WO2001022642A2 - System and method for presorting rules for filtering packets on a network - Google Patents
- Publication number: WO2001022642A2 (PCT application PCT/IL2000/000591)
- Authority: WO (WIPO, PCT)
- Prior art keywords: packet, rules, network, characteristic, presorting
Classifications
- H—ELECTRICITY
  - H04—ELECTRIC COMMUNICATION TECHNIQUE
    - H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
      - H04L63/00—Network architectures or network communication protocols for network security
        - H04L63/10—Network architectures or network communication protocols for network security for controlling access to devices or network resources
          - H04L63/105—Multiple levels of security
        - H04L63/02—Network architectures or network communication protocols for network security for separating internal from external traffic, e.g. firewalls
          - H04L63/0227—Filtering policies
            - H04L63/0263—Rule management
- G—PHYSICS
  - G06—COMPUTING; CALCULATING OR COUNTING
    - G06F—ELECTRIC DIGITAL DATA PROCESSING
      - G06F21/00—Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
Definitions
- the present invention relates to a system and method for presorting rules for filtering packets on a network, and in particular for presorting such rules according to a user profile.
- a "firewall" is a software program or hardware device which attempts to provide security to an entire network, or to a portion thereof, by filtering all communication which passes through an entry point to the entire network or the portion of the network. The filtration of packets is performed according to one or more rules, such that if the packet does not conform to these rules, then the packet is blocked from entry at the entry point.
- An example of such a firewall is disclosed in U.S. Patent No. 5,606,668, incorporated by reference as if fully set forth herein.
- firewalls have a number of disadvantages.
- these firewalls can be extremely slow and non-selective in terms of the application of the rules.
- U.S. Patent No. 5,606,668 neither teaches nor suggests a step of presorting the rules according to a characteristic of the packet. Such presorting could significantly reduce the number of rules which would need to be examined in reference to the packet, and hence would greatly increase the speed of filtering packets.
- a firewall with such presorting is not currently available.
- FIG. 1 is a schematic block diagram of a system according to the present invention
- FIG. 2 is a flowchart of a method according to the present invention.
- the present invention is of a method and a system for presorting rules for filtering a packet in a network security filter according to a characteristic of the packet, preferably at least one of the source address and destination address.
- the advantage of presorting rules before application to the packet is that the number of rules which must be examined should be significantly reduced.
- the source address and/or destination address can be associated with a particular profile, which may be associated with a particular user for example.
- the rules are also more easily managed according to such profiles, since the network manager or system administrator can choose a set of rules for the profile, and then amend the profile as a whole, rather than attempting to apply disparate, unrelated rules for filtering.
- the method and system of the present invention are more efficient both for actual filtering of packets, and for management of the security network filter.
- a method for presorting a plurality of rules for filtering a packet in a network comprising the steps of: (a) selecting a characteristic for sorting the plurality of rules, the characteristic having a plurality of possible values; (b) associating each rule with at least one value for the characteristic; (c) receiving the packet; (d) at least partially analyzing information in the packet to obtain the value for the characteristic; (e) selecting at least one of the plurality of rules according to the value to form at least one selected rule; and (f) applying the selected rule to the packet, such that the packet is permitted to enter the network or alternatively is dropped.
- network refers to a connection between any two electronic devices which permits the transmission of data.
- security network filter also refers to firewalls and any other type of mechanism for filtering packets according to one or more rules.
- wireless device refers to any type of electronic device which permits data transmission through a wireless channel, for example through transmission of radio waves.
- cellular phone is a wireless device designed for the transmission of voice data and/or other data, through a connection to the PSTN (public switched telephone network) system.
- the term "computer" includes, but is not limited to, personal computers (PC) having an operating system such as DOS, WindowsTM, OS/2TM or Linux; MacintoshTM computers; computers having JAVATM-OS as the operating system; and graphical workstations such as the computers of Sun MicrosystemsTM and Silicon GraphicsTM, and other computers having some version of the UNIX operating system such as AIXTM or SOLARISTM of Sun MicrosystemsTM; or any other known and available operating system.
- the term "WindowsTM" includes but is not limited to Windows95TM, Windows 3.xTM in which "x" is an integer such as "1", Windows NTTM, Windows98TM, Windows CETM and any upgraded versions of these operating systems by Microsoft Corp. (USA).
- the method of the present invention could be described as a series of steps performed by a data processor, and as such could optionally be implemented as software, hardware or firmware, or a combination thereof.
- a software application could be written in substantially any suitable programming language, which could easily be selected by one of ordinary skill in the art.
- the programming language chosen should be compatible with the computer hardware and operating system according to which the software application is executed. Examples of suitable programming languages include, but are not limited to, C, C++ and Java.
- the present invention is of a method and a system for presorting rules for filtering a packet in a network security filter according to a characteristic of the packet.
- the characteristic is preferably at least one of the source address and destination address.
- the advantage of presorting rules before application to the packet is that the number of rules which must be examined should be significantly reduced. Furthermore, those rules which are selected after the presorting procedure for application to the packet are therefore more relevant to that particular packet, such that the analysis of the packet is more efficient.
- the source address and/or destination address can be associated with a particular profile, which may be associated with a particular user for example.
- the rules are also more easily managed according to such profiles, since the network manager or system administrator can choose a set of rules for the profile, and then amend the profile as a whole, rather than attempting to apply disparate, unrelated rules for filtering. For example, different levels of user permissions may be determined according to company policy, such that a basic profile for each level of permission would be provided. The system administrator or network manager would therefore select the profile, which would already contain all of the necessary general rules. Optionally, if necessary, one or more changes to the rules could be made in order to fully optimize the rules for the particular source and/or destination address for that user. Thus, the method and system of the present invention are more efficient both for actual filtering of packets, and for management of the security network filter.
- FIG. 1 is a schematic block diagram of an exemplary system 10 according to the present invention for filtering packets according to a plurality of presorted rules.
- System 10 features a network 12 with an entry point 14, which is preferably a computer connected to network 12. Preferably, all network traffic must pass through entry point 14 for transmission on network 12, although a plurality of such entry points 14 may optionally be present on network 12 (not shown).
- Network 12 also features a plurality of endpoint computers 16 for transmitting and receiving packets. Each such endpoint computer 16 features an address, such that each packet has a source address, which may be from an endpoint computer 16 within network 12 or from a network entity outside network 12, and a destination address, which is within network 12.
- the destination address would be for an endpoint computer 16. It is understood that the structure of network 12 has been simplified for the sake of clarity, and is not meant to be limiting in any way. Furthermore, techniques for constructing various configurations of networks are well known to those of ordinary skill in the art. The present invention is operative with any possible network configuration.
- a network security filter 18 is installed at entry point 14. As described previously, network security filter 18 may be implemented as software, hardware, firmware or a combination thereof. Network security filter 18 must have access to packets being transmitted through entry point 14. Network security filter 18 then first retrieves at least one characteristic of the packet, which is preferably at least one of a source address and a destination address of the packet, and uses this characteristic to presort a plurality of filtering rules which are stored in a rules database 20. Only those rules which are indicated as being relevant for that value of the characteristic, such as a particular source address or destination address, or combination thereof, are then applied to the packet by network security filter 18.
- the process of applying the rules involves further analysis of the packet to obtain the necessary information, and then comparing the information in the packet to the rule, such that if the rule is not fulfilled, the packet is rejected or dropped.
- the dropped packet cannot then enter network 12 through entry point 14.
- an alarm or other indication is given, and/or an entry is made in a log file, if one or more rules are violated by the packet.
- the rules contained in rules database 20 are presorted according to a plurality of possible values for the characteristic which is examined, more preferably with a default value. Therefore, when the characteristic of the packet is analyzed and the value is retrieved, network security filter 18 is able to quickly retrieve only those rules from rules database 20.
- the rules may not be presorted, but may instead be sorted separately for each incoming packet by network security filter 18.
- the characteristic which is preferably retrieved from the packet in order to sort the rules is at least one of the source address and the destination address of the packet.
- the source address and/or the destination address may be associated with a particular user, such that the permissions and restrictions placed upon the behavior of the user within network 12 are reflected in terms of the rules applied to packets associated with that user.
- Using the source address and/or the destination address as the characteristic for sorting the rules has the advantage that users who are located at computers outside of network 12 (not shown) may be accorded certain privileges for entry through entry point 14. Thus, a user who is working at home, while traveling, or at a remote office, for example, may be granted certain privileges in terms of the permitted behavior of the packet.
- a packet enters entry point 14 and passes through layers 1 and 2 of the ISO (International Standardization Organization) model of communication protocol layers for a network.
- the packet is then diverted to network security filter 18.
- Network security filter 18 then analyzes information contained within the packet, which may for example optionally include information in one of the headers or alternatively the data being carried by the packet.
- the packet is analyzed from the uppermost header, which is the IP (Internet Protocol) header, to the data being carried, such that each layer of information is retrieved from the packet and compared to one or more rules. If at least one rule is violated, then either network security filter 18 drops the packet, or at least indicates the presence of a rules violation. If network security filter 18 determines that a terminal violation has occurred, such that the packet is forbidden to enter network 12 because of the particular violation, the analysis is preferably stopped and the packet is dropped.
- Figure 2 is a flowchart of an exemplary method for preparing a user profile, and for then applying the presorted rules to a received packet.
- the characteristic for sorting the rules is selected.
- the characteristic is at least one of the source address of the packet and the destination address of the packet, and is more preferably a combination thereof.
- a plurality of rules are constructed.
- a rule may be simple, such that no incoming connections to a particular port associated with a particular service are permitted.
- a rule may be complex, involving a variety of factors such as the source address of the packet, the type of application generating the data contained in the packet and so forth.
- In step 3, optionally, users who are associated with a value for the characteristic are given a particular level of permissions and privileges, which then constitute the user profile. For example, users at a certain level may not have permission to receive HTML (HyperText Mark-up Language) documents, such that they cannot download Web pages.
- each rule is associated with at least one value for the selected characteristic, and preferably is associated with a plurality of such values.
- each rule may be associated with at least one source address, or a class of such source addresses which may be defined by grouping the users associated with those addresses into certain levels of permissions, as previously described. If a user profile is available, preferably the restrictions and privileges contained therein are used to associate each rule with one or more values for the selected characteristic.
- the rules are presorted according to the associated value or values for the selected characteristic, in order to facilitate later application of the rule to information contained in the packet.
- In step 6, a packet is received by the network security filter.
- In step 7, the information contained in the packet is at least partially analyzed in order to obtain the value for each characteristic which is used to sort the rules. As previously described, this characteristic is preferably at least one of the source address and destination address.
- In step 8, the value or values are used to select the rule(s) which are to be applied.
- In step 9, the rules are applied, such that the packet is either permitted to enter the network or is dropped.
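The following is an added example, not code from the patent, showing steps (a) through (f) of the claimed method end to end: rules are associated with source networks (a user profile standing in for a class of source addresses) plus a default bucket, the filter decodes only the IP header and transport ports of the received packet, and only the rules bucketed under the packet's source address are applied. The rule names, networks and packets are all constructed for the demonstration, and a violation of a non-terminal rule is logged rather than dropped, as described above for alarms and log entries.

```python
"""Presorting firewall rules by source address (example code, not the patent's own)."""
import ipaddress
import struct
from collections import defaultdict

TCP, UDP = 6, 17  # IP protocol numbers


class Rule:
    """A filtering rule. A violation of a terminal rule drops the packet outright;
    a non-terminal rule only produces a log entry (alarm) and analysis continues."""

    def __init__(self, name, proto=None, dst_port=None, terminal=True):
        self.name, self.proto, self.dst_port, self.terminal = name, proto, dst_port, terminal

    def violated_by(self, proto, dst_port):
        # The rule forbids the (proto, dst_port) combination it names; None means "any".
        return (self.proto is None or self.proto == proto) and \
               (self.dst_port is None or self.dst_port == dst_port)


class PresortedRuleDB:
    """Rules database presorted on one characteristic: the packet's source address.
    Each rule is associated with one or more values (source networks) and stored in
    a bucket per value; the default bucket applies to every packet."""

    def __init__(self):
        self.buckets = defaultdict(list)  # ip_network -> [Rule]
        self.default = []

    def associate(self, rule, networks):
        for net in networks:
            self.buckets[ipaddress.ip_network(net)].append(rule)

    def select(self, src_addr):
        """Return only the rules whose value covers src_addr, plus the defaults."""
        addr = ipaddress.ip_address(src_addr)
        chosen = [r for net, rules in self.buckets.items() if addr in net for r in rules]
        return chosen + self.default


def build_packet(src, dst, proto, dport):
    """Constructed test input: a minimal 20-byte IPv4 header followed by transport ports."""
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 24, 0, 0, 64, proto, 0,
                      ipaddress.ip_address(src).packed, ipaddress.ip_address(dst).packed)
    return hdr + struct.pack("!HH", 40000, dport)


def parse_packet(raw):
    """Partial analysis only: decode the IP header fields and transport ports needed
    to obtain the characteristic (source address) and to evaluate the rules."""
    ihl = (raw[0] & 0x0F) * 4
    proto = raw[9]
    src = str(ipaddress.ip_address(raw[12:16]))
    dst = str(ipaddress.ip_address(raw[16:20]))
    _sport, dport = struct.unpack("!HH", raw[ihl:ihl + 4])
    return src, dst, proto, dport


def filter_packet(db, raw, log):
    """Select the presorted rules for the packet's source address and apply them.
    Returns (verdict, number_of_rules_examined) so the reduction is visible."""
    src, dst, proto, dport = parse_packet(raw)
    rules = db.select(src)
    for rule in rules:
        if rule.violated_by(proto, dport):
            log.append(f"{src}->{dst}:{dport} violates {rule.name}")
            if rule.terminal:
                return "drop", len(rules)
    return "permit", len(rules)


def build_demo_db():
    """Constructed profiles: an office LAN, and two remote-worker address ranges."""
    db = PresortedRuleDB()
    db.associate(Rule("no-telnet", TCP, 23), ["192.0.2.0/24"])
    db.associate(Rule("no-smb", TCP, 445), ["198.51.100.0/24", "203.0.113.0/24"])
    db.associate(Rule("no-tftp", UDP, 69), ["203.0.113.0/24"])
    db.default.append(Rule("log-rpc", TCP, 111, terminal=False))  # alarm only
    return db


if __name__ == "__main__":
    db, log = build_demo_db(), []
    pkt = build_packet("203.0.113.7", "192.0.2.10", TCP, 445)
    print(filter_packet(db, pkt, log), log)  # ('drop', 3) with one log entry
```

A packet from an unprofiled source address is checked against the single default rule only, while the full database holds four rules; the examined count returned by `filter_packet` shows that reduction.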
Priority Applications (2)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
AU74435/00A AU7443500A (en) | 1999-09-24 | 2000-09-24 | System and method for presorting rules for filtering packets on a network |
IL14883000A IL148830A0 (en) | 1999-09-24 | 2000-09-24 | System and method for presorting rules for filtering packets on a network |
Applications Claiming Priority (2)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
US15556899P | 1999-09-24 | 1999-09-24 | |
US60/155,568 | 1999-09-24 | | |
Publications (2)
Publication Number | Publication Date |
---|---|
WO2001022642A2 true WO2001022642A2 (en) | 2001-03-29 |
WO2001022642A3 WO2001022642A3 (en) | 2002-05-30 |
Family ID: 22555950
Family Applications (1)
Application Number | Title | Priority Date | Filing Date |
---|---|---|---|
PCT/IL2000/000591 WO2001022642A2 (en) | 1999-09-24 | 2000-09-24 | System and method for presorting rules for filtering packets on a network |
Country Status (3)
Country | Link |
---|---|
AU (1) | AU7443500A (en) |
IL (1) | IL148830A0 (en) |
WO (1) | WO2001022642A2 (en) |
Cited By (7)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
GB2425912A (en) * | 2005-05-04 | 2006-11-08 | Psytechnics Ltd | Packet filtering |
WO2007081727A3 (en) * | 2006-01-04 | 2007-12-06 | Starent Networks Corp | Selecting application session services to process packet data streams based on profile information |
US8014750B2 (en) | 2006-12-07 | 2011-09-06 | Starent Networks Llc | Reducing call setup delays from non-call related signaling |
US8755342B2 (en) | 2011-10-05 | 2014-06-17 | Cisco Technology, Inc. | System and method for dynamic bearer selection for immersive video collaboration in mobile wireless networks |
US8903955B2 (en) | 2011-12-02 | 2014-12-02 | Cisco Technology, Inc. | Systems and methods for intelligent video delivery and cache management |
US9241190B2 (en) | 2010-08-24 | 2016-01-19 | Cisco Technology, Inc. | Generating a response to video content request including dynamically processed video content |
US9521439B1 (en) | 2011-10-04 | 2016-12-13 | Cisco Technology, Inc. | Systems and methods for correlating multiple TCP sessions for a video transfer |
Citations (7)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
WO1998026555A1 (en) * | 1996-12-09 | 1998-06-18 | Sun Microsystems, Inc. | Method and apparatus for dynamic packet filter assignment |
WO1998026552A1 (en) * | 1996-12-09 | 1998-06-18 | Sun Microsystems, Inc. | Method and apparatus for access control in a distributed multiserver network environment |
US5844620A (en) * | 1995-08-11 | 1998-12-01 | General Instrument Corporation | Method and apparatus for displaying an interactive television program guide |
US6070242A (en) * | 1996-12-09 | 2000-05-30 | Sun Microsystems, Inc. | Method to activate unregistered systems in a distributed multiserver network environment |
US6092110A (en) * | 1997-10-23 | 2000-07-18 | At&T Wireless Svcs. Inc. | Apparatus for filtering packets using a dedicated processor |
US6158008A (en) * | 1997-10-23 | 2000-12-05 | At&T Wireless Svcs. Inc. | Method and apparatus for updating address lists for a packet filter processor |
US6160545A (en) * | 1997-10-24 | 2000-12-12 | General Instrument Corporation | Multi-regional interactive program guide for television |
Application Events, 2000
- 2000-09-24 AU AU74435/00A patent/AU7443500A/en not_active Abandoned
- 2000-09-24 IL IL14883000A patent/IL148830A0/en unknown
- 2000-09-24 WO PCT/IL2000/000591 patent/WO2001022642A2/en active Application Filing
Patent Citations (9)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
US5844620A (en) * | 1995-08-11 | 1998-12-01 | General Instrument Corporation | Method and apparatus for displaying an interactive television program guide |
WO1998026555A1 (en) * | 1996-12-09 | 1998-06-18 | Sun Microsystems, Inc. | Method and apparatus for dynamic packet filter assignment |
WO1998026552A1 (en) * | 1996-12-09 | 1998-06-18 | Sun Microsystems, Inc. | Method and apparatus for access control in a distributed multiserver network environment |
US5835727A (en) * | 1996-12-09 | 1998-11-10 | Sun Microsystems, Inc. | Method and apparatus for controlling access to services within a computer network |
US5848233A (en) * | 1996-12-09 | 1998-12-08 | Sun Microsystems, Inc. | Method and apparatus for dynamic packet filter assignment |
US6070242A (en) * | 1996-12-09 | 2000-05-30 | Sun Microsystems, Inc. | Method to activate unregistered systems in a distributed multiserver network environment |
US6092110A (en) * | 1997-10-23 | 2000-07-18 | At&T Wireless Svcs. Inc. | Apparatus for filtering packets using a dedicated processor |
US6158008A (en) * | 1997-10-23 | 2000-12-05 | At&T Wireless Svcs. Inc. | Method and apparatus for updating address lists for a packet filter processor |
US6160545A (en) * | 1997-10-24 | 2000-12-12 | General Instrument Corporation | Multi-regional interactive program guide for television |
Cited By (16)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
GB2425912A (en) * | 2005-05-04 | 2006-11-08 | Psytechnics Ltd | Packet filtering |
WO2007081727A3 (en) * | 2006-01-04 | 2007-12-06 | Starent Networks Corp | Selecting application session services to process packet data streams based on profile information |
US7813759B2 (en) | 2006-01-04 | 2010-10-12 | Starent Networks Llc | Method and system for inlining services within a network access device |
US8483685B2 (en) | 2006-12-07 | 2013-07-09 | Cisco Technology, Inc. | Providing location based services for mobile devices |
US8018955B2 (en) | 2006-12-07 | 2011-09-13 | Starent Networks Llc | Providing dynamic changes to packet flows |
US8213913B2 (en) | 2006-12-07 | 2012-07-03 | Cisco Technology, Inc. | Providing location based services for mobile devices |
US8250634B2 (en) | 2006-12-07 | 2012-08-21 | Cisco Technology, Inc. | Systems, methods, media, and means for user level authentication |
US8300629B2 (en) | 2006-12-07 | 2012-10-30 | Cisco Technology, Inc. | Device and method for providing interaction management for communication networks |
US8014750B2 (en) | 2006-12-07 | 2011-09-06 | Starent Networks Llc | Reducing call setup delays from non-call related signaling |
US8724463B2 (en) | 2006-12-07 | 2014-05-13 | Cisco Technology, Inc. | Scalability of providing packet flow management |
US8929360B2 (en) | 2006-12-07 | 2015-01-06 | Cisco Technology, Inc. | Systems, methods, media, and means for hiding network topology |
US10103991B2 (en) | 2006-12-07 | 2018-10-16 | Cisco Technology, Inc. | Scalability of providing packet flow management |
US9241190B2 (en) | 2010-08-24 | 2016-01-19 | Cisco Technology, Inc. | Generating a response to video content request including dynamically processed video content |
US9521439B1 (en) | 2011-10-04 | 2016-12-13 | Cisco Technology, Inc. | Systems and methods for correlating multiple TCP sessions for a video transfer |
US8755342B2 (en) | 2011-10-05 | 2014-06-17 | Cisco Technology, Inc. | System and method for dynamic bearer selection for immersive video collaboration in mobile wireless networks |
US8903955B2 (en) | 2011-12-02 | 2014-12-02 | Cisco Technology, Inc. | Systems and methods for intelligent video delivery and cache management |
Also Published As
Publication number | Publication date |
---|---|
WO2001022642A3 (en) | 2002-05-30 |
AU7443500A (en) | 2001-04-24 |
IL148830A0 (en) | 2002-09-12 |
Similar Documents
Publication | Publication Date | Title |
---|---|---|
US7954155B2 (en) | Identifying unwanted electronic messages | |
US6292900B1 (en) | Multilevel security attribute passing methods, apparatuses, and computer program products in a stream | |
US7592906B1 (en) | Network policy evaluation | |
US7404205B2 (en) | System for controlling client-server connection requests | |
US8112536B2 (en) | System and method for dynamic security provisioning of computing resources | |
US7305703B2 (en) | Method and system for enforcing a communication security policy | |
US8135687B2 (en) | Rule validator of an attribute rule enforcer for a directory | |
US8306994B2 (en) | Network attached device with dedicated firewall security | |
US5845068A (en) | Multilevel security port methods, apparatuses, and computer program products | |
US8544099B2 (en) | Method and device for questioning a plurality of computerized devices | |
US8266670B1 (en) | System and method for dynamic security provisioning of data resources | |
US8261340B2 (en) | Using statistical analysis to generate exception rules that allow legitimate messages to pass through application proxies and gateways | |
US20060164199A1 (en) | Network appliance for securely quarantining a node on a network | |
US8336092B2 (en) | Communication control device and communication control system | |
KR20070103774A (en) | Communication control device and communication control system | |
US10380374B2 (en) | System and method for preventing identity theft or misuse by restricting access | |
US20070300306A1 (en) | Method and system for providing granular data access control for server-client applications | |
KR20070103502A (en) | Communication control device | |
US20090119745A1 (en) | System and method for preventing private information from leaking out through access context analysis in personal mobile terminal | |
US20080244711A1 (en) | System and Method for Specifying Access to Resources in a Mobile Code System | |
US7248563B2 (en) | Method, system, and computer program product for restricting access to a network using a network communications device | |
WO2001022642A2 (en) | System and method for presorting rules for filtering packets on a network | |
CA2596948A1 (en) | Communication control device and communication control system | |
CN116886449B (en) | Method for intelligently identifying and intercepting domain name | |
CN117499071A (en) | Data processing method, device, equipment and storage medium |
Legal Events
Date | Code | Title | Description |
---|---|---|---|
 | AK | Designated states | Kind code of ref document: A2. Designated state(s): AE AG AL AM AT AU AZ BA BB BG BR BY BZ CA CH CN CR CU CZ DE DE DK DM DZ EE ES FI GB GD GE GH GM HR HU ID IL IN IS JP KE KG KP KR KZ LC LK LR LS LT LU LV MA MD MG MK MN MW MX MZ NO NZ PL PT RO RU SD SE SG SI SK SL TJ TM TR TT TZ UA UG US UZ VN YU ZA ZW |
 | AL | Designated countries for regional patents | Kind code of ref document: A2. Designated state(s): GH GM KE LS MW MZ SD SL SZ TZ UG ZW AM AZ BY KG KZ MD RU TJ TM AT BE CH CY DE DK ES FI FR GB GR IE IT LU MC NL PT SE BF BJ CF CG CI CM GA GN GW ML MR NE SN TD TG |
 | 121 | Ep: the epo has been informed by wipo that ep was designated in this application | |
 | DFPE | Request for preliminary examination filed prior to expiration of 19th month from priority date (pct application filed before 20040101) | |
 | WWE | Wipo information: entry into national phase | Ref document number: 148830. Country of ref document: IL |
 | AK | Designated states | Kind code of ref document: A3. Designated state(s): AE AG AL AM AT AU AZ BA BB BG BR BY BZ CA CH CN CR CU CZ DE DE DK DM DZ EE ES FI GB GD GE GH GM HR HU ID IL IN IS JP KE KG KP KR KZ LC LK LR LS LT LU LV MA MD MG MK MN MW MX MZ NO NZ PL PT RO RU SD SE SG SI SK SL TJ TM TR TT TZ UA UG US UZ VN YU ZA ZW |
 | AL | Designated countries for regional patents | Kind code of ref document: A3. Designated state(s): GH GM KE LS MW MZ SD SL SZ TZ UG ZW AM AZ BY KG KZ MD RU TJ TM AT BE CH CY DE DK ES FI FR GB GR IE IT LU MC NL PT SE BF BJ CF CG CI CM GA GN GW ML MR NE SN TD TG |
 | REG | Reference to national code | Ref country code: DE. Ref legal event code: 8642 |
 | 122 | Ep: pct application non-entry in european phase | |
 | NENP | Non-entry into the national phase | Ref country code: JP |