Systems and methods for implementing a protocol-aware network firewall

US 9,077,685 B2
Filed: 09/22/2011
Issued: 07/07/2015
Est. Priority Date: 11/08/2005
Status: Expired due to Fees

First Claim

Patent Images

1. A method comprising:

receiving packets in a first network device;

storing a first table including first criteria, wherein the first criteria identify session initiation packets used to create a session or session termination packets used to terminate the session, wherein the first criteria include a destination IP address and an associated destination port;

storing a second table including second criteria, wherein the second criteria identify packets in the session created by the session initiation packets, wherein the second criteria include a source IP address and an associated source port, and a destination IP address and an associated destination port;

determining, in a first processor, whether each of the received packets meets the first criteria in the first table;

determining, in the first processor, that each of a first set of the received packets meets the first criteria;

transmitting each of the first set of the received packets that the first processor has determined meets the first criteria to a second network device including a second processor different than the first processor;

determining, in the first processor, that each of a second set of the received packets does not meet the first criteria;

determining, in the first processor in response to each determination that the corresponding received packet in the second set does not meet the first criteria, whether the corresponding received packet in the second set meets the second criteria; and

transmitting, in response to each determination that the corresponding received packet in the second set meets the second criteria, the corresponding packet toward a destination.

View all claims

2 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

A method may include receiving a first packet; determining, in a first processor, whether the first packet meets a criterion to be forwarded to a destination indicated in the first packet; receiving a second packet; determining whether the second packet is of a type for changing the criterion and sending the second packet to a second processor if the second packets is of the type for changing the criterion; receiving instructions, based on the second packet sent to the second processor, to change the criterion; and changing the criterion.

Citations

19 Claims

1. A method comprising:
- receiving packets in a first network device;
  
  storing a first table including first criteria, wherein the first criteria identify session initiation packets used to create a session or session termination packets used to terminate the session, wherein the first criteria include a destination IP address and an associated destination port;
  
  storing a second table including second criteria, wherein the second criteria identify packets in the session created by the session initiation packets, wherein the second criteria include a source IP address and an associated source port, and a destination IP address and an associated destination port;
  
  determining, in a first processor, whether each of the received packets meets the first criteria in the first table;
  
  determining, in the first processor, that each of a first set of the received packets meets the first criteria;
  
  transmitting each of the first set of the received packets that the first processor has determined meets the first criteria to a second network device including a second processor different than the first processor;
  
  determining, in the first processor, that each of a second set of the received packets does not meet the first criteria;
  
  determining, in the first processor in response to each determination that the corresponding received packet in the second set does not meet the first criteria, whether the corresponding received packet in the second set meets the second criteria; and
  
  transmitting, in response to each determination that the corresponding received packet in the second set meets the second criteria, the corresponding packet toward a destination.
- View Dependent Claims (2, 3, 4, 5, 6)
- - 2. The method of claim 1, further comprising:
    - receiving instructions, based on the first set of the packets sent to the second network device, to change the second criteria in the second table; and
      
      changing the second criteria based on the instructions.
  - 3. The method of claim 2, further comprising:
    - receiving packets in the second network device;
      
      determining whether the packets received in the second network device establish or terminate the session between user devices; and
      
      generating the instructions, based on the determination of whether the packets received in the second network device establish or the terminate session between user devices, andtransmitting the instructions to the first network device for changing the second criteria.
  - 4. The method of claim 3, wherein the packets to establish or terminate the session include Session Initiation Protocol (SIP) packets.
  - 5. The method of claim 4, wherein storing the second table includes storing the second table in a Content Addressable Memory (CAM).
  - 6. The method of claim 2, wherein receiving the packets in the first network device includes receiving the packets on a first input port, the method further comprising receiving the instructions on a second input port different than the first input port.

7. A system comprising:
- an input port to receive a packet;
  
  a memory to store criteria for determining whether the packet should be forwarded to a destination on a network, wherein the memory includesa first table including static criteria for determining whether the packet should be forwarded to the destination, wherein the static criteria include a destination IP address and an associated destination port, anda second table including dynamic criteria for determining whether the packet should be forwarded to the destination, wherein the second criteria include a source IP address and an associated source port, and a destination IP address and an associated destination port;
  
