System and method for propagating filters

US 7,779,126 B1
Filed: 03/31/2006
Issued: 08/17/2010
Est. Priority Date: 10/26/2000
Status: Expired due to Term

First Claim

Patent Images

1. A method for propagating filters in a network comprising a first network device and a second network device, said second network device located upstream of said first network device such that network traffic passes through said second network device before arriving at said first network device, the method comprising:

generating and installing a first filter at said first network device;

sending filter information from said first network device to said second network device;

requesting said second network device to install a second filter so that said network traffic is filtered closer to a source of said network traffic, said second filter configured to filter said network traffic forwarded to said first network device without filtering traffic to other downstream nodes;

receiving filter statistics from said second network device at said first network device;

analyzing said filter statistics and said network traffic received from said second network device at said first network device, refining said first filter based on said analyzed filter statistics, and sending updated filter information to said second network device so that said second network device can refine said second filter installed thereon; and

removing said first filter from the first network device and sending a request to said second network device to remove said second filter, if a network flow requiring said filter is no longer present based on said received filter statistics.

View all claims

0 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

A method and system for propagating filters to an upstream device. The method includes generating a filter at a first network device and sending information on the filter to a second network device located upstream from the first network device. The first network device then requests the second network device to install the filter.

Citations

27 Claims

1. A method for propagating filters in a network comprising a first network device and a second network device, said second network device located upstream of said first network device such that network traffic passes through said second network device before arriving at said first network device, the method comprising:
- generating and installing a first filter at said first network device;
  
  sending filter information from said first network device to said second network device;
  
  requesting said second network device to install a second filter so that said network traffic is filtered closer to a source of said network traffic, said second filter configured to filter said network traffic forwarded to said first network device without filtering traffic to other downstream nodes;
  
  receiving filter statistics from said second network device at said first network device;
  
  analyzing said filter statistics and said network traffic received from said second network device at said first network device, refining said first filter based on said analyzed filter statistics, and sending updated filter information to said second network device so that said second network device can refine said second filter installed thereon; and
  
  removing said first filter from the first network device and sending a request to said second network device to remove said second filter, if a network flow requiring said filter is no longer present based on said received filter statistics.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10)
- - 2. The method of claim 1 wherein generating a filter at a first network device comprises automatically generating said first filter based on network flow entering the device.
  - 3. The method of claim 1 further comprising requesting said upstream device to remove said second filter, wherein requesting comprises transmitting a message utilizing an inter-switch filter propagation protocol.
  - 4. The method of claim 1 wherein sending filter information comprises utilizing a filter propagation protocol configured to specify the network traffic that is not to be forwarded.
  - 5. The method of claim 1 wherein generating said first filter comprises detecting potentially harmful network flows and generating said first filter to prevent packets corresponding to said detected potentially harmful network flows from passing through said network device.
  - 6. The method of claim 5 wherein generating said first filter further comprises classifying network flow based on a source device sending a packet.
  - 7. The method of claim 6 wherein the network flow is classified based on an address of the source device.
  - 8. The method of claim 1 wherein generating said first filter comprises analyzing network flow entering said first network device.
  - 9. The method of claim 8 wherein analyzing said network flow is performed by software.
  - 10. The method of claim 8 comprising selecting a class of network flows to analyze based on previously analyzed network flows.

11. A computer readable storage medium encoded with a computer program for propagating a filter in a network comprising a first network device and a second network device, said second network device located upstream of said first network device such that network traffic passes through said second network device before arriving at said first network device, the computer program comprising:
- code that generates and installs a first filter at said first network device;
  
  code that sends filter information to said second network device;
  
  code that requests said second network device to install a second filter so that said network traffic is filtered closer to a source of said network traffic, said second filter configured to filter said network traffic forwarded to said first network device without filtering traffic to other downstream nodes;
  
  code that receives filter statistics from said second network device at said first network device;
  
  code that analyzes said filter statistics and said network traffic received from said second network device at said first network device, refines said first filter based on said analyzed filter statistics, and sends updated filter information to said second network device so that said second network device can refine said second filter installed thereon; and
  
  code that removes said first filter from the first network device and sends a request to said second network device to remove said second filter, if a network flow requiring said filter is no longer present based on said received filter statistics.
- View Dependent Claims (12, 13, 14, 15, 16)
- - 12. The computer readable storage medium of claim 11 wherein code that generates said first filter comprises code that classifies network flow based on a source device sending a packet.
  - 13. The computer readable storage medium of claim 11 wherein code that generates said first filter comprises code that analyzes network flows and detects potentially harmful network flows.
  - 14. The computer readable storage medium of claim 11 further comprising code that removes said first filter from the first network device when no longer required.
  - 15. The computer readable storage medium of claim 14 further comprising code that requests said upstream device to remove said second filter.
  - 16. The computer readable storage medium of claim 11 further comprising code that utilizes a filter propagation protocol to exchange information between said first and second network devices.

