System, method and computer program product for updating the states of a firewall

US 7,877,599 B2
Filed: 05/26/2005
Issued: 01/25/2011
Est. Priority Date: 05/28/2004
Status: Expired due to Fees

First Claim

Patent Images

1. A method for use in managing a communication, comprising:

changing, by a first computing device, at least one of a network address or a port number;

determining a session identifier that identifies a filtering mechanism to update in a security device;

determining a filter identifier that identifies an existing filter rule within the filtering mechanism to update;

determining an action to be performed on the filter rule;

determining a value attribute with which to update the filter rule;

generating a message, wherein the message includes the session identifier, the filter identifier, the action, and the value attribute; and

providing the message to the security device to enable a dynamic update of the filter rule such that the security device is configured to allow the first computing device to communicate with a second computing device while the first computing device changes at least one of a network address, or a port number,wherein at least a portion of the communication is routed to the security device.

View all claims

5 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

The preferred instance of the present invention is a method and computer program product that specifies an array of elements to be incorporated into a firewall configuration protocol. When added to the configuration protocol, these added attributes allow the existing packet filtering mechanism to accommodate a terminal device that has moved and received a new IP address in a timely and efficient manner.

13 Citations

View as Search Results

18 Claims

1. A method for use in managing a communication, comprising:
- changing, by a first computing device, at least one of a network address or a port number;
  
  determining a session identifier that identifies a filtering mechanism to update in a security device;
  
  determining a filter identifier that identifies an existing filter rule within the filtering mechanism to update;
  
  determining an action to be performed on the filter rule;
  
  determining a value attribute with which to update the filter rule;
  
  generating a message, wherein the message includes the session identifier, the filter identifier, the action, and the value attribute; and
  
  providing the message to the security device to enable a dynamic update of the filter rule such that the security device is configured to allow the first computing device to communicate with a second computing device while the first computing device changes at least one of a network address, or a port number,wherein at least a portion of the communication is routed to the security device.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9)
- - 2. The method of claim 1, wherein the message further includes an indication of ownership associated with the first computing device.
  - 3. The method of claim 1, further comprising:
    - providing, with the message, an indication of ownership of the message; and
      
      when the first computing device changes at least one of the network address or port number, providing to the security device the indication of ownership.
  - 4. The method of claim 3, wherein the indication of ownership further comprises at least one of a token, a signature, a cryptographically generated address (CGA), or a cookie.
  - 5. The method of claim 1, wherein the security device employs the message to update the filtering mechanism by updating a packet filtering rule, the packet filtering rule enabling at least one of a drop, a pass, or a log action.
  - 6. The method of claim 1, wherein the filtering mechanism employs a policy-based rule.
  - 7. The method of claim 1, wherein the message further comprises at least one of a source IP address, destination IP address, transport protocol, source port number, and a destination port address.
  - 8. The method of claim 1, wherein the action indicates a substitution of one or more filtering rules.
  - 9. The method of claim 1, wherein the security device is at least one of a firewall or a network address translator.

10. A method for use in managing a communication over a network, comprising:
- changing, by a first computing device, at least one of a network address or a port number used to communicate over the network;
  
  determining a plurality of attributes associated with an update to an existing filter in a security device for use in managing the communication between the first computing device and a second computing device, the attributes including a session identifier, a filter identifier, an action to be performed on the filter and a value attribute, at least a portion of the communication being routed to the security device; and
  
  providing the plurality of attributes to the security device,wherein the security device employs the attributes to dynamically update the filter such that the security device is configured to maintain the communication between the first and second communications devices while the first computing device changes a network location.
- View Dependent Claims (11)
- - 11. The method of claim 10, wherein the plurality of attributes further comprises at least one of a session identifier that identifies the filter to update, a filter identifier that identifies a filter rule within the filter to update, an action to be performed on the filter rule, and a value attribute with which to update the filter rule.

