WO2001022642A2 - System and method for presorting rules for filtering packets on a network - Google Patents

System and method for presorting rules for filtering packets on a network

Info

Publication number
WO2001022642A2
Authority
WO
WIPO (PCT)
Prior art keywords
packet
rules
network
characteristic
presorting
Prior art date
Application number
PCT/IL2000/000591
Other languages
French (fr)
Other versions
WO2001022642A3 (en)
Inventor
Rony Zarom
Yarom Mizrachi
Original Assignee
Comverse Network Systems Ltd.
Priority date
Filing date
Publication date
Application filed by Comverse Network Systems Ltd.
Priority to AU74435/00A
Priority to IL14883000A
Publication of WO2001022642A2
Publication of WO2001022642A3

Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L 63/00 Network architectures or network communication protocols for network security
    • H04L 63/10 Network architectures or network communication protocols for network security for controlling access to devices or network resources
    • H04L 63/105 Multiple levels of security
    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06F ELECTRIC DIGITAL DATA PROCESSING
    • G06F 21/00 Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L 63/00 Network architectures or network communication protocols for network security
    • H04L 63/02 Network architectures or network communication protocols for network security for separating internal from external traffic, e.g. firewalls
    • H04L 63/0227 Filtering policies
    • H04L 63/0263 Rule management

Abstract

A method and a system for presorting rules for packet filtering in a network security filter according to characteristics of the packet. The method uses presorting rules (steps 3-5) to limit the number of packet sorting rules that must be examined (step 9). The method provides an efficient means of managing profiles for the network manager of the security filter.

Description

SYSTEM AND METHOD FOR PRESORTING RULES FOR FILTERING PACKETS ON A NETWORK
FIELD AND BACKGROUND OF THE INVENTION
The present invention relates to a system and method for presorting rules for filtering packets on a network, and in particular for presorting such rules according to a user profile.
Security of information is extremely important for modern society, particularly since the advent of the Internet. Unauthorized exposure of such information, and/or unintended or unauthorized use of information may significantly damage organizations and individuals. Damage may also be caused by lost, corrupted or misused information. Thus, appropriate security measures are required in order to protect information from such damaging actions, while still maintaining the availability of such information to authorized individuals and/or organizations.
Currently, flexibility and ease of access to information are highly valued, particularly through the Internet and organizational intranets, which provide connections between computers through a network. Accessing information through a network enables users at physically separate locations to share information, but also increases the possibility of unauthorized or unintended access to the information. Various attempts to provide a solution to the problem of security for electronically stored information are known in the art, but all of these attempted solutions have various drawbacks.
For example, a "firewall" is a software program or hardware device which attempts to provide security to an entire network, or to a portion thereof, by filtering all communication which passes through an entry point to the entire network or the portion of the network. The filtration of packets is performed according to one or more rules, such that if the packet does not conform to these rules, then the packet is blocked from entry at the entry point. An example of such a firewall is disclosed in U.S. Patent No. 5,606,668, incorporated by reference as if fully set forth herein.
Unfortunately, currently available firewalls have a number of disadvantages. In particular, these firewalls can be extremely slow and non-selective in terms of the application of the rules. For example, U.S. Patent No. 5,606,668 neither teaches nor suggests a step of presorting the rules according to a characteristic of the packet. Such presorting could significantly reduce the number of rules which would need to be examined in reference to the packet, and hence would greatly increase the speed of filtering packets. Unfortunately, a firewall with such presorting is not currently available.
There is thus a need for, and it would be useful to have, a system and a method for presorting rules for application to a packet as part of a network security filter according to a characteristic of the packet, and preferably according to at least one of the source address and destination address, thereby reducing the number of rules which must be applied to the packet in order to increase the rate of filtering.
BRIEF DESCRIPTION OF THE DRAWINGS
The foregoing and other objects, aspects and advantages will be better understood from the following detailed description of a preferred embodiment of the invention with reference to the drawings, wherein:
FIG. 1 is a schematic block diagram of a system according to the present invention; and
FIG. 2 is a flowchart of a method according to the present invention.
SUMMARY OF THE INVENTION
The present invention is of a method and a system for presorting rules for filtering a packet in a network security filter according to a characteristic of the packet, preferably at least one of the source address and destination address. The advantage of presorting rules before application to the packet is that the number of rules which must be examined should be significantly reduced. In addition, the source address and/or destination address can be associated with a particular profile, which may be associated with a particular user for example. The rules are also more easily managed according to such profiles, since the network manager or system administrator can choose a set of rules for the profile, and then amend the profile as a whole, rather than attempting to apply disparate, unrelated rules for filtering. Thus, the method and system of the present invention are more efficient both for actual filtering of packets, and for management of the security network filter.
According to the present invention, there is provided a method for presorting a plurality of rules for filtering a packet in a network, the method comprising the steps of: (a) selecting a characteristic for sorting the plurality of rules, the characteristic having a plurality of possible values; (b) associating each rule with at least one value for the characteristic; (c) receiving the packet; (d) at least partially analyzing information in the packet to obtain the value for the characteristic; (e) selecting at least one of the plurality of rules according to the value to form at least one selected rule; and (f) applying the selected rule to the packet, such that the packet is permitted to enter the network or alternatively is dropped.
Hereinafter, the term "network" refers to a connection between any two electronic devices which permits the transmission of data. Hereinafter, the term "security network filter" also refers to firewalls and any other type of mechanism for filtering packets according to one or more rules.
Hereinafter, the term "wireless device" refers to any type of electronic device which permits data transmission through a wireless channel, for example through transmission of radio waves. Hereinafter, the term "cellular phone" is a wireless device designed for the transmission of voice data and/or other data, through a connection to the PSTN (public switched telephone network) system.
Hereinafter, the term "computer" includes, but is not limited to, personal computers (PC) having an operating system such as DOS, Windows™, OS/2™ or Linux; Macintosh™ computers; computers having JAVA™-OS as the operating system; and graphical workstations such as the computers of Sun Microsystems™ and Silicon Graphics™, and other computers having some version of the UNIX operating system such as AIX™ or SOLARIS™ of Sun Microsystems™; or any other known and available operating system. Hereinafter, the term "Windows™" includes but is not limited to Windows95™, Windows 3.x™ in which "x" is an integer such as "1", Windows NT™, Windows98™, Windows CE™ and any upgraded versions of these operating systems by Microsoft Corp. (USA).
The method of the present invention could be described as a series of steps performed by a data processor, and as such could optionally be implemented as software, hardware or firmware, or a combination thereof. For the present invention, a software application could be written in substantially any suitable programming language, which could easily be selected by one of ordinary skill in the art. The programming language chosen should be compatible with the computer hardware and operating system according to which the software application is executed. Examples of suitable programming languages include, but are not limited to, C, C++ and Java.
DETAILED DESCRIPTION OF THE INVENTION
The present invention is of a method and a system for presorting rules for filtering a packet in a network security filter according to a characteristic of the packet. The characteristic is preferably at least one of the source address and destination address. The advantage of presorting rules before application to the packet is that the number of rules which must be examined should be significantly reduced. Furthermore, those rules which are selected after the presorting procedure for application to the packet are therefore more relevant to that particular packet, such that the analysis of the packet is more efficient. In addition, the source address and/or destination address can be associated with a particular profile, which may be associated with a particular user for example. The rules are also more easily managed according to such profiles, since the network manager or system administrator can choose a set of rules for the profile, and then amend the profile as a whole, rather than attempting to apply disparate, unrelated rules for filtering. For example, different levels of user permissions may be determined according to company policy, such that a basic profile for each level of permission would be provided. The system administrator or network manager would therefore select the profile, which would already contain all of the necessary general rules. Optionally, if necessary, one or more changes to the rules could be made in order to fully optimize the rules for the particular source and/or destination address for that user. Thus, the method and system of the present invention are more efficient both for actual filtering of packets, and for management of the security network filter.
The principles and operation of a system and a method according to the present invention may be better understood with reference to the drawings and the accompanying description, it being understood that these drawings are given for illustrative purposes only and are not meant to be limiting.
Referring now to the drawings, Figure 1 is a schematic block diagram of an exemplary system 10 according to the present invention for filtering packets according to a plurality of presorted rules. System 10 features a network 12 with an entry point 14, which is preferably a computer connected to network 12. Preferably, all network traffic must pass through entry point 14 for transmission on network 12, although a plurality of such entry points 14 may optionally be present on network 12 (not shown). Network 12 also features a plurality of endpoint computers 16 for transmitting and receiving packets. Each such endpoint computer 16 features an address, such that each packet has a source address, which may be from an endpoint computer 16 within network 12 or from a network entity outside network 12, and a destination address, which is within network 12. In the simplified network shown, the destination address would be for an endpoint computer 16. It is understood that the structure of network 12 has been simplified for the sake of clarity, and is not meant to be limiting in any way. Furthermore, techniques for constructing various configurations of networks are well known to those of ordinary skill in the art. The present invention is operative with any possible network configuration.
A network security filter 18 is installed at entry point 14. As described previously, network security filter 18 may be implemented as software, hardware, firmware or a combination thereof. Network security filter 18 must have access to packets being transmitted through entry point 14. Network security filter 18 then first retrieves at least one characteristic of the packet, which is preferably at least one of a source address and a destination address of the packet, and uses this characteristic to presort a plurality of filtering rules which are stored in a rules database 20. Only those rules which are indicated as being relevant for that value of the characteristic, such as a particular source address or destination address, or combination thereof, are then applied to the packet by network security filter 18. The process of applying the rules involves further analysis of the packet to obtain the necessary information, and then comparing the information in the packet to the rule, such that if the rule is not fulfilled, the packet is rejected or dropped. The dropped packet cannot then enter network 12 through entry point 14. Optionally and additionally, an alarm or other indication is given, and/or an entry is made in a log file, if one or more rules are violated by the packet.
Preferably, the rules contained in rules database 20 are presorted according to a plurality of possible values for the characteristic which is examined, more preferably with a default value. Therefore, when the characteristic of the packet is analyzed and the value is retrieved, network security filter 18 is able to quickly retrieve only those rules from rules database 20.
Alternatively, the rules may not be presorted, but may instead be sorted separately for each incoming packet by network security filter 18.
As previously described, and as described in greater detail below with regard to Figure 2, the characteristic which is preferably retrieved from the packet in order to sort the rules is at least one of the source address and the destination address of the packet. The source address and/or the destination address may be associated with a particular user, such that the permissions and restrictions placed upon the behavior of the user within network 12 are reflected in terms of the rules applied to packets associated with that user. Using the source address and/or the destination address as the characteristic for sorting the rules has the advantage that users who are located at computers outside of network 12 (not shown) may be accorded certain privileges for entry through entry point 14. Thus, a user who is working at home, while traveling, or at a remote office, for example, may be granted certain privileges in terms of the permitted behavior of the packet. With regard to the actual application of the rules to the packets, as well as of the construction of the rules themselves, these aspects of filtering the packets are known in the background art. In particular, these functions are described in U.S. Patent No. 5,606,668, previously incorporated by reference. Briefly, a packet enters entry point 14 and passes through layers 1 and 2 of the ISO (International Standardization Organization) model of communication protocol layers for a network. The packet is then diverted to network security filter 18. Network security filter 18 then analyzes information contained within the packet, which may for example optionally include information in one of the headers or alternatively the data being carried by the packet. Preferably, the packet is analyzed from the uppermost header, which is the IP (Internet Protocol) header, to the data being carried, such that each layer of information is retrieved from the packet and compared to one or more rules. 
If at least one rule is violated, then either network security filter 18 drops the packet, or at least indicates the presence of a rules violation. If network security filter 18 determines that a terminal violation has occurred, such that the packet is forbidden to enter network 12 because of the particular violation, the analysis is preferably stopped and the packet is dropped.
Figure 2 is a flowchart of an exemplary method for preparing a user profile, and for then applying the presorted rules to a received packet. In step 1, the characteristic for sorting the rules is selected. Preferably, the characteristic is at least one of the source address of the packet and the destination address of the packet, and is more preferably a combination thereof. In step 2, a plurality of rules are constructed. For example, a rule may be simple, such that no incoming connections to a particular port associated with a particular service are permitted. Optionally, a rule may be complex, involving a variety of factors such as the source address of the packet, the type of application generating the data contained in the packet and so forth. In step 3, optionally, users who are associated with a value for the characteristic are given a particular level of permissions and privileges, which then constitute the user profile. For example, users at a certain level may not have permission to receive HTML (HyperText Mark-up Language) documents, such that they cannot download Web pages.
In step 4, each rule is associated with at least one value for the selected characteristic, and preferably is associated with a plurality of such values. For example, each rule may be associated with at least one source address, or a class of such source addresses which may be defined by grouping the users associated with those addresses into certain levels of permissions, as previously described. If a user profile is available, preferably the restrictions and privileges contained therein are used to associate each rule with one or more values for the selected characteristic. In step 5, optionally and preferably, the rules are presorted according to the associated value or values for the selected characteristic, in order to facilitate later application of the rule to information contained in the packet.
In step 6, a packet is received by the network security filter. In step 7, the information contained in the packet is at least partially analyzed in order to obtain the value for each characteristic which is used to sort the rules. As previously described, this characteristic is preferably at least one of the source address and the destination address. In step 8, the value or values are used to select the rule(s) which are to be applied. In step 9, the rules are applied, such that the packet is either permitted to enter the network or is dropped.
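Steps 1 through 9 above, worked as an added Python example that is not the patent's own code: rules are bound to (source, destination) address values, a permission level expands to the addresses of the users who hold it at presort time, and lookup then consults only the rules keyed on the received packet's addresses. All addresses, levels and rules are constructed sample data, and treating a non-terminal violation as "report but permit" is this example's reading of the filter description rather than something the text fixes.

```python
from dataclasses import dataclass
from typing import Callable, Dict, List, Tuple
ANY = "*"  # wildcard: the rule does not constrain this characteristic value

@dataclass(frozen=True)
class Packet:  # only the fields the sample rules inspect
    src: str
    dst: str
    dst_port: int

@dataclass(frozen=True)
class Rule:
    name: str
    violated: Callable[[Packet], bool]  # True when the packet breaks the rule
    terminal: bool = True               # terminal violation: stop and drop

class PresortedFilter:
    """Step 1: the characteristic is the (source, destination) address pair."""
    def __init__(self, profile_level: Dict[str, str]):
        self.profile_level = profile_level  # step 3: address -> permission level
        self.index: Dict[Tuple[str, str], List[Rule]] = {}  # step 5: presorted rules

    def _members(self, value: str) -> List[str]:
        """A level name expands to the class of addresses whose users hold it."""
        return [a for a, lvl in self.profile_level.items() if lvl == value] or [value]

    def associate(self, rule: Rule, src: str = ANY, dst: str = ANY) -> None:
        """Step 4: bind a rule to address values; classes expand at presort time."""
        for s in self._members(src):
            for d in self._members(dst):
                self.index.setdefault((s, d), []).append(rule)

    def select(self, pkt: Packet) -> List[Rule]:
        """Steps 7-8: read the characteristic, fetch only the rules keyed on it."""
        keys = [(pkt.src, pkt.dst), (pkt.src, ANY), (ANY, pkt.dst), (ANY, ANY)]
        return [r for k in keys for r in self.index.get(k, [])]

    def filter(self, pkt: Packet) -> Tuple[str, List[str]]:
        """Step 9: apply selected rules; returns (verdict, names of violated rules)."""
        violations: List[str] = []
        for rule in self.select(pkt):
            if rule.violated(pkt):
                violations.append(rule.name)
                if rule.terminal:  # forbidden outright: stop analysing and drop
                    return "DROP", violations
        return "PERMIT", violations  # non-terminal hits are reported, not dropped

def build_sample_filter() -> PresortedFilter:
    """Steps 2-5 on constructed sample data (private and RFC 5737 addresses)."""
    f = PresortedFilter({"10.0.0.5": "guest", "192.0.2.10": "guest", "10.0.0.9": "staff"})
    f.associate(Rule("no-inbound-telnet", lambda p: p.dst_port == 23))  # any src/dst
    f.associate(Rule("guest-no-web", lambda p: p.dst_port == 80), src="guest")
    f.associate(Rule("audit-smb", lambda p: p.dst_port == 445, terminal=False), src="staff")
    return f
```

Because the index is keyed on the characteristic, a packet from an address with no profile is checked only against the wildcard rules, while a guest address (including the remote 192.0.2.10) also picks up the rules expanded from its level.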
It will be appreciated that the above descriptions are intended only to serve as examples, and that many other embodiments are possible within the spirit and the scope of the present invention.

Claims

WHAT IS CLAIMED IS:
1. A method for presorting a plurality of rules for filtering a packet in a network, the method comprising the steps of:
(a) selecting a characteristic for sorting the plurality of rules, said characteristic having a plurality of possible values;
(b) associating each rule with at least one value for said characteristic;
(c) receiving the packet;
(d) at least partially analyzing information in the packet to obtain said value for said characteristic;
(e) selecting at least one of the plurality of rules according to said value to form at least one selected rule; and
(f) applying said selected rule to the packet, such that the packet is permitted to enter the network or alternatively is dropped.
2. The method of claim 1, wherein the plurality of rules are presorted according to each value for said characteristic.
3. The method of claim 2, wherein said characteristic is at least one of a source address of the packet and a destination address of the packet.
4. The method of claim 3, wherein said characteristic is a combination of said source address of the packet and said destination address of the packet.
5. The method of claim 3, wherein a user is associated with each value of said characteristic, such that step (b) further comprises the steps of:
(i) assigning at least one privilege to said user; and
(ii) determining whether to associate each rule with said value of said characteristic according to said at least one privilege.
6. The method of claim 5, wherein step (i) further comprises the step of determining a user profile of associated rules according to said at least one privilege.
7. The method of claim 6, wherein said user profile is further associated with a group profile, such that a plurality of values for said characteristic is associated with said associated rules of said group profile.
PCT/IL2000/000591 1999-09-24 2000-09-24 System and method for presorting rules for filtering packets on a network WO2001022642A2 (en)

Priority Applications (2)

Application Number Priority Date Filing Date Title
AU74435/00A AU7443500A (en) 1999-09-24 2000-09-24 System and method for presorting rules for filtering packets on a network
IL14883000A IL148830A0 (en) 1999-09-24 2000-09-24 System and method for presorting rules for filtering packets on a network

Applications Claiming Priority (2)

Application Number Priority Date Filing Date Title
US15556899P 1999-09-24 1999-09-24
US60/155,568 1999-09-24

Publications (2)

Publication Number Publication Date
WO2001022642A2 true WO2001022642A2 (en) 2001-03-29
WO2001022642A3 WO2001022642A3 (en) 2002-05-30

Family

ID=22555950

Family Applications (1)

Application Number Title Priority Date Filing Date
PCT/IL2000/000591 WO2001022642A2 (en) 1999-09-24 2000-09-24 System and method for presorting rules for filtering packets on a network

Country Status (3)

Country Link
AU (1) AU7443500A (en)
IL (1) IL148830A0 (en)
WO (1) WO2001022642A2 (en)


Also Published As

Publication number Publication date
WO2001022642A3 (en) 2002-05-30
AU7443500A (en) 2001-04-24
IL148830A0 (en) 2002-09-12

