Method, systems, and computer program products for implementing function-parallel network firewall

US 8,037,517 B2
Filed: 12/22/2005
Issued: 10/11/2011
Est. Priority Date: 12/22/2004
Status: Active Grant

First Claim

Patent Images

1. A function-parallel firewall comprising:

(a) a first firewall node for filtering received packets using a first portion of a rule set including a plurality of rules, the first portion including less than all of the rules in the rule set; and

(b) at least one second firewall node for filtering packets using a second portion of the rule set, the second portion including at least one rule in the rule set that is not present in the first portion, wherein the first and second portions together include all of the rules in the rule set, wherein the first and second firewall nodes are configured to implement a gateless design wherein the rules are distributed among the first and second firewall nodes such that for any given packet, only one of the first and the at least one second firewall nodes accepts the packet and the other of the first and at least one second firewall nodes always denies the packet, wherein each of the packets is replicated to each of the firewall nodes and wherein the first firewall node is adapted to forward packets that pass one of the rules in the first portion to an internal network in a manner that bypasses the at least one second firewall node.

View all claims

3 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

Methods, systems, and computer program products for providing function-parallel firewalls are disclosed. According to one aspect, a function-parallel firewall includes a first firewall node for filtering received packets using a first portion of a rule set including a plurality of rules. The first portion includes less than all of the rules in the rule set. At least one second firewall node filters packets using a second portion of the rule set. The second portion includes at least one rule in the rule set that is not present in the first portion. The first and second portions together include all of the rules in the rule set.

105 Citations

View as Search Results

46 Claims

1. A function-parallel firewall comprising:
- (a) a first firewall node for filtering received packets using a first portion of a rule set including a plurality of rules, the first portion including less than all of the rules in the rule set; and
  
  (b) at least one second firewall node for filtering packets using a second portion of the rule set, the second portion including at least one rule in the rule set that is not present in the first portion, wherein the first and second portions together include all of the rules in the rule set, wherein the first and second firewall nodes are configured to implement a gateless design wherein the rules are distributed among the first and second firewall nodes such that for any given packet, only one of the first and the at least one second firewall nodes accepts the packet and the other of the first and at least one second firewall nodes always denies the packet, wherein each of the packets is replicated to each of the firewall nodes and wherein the first firewall node is adapted to forward packets that pass one of the rules in the first portion to an internal network in a manner that bypasses the at least one second firewall node.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13)
- - 2. The function-parallel firewall of claim 1 wherein the first and second portions respectively include rules present in first and second levels of a firewall hierarchy.
  - 3. The function-parallel firewall of claim 2 wherein the first and second firewall nodes are connected to each other such that the rules in the first level are applied to received packets before the rules in the second level.
  - 4. The function-parallel firewall of claim 3 wherein the first firewall node is adapted to discard packets that fail one of the rules in the first portion.
  - 5. The function-parallel firewall of claim 3 wherein the rules in the second portion are more processor-intensive than the rules in the first portion.
  - 6. The function-parallel firewall of claim 1 wherein the first and second firewall nodes implement rules of the same hierarchical level.
  - 7. The function-parallel firewall of claim 1 wherein at least one of the rules in the first portion is present in the second portion to provide redundancy.
  - 8. The function-parallel firewall of claim 1 wherein the first and second firewall nodes are implemented on different physical machines.
  - 9. The function-parallel firewall of claim 1 wherein the first and second firewall nodes are implemented on different processors in the same machine.
  - 10. The function-parallel firewall of claim 1 wherein the first and second firewall nodes are adapted to simultaneously process copies of the same packets.
  - 11. The function-parallel firewall of claim 1 wherein the rule set includes firewall rules for filtering packets based on packet headers.
  - 12. The function-parallel firewall of claim 1 wherein the rule set includes intrusion detection rules for filtering packets based on packet payloads.
  - 13. The function-parallel firewall of claim 1 wherein the rule set includes intrusion protection rules for filtering packets based on a combination of packet headers and packet payloads.

