(12) United States Patent (10) Patent No.: US 6,574,666 B1
Dutta et al. (45) Date of Patent: Jun. 3, 2003
6,141,749 A * 10/2000 Coss et al. 713/162
6,154,775 A * 11/2000 Coss et al. 709/225
6,170,012 B1 * 1/2001 Coss et al. 709/229
6,212,184 B1 * 4/2001 Venkatachary et al. 370/392
6,233,686 B1 * 5/2001 Zenchelsky et al. 713/201
6,308,276 B1 * 10/2001 Ashdown et al. 713/201
6,321,338 B1 * 11/2001 Porras et al. 709/224
FOREIGN PATENT DOCUMENTS
EP 0 762 707 A3 8/1997 H04L/29/06
WO 95/05549 2/1996 G06F/1/00
OTHER PUBLICATIONS
Bellovin, S. M., "Network Firewalls", IEEE Communications Magazine, vol. 32, No. 9, Sep. 1, 1994, pp. 50-57, XP000476555; p. 52, col. 1, ln. 60; p. 54, col. 2, ln. 30.
* cited by examiner
Primary Examiner—Bharat Barot
(57) ABSTRACT
A system and method for loading a filtering rule at a firewall. A firewall receives a packet and determines if a rule that pertains to the packet is loaded at the firewall. If a pertinent rule is found, it is implemented and the action prescribed by the rule for the packet is performed. If no pertinent rule is found, then a pertinent rule is retrieved from a source external to the firewall, and loaded at the firewall. The rule is then implemented for the packet. After the rule expires, e.g., when the user logs off, the rule is deleted from the firewall.
17 Claims, 2 Drawing Sheets
SYSTEM AND METHOD FOR DYNAMIC RETRIEVAL LOADING AND DELETION OF PACKET RULES IN A NETWORK FIREWALL
CROSS REFERENCE TO RELATED APPLICATION
This application claims priority to provisional application No. 60/105,197 entitled "SYSTEM AND METHOD FOR DEMAND-DRIVEN LOADING OF RULES IN A FIREWALL," filed Oct. 22, 1998, the contents of which are incorporated herein by reference.
FIELD OF THE INVENTION
The field of the invention is information systems access control, and in particular the dynamic loading of a rule in a firewall.
BACKGROUND OF THE INVENTION
A firewall regulates the flow of packetized information. A packet includes a header and a payload. The header includes header parameters, such as a source address and destination address for the packet, as well as source and destination port numbers and a protocol number, flags, priority parameters, security information, etc. The payload includes the data meant to be conveyed by the packet from its source to its intended destination. A known firewall is placed between the packet's source and intended destination, where it intercepts the packet. The known firewall filters a packet based upon the packet's header parameters and a rule loaded into the firewall. The rule correlates a pattern in the header of a packet with a prescribed action, either PASS or DROP. The filter identifies the rule that applies to the packet based upon the packet's header, and then implements the rule's prescribed action. When a DROP action is performed, the packet is blocked (deleted), and does not reach its intended destination. When a PASS action is performed, the packet is passed on toward its intended destination. The set of rules loaded into a firewall reflects a security policy, which prescribes what type of information is permissible to pass through the firewall, e.g., from which source, to which destination, for which applications, etc.
The set of rules loaded into a known firewall is static. The rules must typically be loaded with the intervention of a system administrator, and any changes to the rule set (additions, deletions, modifications) must also be implemented by the administrator. This disadvantageously limits the flexibility of the firewall to respond to changes in the security policy which it implements. Also, the firewall must disadvantageously store the entire set of rules implementing the security policy because the rules must be loaded manually. This is inefficient because it can require a large amount of memory resources, and increase the processor time needed to search for and locate a rule that applies to a given packet.
U.S. patent application Ser. No. 08/785,501, System and Method for Providing Peer-Level Access Control on a Network, filed Jan. 17, 1997, now U.S. Pat. No. 6,233,686, discloses a firewall that dynamically loads a rule pertinent to the security policy of a peer when the peer is authenticated (e.g., logs on), and then deletes the rule when the peer logs off. Thus, for example, the rules pertaining to a peer are only stored at the firewall when the peer is logged on. This economically saves memory resources and reduces the search time and processor load to find a rule for a given packet. It also allows for greater flexibility because the peer rule set can be changed (e.g., by the peer) between the times it is loaded into the firewall.
Although the Peer-Level Access invention is more efficient and flexible than known firewalls, further improvements are needed in both areas. For example, while the peer's rule set is loaded at the filter, only a small fraction of the rules may actually be implemented, depending upon the type of packets received at the firewall. The rules that are loaded but not needed during a session (e.g., the time between peer logon and log off) disadvantageously increase processor time during rule searches and absorb memory resources at the firewall unnecessarily.
SUMMARY OF THE INVENTION
In accordance with an embodiment of the present invention, a rule is loaded at a firewall when it is needed to prescribe an action with respect to a packet that is received. When the packet is received, the rules loaded at the firewall are searched for a rule that is pertinent to the received packet. If no such rule is found, then a pertinent rule is retrieved from a source external to the firewall, and loaded at the firewall. The firewall then implements the rule with respect to the packet. In one embodiment, the packet is either allowed to pass on to its intended destination, or dropped, in accordance with the action prescribed by the retrieved rule. When the rule expires (e.g., no further packets are received that correspond to the rule), the rule is deleted. This advantageously minimizes the amount of memory resources required to keep a current set of rules at the firewall. It also advantageously reduces the load on the processor at the firewall by reducing the number of rules that must be searched to find a rule that pertains to a received packet. Latency is advantageously reduced because a pertinent rule can be found more quickly when it is stored at the firewall.
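The demand-driven load, implement and expire cycle summarized above, written out as an added Python illustration (not code from the patent). The policy list, the `policy_server` stand-in for the external rule source, the idle-time expiry, and default-deny when no rule exists anywhere are my assumptions; it also assumes that policy rules pertinent to the same packet do not conflict, since a coarse rule loaded earlier would otherwise shadow a finer rule not yet loaded.

```python
import time
from dataclasses import dataclass
from typing import Callable, Optional

# A rule field of None is a wildcard, so Rule(None, None, None, None, "DROP") pertains to every packet.
@dataclass(frozen=True)
class Rule:
    src: Optional[str]
    dst: Optional[str]
    dport: Optional[int]
    proto: Optional[int]
    action: str  # "PASS" or "DROP"

    def pertains(self, pkt: dict) -> bool:
        """Pertinent when every non-wildcard rule field equals the packet's header field."""
        return all(want is None or pkt[name] == want
                   for name, want in (("src", self.src), ("dst", self.dst),
                                      ("dport", self.dport), ("proto", self.proto)))

class DemandLoadedFirewall:
    def __init__(self, fetch_rule: Callable[[dict], Optional[Rule]], ttl: float,
                 clock: Callable[[], float] = time.monotonic):
        self.fetch_rule = fetch_rule        # external rule source (assumed: a policy server)
        self.ttl = ttl                      # idle seconds after which a loaded rule expires
        self.clock = clock
        self.loaded: dict[Rule, float] = {} # rules currently at the firewall -> time of last use
        self.fetches = 0                    # how often the external source had to be consulted

    def filter(self, pkt: dict) -> str:
        self.expire_idle_rules()
        rule = next((r for r in self.loaded if r.pertains(pkt)), None)  # search loaded rules
        if rule is None:
            self.fetches += 1
            rule = self.fetch_rule(pkt)                                 # retrieve externally
            if rule is None:
                return "DROP"   # assumption: default deny when no rule exists anywhere
        self.loaded[rule] = self.clock()                                # load, or refresh last use
        return rule.action                                              # implement the rule

    def expire_idle_rules(self) -> int:
        """Delete rules that no packet has corresponded to within ttl; returns how many."""
        now = self.clock()
        stale = [r for r, last in self.loaded.items() if now - last > self.ttl]
        for r in stale:
            del self.loaded[r]
        return len(stale)

# Constructed sample policy held outside the firewall (TCP is protocol 6); rules are disjoint.
POLICY = [
    Rule("10.0.0.5", None, 22, 6, "PASS"),  # the admin host may SSH anywhere
    Rule(None, "10.0.0.9", 80, 6, "PASS"),  # anyone may reach the web server over HTTP
    Rule(None, "10.0.0.9", 23, 6, "DROP"),  # telnet to the web server is dropped
]

def policy_server(pkt: dict) -> Optional[Rule]:
    return next((r for r in POLICY if r.pertains(pkt)), None)
```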
BRIEF DESCRIPTION OF THE DRAWINGS
FIG. 1 is a flow chart illustrating the method in accordance with one embodiment of the present invention.
FIG. 2 shows an apparatus in accordance with an embodiment of the present invention.
FIG. 3 shows a system in accordance with an embodiment of the present invention.
DETAILED DESCRIPTION
An embodiment of the method of the present invention is shown in FIG. 1. A packet is received at a firewall, step 101. As discussed above, a packet is a discrete unit of information. In one embodiment of the present invention, a packet includes a header and a payload. The header includes header parameters, such as source address, source port, destination address, destination port and protocol number. The payload of the packet includes data being conveyed by the packet, e.g., a connection request, document data, etc. An example of a packet is an Internet Protocol packet, described in RFC 791, <library.ucg.ie/CIE/RFC/791/index.htm, visited Sep. 23, 1998>.
After receiving the packet, the rules that are loaded at the firewall are searched to determine if they include a rule that is pertinent to the packet, step 102. A rule is "pertinent" to a packet when the pattern of header parameters in the packet corresponds to a pattern in the rule. For example, a rule can be formulated to be pertinent to all packets. A rule can be pertinent to a packet from a given source address, regardless of its destination. Likewise, a rule can be formulated only to