(12) United States Patent
`Taylor et al.
`
`(10) Patent No.:
`(45) Date of Patent:
`
`US 6,728,885 B1
`Apr. 27, 2004
`
`US006728885B1
`
`(54) SYSTEM AND METHOD FOR NETWORK
`ACCESS CONTROL USING ADAPTIVE
`PROXIES
`
`(75)
`
`Inventors: Kevin R. Thylor, Ellicott City, MD
`(US); Ganesh Murugesan, Reston, VA
`(US); Homayoon Tttjalll, Ellicott City,
`MD (US)
`
`Networks. T. Ramteke, Prentice Hall, 1994, Chapter 19, pp.
`430-436.
`
`Computer Network, A. Tanenbaum, Prentice Hall, 1981, pp.
`15-21.
`
`‘ cited by examiner
`
`(73) Assignee: Networks Associates Technology, Inc.,
`Santa Clara, CA (US)
`
`Primary Examiner—Gilberto Barron
`Assistant Examiner—-A. Nobahar
`
`( ‘ ) Notice:
`
`Subject to any disclaimer, the term of this
`patent is extended or adjusted under 35
`U.S.C. 1S4(b) by 0 days.
`
`(21) Appl. No.: 09/414,711
`
`(22) Filed:
`
`Oct.8, 1999
`
`(60)
`
`Related US. Application Data
`Provisional application No. 60/103,837, filed on Oct. 9,
`1998.
`
`(51) 1m.c1.’ ........................... 11041.9/32;co61= 11/30;
`G06F 12/14
`
`...................... .. 713/201; 709/238; 709/249
`(52) US. Cl.
`(58) Field of Search ............................... .. 713/201, 200;
`709/238, 249
`
`(56)
`
`References Cited
`U.S. PATENT DOCUMENTS
`
`2/1997 Shwed .................. 395/2(IJ.l1
`5,6(b,668 A
`3/1999 Baehr etal.
`.............. .. 713/201
`5,884,025 A '
`4/1999 Wesinger etal.
`......... .. 713/201
`5,898,830 A ‘
`5,968,176 A ‘ 10/1999 Nessett etal.
`............ .. 713/201
`6,128,298 A ‘ 10/ZJ00 Wootton etal.
`.......... .. 370/392
`
`OTHER PUBLICATIONS
`
`Firewall Software for NT and Unix, D. Seachrist et al., Byte,
`Jun. 1997, pp. 130-134.
`Applied Cryptography, Second Edition, Protocols, Algo-
`rithnn, and Source Code in C, B. Schneier, John Wiley &
`Sons, 1996, Chapters 8 and 24. pp. 185-187 and 574-579.
`
`(74) Attorney, Agent, or Fir-m—Silicon Valley lP Group,
`PC; Kevin J. Zilka; Christopher J. Hamaty
`
`(57)
`
`ABSTRACT
`
`A method, system and computer program for providing
`multilevel security to a computer network. The method
`comprkes the step of receiving a first communication packet
`on at
`least one network interface port from an outside
`network. The method further includes the steps of filtering
`the first packet in one of at least two levels of security
`comprising a first
`level of security which examines the
`content information of the packet and a second level of
`security which examines the first packet excluding the
`content infonnation of the packet. The system includes a
`first packet filter configured to filter its input packets by
`examining content information of its packets and a second
`packet filter configured to filter its input packets by exam-
`ining the header information without examining the content
`information of its packets. The system further includes a
`third filter which is configured to forward a number of
`packets to one of the first and second filters, thereby pro-
`viding security to the computer network. The computer
`program includes a first module located in an application
`layer, a second module located in a network layer, and a third
`module located in a kernel space and configured to examine
`a number of packets received by the computer network from
`at least one outside network and to forward the number of
`
`packets to one of the first and second modules after exam-
`ining the number of packets.
