WO2001065343A1 - System, device and method for rapid packet filtering and processing - Google Patents
System, device and method for rapid packet filtering and processing Download PDFInfo
- Publication number
- WO2001065343A1 WO2001065343A1 PCT/US2001/005925 US0105925W WO0165343A1 WO 2001065343 A1 WO2001065343 A1 WO 2001065343A1 US 0105925 W US0105925 W US 0105925W WO 0165343 A1 WO0165343 A1 WO 0165343A1
- Authority
- WO
- WIPO (PCT)
- Prior art keywords
- packet
- firewall
- permitted
- connection
- filtering module
- Prior art date
Links
Classifications
-
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L12/00—Data switching networks
- H04L12/02—Details
- H04L12/22—Arrangements for preventing the taking of data from a data transmission channel without authorisation
-
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L63/00—Network architectures or network communication protocols for network security
- H04L63/02—Network architectures or network communication protocols for network security for separating internal from external traffic, e.g. firewalls
- H04L63/0227—Filtering policies
- H04L63/0254—Stateful filtering
-
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L63/00—Network architectures or network communication protocols for network security
- H04L63/14—Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic
- H04L63/1441—Countermeasures against malicious traffic
- H04L63/1466—Active attacks involving interception, injection, modification, spoofing of data unit addresses, e.g. hijacking, packet injection or TCP sequence number attacks
Definitions
- the present invention is of a system, a device and method for rapid packet filtering on a packet-switched network, and in particular, to such a system, a device and method in which the efficiency of packet filtration is increased by session-based filtering.
- Connectivity and security are two conflicting objectives in the computing environment of most organizations.
- the typical modern computing system is built around network communications, supplying transparent access to a multitude of services.
- the global availability of these services is perhaps the single most important feature of modern computing solutions.
- Demand for connectivity comes both from within organizations and from outside them.
- Protecting network services from unauthorized usage is of paramount importance to any organization.
- Packet filtering is a method which allows connectivity yet provides security by controlling the traffic being passed, thus preventing illegal communication attempts, both within single networks and between connected networks.
- the flow of packets is controlled through packet filtering, performed according to a user-generated rule base which is then converted into a set of filter language instructions.
- Each rule in the rule base includes a source, destination, service, whether to accept or reject the packet and whether to log, encrypt and/or authenticate the event.
- the set of filter language instructions are installed and execute on inspection engines which are placed on computers acting as firewalls. The inspection engines perform stateful inspection in order to determine whether a packet should be permitted to enter through the firewall.
- the firewalls are positioned in the computer network such that all traffic to and from the network to be protected is forced to pass through the firewall. Thus, packets are filtered as they flow into and out of the network in accordance with the rules comprising the rule base.
- the inspection engine acts as a virtual packet filtering machine which determines on a packet by packet basis whether to reject or accept a packet. If a packet is rejected, it is dropped. If it is accepted, the packet may then be modified. Modification may include encryption, decryption, signature generation, signature verification or address translation. All modifications are performed in accordance with the contents of the rule base.
- the present invention is of a system, a device, and a method for accelerating packet filtration on a packet-switched network, preferably an IP network, by supplementing a firewall with a pre-filtering module.
- the pre-filtering module performs a limited set of actions with regard to the packets, according to whether the packets are received from a connection which has been previously permitted by the firewall. If the packets are received from such a permitted connection, then the pre-filtering module forwards the packets to their destination, optionally performing one or more actions on the packets. Otherwise, the packets are forwarded to the firewall for handling.
- the firewall does not receive further packets from this connection until a timeout occurs for the connection, or a packet is received with a particular session-control field value which indicates that the session is finished, such that the connection is closed.
- such a session-control field value is a FIN/RST flag which is set for the packet.
- the firewall can optionally be supplemented by hardware acceleration.
- hardware acceleration has the advantage of being much more rapid than software-based packet processing, and can therefore significantly increase the efficiency of the firewall system.
- hardware acceleration of the modification process can maintain the ability to rapidly and efficiently modify packets, since the modification process requires less "intelligence" for modifying the packets but faster processing, while the opposite characteristics are true for the process of packet analysis.
- the pre-filtering module is implemented as hardware.
- a system for accelerated packet filtering comprising: (a) a source node for transmitting a packet; (b) a destination node for receiving the packet; (c) a firewall interposed between the source node and the destination node for performing packet filtering according to at least one rule; and (d) a pre-filtering module being in communication with the firewall, for receiving at least one instruction from the firewall and for receiving the packet before the firewall, such that if the packet is permitted according to the at least one instruction, the pre-filtering module handles the packet, and alternatively the pre-filtering module forwards the packet to the firewall for handling.
- a system for accelerated filtering of a packet on a network comprising: (a) a firewall located on the network for performing packet filtering on the packet according to at least one rule; and (b) a pre-filtering module located on the network and in communication with the firewall, for receiving at least one instruction from the firewall, the at least one instruction determining a simple comparison, and for receiving a packet transmitted on the network before the firewall, such that if the packet is permitted according to the simple comparison, the pre-filtering module at least transmits the packet on the network.
- the system featuring a network for transmitting a packet and a firewall on the network for filtering the packet, a device for receiving the packet before the firewall, the device comprising: (a) a memory for storing at least one instruction for analyzing at least one parameter of the packet from the firewall, the at least one instruction including the at least one parameter for identifying the packet; and (b) a classification engine for analyzing at least a portion of the packet and for comparing the at least a portion of the packet to the at least one parameter according to the at least one instruction.
- a method for accelerated packet filtering on a network in conjunction with a firewall comprising the steps of: (a) providing a pre-filtering module for receiving a packet before the firewall; (b) receiving the packet by the pre-filtering module; (c) determining whether the packet is permitted; and (d) if the packet is permitted, handling the packet by the pre-filtering module.
- network includes a connection between any two or more computational devices which permits the transmission of data.
- computational device includes, but is not limited to, personal computers (PC) having an operating system such as WindowsTM, or Linux; MacintoshTM computers; computers having JAVATM-OS as the operating system; workstations such as the computers of Sun MicrosystemsTM and Silicon GraphicsTM, and other computers having some version of the UNIX operating system such as AIXTM or SOLARISTM of Sun MicrosystemsTM; any other known and available operating system; any type of computer; any device which can be connected to a packet switched network and which has an operating system, including but not limited to VxWorksTM and PSOSTM; or any device which can be so connected to a packet switched network, which is capable of transmitting and receiving packets, and which has at least a data processor, such as a network processor for example, including but not limited to, a bridge, a switch or a router.
- WindowsTM includes but is not limited to Windows NTTM, Windows98TM, Windows2000TM, Windows CETM and any upgraded versions of these
- the method of the present invention could be described as a series of steps performed by a data processor, and as such could optionally be implemented as software, hardware or firmware, or a combination thereof.
- a software application could be written in substantially any suitable programming language, which could easily be selected by one of ordinary skill in the art.
- the programming language chosen should be compatible with the computational device according to which the software application is executed. Examples of suitable programming languages include, but are not limited to, C, C++ and Java.
- FIG. 1 is a schematic block diagram of a system according to the present invention
- FIG. 2 is a schematic block diagram of an exemplary but preferred embodiment of the pre-filtering module of Figure 1 according to the present invention.
- FIG. 3 is a flowchart of an exemplary method according to the present invention.
- the present invention is of a system, a device and a method for accelerating packet filtration by supplementing a firewall with a pre-filtering module.
- the pre-filtering module performs a simple comparison with regard to the packets, for example according to whether the packets are received from a connection which has been previously permitted by the firewall. If the packets are received from such a permitted connection, then the pre-filtering module forwards the packets to their destination, optionally performing one or more actions on the packets. Otherwise, the packets are forwarded to the firewall for handling. In addition, preferably packets are forwarded to the firewall for handling if these packets have particular session-control field values which require intervention by the firewall.
- such session-control field values include a set SYN/FIN/RST flag for the packet.
- Such session-control field values are indicative of packets which carry information about the connection state, and are therefore important for the firewall to receive and analyze, in order to determine the state of the connection.
- fragment packets are also forwarded to the firewall if the pre-filtering module is not able to perform certain functions, such as virtual defragmentation for the preferred embodiment of the present invention with IP networks, and in particular with IP traffic.
- the firewall preferably sends a message to the pre-filtering module with the details of the new permitted packets.
- the firewall does not receive further packets from this connection until a timeout occurs for the connection, or a packet is received with particular session-control field values indicating that the session is finished, for example by having the FIN/RST flag set for the preferred implementation with IP networks, such that the connection is closed.
- a "timeout" occurs if a packet has not been received by the firewall for a predefined period of time.
