Maria et al.

(11) Patent Number: 6,158,008
(45) Date of Patent: *Dec. 5, 2000

(54) METHOD AND APPARATUS FOR UPDATING ADDRESS LISTS FOR A PACKET FILTER PROCESSOR

(75) Inventors: Maria; Guan (remaining inventor details illegible in scan)
(73) Assignee: [illegible] Wireless Svcs. Inc., Redmond

(*) Notice: This patent issued on a continued prosecution application filed under 37 CFR 1.53(d), and is subject to the twenty year patent term provisions of 35 U.S.C. 154(a)(2).

(21) Appl. No.: 08/956,990
(22) Filed: Oct. 23, 1997
(51) Int. Cl.: G06F 11/30
(52) U.S. Cl.: 713/201; 713/154
(58) Field of Search: 713/200, 201, 202, 100, 153, 154; 709/225, 229, 242; 707/9; 380/23, 25

(56) References Cited

U.S. PATENT DOCUMENTS
4,184,117 1/1980 Lindner 325/33
4,888,796 12/1989 Olivo, Jr. 379/101
5,172,111 12/1992 Olivo, Jr. 340/825.31
5,396,493 3/1995 Sugiyama 370/60
5,448,698 9/1995 Wilkes 395/200.01
5,481,720 1/1996 Loucks et al. 395/700
5,553,315 9/1996 Sobti et al. 455/56.1
5,561,770 10/1996 de Bruijn et al. 395/200.06
5,606,668 2/1997 Shwed 395/200.11
5,615,340 3/1997 Dai et al. 395/200.17
5,627,886 5/1997 Bowman 379/111
5,632,011 5/1997 Landfield et al. 395/326
5,655,152 8/1997 Ohnishi et al. 395/856
5,678,041 10/1997 Baker et al. 395/609
5,684,951 11/1997 Goldman et al. 395/188.01
5,757,924 5/1998 Friedman et al. 380/49
5,802,319 9/1998 Faulk, Jr. et al. 395/200.79
5,825,891 10/1998 Levesque et al. 380/49
5,828,833 10/1998 Belville et al. 395/187.01
6,035,423 3/2000 Hodges et al. 714/38

FOREIGN PATENT DOCUMENTS
(entries illegible in scan)

OTHER PUBLICATIONS
Microsoft Press, “Computer Dictionary,” 2nd ed., pp. 105-106.

Primary Examiner: Robert W. Beausoleil, Jr.
Assistant Examiner: Scott T. Baderman

(57) ABSTRACT
A dedicated data packet filtering processor whose only function is to filter data packets based on a list of source IP addresses stored in high-speed memory of the processor. The processor has a specialized operating system which controls the operation of the processor. The processor examines the source IP address of each received data packet to determine if the source IP address matches one of the stored source IP addresses, and if there is a match, either discards or forwards the data packet depending on the processor configuration. The list of source IP addresses is updated by a service provider having a central administrative site. The service provider keeps these lists up to date and periodically updates the source IP addresses stored in the random access memory of the dedicated IP filtering processors.

9 Claims, 4 Drawing Sheets
`
`
`
FIG. 1 (front-page drawing): network 10, router 12, packet filter processor 14, network B (16), end-user terminal 18.

GUEST TEK EXHIBIT 1011
Guest Tek v. Nomadix, IPR2019-01191

U.S. Patent, Dec. 5, 2000, Sheet 1 of 4, 6,158,008
FIG. 1: router 12, packet filter processor 14, network 16.

Sheet 2 of 4
FIG. 2 (packet filter processor): LAN I/F connector 20, 802.3 interface 22, FIFO 24, clock 26, clock counter 28, DRAM control 30, DRAM bank 32 holding address list 33, RS232 connector 34, RS232 I/F 36, microprocessor 38, PROM 40, NVRAM 32K 42, FIFO 44, 802.3 I/F 46, LAN I/F connector 48.

Sheet 3 of 4
FIG. 3 (filtering flow): START; RECEIVE PACKET (50); DETERMINE SOURCE ADDRESS (52); COMPARE SOURCE ADDRESS WITH LIST (54); ADDRESS ON LIST?; PASS PACKET? (60); YES: SEND PACKET TO DESTINATION NETWORK (62); DROP PACKET (64).

Sheet 4 of 4
FIG. 4 (list server): main memory 72, CPU 74, bus adapter 76, list replication 78, user interface 80, system control 82, CPU/memory bus 84, I/O bus 86, I/O controllers 88, external memory 90, database 92, network interface 94.
METHOD AND APPARATUS FOR UPDATING ADDRESS LISTS FOR A PACKET FILTER PROCESSOR

FIELD OF THE INVENTION
The invention relates to packet filters in general. More particularly, the invention relates to a method and apparatus for filtering data packets using a dedicated processor and a list of source addresses stored in high-speed memory, as well as a means for periodically updating the list of source addresses to ensure the list is kept current.
BACKGROUND OF THE INVENTION
Many companies and individual homes have access to the Internet, and more particularly, the World Wide Web (WWW). With the growing number of Internet sites, there is also a growing number of sites which provide content that some companies may deem inappropriate for the workplace. Similarly, there are many Internet sites which provide content that parents may deem inappropriate for young children.
Data packet filters are currently available which filter out data packets from certain Internet sites. On the commercial side, these filters are often implemented as part of a router or “firewall.” On the individual side, these filters are implemented as programs which run on a personal computer and operate in conjunction with individual browser software. Both the commercial and individual filters operate by storing lists of prohibited source addresses, such as Internet Protocol (IP) addresses, and filtering out any data packets received from a site with a prohibited source IP address. One problem with the currently available filters is that there is a performance degradation as the list of prohibited source IP addresses grows. Another problem is the administration of prohibited source IP address lists. Internet sites are being added and changed every day, and it is very difficult to keep a prohibited source IP address list up to date.
One example of a conventional data packet filter is described in U.S. Pat. No. 5,606,668 titled “System for Securing Inbound and Outbound Data Packet Flow in a Computer Network.” The '668 patent relates to computer network security and the control of information flow between internal and external network destinations. The patent broadly describes prior art packet filtering using access list tables. The patent is directed to a filter module which provides network security by specifying security rules for network traffic and accepting or dropping data packets according to the security rules. The rules are implemented in packet filter code which is executed by packet filter modules located at various locations within the network.
The packet filter disclosed in the '668 patent, however, is less than satisfactory for a number of reasons. In accordance with the disclosure of the '668 patent, the packet filter modules are embodied as “virtual machines” residing on existing network host computers. Thus, these filters are software modules executing on existing network computers, and are not separate dedicated filtering processors. Further, this patent fails to describe a method for administering and updating the access list tables. In addition, the packet filter disclosed in the '668 patent is implemented between the data link layer and network layer of the International Standardization Organization (ISO) protocol stack. Therefore, the packets must unnecessarily pass through the protocols set forth for the data link layer before being filtered, which slows down the processing speed of the packet filter.
Another example of a conventional data packet filter is shown in U.S. Pat. No. 5,615,340 titled “Network Interfacing Apparatus and Method Using Repeater and Cascade Interface with Scrambling.” The '340 patent relates to interfacing nodes in a network. Each node is associated with a plurality of working ports. When a node receives an incoming data packet, the destination address of the data packet is compared against a stored address table to determine if the data packet is destined for a working port associated with the node. The node will only transmit the data packet to the node's working ports if there is a match. Similarly, when a node receives an outgoing data packet, the destination address of the data packet is compared against the stored address table to determine if the data packet is destined for a working port associated with the node. If there is a match, then the node will transmit the data packet back to its working nodes. Otherwise, the node will transmit the data packet to the network. This system is not used for filtering unwanted data packets, but is instead used for network routing of data packets. Further, as with the '668 patent, the '340 patent fails to disclose a means for updating the source address list.
From the foregoing, it can be appreciated that a substantial need exists for a high performance data packet filter which can work with a large number of source IP addresses. There is also a need for an efficient way to administer source IP address lists.
`
SUMMARY OF THE INVENTION
One embodiment of the present invention proposes a method and apparatus for updating a profile of source IP address lists for packet filtering devices. A service provider administers a database of source IP address lists. Each list may contain the IP addresses of particular types of Internet sites. The service provider keeps these lists up to date and periodically updates the source IP addresses stored in the random access memory of the dedicated IP filtering processors. In this manner, end users can be assured that the source IP address lists stored in their filtering processor are up to date.
With these and other advantages and features of the invention that will become hereinafter apparent, the nature of the invention may be more clearly understood by reference to the following detailed description of the invention, the appended claims and to the several drawings attached herein.
`
BRIEF DESCRIPTION OF THE DRAWINGS
FIG. 1 illustrates a network topology suitable for practicing one embodiment of the invention.
FIG. 2 is a block diagram of a packet filter processor in accordance with one embodiment of the invention.
FIG. 3 is a block flow diagram of steps for filtering data packets in accordance with one embodiment of the invention.
FIG. 4 is a block diagram of a list server in accordance with one embodiment of the invention.
`
DETAILED DESCRIPTION
Referring now in detail to the drawings wherein like parts are designated by like reference numerals throughout, there is illustrated in FIG. 1 a network topology suitable for practicing one embodiment of the invention. As shown in FIG. 1, a first network 10 is connected to a router 12. Router 12 is in turn connected to a packet filter processor 14. Packet filter processor 14 is connected to a second network 16 and an end-user terminal 18.
`
`
`
Networks 10 and 16 are packet based networks, such as Transmission Control Protocol/Internet Protocol (TCP/IP) networks or X.25 networks. A packet originates from network 10 with an intended destination to network 16 or end-user terminal 18. Both the source and destination addresses are included in the packet.
It is worthy to note that the network topology shown in FIG. 1 is exemplary only. The possible number of network configurations is virtually limitless, the design of which is well-known in the art. The present invention may work on any network configuration utilizing packet technology for transporting voice, image or data signals.
The placement of packet filter processor 14 in a network is also variable depending on where a network designer would desire to control the in-flow or out-flow of packets between networks or network devices. In this embodiment of the invention, packet filter processor 14 is positioned at the only entry and exit point of either network 10 or 16, thereby controlling which packets enter either network. It can be appreciated, however, that packet filter processor 14 could be placed on an individual network device, such as a personal computer, thereby controlling the flow of packets only to the personal computer, or in any other strategic point within a network.
FIG. 2 is a block diagram of a packet filter processor in accordance with one embodiment of the invention. As shown in FIG. 2, Local Area Network (LAN) interface (I/F) connectors 20 and 48 are coupled to network interface cards 22 and 46, respectively. Connector 20 and card 22 are used to interface with network 10, and to accept packets originating from network 10. Connector 48 and card 46 are used to interface with network 16 or end-user terminal 18, and to accept packets originating from network 16 or terminal 18. Connectors 20 and 48, as well as cards 22 and 46, operate in accordance with principles well-known in the art. Further, cards 22 and 46 are designed to adhere to the Institute of Electrical and Electronics Engineers (IEEE) standard titled “Carrier Sense Multiple Access with Collision Detection (CSMA/CD) Access Method and Physical Layer Specifications,” American National Standard ANSI/IEEE Standard 802.3, 1985 (“IEEE 802.3 standard”). The IEEE 802.3 standard defines a technique referred to as CSMA/CD, which is appropriate for a network having a bus/tree topology. It can be appreciated, however, that network interfaces designed to work with other medium access techniques or standards could be used for packet filter processor 14, and still fall within the scope of the invention.
Cards 22 and 46 are connected to one another, and also to First In First Out (FIFO) buffers 24 and 44, respectively. FIFO buffers 24 and 44 are used to store incoming or outgoing packets in memory until each packet can be compared and sent to networks 10 or 16.
Packet filter processor 14 also includes several types of high-speed memory. By way of example, this embodiment of the invention includes a 96 kilobyte (K) Programmable Read Only Memory (PROM) 40, a 32K Non-Volatile Random Access Memory (NVRAM) 42, and a Dynamic Random Access Memory (DRAM) bank 32. There is also a DRAM control 30 for DRAM bank 32.
Each type of memory is used to store data for packet filter processor 14. For example, PROM 40 is used to store an operating system (not shown) for packet filter processor 14. NVRAM 42 is used to store user defined parameters (not shown), and operating system parameters (not shown) used by the operating system stored in PROM 40. DRAM bank 32 is used to store an address list 33 of source IP addresses.
`
The heart of packet filter processor 14 is a dedicated high performance microprocessor 38. Any microprocessor capable of operating at the speeds necessary to implement the functions of the packet filter processor is appropriate. Examples of processors suitable to practice the invention include the INTEL family of processors, such as the Pentium(R), Pentium(R) Pro, and Pentium(R) II microprocessors.
Packet filter processor 14 also includes a connector 34 and interface 36, both of which are attached to microprocessor 38. Connector 34 and interface 36 both adhere to Electronic Industries Association (EIA) Standard RS-232-C titled “Interface Between Data Terminal Equipment and Data Communication Equipment Employing Serial Binary Data Interexchange,” October, 1969. Finally, packet filter processor 14 includes a clock 26 and clock counter 28 to control the timing of packet filter processor 14.
Packet filter processor 14 operates in accordance with the operating system, which is comprised of a set of computer program instructions which are stored in PROM 40. Since a list of source IP addresses can include a large number of addresses, e.g., ranging from hundreds to several thousand, the processing time required to compare a source IP address of an incoming packet with a list of several thousand source IP addresses is enormous, and significantly degrades the performance of many conventional packet filters. According to the principles of the present invention, however, packet filter processor 14 combines the elements of a high-speed microprocessor, a source IP address list stored in high-speed memory, and a dedicated proprietary operating system, to ensure that data packets can be filtered at a high rate of speed.
Operating system 39 is designed to control the operation of the microprocessor 38. More particularly, the operating system is designed such that the microprocessor 38 is directed to look at the source IP address of each received data packet to determine if the source IP address matches one of the stored source IP addresses, and if there is a match, to either discard or forward the data packet depending on the processor configuration. Since the operating system and microprocessor 38 are dedicated to one task, packet filter processor 14 can perform the filtering process very quickly and efficiently. The operation of the operating system, and of packet filter processor 14 in general, will be described in more detail with reference to FIG. 3.
Another reason packet filter processor 14 is so efficient is that packet filter processor 14 is implemented between the physical layer and data link layer of the ISO protocol stack. The significance of this implementation can be better appreciated in view of some background information on network architectures in general.
A network architecture defines protocols, message formats, and standards to which products must conform in order to connect properly with the network. Architectures are developed by standards organizations, common carriers, and computer and network vendors. Network architectures use a layered approach, whereby functions are organized into groups and assigned to specific functional layers in the architecture. Network architectures define the interfaces between layers in a given network node and within the same layer in two different nodes.
OSI provides a generalized model of system interconnection. It encompasses seven layers: application, presentation, session, transport, network, data link, and physical. A brief summary for each layer is given as follows:
1. Physical Layer. The physical layer is responsible for the transmission of a bit stream across a particular physical transmission medium. It involves a connection between two machines that allows electrical signals to be exchanged between them.
2. Data Link Layer. The data link layer is responsible for providing reliable data transmission from one node to another and for shielding higher layers from any concerns about the physical transmission medium. It is concerned with the error free transmission of frames of data.
3. Network Layer. The network layer is concerned with routing data from one network node to another. It is responsible for establishing, maintaining, and terminating the network connection between two users and for transferring data along that connection.
4. Transport Layer. The transport layer is responsible for providing data transfer between two users at an agreed on level of quality.
5. Session Layer. The session layer focuses on providing services used to organize and synchronize the dialog that takes place between users and to manage data exchange.
6. Presentation Layer. The presentation layer is responsible for the presentation of information in a way that is meaningful to the network users, e.g., character code translation, data conversion, or data compression or expansion.
7. Application Layer. The application layer provides a means for application processes to access the system interconnection facilities in order to exchange information.
Packet filter processor 14 is implemented between the physical layer and data link layers described above, in order to increase the speed at which packets are filtered. The physical layer is responsible for data encoding and decoding. Data encoding refers to translating the bits being transmitted into the proper electrical signals to be sent across the transmission medium. Data decoding translates the electrical signals received over the transmission medium into the bit stream those signals represent. The data link layer is concerned with data encapsulation/decapsulation and media access management. These functions, however, are not necessary for identifying the source address of the packet. For example, data decapsulation is the function of recognizing the destination address, determining if it matches the receiving station's address, performing error checking, and removing control information that was added by the data encapsulation function in the sending station. Therefore, by implementing packet filter processor 14 between the physical layer and data link layer, processor 14 can maximize the speed at which it filters each packet.
FIG. 3 illustrates a block flow diagram of steps for filtering data packets in accordance with one embodiment of the invention. The description with respect to FIG. 3 will assume that a packet is originating from network 10 and has an intended destination address that is within network 16. It can be appreciated, however, that the operation of packet filter processor 14 is identical when the packet originates from network 16 or terminal 18 and has an intended destination address within network 10.
Packet filter processor 14 receives a packet at step 50. Connector 20 receives the packet and passes the packet to interface card 22 which is designed to convert the electrical impulses received over the physical transmission media into packets conforming to the standards set forth in IEEE 802.3. The packet is stored in FIFO 24.
Processor 38 reads the source IP address for the packet at step 52, and compares the source IP address with list 33, which is stored in DRAM bank 32, at step 54. List 33 is stored in DRAM bank 32 in order to increase the speed at which data from the list can be retrieved by processor 38, as compared to, e.g., when data is stored on some other computer readable medium such as a hard drive or floppy disk. Step 56 comprises a test to determine whether there is a match at step 54. If there is a match at step 54, then packet filter processor 14 records the attempt at step 58 before passing control to step 60. If there is not a match at step 54, then control is directly passed to step 60.
Packet filter processor 14 determines whether the packet should be passed at step 60. The decision whether to pass the packet or not is dependent upon the mode in which processor 14 is currently configured. Packet filter processor 14 has a restrictive mode and a permissive mode. Restrictive mode refers to a condition where a select number of packets are to be passed, and all others blocked. Permissive mode is where all packets are to be passed except for a select few that require blocking. Thus, in permissive mode, the packet is passed if the source IP address for a packet does not match an address on list 33. If there is a match, packet filter processor 14 drops the packet. In restrictive mode, the packet is passed if the source IP address does match an address from list 33, and is dropped otherwise.
At step 60, packet filter processor 14 determines whether the packet should be passed depending on whether packet filter processor 14 has been set to permissive mode or restrictive mode. If packet filter processor 14 has been set to restrictive mode, and there is a match at step 56, then the packet is passed at step 62 to the destination network which in this embodiment of the invention is network 16 or terminal 18. If packet filter processor 14 has been set to restrictive mode, and there is not a match at step 56, then the packet is dropped at step 64. Conversely, if packet filter processor 14 has been set to permissive mode, and there is a match at step 56, then the packet is dropped at step 64. If packet filter processor 14 has been set to permissive mode, and there is not a match at step 56, then the packet is passed to the destination network at step 62. In this embodiment of the invention, a default condition is that no feedback is given to the system sending the packets for security reasons if a packet is dropped at step 64. It can be appreciated, however, that this default condition can be changed and still fall within the scope of the invention.
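The FIG. 3 flow (steps 50 through 64) together with the restrictive and permissive modes, as an added reference model that is not code from the patent. It assumes DIX Ethernet II framing of IPv4 (EtherType 0x0800), so the source address sits at a fixed offset in the raw frame; the patent says processor 38 reads the source IP address but not how it locates it, and the frames below are constructed samples.

```python
"""Reference model of packet filter processor 14's filtering flow (FIG. 3).

Added illustration, not the patent's own code. Assumptions: DIX Ethernet II
framing of IPv4, so the source IP lives at byte 26 of the raw frame (14-byte
Ethernet header + 12 bytes into the IPv4 header). Reading it straight from the
frame mirrors the point that data-link decapsulation is not needed to filter.
"""
import ipaddress
from enum import Enum

ETH_HDR_LEN = 14
ETHERTYPE_IPV4 = 0x0800
IP_SRC_OFF = ETH_HDR_LEN + 12  # offset of the IPv4 source address field


class Mode(Enum):
    PERMISSIVE = "permissive"    # pass everything except listed sources
    RESTRICTIVE = "restrictive"  # pass only listed sources


class PacketFilterProcessor:
    def __init__(self, address_list, mode=Mode.PERMISSIVE):
        # list 33 held as a set: one lookup costs the same whether the list has
        # hundreds or thousands of entries, the scaling problem the background names
        self.address_list = frozenset(ipaddress.IPv4Address(a) for a in address_list)
        self.mode = mode
        self.match_log = []  # step 58: record of attempts whose source matched

    def replace_list(self, address_list):
        # replication from list server 70: the whole list is swapped at once
        self.address_list = frozenset(ipaddress.IPv4Address(a) for a in address_list)

    @staticmethod
    def source_address(frame):
        # step 52: read the source IP out of the frame at a fixed offset,
        # without the data-link-layer decapsulation the text calls unnecessary
        if len(frame) < IP_SRC_OFF + 4:
            raise ValueError("frame too short to carry an IPv4 header")
        if int.from_bytes(frame[12:14], "big") != ETHERTYPE_IPV4:
            raise ValueError("not an IPv4 frame")
        return ipaddress.IPv4Address(frame[IP_SRC_OFF:IP_SRC_OFF + 4])

    def filter(self, frame):
        # step 50: the frame handed over by FIFO 24 is the caller's bytes here
        src = self.source_address(frame)
        # steps 54 and 56: compare against list 33 and test for a match
        matched = src in self.address_list
        if matched:
            self.match_log.append(str(src))  # step 58
        # step 60: the pass decision depends only on the configured mode
        if self.mode is Mode.PERMISSIVE:
            passed = not matched
        else:
            passed = matched
        # step 62 or step 64; a drop sends nothing back to the sender by default
        return "pass" if passed else "drop"


def build_frame(src_ip, dst_ip):
    # constructed sample frame: zeroed MACs, EtherType 0x0800, minimal IPv4 header
    eth = b"\x00" * 6 + b"\x00" * 6 + ETHERTYPE_IPV4.to_bytes(2, "big")
    ip = bytes([0x45, 0, 0, 20, 0, 0, 0, 0, 64, 6, 0, 0])
    ip += ipaddress.IPv4Address(src_ip).packed + ipaddress.IPv4Address(dst_ip).packed
    return eth + ip


if __name__ == "__main__":
    pfp = PacketFilterProcessor(["10.0.0.5"], Mode.PERMISSIVE)
    print(pfp.filter(build_frame("10.0.0.5", "192.0.2.1")))  # drop: listed source
    print(pfp.filter(build_frame("10.0.0.6", "192.0.2.1")))  # pass: not listed
```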
In accordance with the system administration aspects of the invention, a service provider administers a database of source IP address lists. Each list may contain the IP addresses of particular types of Internet sites. The service provider keeps these lists up to date and periodically updates list 33 stored in DRAM bank 32 of packet filter processor 14. In this manner, end users can be assured that the source IP address lists stored in their filtering processor are up to date.
List 33 can be updated in at least two ways. First, list 33 could be updated by connecting Data Terminal Equipment (DTE) such as an asynchronous (ASCII) terminal (or personal computer emulating an asynchronous terminal) to RS-232 connector 34 of packet filter processor 14. This method would enhance security when updating list 33. Alternatively, a network connection is formed with a central administrative site equipped with a list server 70, preferably through an Internet Service Provider (ISP) using a direct network connection or via RS-232 connector 34. List 33 is then updated from the central administrative site, either by a request by the list server 70 of the administrative site, or on the request of packet filter processor 14. List server 70 is described in more detail with reference to FIG. 4.
`
`
`
FIG. 4 is a block diagram of a list server suitable for practicing one embodiment of the invention. List server 70 comprises a main memory module 72, a central processing unit (CPU) 74, a system control module 82, a bus adapter 76, a list replication module 78, and a user interface module 80, each of which is connected to a CPU/memory bus 84 and an Input/Output (I/O) bus 86 via bus adapter 76. Further, list server 70 contains multiple I/O controllers 88, as well as an external memory 90, a database 92 and network interface 94, each of which is connected to I/O bus 86 via I/O controllers 88.
The overall functioning of list server 70 is controlled by CPU 74, which operates under the control of executed computer program instructions that are stored in main memory 72 or external memory 90. Both main memory 72 and external memory 90 are machine readable storage devices. The difference between main memory 72 and external memory 90 is that CPU 74 can typically access information stored in main memory 72 faster than information stored in external memory 90. Thus, for example, main memory 72 may be any type of machine readable storage device, such as random access memory (RAM), read only memory (ROM), programmable read only memory (PROM), erasable programmable read only memory (EPROM), or electronically erasable programmable read only memory (EEPROM). External memory 90 may be any type of machine readable storage device, such as magnetic storage media (i.e., a magnetic disk), or optical storage media (i.e., a CD-ROM). Further, list server 70 may contain various combinations of machine readable storage devices through other I/O controllers, which are accessible by CPU 74, and which are capable of storing a combination of computer program instructions and data.
CPU 74 includes any processor of sufficient processing power to perform the functionality found in list server 70. Examples of CPUs suitable to practice the invention include the INTEL family of processors, such as the Pentium(R), Pentium(R) Pro, and Pentium(R) II microprocessors.
Network interface 94 is used for communications between list server 70 and a communications network, such as the Public Switched Telephone Network (PSTN) or the Internet. Network interface 94 supports appropriate signaling, ringing functions and voltage levels, in accordance with techniques well known in the art.
I/O controllers 88 are used to control the flow of information between list server 70 and a number of devices or networks such as external memory 90, database 92 and network interface 94. System control module 82 includes human user system control and operation. Bus adapter 76 is used for transferring data back and forth between CPU/memory bus 84 and I/O bus 86.
List replication module 78 and user interface module 80 implement the main functionality for list server 70. It is noted that modules 78 and 80 are shown as separate functional modules in FIG. 4. It can be appreciated, however, that the functions performed by these modules can be further separated into more modules, combined together to form one module, or be distributed throughout the system, and still fall within the scope of the invention. Further, the functionality of these modules may be implemented in hardware, software, or a combination of hardware and software, using well-known signal processing techniques.
List server 70 operates as follows. A profile is established for each packet filter processor customer subscribing to the list updating service. The profile contains a copy of list 33 for each packet filter processor. List 33 at list server 70 is updated with new source IP addresses on a periodic basis. Similarly, old or invalid source IP addresses are removed from list 33 on a periodic basis.
The updating of list 33 at list server 70 can be accomplished in two ways. First, the central administrator for list server 70 obtains new source IP address information from various sources, such as service providers or search robots specializing in gathering source IP addresses by category, e.g., telemarketers, adult material, advertising entities, hate groups, and so forth. The central administrator for list server 70 then updates list 33 at list server 70 with the new source IP address information in a timely manner, e.g., within hours of receiving the new information. Second, the user of a packet filter processor can access list server 70 via user interface module 80, and perform updates to list 33 at list server 70 directly. The user could update list server 70 in a variety of ways, such as adding, deleting or modifying the source IP addresses of list 33 stored in database 92 of list server 70.
Once list 33 at list server 70 is updated, list replication module 78 sends updated list 33 to each packet filter processor according to the profile of each packet filter processor. The profile for each packet filter processor contains information regarding when and how often list 33 at list server 70 is to be replicated to the packet filter processor. For example, list 33 at list server 70 can be replicated to a packet filter processor on a periodic basis, such as every day at a certain time, or whenever a change to list 33 at list server 70 is performed. In addition, a user of a packet filter processor may request an update of list 33, such as when the user has modified list 33 at server 70, or in the event list 33 at the packet filter processor has become corrupted or lost.
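The two update paths and the profile-driven replication of list replication module 78 described above, as an added model that is not code from the patent. The Profile fields, the trigger names "daily" and "on_change", and the in-memory record of what was sent are assumptions; the patent describes the behaviour but no data format or transfer protocol.

```python
"""Model of list server 70's profile-driven replication of list 33.

Added illustration, not the patent's own code. Profiles, trigger names and the
'sent' record are assumptions standing in for database 92 and the network path
to each packet filter processor.
"""
from dataclasses import dataclass, field


@dataclass
class Profile:
    # one profile per packet filter processor subscribing to the update service
    processor_id: str
    trigger: str                 # "daily" (replicate at `hour`) or "on_change"
    hour: int = 0                # hour of day used by the "daily" trigger
    copy: frozenset = field(default_factory=frozenset)  # server-side copy of list 33


class ListServer:
    def __init__(self):
        self.master = set()      # list 33 as held in database 92
        self.profiles = {}
        self.sent = []           # (processor_id, reason, list) replication records

    def subscribe(self, profile):
        self.profiles[profile.processor_id] = profile

    def administrator_update(self, add=(), remove=()):
        # first update path: the central administrator merges new source IP
        # information and retires old or invalid entries
        self.master |= set(add)
        self.master -= set(remove)
        self._replicate_where(lambda p: p.trigger == "on_change", "change")

    def user_update(self, processor_id, add=(), remove=()):
        # second update path: a user edits list 33 through user interface module 80
        # and then asks for its own processor to be refreshed
        self.master |= set(add)
        self.master -= set(remove)
        self._replicate_where(lambda p: p.trigger == "on_change", "change")
        self.request_update(processor_id, "user-request")

    def tick(self, hour):
        # periodic schedule: replicate to processors whose profile names this hour
        self._replicate_where(lambda p: p.trigger == "daily" and p.hour == hour, "scheduled")

    def request_update(self, processor_id, reason="request"):
        # processor-initiated request, e.g. after its local list 33 was lost or
        # corrupted: ship the list even if the server-side copy already matches
        self._send(self.profiles[processor_id], reason, force=True)

    def _replicate_where(self, pred, reason):
        for profile in self.profiles.values():
            if pred(profile):
                self._send(profile, reason)

    def _send(self, profile, reason, force=False):
        # scheduled and on-change replication only ships when something changed
        snapshot = frozenset(self.master)
        if force or snapshot != profile.copy:
            profile.copy = snapshot
            self.sent.append((profile.processor_id, reason, snapshot))
```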
In addition to updating existing lists for packet filter processors, list server 70 has predetermined lists of source IP addresses by category. For example, a list of source IP addresses for all Internet sites containing adult material can be pre-established, and therefore readily replicated to a packet filter processor by a user simply accessing the central administrative site and making a request. Other lists for telemarketing firms, non-business related web sites, a competitor's network devices, government web sites, and so forth, could also be pre-established and made available for a user of the p