`
`29 Claims, 7 Drawing Sheets
`
`
`
`|PR2015-01856 CAP CO, Ltd. Exhibit 2005 Page 1
`
`IPR2015-01856 CAP CO, Ltd. Exhibit 2005 Page 1
`
`

`
`U.S. Patent
`
`Apr. 27,2004
`
`Sheet 1 of 7
`
`US 6,728,885 B1
`
`125
`
`105
`
`125
`
`'/
`
`107
`
`109
`
`FIG. 1
`(PRIOR ART)
`
`|PR2015-01856 CAP CO, Ltd. Exhibit 2005 Page 2
`
`IPR2015-01856 CAP CO, Ltd. Exhibit 2005 Page 2
`
`

`
`U.S. Patent
`
`Apr. 27, 2004
`
`Sheet 2 of 7
`
`US 6,728,885 B1
`
`User Defined
`
`Tramp —«
`Packet Filte:
`
`FIG. 2
`
`|PR2015-01856 CAP CO, Ltd. Exhibit 2005 Page 3
`
`IPR2015-01856 CAP CO, Ltd. Exhibit 2005 Page 3
`
`

`
`U.S. Patent
`
`Apr. 27, 2004
`
`Sheet 3 of 7
`
`US 6,728,885 B1
`
`
`Is the packet
`a connection
`
`control packet?
`
`
`
`253
`
`
`
`a connection
`
` Is the packet
`
`
`
`establishing
`packet?
`
`25 5
`
`
`
`Disconnect the
`
`connection or put
`the connection
`on hold
`
`FIG 3
`
`|PR2015-01856 CAP CO, Ltd. Exhibit 2005 Page 4
`
`IPR2015-01856 CAP CO, Ltd. Exhibit 2005 Page 4
`
`

`
`U.S. Patent
`
`Apr. 27, 2004
`
`Sheet 4 of 7
`
`US 6,728,885 B1
`
`
`
`Is the port
`on which the
`
`packet was
`received
`
`registered?
`
`303
`
`
`
`Yes
`
`
`
`No
`
`(1) Send relevant
`information to the
`
`registered proxy
`
`(2) wait instructions
`
`from the proxy
`
`N0
`
`Apply Transparency
`
`Yes
`
`Apply the matched
`
`mle on the packet
`
`323
`
`FIG. 4
`
`|PR2015-01856 CAP CO, Ltd. Exhibit 2005 Page 5
`
`IPR2015-01856 CAP CO, Ltd. Exhibit 2005 Page 5
`
`

`
`U.S. Patent
`
`Apr. 27, 2004
`
`Sheet 5 of 7
`
`US 6,728,885 B1
`
`Does the
`Does the
`
`packet nutch
`packet much
`with any user
`with any user
`specified mles?
`specified rules?
`
`
`
`
`
`331
`
`343
`
`FIG. 5
`
`|PR2015-01856 CAP CO, Ltd. Exhibit 2005 Page 6
`
`IPR2015-01856 CAP CO, Ltd. Exhibit 2005 Page 6
`
`

`
`U.S. Patent
`
`Apr. 27, 2004
`
`Sheet 6 of 7
`
`US 6,728,885 B1
`
`Is the
`
`transparency
`on?
`
`
`packet to its
`packet to proxy
`
`destination
`
`Forward the
`
`
`
`
`Forward the
`
`405
`
`403
`
`FIG. 6
`
`|PR2015-01856 CAP CO, Ltd. Exhibit 2005 Page 7
`
`IPR2015-01856 CAP CO, Ltd. Exhibit 2005 Page 7
`
`

`
`U.S. Patent
`
`Apr. 27, 2004
`
`Sheet 7 of 7
`
`US 6,728,885 B1
`
`
`
`E
`
`8
`
`E
`
`%
`
`E’
`g
`
`455
`
`III
`
`N
`
`«:9
`u.
`
`III
`
`461
`
`201
`
`451
`
`|PR2015-01856 CAP CO, Ltd. Exhibit 2005 Page 8
`
`IPR2015-01856 CAP CO, Ltd. Exhibit 2005 Page 8
`
`

`
`US 6,728,885 B1
`
`1
`SYSTEM AND METHOD FOR NETWORK
`ACCESS CONTROL USING ADAPTIVE
`PROXIES
`
`CROSS REFERENCE TO RELATED
`APPLICATIONS
`
`'l11is application claims the benefit of U.S. Provisional
`Application No. 60/103,837, filed Oct. 9. 1998.