- the pre-filtering module is preferably implemented as hardware, in order to take advantage of hardware acceleration. Such hardware acceleration has the advantage of being much more rapid than software-based packet processing. Therefore, the pre-filtering module is preferably implemented as a hardware-based device, although the pre-filtering module could alternatively be implemented as software or firmware. Optionally, the pre-filtering module and the firewall could be implemented as a combined device, which could be a "black box" added to, or alternatively as a replacement for, the gateway node of a network, for ease of installation and operation.
- FIG. 1 is a schematic block diagram of a system according to the present invention.
- a system 10 features a protected network 12, which is a packet-switched network, such that data is transmitted in the form of packets.
- Protected network 12 is separated from an external packet-switched network 14 by a gateway 16, which could optionally be any type of computational device, also termed herein an "intermediate node".
- External network 14 could optionally be the Internet, for example.
- Gateway 16 is connected to each of external network 14 and protected network 12 through a hardware connector, shown herein as a NIC 17.
- Gateway 16 operates a firewall 18 for performing packet analysis and packet filtering. Packets which are permitted to pass through gateway 16 from external network 14 are then received by one of a plurality of protected nodes 20, which are connected to protected network 12. Such network traffic is typically bi-directional, such that packets are received by gateway 16 from protected network 12 for transmission to external network 14 and vice versa.
- Firewall 18 is preferably implemented as previously described in U.S. Patent Nos. 5,835,726 and 5,606,668. Firewall 18 features a packet filter 22 for performing packet filtration. Packet filter 22 in turn is preferably composed of an analysis module 24 for analyzing packets and a rule base 26. Rule base 26 preferably contains one or more rules which are defined according to the preferences of the system administrator or other controlling user. Analysis module 24 extracts and compares the contents of the analyzed packets to the rules in rule base 26. If the result of the comparison is such that the packet is permitted according to rule base 26, then packet filter 22 permits the packet to enter protected network 12.
- the packet is optionally dropped.
- the packet may also optionally be determined to be not permitted if rule base 26 does not specifically allow the packet to be passed.
- packet filter 22 features a modification module 28 for modifying the packet, if the packet is accepted.
- firewall 18 includes an ability to perform accounting for the packets, in order to determine the amount of data being transferred on all packets which belong to a specific connection; the ability to modify address(es) within the packet; and the ability to encrypt the packets.
- Packet encryption in particular has been previously described in U.S. Patent No. 5,835,726. Briefly, packets can optionally be encrypted for transmission between two firewalls 18, such that the packets are encrypted for passing through external network 14. Encryption is also optionally used for communication between firewall 18 and a node from external network 14, for example. The encrypted packets are then decrypted by the receiving firewall 18, and passed to protected network 12.
- the processes of encryption and transmission are automated, and can be performed in a manner which is transparent to the communicating software.
- gateway 16 also features a pre-filtering module 30 which receives the packets before firewall 18, but which is preferably directly connected to protected network 12.
- Pre-filtering module 30 also preferably receives instructions from firewall 18, concerning packets which are permitted to enter protected network 12. These instructions are more preferably determined by firewall 18 from an analysis of one or more previously received and related packets, such that if a previously received and related packet has been permitted to enter protected network 12, then the current packet should also be permitted to enter protected network 12. Thus, if pre-filtering module 30 determines that the current packet is permitted to enter, then preferably pre-filtering module 30 passes the packet directly through to protected network 12.
- pre-filtering module 30 can only perform restricted analysis of each packet. Specifically, more preferably only a portion of each packet is analyzed by pre-filtering module 30. Most preferably, pre-filtering module 30 analyzes each packet only with regard to a simple comparison.
- simple comparison it is meant that the information is extracted in the form of one or more predefined parameters which are compared to a predefined pattern of such parameters.
- the packet is only analyzed until pre-filtering module 30 is able to determine whether the packet has been received from a permitted data transmission.
- a permitted transmission may be termed a connection, between a source node which initiates the connection, for example from external network 14, to a destination node which accepts the connection, for example a protected node 20. It is understood that once the connection has been established, communication between the source node and destination may optionally be bi-directional.
- a "connection" is defined according to at least one, and preferably a plurality of, parameters which describe the data transmission to which the packet belongs. Examples of these parameters include but are not limited to, the source address and port of the packet; the destination address and port of the packet; the protocol of the packet and the interface from which the packet was received.
- the connection is used to classify the packet, and to determine whether the packet is permitted to enter to, or to leave from, protected network 12.
- Firewall 18 defines each connection from an analysis of one or more previously received and examined packets. Firewall 18 inspects the contents of such packet or packets, and based upon the output of analysis module 24 with rulebase 26, determines whether packets from the corresponding connection should be permitted to enter and/or leave protected network 12. In addition, from the rules which are stored in rule base 26, analysis module 24 is able to determine one or more actions which should be associated with each connection. Examples of such actions include, but are not limited to, performing an accounting action in order to count the amount of data in the packet, encrypting/decrypting the packet, performing network address translation (NAT) by rewriting the address fields, and so forth.
- a preferred example for modifying the packet is to mark the packet, by assigning a priority number to the packet by pre-filtering module 30, according to the instructions of firewall 18. This priority number determines the order of transmission of the packet, and hence its "priority".
- Firewall 18 then passes the relevant instructions concerning at least whether the packet is permitted to enter protected network 12, and more preferably, the actions which should be taken with subsequent packets from this connection, to pre-filtering module 30.
- pre-filtering module 30 performs an anti-spoofing method. Since pre-filtering module 30 may optionally be connected to a plurality of networks, packets can come from any one of these networks.
- the anti-spoofing method determines whether an IP packet, indicated as originating from a certain network, has indeed arrived from that network. As pre-filtering module 30 knows which network is connected to which interface, pre-filtering module 30 can determine whether a packet received from a particular interface is permitted.
- pre-filtering module 30 The easiest way to implement the anti-spoofing method in an accelerator, such as pre-filtering module 30, is to include information regarding the network interface as part of the connection information which is available to pre-filtering module 30. Thus, if a packet comes from an allowed source node, is to be sent to an allowed destination, and has arrived through the expected interface, the packet can be processed by pre-filtering module 30. Alternatively and optionally, even if only the interface is not correct, pre-filtering module 30 may determine that the packet represents a violation which should be further inspected by firewall 18 for validity. There are other ways to implement an anti-spoofing method, without including information concerning the interface as part of the stored instructions for pre-filtering module 30, which are also considered to be within the scope of the present invention.
- pre-filtering module 30 is embodied in hardware, or at the very least firmware, rather than purely as software.
- the advantage of hardware is that is is much faster than software for performing the required actions.
- the schematic block diagram of Figure 2 is a logic-based, rather than structural, illustration of the components of pre-filtering module 30.
- the physical connections between components are not specified, and may be for example, a PCI bus on which all of the components are located.
- the components may be connected with substantially any type of internal and/or external bus, for example.
- pre-filtering module 30 may be described as a "device", preferably featuring a memory 36.
- Pre-filtering module 30 features a connection database 32 for storing the relevant instructions from firewall 18, which is stored in memory 36.
- Connection database 32 stores at least the parameter or parameters of the packet which are required to define the connection, but also preferably stores at least one action to be performed on packets from that connection.
- Pre-filtering module 30 also preferably features a classification engine 38, including a data processor, for at least partially analyzing the information from the packet and for retrieving information from connection database 32. Pre-filtering module 30 also preferably features a modifier 34, for performing the associated action or actions for packets from that connection, which is preferably stored in connection database 32 as previously described. Pre-filtering module 30 also optionally and preferably communicates certain, selected information concerning at least one packet to firewall 18. The selected information optionally includes at least one of, but is not limited to, the previously described parameters for analyzing the packet. The communication between pre-filtering module 30 and firewall 18 is optionally and preferably performed according to one of a number of embodiments.
- pre-filtering module 30 actively notifies firewall 18 upon the receipt of such information, in a state or event driven implementation.
- firewall 18 queries pre-filtering module 30, in a polling implementation.
- the polling may optionally be performed after a particular interval of time has passed, or alternatively according to a user query for such information, for example from a system administrator.
- pre-filtering module 30 also preferably features at least one, and preferably a plurality of, network interfaces, shown as MAC (media access control) 40, which is hardware for sending and receiving packets from the physical network (not shown).
- MAC media access control
- Pre-filtering module 30 more preferably features a firewall interface 42 for transferring packets to, and receiving packets from, the firewall (not shown).
- Packets are optionally received from MAC 40, labeled "MAC one", which are then passed to classification engine 38.
