System and method for filtering network traffic

US 9,882,904 B2
Filed: 06/04/2014
Issued: 01/30/2018
Est. Priority Date: 09/03/2003
Status: Active Grant

First Claim

Patent Images

1. A method comprising:

maintaining protocol status information for a network protocol, whereinthe protocol status information comprises protocol information for the network protocol,the protocol status information is generated by a protocol server,the protocol status information is used to determine an access control rule, andthe access control rule is applied to a message;

performing a security action associated with the access control rule to determine whether the message sent from the protocol server to a protocol client comprises a protocol message, whereinthe security action comprises verifying that information in the message matches the protocol status information;

based on a determination that the message comprises the protocol message, unicasting the message to the protocol client instead of broadcasting, multicasting, or flooding the message to multiple recipients; and

updating a binding table entry comprising protocol status information associated with the protocol client, the protocol status information comprising information identifying an Internet Protocol (IP) address of the client, a Media Access Control address (MAC) of the client, and an interface coupled to the client.

View all claims

0 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

Protocol status information is used to perform traffic filtering by dropping messages that are not consistent with the protocol status information. In one embodiment, a method involves comparing message information and protocol status information. The message information is associated with a first message. The protocol status information is obtained in response to one or more second messages, which are conveyed according to a protocol used to assign network addresses to clients. The method also involves determining whether to discard the first message, based on an outcome of the comparison of the message information and the protocol status information. For example, it can be determined that the first message should be discarded, if the message information does not match the protocol status information.

25 Citations

24 Claims

1. A method comprising:
- maintaining protocol status information for a network protocol, whereinthe protocol status information comprises protocol information for the network protocol,the protocol status information is generated by a protocol server,the protocol status information is used to determine an access control rule, andthe access control rule is applied to a message;
  
  performing a security action associated with the access control rule to determine whether the message sent from the protocol server to a protocol client comprises a protocol message, whereinthe security action comprises verifying that information in the message matches the protocol status information;
  
  based on a determination that the message comprises the protocol message, unicasting the message to the protocol client instead of broadcasting, multicasting, or flooding the message to multiple recipients; and
  
  updating a binding table entry comprising protocol status information associated with the protocol client, the protocol status information comprising information identifying an Internet Protocol (IP) address of the client, a Media Access Control address (MAC) of the client, and an interface coupled to the client.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 22)
- - 2. The method of claim 1, whereinthe message comprises message information comprising a source address, a destination address, and a virtual local area network (VLAN),the message information is used to select the access control rule,the access control rule is calculated using protocol status information,the protocol status information is maintained for a network protocol,the protocol status information is obtained in response to one or more protocol messages sent between at least one client and the protocol server,the protocol status information is generated by the protocol server,the one or more protocol messages are conveyed according to a protocol used to assign network addresses to clients, andthe access control rule is stored in an access control list.
  - 3. The method of claim 2 wherein,maintaining the protocol status information for the network protocol comprises:
    - network traffic information indicative of how many messages are conveyed from the protocol client to a network, andupdating both the protocol status information and the network traffic information in response to intercepting the protocol message being conveyed between the client and the protocol server.
  - 4. The method of claim 3, comprisingintercepting the protocol message being communicated via the network, andupon updating both the protocol status information and the network traffic information, performing the security action in response to the protocol message dependent on the network traffic information, and a type of the protocol message.
  - 5. The method of claim 2, whereinthe maintaining of the protocol status information is performed by a network switch,the protocol status information indicates which one or a plurality of interfaces comprised in the network switch is coupled to convey messages to and from a particular client,at least some of the plurality of interfaces are logical interfaces, andthe plurality of interfaces are implemented in a hierarchy.
  - 6. The method of claim 1, comprisingperforming the security action in response to intercepting a subsequent protocol message dependent on the protocol status information.
  - 7. The method of claim 6, whereinif the subsequent protocol message is a protocol reply from the protocol server to the protocol client, performing the security action comprisesunicasting the protocol reply to the protocol client.
  - 8. The method of claim 1, whereinthe unicasting is performed by a snooping agent, andunicasting the protocol message to the protocol client instead of forwarding the message normally, inhibits an ability of a device other than the protocol client to snoop information being provided to the protocol client by the protocol server.
  - 22. The method of claim 1, whereinthe protocol status information is used to calculate an access control rule,the access control rule is applied to the message,the access control rule indicates performance of the security action, andas a result of the unicasting, only the protocol client receives the protocol message.