`
`FIELD OF INVEN'I'ION
`
`This invention relates to providing security in communi-
`cation networks. In particular, the invention relates to fire-
`wall technology in packet switched networks for adaptively
`providing a plurality of security levels.
`BACKGROUND OF THE INVEN'I'ION
`
`Referring to FIG. 1, a typical firewall 101 is placed
`between a Local Area Network (LAN) 103 and outside
`networks 111, 115. LAN 103 may include a plurality of
`internal hosts 105, 107, 109. Outside networks 111 can be
`networked through the Internet 117. Outside network 115
`may also include its own firewall 117. lntemal hosts 105,
`107, 109 and remote hosts 119, 121 are computers, e.g.,
`personal computers (PC) or computer workstations. Firewall
`101 includes a combination of computer hardware and
`software components configured to protect LAN 103, i.e.,
`preventing unwanted intrusions from outside networks 111,
`115.
`
`In order to exchange information, e.g., sending a message
`from remote host 119 to internal host 105, a connection 125
`is established by sending a plurality of packets therebe-
`tween. A packet is a basic mesage unit routed between a
`source computer and a destination computer, e.g., remote
`host 119 and internal host 105, respectively, in a packet-
`switched network depicted in FIG. 1. For example, when a
`file, e.g., an e-mail message, HTML file, or other similar
`message, is sent from a source computer to a destination
`computer, the file is broken into a plurality of packets. (Here,
`HTML, Hypertext Markup Language, is a set of “markup”
`symbols or codes, which instructs a Web browser how to
`display a Web page’s words and images.)
`More specifically, a Transport Control Protocol (TCP)
`module of a TCP/IP layer in a source computer divides the
`file into packets of an efiicient size for transmitting over the
`network. Each packet includes header information, e.g., a
`destination address and a source addres, and content
`information, i.e., the broken up message file. Further, the
`plurality of packets from the file includes a plurality of
`connection control packets and data tramfer packets. The
`connection control packets include at least one connection
`establishing packet, e.g., a SYN packet, and at least one
`connection disconnection packet, e.g., RST, FIN, FIN-ACK
`packets. The data transfer packets include the pieces of the
`broken up file. Individual packets for a given file may travel
`different routes through the packet switching network. When
`the packets from one file have all arrived at their destination
`computer, they are reassembled into the original file by a
`TCP module in the destination computer.
`Here, the TCP module is a communication protocol used
`along with the Internet Protocol (IP) to send data in the form
`of packets between a source and destination computers.
`While the IP module performs the actual delivery of the data,
`the TCP module keeps track of the individual packets that a
`file is divided into for efiicient routing through the Internet.
`OSI (Open Systems Interconnection) is briefly described
`here to provide the context in which the present invention is
`
`2
`discumed later. OS] is a reference model for the layer of
`common functions in a communicatiom system. Although
`many existing hardware and software products have been
`developed on a slightly diflerent model, the OSI model is
`often med as a guideline when new products are designed
`and serves as a common reference for understanding any
`particular design or comparing it with others.
`OS] includes seven layers:
`The application layer (layer 7) is a layer at which a user
`interacts with a computer to view messages or send
`data requests or responses.
`The presentation layer (layer 6) is a layer, usually pan of
`an operating system, that converts incoming and out-
`going data from one presentation format to another
`(e.g., converting a text stream into a popup window
`with a newly arrived text string).
`The sesion layer (layer 5) manages the establishment of
`a continuing series of requests and responses between
`the applications at each end of a communication con-
`nection.
`
`layer (layer 4) manages the end-to-end
`The transport
`control (e.g., detennining whether all packets have
`arrived) and error-checking.
`The network layer (layer 3) handles the routing of the data
`(sending it in the right direction to the right destination
`on outgoing transmissions and receiving incoming
`transmissions at the packet level).