- classification engine 38 With the help of information and instructions retrieved from database 32 in memory 36, classification engine 38 then analyzes at least a portion of the information in each packet, and determines whether the packet is permitted. If the packet is permitted, then it is passed to modifier 34 for optional modification according to at least one instruction from the firewall (not shown), such that if modification is not necessary, then the at least one relevant instruction is not sent from the firewall.
- the firewall may optionally determine an interface to which a packet should be sent, for example to a particular MAC 40. However, it should be noted that although the firewall may instruct pre-filtering module 30 for sending the packet to a particular interface, if routing is supported, then such routing would be used to route the packet, and not the instructions from the firewall (not shown).
- the packet may be optionally and preferably forwarded to the firewall.
- the packet may be dropped, particularly with regard to packets received from firewall interface 42, which are optionally similarly analyzed.
- information regarding one or more "default" packet types may be stored in database 32, such that if such information is not stored in database 32, the packet is defined as being "not permitted".
- ARP address resolution protocol
- packets may optionally arrive at pre-filtering module 30 from an external source, such as MAC 40 for example, or alternatively may be received from firewall interface 42. If the packet is received from firewall interface 42, it may have been generated by the firewall itself, or alternatively may have been forwarded or generated by the IP stack of the host. Therefore, optionally and more preferably, for such packets which are received through firewall interface 42, pre-filtering module 30 is able to drop such packets if they are not permitted, rather than forwarding them to the firewall. Thus, the determination of whether to drop or forward packets by pre-filtering module 30 is optionally and preferably performed at least partially according to the interface through which the packets are received. Of course, other implementations of pre-filtering module 30 are possible and are considered to be within the scope of the present invention .
- FIG. 3 is a flowchart of an exemplary method for operating the present invention.
- a packet is received by the pre-filtering module.
- at least one parameter of the packet is retrieved by the pre-filtering module.
- the at least one parameter is used for examining the known connections, preferably by performing a look-up in a table of such known connections.
- step 4a if an entry is found for the packet, then the action or actions defined for this connection are performed by the pre-filtering module.
- step 5a the packet is forwarded to its destination. Steps 4a and 5a are not performed if the packet has certain session-control field values, such as a set S YN/FIN/RST flag for a packet transmitted over an IP network, in which case the packet is preferably forwarded to the firewall for handling.
- session-control field values are indicative of packets which carry information about the connection state, and are therefore important for the firewall to receive and analyze, in order to determine the state of the connection.
- fragmented packets are also forwarded to the firewall if the pre-filtering module is not able to perform certain functions, such as virtual defragmentation for the preferred embodiment of the present invention with IP networks, and in particular with TCP/IP traffic.
- Virtual defragmentation is performed after an IP packet has become too large to be transmitted, and is therefore divided into a plurality of smaller packets, called fragments.
- Virtual defragmentation is the process by which all of the received fragments are reassembled into the original big packet.
- the pre-filtering module of the present invention preferably drops duplicate packet fragments. In other words, if a previously received fragment is received again, that fragment is dropped.
- step 4b if an entry for the packet is not found in the table of connections, then the packet is forwarded to the firewall for handling.
- step 5b if the firewall determines that the connection to which the packet belongs is permitted, then the firewall optionally sends a message to the pre-filtering module with the necessary information concerning the new connection.
- a message preferably includes a key for identifying the new connection, information concerning address translation and optionally information concerning encryption, both of which are processes which involve the modification of the packet itself.
- the key for identifying the new connection preferably includes such information as the source IP address and port, the destination IP address and port, the protocol field and optionally the interface(s) from which a packet is expected to be received, for anti-spoofing protection.
- the address translation information includes the translated source IP address and port, the destination IP address and port.
- the connection is "offloaded" to the pre-filtering module, such that the firewall no longer receives any packets for this connection.
- the firewall does not receive any further packets until a packet with certain session-control field values is received for this connection, indicating that the session is finished.
- certain session-control field values include having a set FIN/RST flag.
- a timeout occurs when no packet has been received for a particular connection within a certain period of time. Since the firewall does not see any packets for the offloaded connection, the firewall queries the pre-filtering module about the last time that a packet was received for the connection.
- the firewall determines whether to keep or delete the connection. If the firewall deletes the connection, the connection is preferably deleted from the tables of the pre-filtering module. According to other preferred embodiments of the present invention, the firewall receives updated accounting information from the pre-filtering module at regular intervals. This information is optionally and preferably pushed to the firewall by the pre-filtering module, rather than by having the firewall poll the pre-filtering module.
- the accounting information preferably includes the number of packets and of bytes which have been received by the pre-filtering module for a particular connection since the last time that the accounting information was updated, and the last time that a packet was received by the pre-filtering module for this particular connection. This information is then reset within the pre-filtering module.
- the pre-filtering module deletes the connection, then the pre-filtering module pushes the last accounting information about this connection to the firewall.
Abstract
Description
Claims
Priority Applications (15)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
KR1020027011384A KR20020092972A (en) | 2000-03-02 | 2001-02-26 | System, device and method for rapid packet filtering and processing |
EP01912998A EP1266277B1 (en) | 2000-03-02 | 2001-02-26 | System, device and method for rapid packet filtering and processing |
AT01912998T ATE312463T1 (en) | 2000-03-02 | 2001-02-26 | SYSTEM, DEVICE AND METHOD FOR RAPID PACKET FILTERING AND PROCESSING |
EA200200814A EA004423B1 (en) | 2000-03-02 | 2001-02-26 | System, device and method for rapid packet filtering and processing |
JP2001563973A JP3954385B2 (en) | 2000-03-02 | 2001-02-26 | System, device and method for rapid packet filtering and packet processing |
AU4171701A AU4171701A (en) | 2000-03-02 | 2001-02-26 | System, device and method for rapid packet filtering and processing |
IL15152201A IL151522A0 (en) | 2000-03-02 | 2001-02-26 | System, device and method for rapid packet filtering and processing |
HU0300039A HUP0300039A2 (en) | 2000-03-02 | 2001-02-26 | System, device and method for rapid packet filtering and processing |
NZ520984A NZ520984A (en) | 2000-03-02 | 2001-02-26 | System for rapid packet filtering and processing using a pre-filtering module to supplement the firewall |