14. A stateful function-parallel firewall system comprising:
- (a) a first function-parallel firewall subsystem including a plurality of firewall nodes implementing a first rule set for filtering packets arriving in a network, wherein the first function-parallel firewall subsystem includes at least first and second firewall nodes respectively implementing first and second portions of the first rule set, the first portion including at least one rule that is not present in the second portion; and
  
  (b) a second function-parallel firewall sub-system including a second set of firewall nodes implementing a second rule set for filtering packets departing from the network, wherein the second function-parallel firewall subsystem includes at least third and fourth firewall nodes, the third and fourth firewall nodes implementing first and second portions of the second rule set, the first portion of the second rule set including at least one rule that is not present in the second portion of the second rule set, wherein the first and second function-parallel firewall subsystems share state information regarding connections established through the first and second sets of firewall nodes, wherein the first and second function-parallel firewall subsystems each include a gateless design wherein rules are distributed among individual firewall nodes such that any given packet is accepted by a only single firewall node and is always denied by all of the remaining firewall nodes, wherein each of the packets is replicated to each of the firewall nodes, and wherein a packet that is accepted by one of the firewall nodes is forwarded to an internal network in a manner that bypasses the remaining firewall nodes.
- View Dependent Claims (15, 16, 17, 18, 19, 20)
- - 15. The stateful function-parallel firewall system of claim 14 comprising a database node coupled to the first and second function-parallel firewall subsystems, wherein the database node stores the state information, wherein the first set of firewall nodes obtains state information regarding connections established through the second set of firewall nodes from the database node, and wherein the second set of firewall nodes obtains state information regarding connections established through the first set of firewall nodes from the database node.
  - 16. The stateful function-parallel firewall system of claim 15 wherein the first and second sets of firewall nodes store copies of the state information maintained by the database node.
  - 17. The stateful function-parallel firewall system of claim 14 wherein the firewall nodes of the first subsystem are adapted to simultaneously process copies of the same packets arriving in the network and wherein the firewall nodes in the second subsystem are adapted to simultaneously process copies of packets departing from the network.
  - 18. The stateful function-parallel firewall system of claim 14 wherein the first and second rule sets include firewall rules for filtering packets based on packet header information.
  - 19. The stateful function-parallel firewall system of claim 14 wherein the first and second rule sets include intrusion detection rules for filtering packets based on payloads of the packets.
  - 20. The stateful function-parallel firewall system of claim 14 wherein the first and second rule sets include intrusion protection rules for filtering packets based on a combination of packet header and packet payload information.

21. A firewall grid comprising:
- (a) a plurality of firewall nodes being physically connected to each other via a network for filtering packets; and
  
  (b) a controller for controlling logical connections between the firewall nodes, wherein the controller is adapted to configure the firewall nodes in a logical firewall hierarchy without changing physical connections between the firewall nodes, wherein the firewall nodes are configured to implement a gateless design wherein the rules are distributed among the firewall nodes such that for any given packet, only one of the firewall nodes accepts the packet and all of the remaining firewall nodes always deny the packet, wherein each of the packets is replicated to each of the firewall nodes, and wherein a packet that is accepted by one of the firewall nodes is forwarded to an internal network in a manner that bypasses the remaining firewall nodes.
- View Dependent Claims (22, 23, 24)
- - 22. The firewall grid of claim 21 wherein the firewall nodes are adapted to simultaneously process copies of the same packets.
  - 23. The firewall grid of claim 21 wherein the logical firewall hierarchy comprises a function-parallel hierarchy where individual firewall nodes implement different portions of a rule set.
  - 24. The firewall grid of claim 21 wherein the controller is adapted to detect congestion at a first level in the firewall hierarchy and is adapted to reconfigure the logical connections between the firewall nodes to add a firewall node from another level in the firewall hierarchy to the level at which congestion was detected.