  an output port to forward the packet; and
  
  a processor configured to determine whether or not the packet matches the static criteria in the first table,wherein when the processor determines that the packet matches the static criteria the output port is configured to forward the packet to the destination,wherein the processor is configured to determine, in response to the processor having determined that the packet does not match the static criteria, whether the packet matches the dynamic criteria, andwherein, in response to the processor determining that the packet matches the dynamic criteria, the output port is configured to forward the packet to the destination.
- View Dependent Claims (8, 9, 10, 11, 12, 13, 14, 15)
- - 8. The system of claim 7, wherein the static criteria identify session initiation packets used to create a session or session termination packets used to terminate the session, and wherein the dynamic criteria identify packets in the session created by the session initiation packets.
  - 9. The system of claim 8, wherein the processor is a first processor, wherein the output port is configured to send the packet to a second processor different than the first processor when the first processor determines that the packet meets the static criteria, wherein the first processor is configured to receive instructions, based on the packet sent to the second processor, to change the dynamic criteria;
    - and wherein the first processor is configured to change the dynamic criteria based on the instructions.
  - 10. The system of claim 9, wherein the session initiation packets or the session termination packets include a Session Initiation Protocol (SIP) INVITE message, a SIP OK message, or a SIP BYE message.
  - 11. The system of claim 10, wherein the static criteria include a destination internet protocol (IP) address and an associated destination port.
  - 12. The system of claim 10, wherein the dynamic criteria include a source IP address and an associated source port, and a destination IP address and an associated destination port.
  - 13. The system of claim 9, further comprising a dedicated input port to receive the instructions.
  - 14. The system of claim 9, further comprising an access control list (ACL) to authenticate a source of the instructions.
  - 15. The system of claim 9, farther comprising a cryptographic authenticator to receive the instructions.

16. A method comprising:
- receiving packets on an input port from a first network comprising a first device;
  
  transmitting packets on an output port to a second network comprising a second device;
  
  storing a first table and a second table in a memory,wherein the first table includes static criteria for determining whether the received packets should be forwarded to destinations, and wherein the static criteria include a destination IP address and an associated destination port, andwherein the second table includes dynamic criteria for determining whether the received packets should be forwarded to destinations, and wherein the dynamic criteria include a source IP address and an associated source port, and a destination IP address and an associated destination port;
  
  determining, in a first processor, whether each of the received packets matches the static criteria, including determining that each of a first set of the received packets matches the static criteria and determining that each of a second set of the received packets does not match the static criteria;
  
  transmitting each of the first set of the received packets that the first processor determined matches the static criteria toward a device having a second processor different than the first processor; and
  
  determining, in the second processor, that one or more of the first set of the received packets establishes or terminates a session between the first device and the second device;
  
  changing the dynamic criteria based on the one or more of the first set of the received packets determined to establish or terminate the session between the first device and the second device;
  
  determining, in the first processor in response to each determination that the second set of the received packets does not match the static criteria, whether the corresponding received packet matches the dynamic criteria; and
  
  transmitting, in response to each determination that the corresponding packet matches the dynamic criteria, the corresponding packet toward the destination.
- View Dependent Claims (17, 18, 19)
- - 17. The method of claim 16, further comprising determining, based on the static criteria, whether the one or more of the received packets are a type to establish or terminate the session between the first device and the second device.
  - 18. The method of claim 17, wherein the type of packet to establish or terminate a session is a Session Initiation Protocol (SIP) packet.
  - 19. The method of claim 18,wherein the static criteria include a destination internet protocol (IP) address and an associated destination port;
    - andwherein the dynamic criteria comprise a source IP address and an associated source port and a destination IP address and an associated destination port.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Verizon Patent and Licensing Incorporated (Verizon Communications Inc.)
Original Assignee
Verizon Patent and Licensing Incorporated (Verizon Communications Inc.)
Inventors
Ormazabal, Gaston S., Schulzrinne, Henning G., Yardeni, Eilon, Lennox, Jonathan
Primary Examiner(s)
MILLS, DONALD L

Application Number

US13/239,986
Publication Number

US 20120008624A1
Time in Patent Office

1,384 Days
Field of Search

None
US Class Current

1/1
CPC Class Codes

H04L 63/0263   Rule management

H04L 63/029   Firewall traversal, e.g. tu...

H04L 65/1101   Session protocols

H04L 65/1104   Session initiation protocol...

Systems and methods for implementing a protocol-aware network firewall

First Claim

2 Assignments

0 Petitions

Accused Products

Abstract

Citations

19 Claims

Specification

Solutions

Use Cases

Quick Links

Systems and methods for implementing a protocol-aware network firewall

First Claim

2 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

Citations

19 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links