12. A system for use in managing an update to a security device comprising:
- a transceiver for receiving and sending content over the network;
  
  a processor in communication with the transceiver; and
  
  a memory in communication with the processor and for use in storing data and machine instructions that cause the processor to perform a plurality of operations, including;
  
  changing at least one of a network address or a port number associated with a first computing device and used by the first computing device to communicate over the network;
  
  generating a message, wherein the message comprises;
  
  a session identifier that recognizes a set of filters within the security device,an indicator of an existing packet filter within the set of filters to update,an action performable on the packet filter; and
  
  a value useable to update the indicated packet filter; and
  
  providing the message to the security device to dynamically update the security device so as to allow the first computing device to communicate with a second computing device while the first computing device changes a network location, the communication being routed to the security device.
- View Dependent Claims (13, 14, 15, 16)
- - 13. The system of claim 12, wherein providing the message includes providing the message to the security device to dynamically update the security device so as to allow a first computing device to communicate over a wireless network.
  - 14. The system of claim 12, wherein to allow a first computing device to communicate with a second computing device further comprises at least one of enabling an initial communication or maintaining an existing communication while the dynamic update is performed.
  - 15. The system of claim 12, wherein the processor and machine instructions are included within the first computing device.
  - 16. The system of claim 12, wherein the message further comprises an options field that includes a proof of ownership that associates the message to the first computing device, and wherein the proof of ownership further comprises at least one of a token, a certificate, a cookie, or a signature.

17. A system for use in updating a state of a security device, comprising:
- a mobile terminal that is configured to perform actions, including;
  
  establish a communication, via a security device, with a second computing device, wherein the communication employs at least one of a network address or a port number associated with the mobile terminal;
  
  changing at least one of the network address or the port number associated with the mobile terminal;
  
  determining a plurality of attributes associated with an update to the state of the security device to manage the communication between the mobile terminal and the second computing device, at least a portion of the communication being routable to the security device; and
  
  providing a message including a session identifier, a filter identifier of an existing filter, an action to be performed on the filter and a value attribute to the security device; and
  
  the security device being in communication with the mobile terminal and configured to perform actions, including;
  
  receiving the message including the plurality of attributes, employing an enhanced configuration protocol that allows the security device to accommodate a change in the mobile terminal'"'"'s network address;
  
  verifying an authenticity of the message by confirming that the mobile terminal owns the message; and
  
  if the message is verified, dynamically updating the state based on information within the message including the plurality of attributes, to allow the mobile terminal to maintain the communication with the second computing device while the mobile device changes a network location and at least a portion of the communication is routed to the security device.

18. An apparatus useable in managing an update to a security device comprising:
- a transceiver for receiving and sending content over the network;
  
  a means for changing at least one of a network address or a port number associated with a first computing device;
  
  a means for determining a message, wherein the message comprises;
  
  a session identifier indicating a set of filters within the security device, an indicator of an existing packet filter with the set of filters to update, an action performable on the packet filter; and
  
  a value useable to update the indicated packet filter; and
  
  a means for providing the message to the security device to dynamically update the security device and allow the first computing device to communicate with a second computing device while the first computing device changes a network location, the communication being routed to the security device.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Trinityeco
Original Assignee
Nokia, Inc. (Nokia Corporation)
Inventors
Faccin, Stefano, Le, Franck
Primary Examiner(s)
Simitoski; Michael J

Application Number

US11/138,764
Publication Number

US 20050268335A1
Time in Patent Office

2,070 Days
Field of Search

713/154, 726/11, 726/13, 709/228
US Class Current

713/154
CPC Class Codes

H04L 63/0263   Rule management

H04L 63/029   Firewall traversal, e.g. tu...

H04L 63/0823   using certificates cryptogr...

System, method and computer program product for updating the states of a firewall

First Claim

5 Assignments

0 Petitions

Accused Products

Abstract

13 Citations

18 Claims

Specification

Solutions

Use Cases

Quick Links

System, method and computer program product for updating the states of a firewall

First Claim

5 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

13 Citations

18 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links