25. A system for providing network access control based on a function-parallel policy, the system comprising:
- (a) a first firewall node for filtering received packets using a first portion of a rule set including a plurality of rules, the first portion including less than all of the rules in the rule set; and
  
  (b) at least one second firewall node for filtering packets using a second portion of the rule, the second portion including at least one rule in the rule set that is not present in the first portion, wherein the first and second portions together include all of the rules in the rule set, wherein the first and second nodes are configured to implement a gateless design wherein the rules are distributed among the first and second firewall nodes such that for any given packet, only one of the first and second firewall nodes accepts the packet and the other of the first and second firewall nodes always denies the packet, wherein each of the packets is replicated to each of the firewall nodes, and wherein a packet that is accepted by one of the firewall nodes is forwarded to an internal network in a manner that bypasses the remaining firewall nodes.
- View Dependent Claims (26, 27, 28)
- - 26. The system of claim 25 wherein the rule set includes firewall rules for filtering packets based on packet header information.
  - 27. The system of claim 25 wherein the rule set includes intrusion detection rules for filtering packets based on packet payload information.
  - 28. The system of claim 25 wherein the rule set includes intrusion protection rules for filtering packets based on a combination of packet header and packet payload information.

29. A method for controlling access to a network based on a set of packet filtering rules distributed in a function-parallel manner, the method comprising:
- (a) distributing packet filtering rules of a rule set among a plurality of different firewall nodes in a function-parallel manner so that at least some of the different nodes implement different portions of the rule set;
  
  (b) replicating packets to each of the nodes; and
  
  (c) applying the rules to filter the packets, wherein distributing the packet filtering rule set among the plurality of firewall nodes includes distributing the rules such that for any given packet, only one of the firewall nodes accepts the packet and all of the remaining nodes always deny the packet, wherein each of the packets is replicated to each of the firewall nodes, and wherein a packet that is accepted by one of the firewall nodes is forwarded to an internal network in a manner that bypasses the remaining firewall nodes.
- View Dependent Claims (30, 31, 32, 33, 34)
- - 30. The method of claim 29 wherein the packet filtering rules comprise firewall rules for filtering packets based on packet header information.
  - 31. The method of claim 30 comprising, at the other nodes, ceasing processing of the first packet.
  - 32. The method of claim 29 wherein the packet filtering rules comprise intrusion detection rules for filtering packets based on packet payload information.
  - 33. The method of claim 29 wherein the packet filtering rules comprise intrusion protection rules for filtering packets based on a combination of packet header and packet payload information.
  - 34. The method of claim 29 comprising, receiving a first packet at a first node, determining whether the packet matches a first rule implemented by the first node, and, in response to determining that a match occurs, notifying the other nodes of the match.

35. A method for distributing rules in a function-parallel firewall, the method comprising:
- (a) defining a rule set for a function-parallel firewall;
  
  (b) assigning rules in the rule set to nodes and branches in a trie data structure, wherein each node in the trie data structure corresponds to a data field and each branch represents a value for each data field to be compared to values in corresponding fields in received packets;
  
  (c) pruning the trie data structure in a manner that preserves ordering of the rules in the rule set; and
  
  (d) assigning rules to firewall nodes such that one node is assigned a rule that will accept a given packet and the remaining firewall nodes of the firewall are assigned rules that will deny the packet, wherein the firewall nodes implement a gateless design such that for any given packet only one node accepts the packet and all of the remaining nodes always deny the packet, wherein each of the packets is replicated to each of the firewall nodes, and wherein a packet that is accepted by one of the firewall nodes is forwarded to an internal network in a manner that bypasses the remaining firewall nodes.
- View Dependent Claims (36, 37, 38)
- - 36. The method of claim 35 wherein pruning the trie data structure includes pushing a rule to its descendants and deleting the original rule.
  - 37. The method of claim 35 comprising reducing the depth of the trie using level reordering.
  - 38. The method of claim 35 wherein assigning rules in the rule set to nodes and branches in the trie data structure includes assigning rules requiring longer processing time to lower levels in the trie.

39. A method for assigning rules to a plurality of firewall nodes, the method comprising:
- (a) assigning packet filtering rules to nodes in a directed acyclical graph (DAG);
  
