Method, apparatus and computer program product for a network firewall
First Claim
1. A method of screening data units, performed by a network device, the method comprising:
first filtering, by the network device and using a first set of rules that correspond to first criteria, data units based on first information in the data units corresponding to the first criteria to determine ones of the first-filtered data units to be denied or allowed;
generating, by the network device and based on second information from at least one of the allowed first-filtered data units, a second set of rules that corresponds to second criteria; and
second filtering, by the network device and using the second set of rules, denied first-filtered data units based on second information in the denied first-filtered data units corresponding to the second criteria.
Abstract
An improved firewall for providing network security is described. The improved firewall provides for dynamic rule generation in addition to conventional fixed rules. This improvement is provided without a significant increase in the processing time required for most packets. Additionally, the improved firewall provides for translation of IP addresses between the firewall and the internal network.
20 Claims
1. Independent claim 1 (full text given under First Claim above); dependent claims 2 to 7.
8. A firewall engine comprising:
one or more devices configured to:
perform a first comparison of some content of each of a plurality of data units to a first set of rules;
sort, based on the first comparison, each of the data units as being allowed or denied;
generate a second set of rules using other content of at least some of the allowed data units, wherein the some content and the other content differ; and
perform a second comparison of additional content of the denied data units using the second set of rules.
Dependent claims 9 to 14.
15. A network firewall device comprising:
means for determining that a first data unit meets a first set of access control requirements based on first matching criteria associated with the first data unit and that a second data unit fails to meet the first set of access control requirements based on first matching criteria associated with the second data unit;
means for generating a second set of access control requirements based on second matching criteria associated with the first data unit; and
means for determining whether the second data unit meets the second set of access control requirements based on second matching criteria associated with the second data unit.
Dependent claims 16 to 20.
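The three independent claims describe the same two-stage screening: a static rule set sorts packets into allowed and denied, a second rule set is derived from header content of the allowed packets, and the packets the static stage denied are re-checked against that derived set. The following Python is an added illustration of that flow and is not code from the patent or its assignee; the packet fields, CIDR ranges, the "reply-direction" rule-derivation policy and the batch (rather than streaming) processing are assumptions chosen to mirror the claim language.

```python
"""Two-stage packet screening: static ("first") rules sort traffic, dynamic
("second") rules derived from allowed packets are applied to the packets the
static stage denied. All addresses, ports and rules are constructed for the
example; no real hosts are involved."""
import ipaddress
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    proto: str          # "tcp" or "udp"
    sport: int
    dport: int


@dataclass(frozen=True)
class Rule:
    action: str                  # "allow" or "deny"
    src: str                     # CIDR; "0.0.0.0/0" matches any source
    dst: str
    proto: Optional[str] = None  # None matches any protocol
    sport: Optional[int] = None  # None matches any port
    dport: Optional[int] = None

    def matches(self, p: Packet) -> bool:
        return (ipaddress.ip_address(p.src) in ipaddress.ip_network(self.src)
                and ipaddress.ip_address(p.dst) in ipaddress.ip_network(self.dst)
                and self.proto in (None, p.proto)
                and self.sport in (None, p.sport)
                and self.dport in (None, p.dport))


INTERNAL = "10.0.0.0/8"   # assumed internal network
ANY = "0.0.0.0/0"

# First set of rules: first match wins, implicit deny at the end.
STATIC_RULES = [
    Rule("allow", INTERNAL, ANY, "tcp", dport=443),   # outbound HTTPS
    Rule("allow", INTERNAL, ANY, "udp", dport=53),    # outbound DNS
    Rule("deny", ANY, ANY),                           # everything else
]


def first_filter(packets, rules):
    """Sort packets into (allowed, denied) using the static rules only."""
    allowed, denied = [], []
    for p in packets:
        verdict = next((r.action for r in rules if r.matches(p)), "deny")
        (allowed if verdict == "allow" else denied).append(p)
    return allowed, denied


def generate_dynamic_rules(allowed):
    """Build the second rule set from 'other content' of the allowed packets:
    each allowed outbound flow earns one narrow rule (exact /32 addresses and
    exact ports, swapped) permitting only its reply direction."""
    rules = []
    for p in allowed:
        reply = Rule("allow", f"{p.dst}/32", f"{p.src}/32", p.proto,
                     sport=p.dport, dport=p.sport)
        if reply not in rules:
            rules.append(reply)
    return rules


def second_filter(denied, dynamic_rules):
    """Re-check the statically denied packets against the dynamic rules."""
    rescued, still_denied = [], []
    for p in denied:
        (rescued if any(r.matches(p) for r in dynamic_rules)
         else still_denied).append(p)
    return rescued, still_denied


def screen(packets, static_rules=STATIC_RULES):
    """Full pipeline; returns (final_allowed, final_denied, dynamic_rules)."""
    allowed, denied = first_filter(packets, static_rules)
    dynamic = generate_dynamic_rules(allowed)
    rescued, final_denied = second_filter(denied, dynamic)
    return allowed + rescued, final_denied, dynamic


# Constructed sample traffic (RFC 5737 documentation addresses).
SAMPLE = [
    Packet("10.1.2.3", "203.0.113.10", "tcp", 51000, 443),  # outbound HTTPS: static allow
    Packet("203.0.113.10", "10.1.2.3", "tcp", 443, 51000),  # its reply: static deny, dynamic allow
    Packet("203.0.113.10", "10.1.2.3", "tcp", 443, 52000),  # reply to a port never opened: denied
    Packet("198.51.100.7", "10.1.2.3", "tcp", 22, 40000),   # unsolicited inbound: denied
]

if __name__ == "__main__":
    ok, bad, dyn = screen(SAMPLE)
    print(f"{len(ok)} allowed, {len(bad)} denied, {len(dyn)} dynamic rule(s)")
    for r in dyn:
        print("dynamic:", r)
```

Two points of the design matter for a defender. The dynamic rule is as narrow as the derivation allows (exact addresses and both ports), so the hole it opens is scoped to one expected reply flow rather than to a host or service; and because static rules handle the common case, only the packets the static stage rejects pay for the second comparison, which is the low-overhead property the abstract claims. A production implementation would additionally expire dynamic rules after an idle timeout and process packets as a stream rather than the batch shown here.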
Specification