of rules for processing the first packet and the information for routing the first packet;
  
  means for identifying in the first packet information for routing the second packet;
  
  means for determining an index based on the information for routing the second packet;
  
  means for determining a second set of rules for processing the second packet based on the index and the information for routing the second packet; and
  
  means for filtering the second packet based on the index and the second set of rules and the information for routing the second packet.

18. A method, comprising the steps of:
- providing to a processor a first set of rules for filtering at least a first packet from a network;
  
  providing to the processor a second set of rules for filtering at least a second packet encapsulated within the first packet and received through a tunnel established through the network;
  
  establishing an association between the second packet and the second set of rules based on information for routing the second packet;
  
  selecting at least a portion of the second set of rules; and
  
  filtering the second packet based on the association, the first set of rules, and second set of rules.
- View Dependent Claims (19, 20, 21, 22, 23, 24)
- - 19. The method of claim 18, wherein the step of filtering the second packet comprises discarding the second packet when the second packet fails to meet at least one of the first and second set of rules.
  - 20. The method of claim 18, further comprising the step of forwarding the second packet to at least one other network when the second packet satisfies the first and second set of rules.
  - 21. The method of claim 20, wherein the step of providing to the processor the second set of rules for filtering the second packet comprises providing one or more firewall rules for routing the second packet in the at least one other network.
  - 22. The method of claim 18, wherein the step of providing to the processor the second set of rules for filtering the second packet comprises providing the second set of rules to a gateway that includes the processor and interfaces the network.
  - 23. The method of claim 18, wherein the step of filtering the second packet comprises:
    - determining an index indicating the association; and
      
      filtering the second packet based on the index.
  - 24. The method of claim 18, further comprising:
    - filtering at least one additional packet encapsulated within the second packet based on the association and the second set of rules.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Oracle Systems Corporation (Oracle Corporation)
Original Assignee
Corente, Inc. (Oracle Corporation)
Inventors
Macey, Christopher, Bendinelli, Samuel, Keane, John
Primary Examiner(s)
Barron, Jr.; Gilberto
Assistant Examiner(s)
Okeke; Izunna

Application Number

US10/345,145
Publication Number

US 20030131263A1
Time in Patent Office

2,308 Days
Field of Search

None
US Class Current

726/13
CPC Class Codes

H04L 12/4641   Virtual LANs, VLANs, e.g. v...

H04L 41/0856   by backing up or archiving ...

H04L 61/00   Network arrangements, proto...

H04L 63/0227   Filtering policies mail mes...

H04L 63/0272   Virtual private networks

H04L 63/0428   wherein the data content is...

H04L 63/08   for authentication of entit...

H04L 63/083   using passwords cryptograph...

H04L 63/101   Access control lists [ACL]

H04L 63/166   at the transport layer

H04L 63/20   for managing network securi...

H04L 69/329   in the application layer [O...

H04L 9/40   Network security protocols

Methods and systems for firewalling virtual private networks

First Claim

3 Assignments

0 Petitions

Accused Products

Abstract

Citations

24 Claims

Specification

Solutions

Use Cases

Quick Links

Methods and systems for firewalling virtual private networks

First Claim

3 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

Citations

24 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links