System and method for filtering network traffic
First Claim
1. A method comprising:
maintaining protocol status information for a network protocol, wherein the protocol status information comprises protocol information for the network protocol, the protocol status information is generated by a protocol server, the protocol status information is used to determine an access control rule, and the access control rule is applied to a message;
performing a security action associated with the access control rule to determine whether the message sent from the protocol server to a protocol client comprises a protocol message, wherein the security action comprises verifying that information in the message matches the protocol status information;
based on a determination that the message comprises the protocol message, unicasting the message to the protocol client instead of broadcasting, multicasting, or flooding the message to multiple recipients; and
updating a binding table entry comprising protocol status information associated with the protocol client, the protocol status information comprising information identifying an Internet Protocol (IP) address of the client, a Media Access Control address (MAC) of the client, and an interface coupled to the client.
Abstract
Protocol status information is used to perform traffic filtering by dropping messages that are not consistent with the protocol status information. In one embodiment, a method involves comparing message information and protocol status information. The message information is associated with a first message. The protocol status information is obtained in response to one or more second messages, which are conveyed according to a protocol used to assign network addresses to clients. The method also involves determining whether to discard the first message, based on an outcome of the comparison of the message information and the protocol status information. For example, it can be determined that the first message should be discarded, if the message information does not match the protocol status information.
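The filtering the abstract describes, as an added illustration rather than code from the patent: a switch-side binding table is learned from the DHCP exchange (the "second messages"), server replies are checked against the recorded transaction state and unicast to the requesting port, and later data frames (the "first message") are dropped when their source IP, MAC or ingress port disagree with the binding. The `Frame` fields, the `BindingFilter` class and the DHCP field names are constructed for this example.

```python
from dataclasses import dataclass
from typing import Dict, Optional, Tuple

@dataclass(frozen=True)
class Frame:
    iface: str                   # switch port the frame arrived on
    src_mac: str
    src_ip: Optional[str]        # None for frames without an IP header
    dhcp: Optional[dict] = None  # constructed DHCP fields, or None for plain data

@dataclass(frozen=True)
class Binding:                   # one binding table entry: IP, MAC, interface
    ip: str
    mac: str
    iface: str

class BindingFilter:
    def __init__(self, trusted_ifaces):
        self.trusted = set(trusted_ifaces)             # ports where the DHCP server lives
        self.pending: Dict[int, Tuple[str, str]] = {}  # xid -> (client MAC, client port)
        self.bindings: Dict[str, Binding] = {}         # client IP -> Binding

    def handle(self, f: Frame) -> Tuple[str, Optional[str]]:
        """Return (verdict, egress port); verdict is 'drop', 'forward' or 'unicast'."""
        return self._dhcp(f) if f.dhcp else self._data(f)

    def _dhcp(self, f: Frame):
        d = f.dhcp
        if d["op"] == "BOOTREQUEST":               # DISCOVER / REQUEST from a client
            if d["chaddr"] != f.src_mac:           # hardware address must match the sender
                return ("drop", None)
            self.pending[d["xid"]] = (f.src_mac, f.iface)  # protocol status for this exchange
            return ("forward", None)
        if f.iface not in self.trusted:            # server reply arriving on an untrusted port
            return ("drop", None)
        status = self.pending.get(d["xid"])
        if status is None or status[0] != d["chaddr"]:  # reply does not match recorded status
            return ("drop", None)
        mac, port = status
        if d["type"] == "ACK":                     # lease confirmed: update the binding table
            self.bindings[d["yiaddr"]] = Binding(d["yiaddr"], mac, port)
            del self.pending[d["xid"]]
        return ("unicast", port)                   # deliver only to the client's port, no flooding

    def _data(self, f: Frame):
        if f.iface in self.trusted:
            return ("forward", None)
        b = self.bindings.get(f.src_ip)
        if b is None or b.mac != f.src_mac or b.iface != f.iface:  # source not bound to this port
            return ("drop", None)
        return ("forward", None)
```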
24 Claims
1. A method comprising:
maintaining protocol status information for a network protocol, wherein the protocol status information comprises protocol information for the network protocol, the protocol status information is generated by a protocol server, the protocol status information is used to determine an access control rule, and the access control rule is applied to a message; performing a security action associated with the access control rule to determine whether the message sent from the protocol server to a protocol client comprises a protocol message, wherein the security action comprises verifying that information in the message matches the protocol status information; based on a determination that the message comprises the protocol message, unicasting the message to the protocol client instead of broadcasting, multicasting, or flooding the message to multiple recipients; and updating a binding table entry comprising protocol status information associated with the protocol client, the protocol status information comprising information identifying an Internet Protocol (IP) address of the client, a Media Access Control address (MAC) of the client, and an interface coupled to the client.
Dependent claims: 2, 3, 4, 5, 6, 7, 8, 22

9. A system comprising:
one or more processors; and a memory coupled to the one or more processors, wherein the memory stores program instructions executable by the one or more processors to: maintain protocol status information for a network protocol, wherein the protocol status information comprises protocol information for the network protocol, the protocol status information is generated by a protocol server, the protocol status information is used to determine an access control rule, and the access control rule is applied to a message; perform a security action associated with the access control rule to determine whether a message sent from the protocol server to a protocol client comprises a protocol message, wherein the security action comprises verifying that information in the message matches the protocol status information; based on a determination that the message comprises the protocol message, unicasting the message to the protocol client instead of broadcasting, multicasting, or flooding the message to multiple recipients; and updating a binding table entry comprising protocol status information associated with the protocol client, the protocol status information comprising information identifying an Internet Protocol (IP) address of the client, a Media Access Control address (MAC) of the client, and an interface coupled to the client.
Dependent claims: 10, 11, 12, 13, 14, 15, 23

16. A non-transitory computer-readable storage medium storing program instructions executable to:
maintain protocol status information for a network protocol, wherein the protocol status information comprises protocol information for the network protocol, the protocol status information is generated by a protocol server, the protocol status information is used to determine an access control rule, and the access control rule is applied to a message; perform a security action associated with the access control rule to determine whether a message sent from the protocol server to a protocol client comprises a protocol message, wherein the security action comprises verifying that information in the message matches the protocol status information; based on a determination that the message comprises the protocol message, unicasting the message to the protocol client instead of broadcasting, multicasting, or flooding the message to multiple recipients; and updating a binding table entry comprising protocol status information corresponding to the protocol client, the protocol status information comprising information identifying an Internet Protocol (IP) address of the client, a Media Access Control address (MAC) of the client, and an interface coupled to the client.
Dependent claims: 17, 18, 19, 20, 21, 24