17. A system for propagating filters in a network comprising a first network device and a second network device, said second network device located upstream of said first network device such that network traffic passes through said second network device before arriving at said first network device, the system comprising:
- means for generating and installing a first filter at said first network device;
  
  means for sending filter information from said first network device to said second network device;
  
  means for requesting said second network device to install a second filter so that said network traffic is filtered closer to a source of said network traffic, said second filter configured to filter said network traffic forwarded to said first network device without filtering traffic to other downstream nodes;
  
  means for receiving filter statistics from said second network device at said first network device;
  
  means for analyzing said filter statistics and said network traffic received from said second network device at said first network device, refining said first filter based on said analyzed filter statistics, and sending updated filter information to said second network device so that said second network device can refine said second filter installed thereon; and
  
  means for removing said first filter from the first network device and sending a request to said second network device to remove said second filter, if a network flow requiring said filter is no longer present based on said received filter statistics.
- View Dependent Claims (18, 19, 20, 21)
- - 18. The system of claim 17 wherein means for generating said first filter comprises automatically generating said first filter based on network flow entering the device.
  - 19. The system of claim 17 further comprising means for receiving information based on monitored network flow and means for removing said first filter from the first network device when the network flow requiring said filter is no longer present.
  - 20. The system of claim 19 further comprising means for requesting said upstream device to remove said second filter.
  - 21. The system of claim 17 wherein the first network device is a firewall and the second network device is a router.

22. Apparatus for propagating filters in a network comprising a first network device and a second network device, said second network device located upstream of said first network device such that network traffic passes through said second network device before arriving at said first network device, the system comprising:
- one or more processors; and
  
  a memory that stores instructions to be executed by said one or more processors, said instructions comprising;
  
  code that generates and installs a first filter at said first network device;
  
  code that sends filter information from said first network device to said second network device;
  
  code that requests said second network device to install a second filter so that said network traffic is filtered closer to a source of said network traffic, said second filter configured to filter traffic forwarded to said first network device without filtering traffic to other downstream nodes;
  
  code that receives filter statistics from said second network device at said first network device;
  
  code that analyzes said filter statistics and said network traffic received from said second network device at said first network device, refines said first filter based on said analyzed filter statistics, and sends updated filter information to said second network device so that said second network device can refine said second filter installed thereon; and
  
  code that removes said first filter from the first network device and sends a request to said second network device to remove said second filter, if a network flow requiring said filter is no longer present based on said received filter statistics.
- View Dependent Claims (23, 24, 25, 26, 27)
- - 23. The apparatus of claim 22 wherein code that generates said first filter comprises code that classifies network flow based on a source device sending a packet.
  - 24. The apparatus of claim 22 wherein the code that generates said first filter comprises code that analyzes network flows and detects potentially harmful network flows.
  - 25. The apparatus of claim 22 further comprising code that removes said first filter from the first network device when no longer required.
  - 26. The apparatus of claim 25 further comprising code that requests said upstream device to remove said second filter.
  - 27. The apparatus of claim 22 further comprising code that utilizes a filter propagation protocol to exchange information between said first and second network devices.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Cisco Technology, Inc. (Cisco Systems, Inc.)
Original Assignee
Cisco Technology, Inc. (Cisco Systems, Inc.)
Inventors
Cheriton, David
Primary Examiner(s)
Pwu; Jeffrey
Assistant Examiner(s)
LI, GUANG W

Application Number

US11/395,329
Time in Patent Office

1,600 Days
Field of Search

709/206, 375/204.29
US Class Current

709/226
CPC Class Codes

H04L 63/0263   Rule management

H04L 63/1408   by monitoring network traff...

H04L 67/34   involving the movement of s...

System and method for propagating filters

First Claim

0 Assignments

0 Petitions

Accused Products

Abstract

Citations

27 Claims

Specification

Solutions

Use Cases

Quick Links

System and method for propagating filters

First Claim

0 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

Citations

27 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links