CA002401577A CA2401577C (en) | 2000-03-02 | 2001-02-26 | System, device and method for rapid packet filtering and processing |
DE60115615T DE60115615T2 (en) | 2000-03-02 | 2001-02-26 | SYSTEM, DEVICE AND METHOD FOR FAST PACKAGE FILTERING AND PROCESSING |
BR0109035-6A BR0109035A (en) | 2000-03-02 | 2001-02-26 | System, device and method for fast packet filtering and processing of a network |
AU2001241717A AU2001241717B2 (en) | 2000-03-02 | 2001-02-26 | System, device and method for rapid packet filtering and processing |
IL151522A IL151522A (en) | 2000-03-02 | 2002-08-28 | Firewall with rapid packet filtering |
NO20024113A NO324958B1 (en) | 2000-03-02 | 2002-08-29 | System, device and method for rapid filtering of data packets |
Applications Claiming Priority (2)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
US09/517,276 | 2000-03-02 | ||
US09/517,276 US6496935B1 (en) | 2000-03-02 | 2000-03-02 | System, device and method for rapid packet filtering and processing |
Publications (1)
Publication Number | Publication Date |
---|---|
WO2001065343A1 true WO2001065343A1 (en) | 2001-09-07 |
Family
ID=24059131
Family Applications (1)
Application Number | Title | Priority Date | Filing Date |
---|---|---|---|
PCT/US2001/005925 WO2001065343A1 (en) | 2000-03-02 | 2001-02-26 | System, device and method for rapid packet filtering and processing |
Country Status (17)
Country | Link |
---|---|
US (1) | US6496935B1 (en) |
EP (1) | EP1266277B1 (en) |
JP (1) | JP3954385B2 (en) |
KR (1) | KR20020092972A (en) |
CN (1) | CN100474213C (en) |
AT (1) | ATE312463T1 (en) |
AU (2) | AU2001241717B2 (en) |
BR (1) | BR0109035A (en) |
CA (1) | CA2401577C (en) |
DE (1) | DE60115615T2 (en) |
EA (1) | EA004423B1 (en) |
HU (1) | HUP0300039A2 (en) |
IL (2) | IL151522A0 (en) |
NO (1) | NO324958B1 (en) |
NZ (1) | NZ520984A (en) |
PL (1) | PL357181A1 (en) |
WO (1) | WO2001065343A1 (en) |
Cited By (11)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
EP1357722A1 (en) * | 2002-04-23 | 2003-10-29 | Huawei Technologies Co., Ltd. | Method for controlling network access for fragments |
WO2004015586A1 (en) | 2002-08-12 | 2004-02-19 | Tippingpoint Technologies, Inc. | Multi-level packet screening with dynamically selected filtering criteria |
KR100452143B1 (en) * | 2001-10-16 | 2004-10-08 | 주식회사 플랜티넷 | apparatus and method for web filtering using asymmetry traffic flow mode |
DE10025929B4 (en) * | 2000-05-26 | 2006-02-16 | Harman Becker Automotive Systems (Becker Division) Gmbh | Method for transmitting data |
CN1324502C (en) * | 2002-04-24 | 2007-07-04 | 微软公司 | Method for discriminating invited latent member to take part in group |
GB2452473A (en) * | 2004-09-17 | 2009-03-11 | Jeroen Oostendorp | E-mail filter with pre-filtering |
JP2009278635A (en) * | 2002-05-01 | 2009-11-26 | Firebridge Systems Pty Ltd | Firewall with stateful inspection |
JP2010011206A (en) * | 2008-06-27 | 2010-01-14 | Mitsubishi Electric Corp | Gateway device and packet filtering method |
WO2012163587A1 (en) * | 2011-05-31 | 2012-12-06 | Alcatel Lucent | Distributed access control across the network firewalls |
EP2600577A1 (en) * | 2011-11-30 | 2013-06-05 | Broadcom Corporation | System and method for integrating line-rate application recognition in a swich ASIC |
US8681794B2 (en) | 2011-11-30 | 2014-03-25 | Broadcom Corporation | System and method for efficient matching of regular expression patterns across multiple packets |
Families Citing this family (184)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
US7089588B2 (en) * | 2000-01-19 | 2006-08-08 | Reynolds And Reynolds Holdings, Inc. | Performance path method and apparatus for exchanging data among systems using different data formats |
US6854063B1 (en) * | 2000-03-03 | 2005-02-08 | Cisco Technology, Inc. | Method and apparatus for optimizing firewall processing |
US6732209B1 (en) * | 2000-03-28 | 2004-05-04 | Juniper Networks, Inc. | Data rate division among a plurality of input queues |
US7120931B1 (en) * | 2000-08-31 | 2006-10-10 | Cisco Technology, Inc. | System and method for generating filters based on analyzed flow data |
US7487232B1 (en) * | 2000-09-13 | 2009-02-03 | Fortinet, Inc. | Switch management system and method |
US8250357B2 (en) | 2000-09-13 | 2012-08-21 | Fortinet, Inc. | Tunnel interface for securing traffic over a network |
US7111072B1 (en) | 2000-09-13 | 2006-09-19 | Cosine Communications, Inc. | Packet routing system and method |
US7272643B1 (en) | 2000-09-13 | 2007-09-18 | Fortinet, Inc. | System and method for managing and provisioning virtual routers |
US7389358B1 (en) * | 2000-09-13 | 2008-06-17 | Fortinet, Inc. | Distributed virtual system to support managed, network-based services |
US7574495B1 (en) | 2000-09-13 | 2009-08-11 | Fortinet, Inc. | System and method for managing interworking communications protocols |
US7054930B1 (en) * | 2000-10-26 | 2006-05-30 | Cisco Technology, Inc. | System and method for propagating filters |
US6922786B1 (en) * | 2000-10-31 | 2005-07-26 | Nortel Networks Limited | Real-time media communications over firewalls using a control protocol |
US7131140B1 (en) * | 2000-12-29 | 2006-10-31 | Cisco Technology, Inc. | Method for protecting a firewall load balancer from a denial of service attack |
US6731652B2 (en) * | 2001-02-14 | 2004-05-04 | Metro Packet Systems Inc. | Dynamic packet processor architecture |
JP3917076B2 (en) * | 2001-02-20 | 2007-05-23 | アイボール ネットワークス インコーポレイテッド | Method and apparatus for enabling data transmission through a firewall |
US7664119B2 (en) * | 2001-03-30 | 2010-02-16 | Intel Corporation | Method and apparatus to perform network routing |
US7277953B2 (en) * | 2001-04-18 | 2007-10-02 | Emc Corporation | Integrated procedure for partitioning network data services among multiple subscribers |
US6816455B2 (en) * | 2001-05-09 | 2004-11-09 | Telecom Italia S.P.A. | Dynamic packet filter utilizing session tracking |
JP2002358239A (en) * | 2001-06-04 | 2002-12-13 | Fuji Electric Co Ltd | Copyright protection system |
US7181547B1 (en) | 2001-06-28 | 2007-02-20 | Fortinet, Inc. | Identifying nodes in a ring network |
US20040001433A1 (en) * | 2001-07-18 | 2004-01-01 | Gram Charles Andrew | Interactive control of network devices |
US7134012B2 (en) * | 2001-08-15 | 2006-11-07 | International Business Machines Corporation | Methods, systems and computer program products for detecting a spoofed source address in IP datagrams |
EP1433066B1 (en) * | 2001-09-14 | 2010-08-11 | Nokia Inc. | Device and method for packet forwarding |
US7409706B1 (en) | 2001-10-02 | 2008-08-05 | Cisco Technology, Inc. | System and method for providing path protection of computer network traffic |
JP2003242714A (en) * | 2001-10-24 | 2003-08-29 | Fuji Electric Co Ltd | Information recording medium, manufacturing method therefor, information processor and copyright management system |
US9392002B2 (en) * | 2002-01-31 | 2016-07-12 | Nokia Technologies Oy | System and method of providing virus protection at a gateway |
US7216260B2 (en) * | 2002-03-27 | 2007-05-08 | International Business Machines Corporation | Method, system and program product for dynamically detecting errant data sequences and performing corresponding actions |
US7185365B2 (en) * | 2002-03-27 | 2007-02-27 | Intel Corporation | Security enabled network access control |
US20030200463A1 (en) * | 2002-04-23 | 2003-10-23 | Mccabe Alan Jason | Inter-autonomous system weighstation |
US20030212901A1 (en) * | 2002-05-13 | 2003-11-13 | Manav Mishra | Security enabled network flow control |
US7161904B2 (en) * | 2002-06-04 | 2007-01-09 | Fortinet, Inc. | System and method for hierarchical metering in a virtual router based network switch |
US7177311B1 (en) * | 2002-06-04 | 2007-02-13 | Fortinet, Inc. | System and method for routing traffic through a virtual router-based network switch |
US7116665B2 (en) * | 2002-06-04 | 2006-10-03 | Fortinet, Inc. | Methods and systems for a distributed provider edge |
US7376125B1 (en) | 2002-06-04 | 2008-05-20 | Fortinet, Inc. | Service processing switch |
US7203192B2 (en) | 2002-06-04 | 2007-04-10 | Fortinet, Inc. | Network packet steering |