9. A system comprising:
- one or more processors; and
  
  a memory coupled to the one or more processors, wherein the memory stores program instructions executable by the one or more processors to;
  
  maintain protocol status information for a network protocol, whereinthe protocol status information comprises protocol information for the network protocol,the protocol status information is generated by a protocol serverthe protocol status information is used to determine an access control rule, andthe access control rule is applied to a message;
  
  perform a security action associated with the access control rule to determine whether a message sent from the protocol server to a protocol client comprises a protocol message, whereinthe security action comprises verifying that information in the message matches the protocol status information;
  
  based on a determination that the message comprises the protocol message, unicasting the message to the protocol client instead of broadcasting, multicasting, or flooding the message to multiple recipients; and
  
  updating a binding table entry comprising protocol status information associated with the protocol client, the protocol status information comprising information identifying an Internet Protocol (IP) address of the client, a Media Access Control address (MAC) of the client, and an interface coupled to the client.
- View Dependent Claims (10, 11, 12, 13, 14, 15, 23)
- - 10. The system of claim 9, whereinthe message comprises message information comprising a source address, a destination address, and a virtual local area network (VLAN),the message information is used to select the access control rule,the access control rule is calculated using protocol status information,the protocol status information is maintained for a network protocol,the protocol status information is obtained in response to one or more protocol messages sent between at least one client and the protocol server,the protocol status information is generated by the protocol server,the one or more protocol messages are conveyed according to a protocol used to assign network addresses to clients, andthe access control rule is stored in an access control list.
  - 11. The system of claim 10 wherein,maintaining the protocol status information for the network protocol comprises:
    - network traffic information indicative of how many messages are conveyed from the protocol client to a network, andupdating both the protocol status information and the network traffic information in response to intercepting the protocol message being conveyed between the client and the protocol server.
  - 12. The system of claim 11, comprisingintercepting the protocol message being communicated via the network, andupon updating both the protocol status information and the network traffic information, performing the security action in response to the protocol message dependent on the network traffic information, and a type of the protocol message.
  - 13. The system of claim 10, whereinthe maintaining of the protocol status information is performed by a network switch,the protocol status information indicates which one or a plurality of interfaces comprised in the network switch is coupled to convey messages to and from a particular client,at least some of the plurality of interfaces are logical interfaces, andthe plurality of interfaces are implemented in a hierarchy.
  - 14. The system of claim 9, comprisingperforming the security action in response to intercepting a subsequent protocol message dependent on the protocol status information;
    - andif the subsequent protocol message is a protocol reply from the protocol server to the protocol client, performing the security action comprisesunicasting the protocol reply to the protocol client.
  - 15. The system of claim 9, whereinthe unicasting is performed by a snooping agent, andunicasting the protocol message to the protocol client instead of forwarding the message normally, inhibits an ability of a device other than the protocol client to snoop information being provided to the protocol client by the protocol server.
  - 23. The system of claim 9, whereinthe protocol status information is used to calculate an access control rule,the access control rule is applied to the message,the access control rule indicates performance of the security action, andas a result of the unicasting, only the protocol client receives the protocol message.