`The link (or data-link) layer (layer 2) provides error
`control and synchronization for the physical level and
`does bit-stufiing for strings of 1’s in excess of 5.
`The physical
`layer (layer 1) conveys the bit stream
`through the network at the electrical and mechanical
`level.
`
`Referring back to FIG. 1, the basic task of firewall 101 is
`to separate internal network 103 from outside networks 117,
`115 and enforce security policies with a set of rules. The
`most common firewall features include: securing internal
`network 103 access with a perimeter defense, controlling all
`connections into and out of internal network 103, filtering
`packets according to previously defined rules, “authenticat-
`ing” or making sure users and applications are permitted to
`access resources, logging of activities, and actively notifying
`the appropriate people when suspicious events occur.
`Conventional firewalls include only one of a packet filter,
`an application proxy and a stateful inspection.
`A packet filter examines each incoming packet and
`decides what actions to take by checking against a table of
`access control rules. The packet
`filter,
`in its simpler
`embodiments, examines the header information of each
`incoming packet and makes pass/fail decisions based on
`their source and destination addresses. A weaknes of such
`
`a firewall is that the content information of the packets is
`unknown to the firewall. More specifically, because packet
`filters perform their checking at the network access layer,
`there is no real knowledge of application level vulnerabili-
`ties. As a result, direct connections are allowed between a
`source and destination computers through firewall 101,
`exposing internal hosts 105, 107, 109 to direct attacks.
`An application proxy does not allow direct contact
`between a ‘trusted’ and ‘untnrsted’ networks. Each of the
`
`20
`
`35
`
`45
`
`50
`
`65
`
`packets pmsing through th's type of firewall is examined at
`the application layer—meaning the application proxies
`understand the destination and contents of packets. Such a
`firewall, for example, distinguishes between “FTP Put" and
`“Get” commands. A typical application proxy includes a
`built-in proxy function also known as a transparency func-
`
`|PR2015-O1856 CAP CO, Ltd. Exhibit 2005 Page 9
`
`IPR2015-01856 CAP CO, Ltd. Exhibit 2005 Page 9
`
`

`
`US 6,728,885 B1
`
`3
`tion. The transparency function replaces the IP addres of a
`host on the internal protected network with its own IP
`address for all
`traflic passing through. The transparency
`function provides added security, because it hides the
`addresses of internal hosts. This makes it more dilficult for
`
`hackers on the outside to target specific devices inside such
`a firewall. For this higher security, however, the application
`proxy requires large amounts of processing power and a
`corresponding loss of performance.
`Finally, a stateful packet filter examines packets without
`examining the packets as well as that of an application
`proxy. After a packet filter firewall or stateful inspection
`firewall has decided to allow a connection to be made, it
`allows data to travel directly between the networks without
`further inspection. Once a session is opened, the nature of
`the session can be changed without being detected. This
`allows for more speed, but also creates potential security
`risks as well. Again, making internal hosts 105, 107, 109
`vulnerable to attacks from outside.
`
`Accordingly, there exists a need for a firewall method
`which makes it possible to dynamically select
`the best
`procedures from existing firewall methods to achieve the
`required level of security while meeting performance con-
`straints.
`Further, the definitions of network communication terms
`and phases can be found in Andrew S. Tannenbaum, “Com-
`puter Networks ” 2"” ed., (1989), the contents of which are
`herein incorporated by reference. Information on network
`programming can also be found in W. Richard Stevers,
`“Unix Network Programming” (1990),
`the contents of
`which are herein incorporated by reference.
`SUMMARY OF THE INVENTION
`
`The firewall of the present invention combines the advan-
`tages provided in the conventional firewall
`technologies
`described above while eliminating short comings thereof. In
`other words, the firewall of the present invention is just as
`secure as a proxy firewall, but
`it
`is more flexible and
`eflicient.