US7340535B1 (en) * | 2002-06-04 | 2008-03-04 | Fortinet, Inc. | System and method for controlling routing in a virtual router system |
US9088494B2 (en) * | 2002-06-26 | 2015-07-21 | Avaya Communication Israel Ltd. | Packet fragmentation prevention |
US7146638B2 (en) * | 2002-06-27 | 2006-12-05 | International Business Machines Corporation | Firewall protocol providing additional information |
US7096383B2 (en) * | 2002-08-29 | 2006-08-22 | Cosine Communications, Inc. | System and method for virtual router failover in a network routing system |
US20100138909A1 (en) * | 2002-09-06 | 2010-06-03 | O2Micro, Inc. | Vpn and firewall integrated system |
US7315890B2 (en) * | 2002-10-02 | 2008-01-01 | Lockheed Martin Corporation | System and method for managing access to active devices operably connected to a data network |
US7440573B2 (en) * | 2002-10-08 | 2008-10-21 | Broadcom Corporation | Enterprise wireless local area network switching system |
US20040078422A1 (en) * | 2002-10-17 | 2004-04-22 | Toomey Christopher Newell | Detecting and blocking spoofed Web login pages |
US7266120B2 (en) | 2002-11-18 | 2007-09-04 | Fortinet, Inc. | System and method for hardware accelerated packet multicast in a virtual routing system |
TW200412101A (en) * | 2002-12-23 | 2004-07-01 | Shaw-Hwa Hwang | Directly peer-to peer transmission protocol between two virtual network |
MY141160A (en) * | 2003-01-13 | 2010-03-31 | Multimedia Glory Sdn Bhd | System and method of preventing the transmission of known and unknown electronic content to and from servers or workstations connected to a common network |
JP4257151B2 (en) * | 2003-02-28 | 2009-04-22 | 富士通株式会社 | Packet control system, packet control device, packet relay device, and packet control program |
TW200420021A (en) * | 2003-03-19 | 2004-10-01 | Etrunk Technologies Inc | Network packet routing control device |
US7325002B2 (en) * | 2003-04-04 | 2008-01-29 | Juniper Networks, Inc. | Detection of network security breaches based on analysis of network record logs |
US7900240B2 (en) | 2003-05-28 | 2011-03-01 | Citrix Systems, Inc. | Multilayer access control security system |
US7760729B2 (en) | 2003-05-28 | 2010-07-20 | Citrix Systems, Inc. | Policy based network address translation |
US7260840B2 (en) * | 2003-06-06 | 2007-08-21 | Microsoft Corporation | Multi-layer based method for implementing network firewalls |
US7308711B2 (en) * | 2003-06-06 | 2007-12-11 | Microsoft Corporation | Method and framework for integrating a plurality of network policies |
US7509673B2 (en) * | 2003-06-06 | 2009-03-24 | Microsoft Corporation | Multi-layered firewall architecture |
US6985920B2 (en) * | 2003-06-23 | 2006-01-10 | Protego Networks Inc. | Method and system for determining intra-session event correlation across network address translation devices |
US7620070B1 (en) * | 2003-06-24 | 2009-11-17 | Nvidia Corporation | Packet processing with re-insertion into network interface circuitry |
US20050022017A1 (en) | 2003-06-24 | 2005-01-27 | Maufer Thomas A. | Data structures and state tracking for network protocol processing |
US7305705B2 (en) * | 2003-06-30 | 2007-12-04 | Microsoft Corporation | Reducing network configuration complexity with transparent virtual private networks |
US20050144290A1 (en) * | 2003-08-01 | 2005-06-30 | Rizwan Mallal | Arbitrary java logic deployed transparently in a network |
US7522594B2 (en) * | 2003-08-19 | 2009-04-21 | Eye Ball Networks, Inc. | Method and apparatus to permit data transmission to traverse firewalls |
US7720095B2 (en) | 2003-08-27 | 2010-05-18 | Fortinet, Inc. | Heterogeneous media packet bridging |
US7464181B2 (en) * | 2003-09-11 | 2008-12-09 | International Business Machines Corporation | Method for caching lookups based upon TCP traffic flow characteristics |
US7594018B2 (en) * | 2003-10-10 | 2009-09-22 | Citrix Systems, Inc. | Methods and apparatus for providing access to persistent application sessions |
US20050100019A1 (en) * | 2003-11-10 | 2005-05-12 | Sahita Ravi L. | Rule based packet processing engine |
US7978716B2 (en) | 2003-11-24 | 2011-07-12 | Citrix Systems, Inc. | Systems and methods for providing a VPN solution |
US7792147B1 (en) * | 2004-02-09 | 2010-09-07 | Symantec Corporation | Efficient assembly of fragmented network traffic for data security |
KR100609170B1 (en) * | 2004-02-13 | 2006-08-02 | 엘지엔시스(주) | system of network security and working method thereof |
US6972226B2 (en) * | 2004-03-31 | 2005-12-06 | Infineon Technologies Ag | Charge-trapping memory cell array and method for production |
US20050268331A1 (en) * | 2004-05-25 | 2005-12-01 | Franck Le | Extension to the firewall configuration protocols and features |
US8495305B2 (en) | 2004-06-30 | 2013-07-23 | Citrix Systems, Inc. | Method and device for performing caching of dynamically generated objects in a data communication network |
US7757074B2 (en) | 2004-06-30 | 2010-07-13 | Citrix Application Networking, Llc | System and method for establishing a virtual private network |
US8739274B2 (en) | 2004-06-30 | 2014-05-27 | Citrix Systems, Inc. | Method and device for performing integrated caching in a data communication network |
EP2264956B1 (en) | 2004-07-23 | 2017-06-14 | Citrix Systems, Inc. | Method for securing remote access to private networks |
AU2005266943C1 (en) | 2004-07-23 | 2011-01-06 | Citrix Systems, Inc. | Systems and methods for optimizing communications between network nodes |
US7865944B1 (en) * | 2004-09-10 | 2011-01-04 | Juniper Networks, Inc. | Intercepting GPRS data |
US7499419B2 (en) | 2004-09-24 | 2009-03-03 | Fortinet, Inc. | Scalable IP-services enabled multicast forwarding with efficient resource utilization |
US8613048B2 (en) | 2004-09-30 | 2013-12-17 | Citrix Systems, Inc. | Method and apparatus for providing authorized remote access to application sessions |
US7748032B2 (en) | 2004-09-30 | 2010-06-29 | Citrix Systems, Inc. | Method and apparatus for associating tickets in a ticket hierarchy |
US7711835B2 (en) | 2004-09-30 | 2010-05-04 | Citrix Systems, Inc. | Method and apparatus for reducing disclosure of proprietary data in a networked environment |
KR100624483B1 (en) * | 2004-10-06 | 2006-09-18 | 삼성전자주식회사 | Apparatus and method for intrusion detection in network |
US7808904B2 (en) * | 2004-11-18 | 2010-10-05 | Fortinet, Inc. | Method and apparatus for managing subscriber profiles |
JP2006174350A (en) * | 2004-12-20 | 2006-06-29 | Fujitsu Ltd | Communication apparatus |
US8549149B2 (en) | 2004-12-30 | 2013-10-01 | Citrix Systems, Inc. | Systems and methods for providing client-side accelerated access to remote applications via TCP multiplexing |
US8954595B2 (en) | 2004-12-30 | 2015-02-10 | Citrix Systems, Inc. | Systems and methods for providing client-side accelerated access to remote applications via TCP buffering |
US7810089B2 (en) | 2004-12-30 | 2010-10-05 | Citrix Systems, Inc. | Systems and methods for automatic installation and execution of a client-side acceleration program |
US8700695B2 (en) | 2004-12-30 | 2014-04-15 | Citrix Systems, Inc. | Systems and methods for providing client-side accelerated access to remote applications via TCP pooling |
US8706877B2 (en) | 2004-12-30 | 2014-04-22 | Citrix Systems, Inc. | Systems and methods for providing client-side dynamic redirection to bypass an intermediary |
US8255456B2 (en) | 2005-12-30 | 2012-08-28 | Citrix Systems, Inc. | System and method for performing flash caching of dynamically generated objects in a data communication network |
US8024568B2 (en) | 2005-01-28 | 2011-09-20 | Citrix Systems, Inc. | Method and system for verification of an endpoint security scan |
US7665128B2 (en) | 2005-04-08 | 2010-02-16 | At&T Corp. | Method and apparatus for reducing firewall rules |
US7634584B2 (en) | 2005-04-27 | 2009-12-15 | Solarflare Communications, Inc. | Packet validation in virtual network interface architecture |
US20070097976A1 (en) * | 2005-05-20 | 2007-05-03 | Wood George D | Suspect traffic redirection |
US7881291B2 (en) * | 2005-05-26 | 2011-02-01 | Alcatel Lucent | Packet classification acceleration using spectral analysis |
US8631483B2 (en) * | 2005-06-14 | 2014-01-14 | Texas Instruments Incorporated | Packet processors and packet filter processes, circuits, devices, and systems |
