Systems and methods for implementing a protocol-aware network firewall
First Claim
1. A method comprising:
- receiving packets in a first network device;
- storing a first table including first criteria, wherein the first criteria identify session initiation packets used to create a session or session termination packets used to terminate the session, wherein the first criteria include a destination IP address and an associated destination port;
- storing a second table including second criteria, wherein the second criteria identify packets in the session created by the session initiation packets, wherein the second criteria include a source IP address and an associated source port, and a destination IP address and an associated destination port;
- determining, in a first processor, whether each of the received packets meets the first criteria in the first table;
- determining, in the first processor, that each of a first set of the received packets meets the first criteria;
- transmitting each of the first set of the received packets that the first processor has determined meets the first criteria to a second network device including a second processor different than the first processor;
- determining, in the first processor, that each of a second set of the received packets does not meet the first criteria;
- determining, in the first processor in response to each determination that the corresponding received packet in the second set does not meet the first criteria, whether the corresponding received packet in the second set meets the second criteria; and
- transmitting, in response to each determination that the corresponding received packet in the second set meets the second criteria, the corresponding packet toward a destination.
Abstract
A method may include receiving a first packet; determining, in a first processor, whether the first packet meets a criterion to be forwarded to a destination indicated in the first packet; receiving a second packet; determining whether the second packet is of a type for changing the criterion and sending the second packet to a second processor if the second packet is of the type for changing the criterion; receiving instructions, based on the second packet sent to the second processor, to change the criterion; and changing the criterion.
19 Claims
1. A method comprising: (independent claim 1, reproduced in full under First Claim above) - View Dependent Claims (2, 3, 4, 5, 6)
7. A system comprising:
- an input port to receive a packet;
- a memory to store criteria for determining whether the packet should be forwarded to a destination on a network, wherein the memory includes a first table including static criteria for determining whether the packet should be forwarded to the destination, wherein the static criteria include a destination IP address and an associated destination port, and a second table including dynamic criteria for determining whether the packet should be forwarded to the destination, wherein the second criteria include a source IP address and an associated source port, and a destination IP address and an associated destination port;
- an output port to forward the packet; and
- a processor configured to determine whether or not the packet matches the static criteria in the first table, wherein when the processor determines that the packet matches the static criteria the output port is configured to forward the packet to the destination, wherein the processor is configured to determine, in response to the processor having determined that the packet does not match the static criteria, whether the packet matches the dynamic criteria, and wherein, in response to the processor determining that the packet matches the dynamic criteria, the output port is configured to forward the packet to the destination. - View Dependent Claims (8, 9, 10, 11, 12, 13, 14, 15)
16. A method comprising:
- receiving packets on an input port from a first network comprising a first device;
- transmitting packets on an output port to a second network comprising a second device;
- storing a first table and a second table in a memory, wherein the first table includes static criteria for determining whether the received packets should be forwarded to destinations, and wherein the static criteria include a destination IP address and an associated destination port, and wherein the second table includes dynamic criteria for determining whether the received packets should be forwarded to destinations, and wherein the dynamic criteria include a source IP address and an associated source port, and a destination IP address and an associated destination port;
- determining, in a first processor, whether each of the received packets matches the static criteria, including determining that each of a first set of the received packets matches the static criteria and determining that each of a second set of the received packets does not match the static criteria;
- transmitting each of the first set of the received packets that the first processor determined matches the static criteria toward a device having a second processor different than the first processor; and
- determining, in the second processor, that one or more of the first set of the received packets establishes or terminates a session between the first device and the second device;
- changing the dynamic criteria based on the one or more of the first set of the received packets determined to establish or terminate the session between the first device and the second device;
- determining, in the first processor in response to each determination that the second set of the received packets does not match the static criteria, whether the corresponding received packet matches the dynamic criteria; and
- transmitting, in response to each determination that the corresponding packet matches the dynamic criteria, the corresponding packet toward the destination. - View Dependent Claims (17, 18, 19)
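The two-table split that claims 1, 7 and 16 describe, as an added simulation that is not the patent's own implementation: a first (data-path) processor checks the static table keyed on destination IP and port, hands matching session initiation/termination packets to a second (control) processor, and otherwise consults the dynamic table keyed on the full source/destination 4-tuple. The addresses, ports and the `kind`/`session` fields standing in for protocol parsing are constructed for the example.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Packet:
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int
    kind: str = "data"     # "init"/"term" stand in for a parsed signalling message (constructed)
    session: tuple = ()    # for init/term: (src_ip, src_port, dst_ip, dst_port) to open/close

class ControlProcessor:
    """Second processor: inspects session packets and edits the dynamic (second) table."""
    def __init__(self):
        self.dynamic_table = set()   # {(src_ip, src_port, dst_ip, dst_port)}

    def handle(self, pkt: Packet) -> None:
        if pkt.kind == "init":
            self.dynamic_table.add(pkt.session)       # session created: admit its packets
        elif pkt.kind == "term":
            self.dynamic_table.discard(pkt.session)   # session terminated: stop admitting

class DataProcessor:
    """First processor: static (first) table check, then dynamic (second) table check."""
    def __init__(self, static_table: set, control: ControlProcessor):
        self.static_table = static_table   # {(dst_ip, dst_port)} of signalling endpoints
        self.control = control

    def process(self, pkt: Packet) -> str:
        # First criteria: destination IP + port mark session setup/teardown traffic,
        # which goes to the second processor instead of being matched against sessions.
        if (pkt.dst_ip, pkt.dst_port) in self.static_table:
            self.control.handle(pkt)
            return "to-control"
        # Second criteria: the full 4-tuple must match a session the control plane installed.
        if (pkt.src_ip, pkt.src_port, pkt.dst_ip, pkt.dst_port) in self.control.dynamic_table:
            return "forward"
        return "drop"   # neither table matches: default deny

def run_demo() -> list:
    """Constructed traffic: one signalled session, with a media packet before and after teardown."""
    fw = DataProcessor({("203.0.113.10", 5060)}, ControlProcessor())
    media = ("192.0.2.7", 40000, "203.0.113.10", 40002)
    pkts = [
        Packet("192.0.2.7", 5060, "203.0.113.10", 5060, "init", media),
        Packet(*media),                                     # media packet of the open session
        Packet("192.0.2.7", 40001, "203.0.113.10", 40002),  # no session installed for this 4-tuple
        Packet("192.0.2.7", 5060, "203.0.113.10", 5060, "term", media),
        Packet(*media),                                     # same media flow after teardown
    ]
    return [fw.process(p) for p in pkts]
```

Because the static check runs first, a packet aimed at a signalling endpoint never bypasses the control processor even when a matching dynamic entry exists, which is the ordering the claims require.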
Specification