`
`35
`
`More specifically, the firewall of the present invention is
`provided between an internal computer network to be pro-
`tected by the firewall and at least one outside network. The
`firewall includes a dynamic packet filter which communi-
`cates with a proxy. The proxy registers with the dynamic
`packet filter for notifications of request to establish new data
`communication connections through physical connections
`between the internal and outside computer networks. When
`a connection establishing request is received, in the form of
`a SYN packet, the dynamic packet filter notifies the proxy
`and provides attribute information thereto. The attribute
`information includes the source and destination addresses
`
`and the physical connection on which the packet was
`received.
`
`In order to detennine whether to allow the requested data
`communication connection, the proxy compares the attribute
`information with rules in a configuration information file.
`The niles in the configuration information file are entered by
`a user to set forth whether to allow data communication
`
`connections for certain physical connections. If the rule is to
`allow the data communication connection and forward the
`packets at the packet level, the dynamic packet filter creates
`a connection rule so as to apply the connection rule to
`packets having the same attribute information. Subsequent
`packets received with the same attrflaute information are
`then automatically forwarded without consulting the proxy.
`Once the connection terminates,
`the connection rule is
`removed and the proxy is notified. However, if the decision
`
`45
`
`50
`
`60
`
`65
`
`4
`is to absorb, the dynamic packet filter sends the packets up
`a TCP/IP stack in the firewall, where they will be accepted
`by the proxy.
`the proxy acts as the server to the
`In other words,
`incoming connection and initiates a new connection, acting
`as a client,
`to the ultimate destination. In between, the
`necessary application-level filtering is performed.
`An added benefit of the present invention, beyond the
`performance improvement, is the flexibility it gives its users.
`Within the adaptive proxy model, a firewall can be config-
`ured to follow more or less stringent security rules, fine-
`tuning performance even more.
`
`BRIEF DESCRIPTION OF THE DRAWINGS
`
`20
`
`FIG. 1 is a schematic illustration of a conventional
`communication network;
`FIG. 2 is a schematic illustration of internal modules of
`the firewall of the present invention;
`FIGS. 3-6 are flow charts a plurality of functions per-
`formed by the firewall of the present invention; and
`FIG. 7 is a schematic illustration of the traparency
`function of the present invention.
`
`DETAILED DESCRIPITON
`
`Referring to FIG. 2, there is illustrated an overall block
`diagram of a firewall 201 of the present
`invention that
`includes a Network Interface Card (NIC) 203 coupled to at
`least one outside network. NIC 203 is also coupled to a
`Network Addres Translation module (NAT) 205 which in
`turn is coupled to a Dynamic Packet Filter module (DPF)
`207. DPF 207 is coupled to a proxy 211, a User Defined
`Static Packet Filter module (UD-SPF) 209, Transparency
`Packet Filter (TPF) 215, and a local Transmission Control
`Protocol/lntemet Protocol stack (TC‘P/IP) 213. TCP/IP 213
`in turn is coupled to an Out-Going Dynamic Packet Filter
`(OG-DPF) 217.
`It should also be noted that the term “coupled" should be
`interpreted to mean one of many connection methods. For
`instance, NIC 215 may be coupled to the at least one outside
`network via wire or wireless communication connections,
`whereas NIC 203 may be coupled to NAT via physical wires.
`However, when two coupled modules are implemented in
`computer programs, the term coupled means data transfer
`between the two computer program modules during execu-
`tion thereof. In other words, the term “coupled” means a
`connection established through at
`least one of wireless
`communication links, wire connections and computer pro-
`gram data trafers.
`NAT 205, DPF 207, UD-SPF, 209, TPF 215, local TCP/IP
`213 and OG-DPF 217 are located in the kernel space of
`firewall 201. Here, the term kemel designates the operating
`system in a computer that contains the system-level com-
`mands hidden fiom the user. For example, the kernel may
`include device drivers, memory management routines,
`scheduling prograrm, and other system calls. The kernel
`always runs while the system is operating. Proxy 211 is
`located in the user space,
`i.e., the application layer, of
`firewall 201. The term proxy designates either all of the
`filtering and decision making processes or individual filter-
`ing processes occurring at
`the user space. Proxy 211,
`therefore, can be referred as a one process or a plurality of
`processes depending upon the context in which the term
`appears.