CN100448227C (en) * | 2005-08-30 | 2008-12-31 | 杭州华三通信技术有限公司 | Business flow idnetifying method |
KR100753815B1 (en) * | 2005-08-31 | 2007-08-31 | 한국전자통신연구원 | Apparatus and method for packet filtering |
US8347373B2 (en) | 2007-05-08 | 2013-01-01 | Fortinet, Inc. | Content filtering of remote file-system access protocols |
DE602006014192D1 (en) | 2005-12-02 | 2010-06-17 | Citrix Systems Inc | CERTIFICATION CERTIFICATES FROM A PROXY SERVER FOR A VIRTUALIZED CALCULATION ENVIRONMENT TO ACCESS A REMOTE RESOURCE |
JP4545085B2 (en) * | 2005-12-08 | 2010-09-15 | 富士通株式会社 | Firewall device |
US8730834B2 (en) * | 2005-12-23 | 2014-05-20 | General Electric Company | Intelligent electronic device with embedded multi-port data packet controller |
US8301839B2 (en) | 2005-12-30 | 2012-10-30 | Citrix Systems, Inc. | System and method for performing granular invalidation of cached dynamically generated objects in a data communication network |
US7921184B2 (en) | 2005-12-30 | 2011-04-05 | Citrix Systems, Inc. | System and method for performing flash crowd caching of dynamically generated objects in a data communication network |
US8584226B2 (en) | 2006-01-26 | 2013-11-12 | Iorhythm, Inc. | Method and apparatus for geographically regulating inbound and outbound network communications |
US7606225B2 (en) * | 2006-02-06 | 2009-10-20 | Fortinet, Inc. | Integrated security switch |
US7784086B2 (en) * | 2006-03-08 | 2010-08-24 | Panasonic Corporation | Method for secure packet identification |
JP4823728B2 (en) * | 2006-03-20 | 2011-11-24 | 富士通株式会社 | Frame relay device and frame inspection device |
US8151323B2 (en) * | 2006-04-12 | 2012-04-03 | Citrix Systems, Inc. | Systems and methods for providing levels of access and action control via an SSL VPN appliance |
US8122492B2 (en) * | 2006-04-21 | 2012-02-21 | Microsoft Corporation | Integration of social network information and network firewalls |
US8079073B2 (en) * | 2006-05-05 | 2011-12-13 | Microsoft Corporation | Distributed firewall implementation and control |
US8176157B2 (en) * | 2006-05-18 | 2012-05-08 | Microsoft Corporation | Exceptions grouping |
US7603333B2 (en) * | 2006-06-14 | 2009-10-13 | Microsoft Corporation | Delayed policy evaluation |
US7865878B2 (en) * | 2006-07-31 | 2011-01-04 | Sap Ag | Method and apparatus for operating enterprise software from a detachable storage device |
US8533846B2 (en) | 2006-11-08 | 2013-09-10 | Citrix Systems, Inc. | Method and system for dynamically associating access rights with a resource |
US7688821B2 (en) * | 2006-11-21 | 2010-03-30 | O2Micro International Ltd. | Method and apparatus for distributing data packets by using multi-network address translation |
US8984620B2 (en) * | 2007-07-06 | 2015-03-17 | Cyberoam Technologies Pvt. Ltd. | Identity and policy-based network security and management system and method |
US10540651B1 (en) | 2007-07-31 | 2020-01-21 | Intuit Inc. | Technique for restricting access to information |
US8060927B2 (en) * | 2007-10-31 | 2011-11-15 | Microsoft Corporation | Security state aware firewall |
JP5223376B2 (en) * | 2008-02-29 | 2013-06-26 | 日本電気株式会社 | Remote access system, method and program |
US20090235355A1 (en) * | 2008-03-17 | 2009-09-17 | Inventec Corporation | Network intrusion protection system |
US8146147B2 (en) * | 2008-03-27 | 2012-03-27 | Juniper Networks, Inc. | Combined firewalls |
US7908376B2 (en) * | 2008-07-31 | 2011-03-15 | Broadcom Corporation | Data path acceleration of a network stack |
US8769665B2 (en) * | 2009-09-29 | 2014-07-01 | Broadcom Corporation | IP communication device as firewall between network and computer system |
CN105376167A (en) * | 2009-10-28 | 2016-03-02 | 惠普公司 | Distributed packet stream inspection and processing |
US8656492B2 (en) * | 2011-05-16 | 2014-02-18 | General Electric Company | Systems, methods, and apparatus for network intrusion detection |
US8881258B2 (en) * | 2011-08-24 | 2014-11-04 | Mcafee, Inc. | System, method, and computer program for preventing infections from spreading in a network environment using dynamic application of a firewall policy |
US9503327B2 (en) * | 2012-07-24 | 2016-11-22 | Nec Corporation | Filtering setting support device, filtering setting support method, and medium |
WO2014077614A1 (en) * | 2012-11-19 | 2014-05-22 | Samsung Sds Co., Ltd. | Anti-malware system, method of processing data in the same, and computing device |
US9319351B1 (en) * | 2012-11-26 | 2016-04-19 | Marvell Israel (M.I.S.L.) Ltd. | Mechanism for wire-speed stateful packet inspection in packet processors |
US10033693B2 (en) | 2013-10-01 | 2018-07-24 | Nicira, Inc. | Distributed identity-based firewalls |
US9215214B2 (en) | 2014-02-20 | 2015-12-15 | Nicira, Inc. | Provisioning firewall rules on a firewall enforcing device |
US9384033B2 (en) | 2014-03-11 | 2016-07-05 | Vmware, Inc. | Large receive offload for virtual machines |
US9742682B2 (en) | 2014-03-11 | 2017-08-22 | Vmware, Inc. | Large receive offload for virtual machines |
US9755981B2 (en) | 2014-03-11 | 2017-09-05 | Vmware, Inc. | Snooping forwarded packets by a virtual machine |
US9906494B2 (en) | 2014-03-31 | 2018-02-27 | Nicira, Inc. | Configuring interactions with a firewall service virtual machine |
US9503427B2 (en) | 2014-03-31 | 2016-11-22 | Nicira, Inc. | Method and apparatus for integrating a service virtual machine |
US9215210B2 (en) | 2014-03-31 | 2015-12-15 | Nicira, Inc. | Migrating firewall connection state for a firewall service virtual machine |
US9774707B2 (en) | 2014-06-04 | 2017-09-26 | Nicira, Inc. | Efficient packet classification for dynamic containers |
US9729512B2 (en) | 2014-06-04 | 2017-08-08 | Nicira, Inc. | Use of stateless marking to speed up stateful firewall rule processing |
US10110712B2 (en) | 2014-06-04 | 2018-10-23 | Nicira, Inc. | Efficient packet classification for dynamic containers |
US9825913B2 (en) | 2014-06-04 | 2017-11-21 | Nicira, Inc. | Use of stateless marking to speed up stateful firewall rule processing |
WO2015187201A1 (en) * | 2014-06-04 | 2015-12-10 | Nicira, Inc. | Use of stateless marking to speed up stateful firewall rule processing |
US9692698B2 (en) | 2014-06-30 | 2017-06-27 | Nicira, Inc. | Methods and systems to offload overlay network packet encapsulation to hardware |
US9419897B2 (en) | 2014-06-30 | 2016-08-16 | Nicira, Inc. | Methods and systems for providing multi-tenancy support for Single Root I/O Virtualization |
US9692727B2 (en) | 2014-12-02 | 2017-06-27 | Nicira, Inc. | Context-aware distributed firewall |
US9891940B2 (en) | 2014-12-29 | 2018-02-13 | Nicira, Inc. | Introspection method and apparatus for network access filtering |
US9680706B2 (en) | 2015-06-30 | 2017-06-13 | Nicira, Inc. | Federated firewall management for moving workload across data centers |
US10324746B2 (en) | 2015-11-03 | 2019-06-18 | Nicira, Inc. | Extended context delivery for context-based authorization |
EP3443432A4 (en) | 2016-04-12 | 2020-04-01 | Guardknox Cyber Technologies Ltd. | Specially programmed computing systems with associated devices configured to implement secure lockdowns and methods of use thereof |
US10135727B2 (en) | 2016-04-29 | 2018-11-20 | Nicira, Inc. | Address grouping for distributed service rules |
US10348685B2 (en) | 2016-04-29 | 2019-07-09 | Nicira, Inc. | Priority allocation for distributed service rules |
US11425095B2 (en) | 2016-05-01 | 2022-08-23 | Nicira, Inc. | Fast ordering of firewall sections and rules |
US11171920B2 (en) | 2016-05-01 | 2021-11-09 | Nicira, Inc. | Publication of firewall configuration |
US11258761B2 (en) | 2016-06-29 | 2022-02-22 | Nicira, Inc. | Self-service firewall configuration |
US11088990B2 (en) | 2016-06-29 | 2021-08-10 | Nicira, Inc. | Translation cache for firewall configuration |
US11115385B1 (en) * | 2016-07-27 | 2021-09-07 | Cisco Technology, Inc. | Selective offloading of packet flows with flow state management |
US10938837B2 (en) | 2016-08-30 | 2021-03-02 | Nicira, Inc. | Isolated network stack to manage security for virtual machines |
US9762619B1 (en) | 2016-08-30 | 2017-09-12 | Nicira, Inc. | Multi-layer policy definition and enforcement framework for network virtualization |