  (b) representing relationships between rules by edges in the DAG; and
  
  (c) distributing the rules among a plurality of firewall nodes using the DAG such that different firewall nodes implement different rules and such that relationships between the rules specified in the DAG are preserved, wherein distributing the rules among a plurality of firewall nodes includes distributing the rules such that for a given packet, only one of the firewall nodes accepts the packet and all of the remaining firewall nodes always deny the packet, wherein the firewall nodes implement a gateless design, wherein each of the packets is replicated to each of the firewall nodes, and wherein a packet that is accepted by one of the firewall nodes is forwarded to an internal network in a manner that bypasses the remaining firewall nodes.
- View Dependent Claims (40, 41, 42, 43)
- - 40. The method of claim 39 wherein distributing the rules among a plurality of firewall nodes using the DAG includes distributing the rules such that intersecting accept rules are not present in more than one firewall node.
  - 41. The method of claim 39 wherein distributing the rules among a plurality of firewall nodes using the DAG includes distributing the rules such that the edges to not span multiple firewall nodes.
  - 42. The method of claim 39 wherein distributing the rules among a plurality of firewall nodes using the DAG includes replicating deny rules in each of the firewall nodes.
  - 43. The method of claim 42 comprising eliminating a deny rule implemented by a first firewall node in response to determining that the deny rule for the first firewall node includes no inbound edges and outbound edges from the first deny rule terminate only in a superset deny rule.

44. A computer program product comprising computer executable instructions embodied in a non-transitory computer readable medium for performing steps comprising:
- (a) distributing packet filtering rules of a rule set among a plurality of different firewall nodes in a function-parallel manner so that at least some of the different firewall nodes implement different portions of the rule set;
  
  (b) replicating packets to each of the firewall nodes; and
  
  (c) applying the rules to filter the packets, wherein distributing the rules among a plurality of nodes includes distributing the rules among the nodes which implement a gateless design, where, for any given packet, only one of the nodes accepts the packet and all of the remaining nodes always deny the packet and wherein each of the packets is replicated to each of the firewall nodes, and wherein a packet that is accepted by one of the firewall nodes is forwarded to an internal network in a manner that bypasses the remaining firewall nodes.

45. A computer program product comprising computer executable instructions embodied in a non-transitory computer readable medium for performing steps comprising:
- (a) defining a rule set for a function-parallel firewall;
  
  (b) assigning rules in the rule set to nodes and branches in a trie data structure, wherein each node in the trie data structure corresponds to a data field and each branch represents a value for each data field to be compared to values in corresponding fields in received packets;
  
  (c) pruning the trie data structure in a manner that preserves ordering of the rules in the rule set; and
  
  (d) assigning rules to firewall nodes such that only one node is assigned a rule that accepts a given packet and all of the remaining firewall nodes of the firewall are assigned rules that always deny the packet, wherein the firewall nodes implement a gateless design, wherein each of the packets is replicated to each of the firewall nodes, and wherein a packet that is accepted by one of the firewall nodes is forwarded to an internal network in a manner that bypasses the remaining firewall nodes.

46. A computer program product comprising computer executable instructions embodied in a non-transitory computer readable medium for performing steps comprising:
- (a) assigning rules to nodes in a directed acyclical graph (DAG);
  
  (b) representing relationships between rules by edges in the DAG; and
  
  (c) distributing the rules among a plurality of firewall nodes using the DAG such that the relationships between the rules specified in the DAG are preserved, wherein distributing the rules among a plurality of firewall nodes includes distributing the rules among the nodes, which implement a gateless design, where, for any given packet, only one of the firewall nodes accepts the packet and all of the remaining firewall nodes always deny the packet, wherein each of the packets is replicated to each of the firewall nodes, and wherein a packet that is accepted by one of the firewall nodes is forwarded to an internal network in a manner that bypasses the remaining firewall nodes.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Wake Forest University
Original Assignee
Wake Forest University
Inventors
Farley, Ryan J., Fulp, Errin W.
Primary Examiner(s)
Smithers; Matthew B
Assistant Examiner(s)
Gelagay; Shewaye

Application Number

US11/316,331
Publication Number

US 20060195896A1
Time in Patent Office

2,119 Days
Field of Search

726/11
US Class Current

726/11
CPC Class Codes

H04L 63/0218 Distributed architectures, ...

H04L 63/0263 Rule management

Method, systems, and computer program products for implementing function-parallel network firewall

First Claim

3 Assignments

0 Petitions

Accused Products

Abstract

105 Citations

46 Claims

Specification

Solutions

Use Cases

Quick Links

Method, systems, and computer program products for implementing function-parallel network firewall

First Claim

3 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

105 Citations

46 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links