`
`Preferably, the preceding components in the kernel space
`and user space are implemented in computer programs
`
`|PR2015-01856 CAP CO, Ltd. Exhibit 2005 Page 10
`
`IPR2015-01856 CAP CO, Ltd. Exhibit 2005 Page 10
`
`

`
`US 6,728,885 B1
`
`5
`written in C or C++. Alternatively, the computer programs
`can be written in other computer languages such as Pascal.
`The computer programs are also implemented to run on a
`variety of computer operating systems such as UNIX, Win-
`dows NT or LINUX. It should be noted that the computer
`language and the corresponding operating system are not
`essential part of this invention;
`therefore,
`the invention
`dkclosed herein can be implemented in any computer lan-
`guage and operating system.
`The computer pmgram are stored in a computer readable
`storage medium, e.g., hard disks or floppy diskettes. In
`operation, the computer programs are read to a random
`access memory to be executed by a processor. The computer
`readable storage medium. the random access memory and
`the process are preferably included in the computer of
`firewall 201. Alternatively, however, the computer readable
`storage medium can be provided by another computer or
`floppy diskettes. Hence,
`the computer programs can be
`downloaded from a remote computer coupled to firewall
`201.
`
`Referring back to FIG. 2, preferably, firewall 201 can be
`part of a computer located between LAN and outside
`networks. NIC 203, also known as an adapter interface, is a
`hardware attachment, usually a computer expandable board,
`that connects firewall 201 to outside networks. Each physi-
`cal connection established through NIC 203 is asigned to a
`port number so as to identify the physical connection.
`The above described elements are further explained by
`way of steps that take place during operation therein. For
`instance, a plurality of packets from the outside networks
`arrives at NIC 21B. Each received packet
`is examined
`separately by firewall 201. More specifically, when a packet
`is received by NIC 203 from any one of outside networks
`111, 115, the packet is asociated with a corresponding port
`number. The packet is, then, forwarded to NAT 205 which
`translates the destination addres of the received packet into
`a corresponding address of internal hosts. The packet is then
`sent to DPF 207 for further examination and processing.
`Referring to FIG. 3, in step 253, DPF 207 determined
`whether the received packet is a connection control packet
`which requests to establish a data communication
`connection, disconnect an established connection, or put an
`established connection into a hold state. It should be noted
`that a physical connection between a source and destination
`connection does not establish a data communication con-
`
`nection. The connection is completely established only
`when the physical and data communication connections are
`achieved. In order to avoid any confusion, the physical
`communication connection is referred as a physical connec-
`tion and a data communication connection is referred as a
`
`connection hereinafter. If the paclaet is a connection control
`packet, DPF 207 perforrm step 255; and if the packet is not
`a connection control packet, i.e., a data packet, then DPF
`207 performs step 331.
`In step 255, DPF 207 determines whether the received
`packet
`is a connection establishing packet,
`i.e., a SYN
`packet. If the packet is a connection establishing packet,
`DPF 207 performs step 303; and if the packet
`is not a
`connection establishing packet, DPF 207 performs step 257.
`In step 257, DPF 207 performs the following: if the packet
`is a connection disconnecting packet, i.e., a FIN packet, the
`corresponding pre-exbting connection is disconnected; and
`if the packet is a hold packet, i.e., an RS1‘ packet, then the
`corresponding pre-existing connection is put on hold.
`Referring to FIG. 4, in step 303, to be performed when the
`packet is a connection establishing packet, DPF 207 further
`
`6
`determines whether the port, i.e., the port, on which the
`packet was received is a registered port. If the port
`is
`regbtered, DPF 207 performs step 311; and if the packet is
`not registered, DPF 207 performs step 321. The system
`administrator specifies which of the ports are to be registered
`in a configuration information file. For example, when
`physical connections are made between a remote host com-
`puter belonging to an outside network and a port on NIC
`203, the system administrator makes security assessment of
`the remote host. Subsequently, the system administrator sets
`up the configuration information file setting forth whether to
`regkter that port.