US10193862B2 (en) | 2016-11-29 | 2019-01-29 | Vmware, Inc. | Security policy analysis based on detecting new network port connections |
US10609160B2 (en) | 2016-12-06 | 2020-03-31 | Nicira, Inc. | Performing context-rich attribute-based services on a host |
US10802857B2 (en) | 2016-12-22 | 2020-10-13 | Nicira, Inc. | Collecting and processing contextual attributes on a host |
US10812451B2 (en) | 2016-12-22 | 2020-10-20 | Nicira, Inc. | Performing appID based firewall services on a host |
US10581960B2 (en) | 2016-12-22 | 2020-03-03 | Nicira, Inc. | Performing context-rich attribute-based load balancing on a host |
US10805332B2 (en) | 2017-07-25 | 2020-10-13 | Nicira, Inc. | Context engine model |
US11032246B2 (en) | 2016-12-22 | 2021-06-08 | Nicira, Inc. | Context based firewall services for data message flows for multiple concurrent users on one machine |
US10803173B2 (en) | 2016-12-22 | 2020-10-13 | Nicira, Inc. | Performing context-rich attribute-based process control services on a host |
US10313926B2 (en) | 2017-05-31 | 2019-06-04 | Nicira, Inc. | Large receive offload (LRO) processing in virtualized computing environments |
US10778651B2 (en) | 2017-11-15 | 2020-09-15 | Nicira, Inc. | Performing context-rich attribute-based encryption on a host |
US10862773B2 (en) | 2018-01-26 | 2020-12-08 | Nicira, Inc. | Performing services on data messages associated with endpoint machines |
US10802893B2 (en) | 2018-01-26 | 2020-10-13 | Nicira, Inc. | Performing process control services on endpoint machines |
US11388141B1 (en) * | 2018-03-28 | 2022-07-12 | Juniper Networks, Inc | Apparatus, system, and method for efficiently filtering packets at network devices |
US11310202B2 (en) | 2019-03-13 | 2022-04-19 | Vmware, Inc. | Sharing of firewall rules among multiple workloads in a hypervisor |
US11539718B2 (en) | 2020-01-10 | 2022-12-27 | Vmware, Inc. | Efficiently performing intrusion detection |
US11962518B2 (en) | 2020-06-02 | 2024-04-16 | VMware LLC | Hardware acceleration techniques using flow selection |
US11108728B1 (en) | 2020-07-24 | 2021-08-31 | Vmware, Inc. | Fast distribution of port identifiers for rule processing |
US20220038372A1 (en) * | 2020-08-02 | 2022-02-03 | Mellanox Technologies Tlv Ltd. | Stateful filtering systems and methods |
US11875172B2 (en) | 2020-09-28 | 2024-01-16 | VMware LLC | Bare metal computer for booting copies of VM images on multiple computing devices using a smart NIC |
US11636053B2 (en) | 2020-09-28 | 2023-04-25 | Vmware, Inc. | Emulating a local storage by accessing an external storage through a shared port of a NIC |
US11716383B2 (en) | 2020-09-28 | 2023-08-01 | Vmware, Inc. | Accessing multiple external storages to present an emulated local storage through a NIC |
US11593278B2 (en) | 2020-09-28 | 2023-02-28 | Vmware, Inc. | Using machine executing on a NIC to access a third party storage not supported by a NIC or host |
US11606310B2 (en) | 2020-09-28 | 2023-03-14 | Vmware, Inc. | Flow processing offload using virtual port identifiers |
US11863376B2 (en) | 2021-12-22 | 2024-01-02 | Vmware, Inc. | Smart NIC leader election |
US11899594B2 (en) | 2022-06-21 | 2024-02-13 | VMware LLC | Maintenance of data message classification cache on smart NIC |
US11928367B2 (en) | 2022-06-21 | 2024-03-12 | VMware LLC | Logical memory addressing for network devices |
US11928062B2 (en) | 2022-06-21 | 2024-03-12 | VMware LLC | Accelerating data message classification with smart NICs |
Citations (6)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
WO1998026555A1 (en) * | 1996-12-09 | 1998-06-18 | Sun Microsystems, Inc. | Method and apparatus for dynamic packet filter assignment |
WO1998026552A1 (en) * | 1996-12-09 | 1998-06-18 | Sun Microsystems, Inc. | Method and apparatus for access control in a distributed multiserver network environment |
US5844620A (en) * | 1995-08-11 | 1998-12-01 | General Instrument Corporation | Method and apparatus for displaying an interactive television program guide |
US6070242A (en) * | 1996-12-09 | 2000-05-30 | Sun Microsystems, Inc. | Method to activate unregistered systems in a distributed multiserver network environment |
US6092110A (en) * | 1997-10-23 | 2000-07-18 | At&T Wireless Svcs. Inc. | Apparatus for filtering packets using a dedicated processor |
US6158008A (en) * | 1997-10-23 | 2000-12-05 | At&T Wireless Svcs. Inc. | Method and apparatus for updating address lists for a packet filter processor |
Family Cites Families (12)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
US5400331A (en) * | 1993-04-28 | 1995-03-21 | Allen-Bradley Company, Inc. | Communication network interface with screeners for incoming messages |
US5623601A (en) * | 1994-11-18 | 1997-04-22 | Milkway Networks Corporation | Apparatus and method for providing a secure gateway for communication and data exchanges between networks |
US5802320A (en) * | 1995-05-18 | 1998-09-01 | Sun Microsystems, Inc. | System for packet filtering of data packets at a computer network interface |
US5648965A (en) * | 1995-07-07 | 1997-07-15 | Sun Microsystems, Inc. | Method and apparatus for dynamic distributed packet tracing and analysis |
US6147976A (en) * | 1996-06-24 | 2000-11-14 | Cabletron Systems, Inc. | Fast network layer packet filter |
US5828833A (en) * | 1996-08-15 | 1998-10-27 | Electronic Data Systems Corporation | Method and system for allowing remote procedure calls through a network firewall |
US6119236A (en) * | 1996-10-07 | 2000-09-12 | Shipley; Peter M. | Intelligent network security device and method |
US6073178A (en) * | 1996-12-09 | 2000-06-06 | Sun Microsystems, Inc. | Method and apparatus for assignment of IP addresses |
US6208651B1 (en) * | 1997-06-10 | 2001-03-27 | Cornell Research Foundation, Inc. | Method and system for masking the overhead of protocol layering |
WO1999048261A2 (en) * | 1998-03-18 | 1999-09-23 | Secure Computing Corporation | System and method for controlling interactions between networks |
US6092108A (en) * | 1998-03-19 | 2000-07-18 | Diplacido; Bruno | Dynamic threshold packet filtering of application processor frames |
AU5567499A (en) * | 1998-08-17 | 2000-03-06 | Vitesse Semiconductor Corporation | Packet processing architecture and methods |
-
2000
- 2000-03-02 US US09/517,276 patent/US6496935B1/en not_active Expired - Lifetime
-
2001
- 2001-02-26 AU AU2001241717A patent/AU2001241717B2/en not_active Ceased
- 2001-02-26 AU AU4171701A patent/AU4171701A/en active Pending
- 2001-02-26 NZ NZ520984A patent/NZ520984A/en unknown
- 2001-02-26 BR BR0109035-6A patent/BR0109035A/en not_active Application Discontinuation
- 2001-02-26 CN CNB018058892A patent/CN100474213C/en not_active Expired - Fee Related
- 2001-02-26 EA EA200200814A patent/EA004423B1/en not_active IP Right Cessation
- 2001-02-26 CA CA002401577A patent/CA2401577C/en not_active Expired - Fee Related
- 2001-02-26 WO PCT/US2001/005925 patent/WO2001065343A1/en active IP Right Grant
- 2001-02-26 JP JP2001563973A patent/JP3954385B2/en not_active Expired - Lifetime
- 2001-02-26 PL PL01357181A patent/PL357181A1/en unknown
- 2001-02-26 EP EP01912998A patent/EP1266277B1/en not_active Expired - Lifetime
- 2001-02-26 AT AT01912998T patent/ATE312463T1/en not_active IP Right Cessation
- 2001-02-26 DE DE60115615T patent/DE60115615T2/en not_active Expired - Lifetime
- 2001-02-26 KR KR1020027011384A patent/KR20020092972A/en not_active Application Discontinuation
- 2001-02-26 HU HU0300039A patent/HUP0300039A2/en unknown
- 2001-02-26 IL IL15152201A patent/IL151522A0/en active IP Right Grant
-
2002
- 2002-08-28 IL IL151522A patent/IL151522A/en unknown
- 2002-08-29 NO NO20024113A patent/NO324958B1/en not_active IP Right Cessation
Patent Citations (8)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
US5844620A (en) * | 1995-08-11 | 1998-12-01 | General Instrument Corporation | Method and apparatus for displaying an interactive television program guide |
WO1998026555A1 (en) * | 1996-12-09 | 1998-06-18 | Sun Microsystems, Inc. | Method and apparatus for dynamic packet filter assignment |
WO1998026552A1 (en) * | 1996-12-09 | 1998-06-18 | Sun Microsystems, Inc. | Method and apparatus for access control in a distributed multiserver network environment |