16. A non-transitory computer-readable storage mediumstoring program instructions executable to:
- maintain protocol status information for a network protocol, whereinthe protocol status information comprises protocol information for the network protocol,the protocol status information is generated by a protocol server,the protocol status information is used to determine an access control rule, andthe access control rule is applied to a message;
  
  perform a security action associated with the access control rule to determine whether a message sent from the protocol server to a protocol client comprises a protocol message, whereinthe security action comprises verifying that information in the message matches the protocol status information;
  
  based on a determination that the message comprises the protocol message, unicasting the message to the protocol client instead of broadcasting, multicasting, or flooding the message to multiple recipients; and
  
  updating a binding table entry comprising protocol status information corresponding to the protocol client, the protocol status information comprising information identifying an Internet Protocol (IP) address of the client, a Media Access Control address (MAC) of the client, and an interface coupled to the client.
- View Dependent Claims (17, 18, 19, 20, 21, 24)
- - 17. The non-transitory computer readable storage medium of claim 16, whereinthe message comprises message information comprising a source address, a destination address, and a virtual local area network (VLAN),the message information is used to select the access control rule,the access control rule is calculated using protocol status information,the protocol status information is maintained for a network protocol,the protocol status information is obtained in response to one or more protocol messages sent between at least one client and the protocol server,the protocol status information is generated by the protocol server,the one or more protocol messages are conveyed according to a protocol used to assign network addresses to clients, andthe access control rule is stored in an access control list.
  - 18. The non-transitory computer readable storage medium of claim 17, whereinmaintaining the protocol status information for the network protocol comprises:
    - network traffic information indicative of how many messages are conveyed from the protocol client to a network, andupdating both the protocol status information and the network traffic information in response to intercepting the protocol message being conveyed between the client and the protocol server;
      
      the maintaining of the protocol status information is performed by a network switch;
      
      the protocol status information indicates which one or a plurality of interfaces comprised in the network switch is coupled to convey messages to and from a particular client;
      
      at least some of the plurality of interfaces are logical interfaces; and
      
      the plurality of interfaces are implemented in a hierarchy.
  - 19. The non-transitory computer readable storage medium of claim 18, comprisingintercepting the protocol message being communicated via the network, andupon updating both the protocol status information and the network traffic information, performing the security action in response to the protocol message dependent on the network traffic information, and a type of the protocol message.
  - 20. The non-transitory computer readable storage medium of claim 16, comprisingperforming the security action in response to intercepting a subsequent protocol message dependent on the protocol status information;
    - andif the subsequent protocol message is a protocol reply from the protocol server to the protocol client, performing the security action comprisesunicasting the protocol reply to the protocol client.
  - 21. The non-transitory computer readable storage medium of claim 16, whereinthe unicasting is performed by a snooping agent, andunicasting the protocol message to the protocol client instead of forwarding the message normally, inhibits an ability of a device other than the protocol client to snoop information being provided to the protocol client by the protocol server.
  - 24. The non-transitory computer readable storage medium of claim 16, whereinthe protocol status information is used to calculate an access control rule,the access control rule is applied to the message,the access control rule indicates performance of the security action, andas a result of the unicasting, only the protocol client receives the protocol message.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Cisco Technology, Inc. (Cisco Systems, Inc.)
Original Assignee
Cisco Technology, Inc. (Cisco Systems, Inc.)
Inventors
Huang, Dehua, Sweeney, Adam J., Sudame, Pradeep S., Dobrota, Silviu, Jonnala, Premkumar
Primary Examiner(s)
Wang, Harris C

Application Number

US14/296,087
Publication Number

US 20140289800A1
Time in Patent Office

1,336 Days
Field of Search

726 3
US Class Current
CPC Class Codes

H04L 63/0263 Rule management

H04L 63/10 for controlling access to d...

System and method for filtering network traffic

First Claim

0 Assignments

0 Petitions

Accused Products

Abstract

25 Citations

24 Claims

Specification

Use Cases

Quick Links

Others

System and method for filtering network traffic

First Claim

0 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

25 Citations

24 Claims

Specification

Subscription Required

Use Cases

Quick Links

Others