`In step 311, to be performed when the port is registered,
`DPF 207 transfers attribute information of the packet to
`proxy 211. Preferably, the attribute information includes the
`source and destination addreses of the packet and the port
`on which the packet was received.
`It should be noted,
`however, other information contained the connection estab-
`lishing packet can be sent
`to proxy as well. Once the
`attribute information has been sent to proxy, DPF 207 awaits
`instructions therefrom.
`
`Proxy 211, upon receiving the attribute information from
`DPF 207, determines whether to allow the connection. If the
`connection is to be allowed, proxy 211 further determines
`which filter dynamic filter rule to apply.
`One such dynamic filter mle is a filter all rule. This rule
`is utilized when only packet filtering is required for all
`packets in a particular connection. For example, this rule
`could be defined to apply packet filters to all “telnet”
`packets.
`Another dynamic filter rule is a selective filtering rule.
`Thb rule requires proxy 211 to handle connection control
`packets and packet filters to handle the data packets. In other
`words, the packet filtering will be enabled only when proxy
`211 has performed it’s security checks for the connections,
`i.e., checking the relevant information on the SYN packet
`sent by DPF 207. For instance,
`this rule '5 useful for
`protocols such as File Transfer Protocol (FTP), which sends
`data packets on a dilferent connection after establishing the
`connection. Other filtering rules are also possible such as not
`applying any filtering or applying a proxy filter at
`the
`application layer to all packets received on a specific con-
`nection.
`
`The configuration file discussed above, which stored the
`information on which ports are registered, further includes
`various filter rules to be applied for specific connections. For
`example, packets received from a particular port can be
`subjected to the filter all rule filter, while packets received
`fr'om another port can be subjected to the selective filtering
`rule. The configuration file is preferably stored in the com-
`puter where firewall 201 is located. It should be noted,
`however, that the configuration file can be stored in any of
`internal hosts.
`It should also be noted that
`the system
`administrator creates the configuration infonnation file dis-
`cussed above and specifies the TPF mles by utilizing a
`graphical user interface configured receive appropriate
`information from the system administrator.
`Once proxy 211 determines whether to allow the connec-
`tion and which one of the rules to apply to the connection,
`that information is trarsferred to DPF 207.
`
`20
`
`35
`
`45
`
`50
`
`In step 315, DPF 207 discarrk the packet if proxy 211
`determined not to allow the connection. In step 317, DPF
`207 creates a new connection and applies the corresponding
`rule. The rule will be applied to any subsequent packets from
`that connection until the connection is disconnected.
`
`65
`
`A new connection is created by modifying a connection
`list. The connection list, as the name implies, includes a list
`
`|PR20’l5-01856 CAP CO, Ltd. Exhibit 2005 Page 11
`
`IPR2015-01856 CAP CO, Ltd. Exhibit 2005 Page 11
`
`

`
`US 6,728,885 B1
`
`7
`of currently active or soon to be active connections and
`relevant information thereof such as the source and desti-
`nation addresses and the port on which the connection is or
`to be established. Each entry in the connection list represents
`TCP or UDP (User Datagram Protocol) connection. For
`instance. if the connection is allowed by proxy 211, the
`corresponding connection entry in the connection list is
`modified to indicate that the connection has been allowed
`and established.
`
`In yet another aspect of the invention, since there are no
`SYN packets for UDP conneetiorn, if a UDP packet has
`previously established a connection and the connection
`exists in the connection list then that connection is used for
`new UDP packets received on the same connection. Other
`UDP packet processing steps are similar to the TCP packet
`processing steps described above.
`Preferably, the communication between proxy 211 and
`DPF 207 describe above is achieved by using a socket. The
`following is a description of a specific implementation of the
`sockets. For instance, a new network protocol family and
`new functions can be added to a conventional socket APl
`
`(Application Program Interface). Sockets provide a conve-
`nient and well known programming model to one of ordi-
`nary skill in the art.