US5835727A (en) * | 1996-12-09 | 1998-11-10 | Sun Microsystems, Inc. | Method and apparatus for controlling access to services within a computer network |
US5848233A (en) * | 1996-12-09 | 1998-12-08 | Sun Microsystems, Inc. | Method and apparatus for dynamic packet filter assignment |
US6070242A (en) * | 1996-12-09 | 2000-05-30 | Sun Microsystems, Inc. | Method to activate unregistered systems in a distributed multiserver network environment |
US6092110A (en) * | 1997-10-23 | 2000-07-18 | At&T Wireless Svcs. Inc. | Apparatus for filtering packets using a dedicated processor |
US6158008A (en) * | 1997-10-23 | 2000-12-05 | At&T Wireless Svcs. Inc. | Method and apparatus for updating address lists for a packet filter processor |
Cited By (16)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
DE10025929B4 (en) * | 2000-05-26 | 2006-02-16 | Harman Becker Automotive Systems (Becker Division) Gmbh | Method for transmitting data |
KR100452143B1 (en) * | 2001-10-16 | 2004-10-08 | 주식회사 플랜티넷 | apparatus and method for web filtering using asymmetry traffic flow mode |
EP1357722A1 (en) * | 2002-04-23 | 2003-10-29 | Huawei Technologies Co., Ltd. | Method for controlling network access for fragments |
CN1324502C (en) * | 2002-04-24 | 2007-07-04 | 微软公司 | Method for discriminating invited latent member to take part in group |
JP2009278635A (en) * | 2002-05-01 | 2009-11-26 | Firebridge Systems Pty Ltd | Firewall with stateful inspection |
EP1540502A1 (en) * | 2002-08-12 | 2005-06-15 | Tippingpoint Technologies, Inc. | Multi-level packet screening with dynamically selected filtering criteria |
EP1540502A4 (en) * | 2002-08-12 | 2009-11-25 | Tippingpoint Technologies Inc | Multi-level packet screening with dynamically selected filtering criteria |
WO2004015586A1 (en) | 2002-08-12 | 2004-02-19 | Tippingpoint Technologies, Inc. | Multi-level packet screening with dynamically selected filtering criteria |
GB2452473A (en) * | 2004-09-17 | 2009-03-11 | Jeroen Oostendorp | E-mail filter with pre-filtering |
JP2010011206A (en) * | 2008-06-27 | 2010-01-14 | Mitsubishi Electric Corp | Gateway device and packet filtering method |
WO2012163587A1 (en) * | 2011-05-31 | 2012-12-06 | Alcatel Lucent | Distributed access control across the network firewalls |
EP2600577A1 (en) * | 2011-11-30 | 2013-06-05 | Broadcom Corporation | System and method for integrating line-rate application recognition in a swich ASIC |
US8681794B2 (en) | 2011-11-30 | 2014-03-25 | Broadcom Corporation | System and method for efficient matching of regular expression patterns across multiple packets |
US8724496B2 (en) | 2011-11-30 | 2014-05-13 | Broadcom Corporation | System and method for integrating line-rate application recognition in a switch ASIC |
TWI477106B (en) * | 2011-11-30 | 2015-03-11 | Broadcom Corp | System and method for line-rate application recognition integrated in a switch asic |
US9258225B2 (en) | 2011-11-30 | 2016-02-09 | Broadcom Corporation | System and method for efficient matching of regular expression patterns across multiple packets |
Also Published As
Publication number | Publication date |
---|---|
DE60115615D1 (en) | 2006-01-12 |
NO324958B1 (en) | 2008-01-14 |
DE60115615T2 (en) | 2006-07-06 |
NZ520984A (en) | 2003-02-28 |
AU4171701A (en) | 2001-09-12 |
EP1266277A1 (en) | 2002-12-18 |
IL151522A0 (en) | 2003-04-10 |
BR0109035A (en) | 2003-06-03 |
JP2003525557A (en) | 2003-08-26 |
CN100474213C (en) | 2009-04-01 |
EA004423B1 (en) | 2004-04-29 |
HUP0300039A2 (en) | 2003-05-28 |
IL151522A (en) | 2007-12-03 |
KR20020092972A (en) | 2002-12-12 |
EP1266277B1 (en) | 2005-12-07 |
EP1266277A4 (en) | 2003-07-02 |
CA2401577C (en) | 2007-09-18 |
US6496935B1 (en) | 2002-12-17 |
NO20024113D0 (en) | 2002-08-29 |
PL357181A1 (en) | 2004-07-26 |
EA200200814A1 (en) | 2003-02-27 |
CN1406351A (en) | 2003-03-26 |
JP3954385B2 (en) | 2007-08-08 |
CA2401577A1 (en) | 2001-09-07 |
ATE312463T1 (en) | 2005-12-15 |
NO20024113L (en) | 2002-11-01 |
AU2001241717B2 (en) | 2005-12-22 |
Similar Documents
Publication | Publication Date | Title |
---|---|---|
US6496935B1 (en) | System, device and method for rapid packet filtering and processing | |
AU2001241717A1 (en) | System, device and method for rapid packet filtering and processing | |
EP1634175B1 (en) | Multilayer access control security system | |
US7260840B2 (en) | Multi-layer based method for implementing network firewalls | |
US7509673B2 (en) | Multi-layered firewall architecture | |
US9094372B2 (en) | Multi-method gateway-based network security systems and methods | |
US7127739B2 (en) | Handling information about packet data connections in a security gateway element | |
US8175271B2 (en) | Method and system for security protocol partitioning and virtualization | |
JP2004304752A (en) | System and method of defending attack | |
JP2020017809A (en) | Communication apparatus and communication system | |
US20080077694A1 (en) | Method and system for network security using multiple virtual network stack instances | |
EP1574009B1 (en) | Systems and apparatuses using identification data in network communication | |
JP2007166514A (en) | Device and method for processing communication | |
JP4319609B2 (en) | Attack path analysis device, attack path analysis method and program | |
WO2007034535A1 (en) | Network device, data relaying method, and program |
Legal Events
Date | Code | Title | Description |
---|---|---|---|
AK | Designated states |
Kind code of ref document: A1 Designated state(s): AE AG AL AM AT AU AZ BA BB BG BR BY BZ CA CH CN CR CU CZ DE DK DM DZ EE ES FI GB GD GE GH GM HR HU ID IL IN IS JP KE KG KP KR KZ LC LK LR LS LT LU LV MA MD MG MK MN MW MX MZ NO NZ PL PT RO RU SD SE SG SI SK SL TJ TM TR TT TZ UA UG US UZ VN YU ZA ZW |
|
AL | Designated countries for regional patents |
Kind code of ref document: A1 Designated state(s): GH GM KE LS MW MZ SD SL SZ TZ UG ZW AM AZ BY KG KZ MD RU TJ TM AT BE CH CY DE DK ES FI FR GB GR IE IT LU MC NL PT SE TR BF BJ CF CG CI CM GA GN GW ML MR NE SN TD TG |
|
121 | Ep: the epo has been informed by wipo that ep was designated in this application | ||
DFPE | Request for preliminary examination filed prior to expiration of 19th month from priority date (pct application filed before 20040101) | ||
WWE | Wipo information: entry into national phase |
Ref document number: 520984 Country of ref document: NZ Ref document number: 2001241717 Country of ref document: AU |
|
WWE | Wipo information: entry into national phase |
Ref document number: 151522 Country of ref document: IL Ref document number: 2401577 Country of ref document: CA Ref document number: 200206903 Country of ref document: ZA |
|
WWE | Wipo information: entry into national phase |
Ref document number: PV2002-2944 Country of ref document: CZ Ref document number: 018058892 Country of ref document: CN Ref document number: 1020027011384 Country of ref document: KR Ref document number: 200200814 Country of ref document: EA |
|
ENP | Entry into the national phase |
Ref document number: 2001 563973 Country of ref document: JP Kind code of ref document: A |
|
WWE | Wipo information: entry into national phase |
Ref document number: IN/PCT/2002/1382/CHE Country of ref document: IN Ref document number: PA/A/2002/008564 Country of ref document: MX |
|
WWE | Wipo information: entry into national phase |
Ref document number: 2001912998 Country of ref document: EP |
|
WWP | Wipo information: published in national office |
Ref document number: 1020027011384 Country of ref document: KR |
|
WWP | Wipo information: published in national office |
Ref document number: 2001912998 Country of ref document: EP |
|
REG | Reference to national code |
Ref country code: DE Ref legal event code: 8642 |
|
WWP | Wipo information: published in national office |
Ref document number: 520984 Country of ref document: NZ |
|
WWG | Wipo information: grant in national office |
Ref document number: 520984 Country of ref document: NZ |
|
WWR | Wipo information: refused in national office |
Ref document number: PV2002-2944 Country of ref document: CZ |
|
WWG | Wipo information: grant in national office |
Ref document number: 2001912998 Country of ref document: EP |
|
WWG | Wipo information: grant in national office |
Ref document number: 2001241717 Country of ref document: AU |