`Preferably, the following data structures are defined in a
`socket definition header file:
`
`20
`
`struct aockaddr_gt {
`u_short
`struct in_addr
`u_short
`u_clIar
`struct in_addr
`u_short
`u_clIar
`
`ain_farnily:
`sirLaddr;
`sin_port;
`proto;
`sout_addr.
`aout_port;
`airI._Zero[1]:
`
`the connect function, sin_port specifies the source port of a
`connection to be filtered. For the bind function, it specifies
`the destination TCP/UDP port number of SYN/UDP packets
`for which the proxy wishes to register via a listen function.
`For the accept function, it contains the source port number
`of the SYN/UDP packet received by the firewall. The listen
`function is discussed below.
`proto
`This variable field specifies the type of lntemet Transport
`Protocol that must be Dynamic Packet Filtered. The only
`valid values for this variable are lPPROT‘O_T‘CP for TCP
`and lPPROT0_UDP for UDP.
`sout_addr
`This variable field specifies a destination IP address. For
`the connect function, sout_addr specifies the destination IP
`address of a connection to be packet filtered. For the accept
`function, it contains the destination IP address of the SYN/
`UDP packet received by the firewall.
`sout_port
`This variable field specifies the destination port number.
`For the connect function, sout_pon specifies the destination
`port of a connection to be packet filtered. For the accept
`function,
`it contains the destination port number of the
`SYN/UDP packet received by the firewall.
`SlIl_7£|'0
`This variable field specifies unused byte of data. This
`enables the use of padding to match the size of struct
`sockaddr.
`
`Preferably, data_gt data structure defined below '5 used
`by the getsockopt function to retrieve DPF connection
`statistics.
`
`35
`
`struct data_gt {
`int
`arc_aent;
`int
`dst_sent:
`
`};
`
`The above definition of struct is a structure in computer
`program language. Astructure is a collection of one or more
`variables, possibly of ditferent types, grouped together under
`a single name for convenient handling. It should be noted
`that structures are called “records” in some other computer
`languages, notably Pascal. The structures permit a group of
`related variables to be treated as a unit instead of as separate
`entities. This arrangement helps to organize complicated
`data, partiailarly in large computer programs.
`The variable definitions such as u_short and u_char
`specify the length of corresponding variables to be unsigned
`short integer and umigned character, respectively. These
`terms are well known to one of ordinary skill in the art of
`computer programming. The following is a brief description
`of the various fields in the struct sockaddr_gt:
`sin_family
`Thu variable field specifies the protocol family to which
`the struct sockaddr_gt belongs.
`sin_addr
`This variable field specifies a source [P address. For a
`connect function, sin_addr specifies the source IP address of
`a connection to be filtered. For a bind function, it specifies
`the IP address of an interface port to which the socket should
`be bound by the bind function. For an accept function, it
`specifies the source IP addres of the SYN/UDP packet
`received by firewall 201. The connect, bind, and accept
`functions are discussed below.
`
`sin_port
`This variable field specifies a source port number, i.e., the
`interface port on which the packets are to be received. For
`
`45
`
`50
`
`65
`
`src_sent
`This variable returns the number of bytes transferred by
`the source end of the connection.
`dst_sent
`This variable returns the number of bytes transferred by
`the destination end of the connection.
`In order to fully discuss the new socket structure, the
`semantics of the various functions mentioned above is
`described below. As a starting point, the semantics of the
`functions is similar to the semantics of the various standard
`
`socket application calls for adaptive proxies and DPF. In
`other words, except for the data structure described above,
`the parameters to the functions are substantially similar to
`conventional socket interfaces such as the standard Berkley
`and Winsock socket interfaces
`
`Socket(int domain, int type, int protocol)
`This function creates an endpoint for communication. It
`opens a passive entry and returns a descriptor to the socket.
`Bind(SOCKETs, const stmct sockaddr ‘name, int namelen)
`The bind function asigns a name to an unbound socket
`created by socket. This causes the socket to be associated
`with the address specified in name. From the perspective of
`DPF 207, the hind function allows proxy 211 to register with
`a kemel/driver for packet filtering on a specific interface port
`number. Only the sin_family, sin_addr, and sin_port fields
`in nam