US008458784B2

(12) United States Patent
Krumel

(10) Patent No.: US 8,458,784 B2
(45) Date of Patent: *Jun. 4, 2013

(54) DATA PROTECTION SYSTEM SELECTIVELY ALTERING AN END PORTION OF PACKETS BASED ON INCOMPLETE DETERMINATION OF WHETHER A PACKET IS VALID OR INVALID
`(56)
`
`References Cited
`
`U.S. PATENT DOCUMENTS
`4,941,198 A * 7/1990 Johnson et al .................... 455/9
`5,343,471 A
`8/1994 Cassagnol ..................... 370/401
`(Continued)
`
`(75)
`
`Inventor: Andrew K. Krumel, San Jose, CA (US)
`
`(73) Assignee: 802 Systems, Inc., Marshall, TX (US)
`
(*) Notice: Subject to any disclaimer, the term of this patent is extended or adjusted under 35 U.S.C. 154(b) by 0 days.

This patent is subject to a terminal disclaimer.
(21) Appl. No.: 12/807,641

(22) Filed: Sep. 10, 2010

(65) Prior Publication Data

US 2011/0197273 A1    Aug. 11, 2011
Related U.S. Application Data

(63) Continuation of application No. 11/374,465, filed on Mar. 13, 2006, now abandoned, which is a continuation of application No. 09/611,775, filed on Jul. 7, 2000, now Pat. No. 7,013,482.
`(51)
`
`Int. Cl.
`G06F 17100
`G06F 15116
`G06F9/00
`(52) U.S. Cl.
`USPC ................. 726/13; 713/154; 726/11; 726/12;
`709/229
`
`(2006.01)
`(2006.01)
`(2006.01)
`
`( 58) Field of Classification Search
`USPC .................. 713/154; 709/229; 726/11, 12, 13
`See application file for complete search history.
`
`Primary Examiner - Michael Simitoski
`(74) Attorney, Agent, or Firm - Loudermilk & Associates
`
(57) ABSTRACT

Methods and systems for firewall/data protection that filter data packets in real time and without packet buffering are disclosed. A data packet filtering hub, which may be implemented as part of a switch or router, receives a packet on one link, reshapes the electrical signal, and transmits it to one or more other links. During this process, a number of filter checks are performed in parallel, resulting in a decision about whether each packet should or should not be invalidated by the time that the last bit is transmitted. To execute this task, the filtering hub performs rules-based filtering on several levels simultaneously, preferably with a programmable logic or other hardware device. Various methods for packet filtering in real time and without buffering with programmable logic are disclosed. The system may include constituent elements of a stateful packet filtering hub, such as microprocessors, controllers, and integrated circuits. The system may be reset, enabled, disabled, configured, and/or reconfigured with toggles or other physical switches. Audio and visual feedback may be provided regarding the operation and status of the system.
`
`36 Claims, 14 Drawing Sheets
`
`Ex.1001
`CISCO SYSTEMS, INC. / Page 1 of 29
`
`
`
`
`
`
U.S. Patent    Jun. 4, 2013    Sheet 1 of 14    US 8,458,784 B2

[Sheet 1 of 14: drawing; no text survived extraction]
`
`
`
[Sheet 2 of 14, FIG. 1B: network diagram showing a DSL Router connecting External (untrusted) hosts, Bastion (exposed) hosts (Streaming Audio Server, Web + FTP Server) and Internal (protected) hosts]
`
`
`
[Sheet 3 of 14, FIG. 2: flow diagram of the filtering hub. Blocks labelled External PHY, Internal PHY, Repeater Core, Packet Nibbles, Packet Type Filters, Packet Characteristics Logic (No Buffering), Packet Characteristics and Nibble Data, Rules Map Table (Characteristics ID, Rule Dispatching Information), Rules Engine #1 ... Rules Engine #N (Get Rule / Run Rule #1 ... Run Rule #N), Rules #1 ... Rules #N, Connection Cache (Entry to Look-Up), State, State Rules Filter, Result #1 ... Result #N, Result Aggregator, Pass/Junk. Legend: Data Store, Queue, Logic, Signal. Reference numerals 14, 16, 18, 22, 23, 24, 26, 30, 32, 34-N, 36-1, 36-N, 40-1, 40-N, 42.]
`
`
`
[Sheet 4 of 14, FIG. 3: flow chart of the repeater core and four filter levels. Repeater Core receives packet data; Determine packet characteristics (protocol, addrs, ports, flags) (44); Level 2 Filters (46), Level 3 Filters (48), Level 4 Filters (50) and Spoof Check (52) each emit pass/fail for each network into the Result Aggregator (24); Alarm Controller (53) drives an Alert LED (54) and, optionally, Transmit alarm information over network (55).]
`
`
`
[Sheet 5 of 14, FIG. 4: Level 2 filtering in relation to packet flow. DSL Router/Cable Modem (8); External PHY (12), Bastion PHY and Internal PHY with a Controller (18); data nibble path "Reshape and transmit packet in real-time"; Level 2 Filters (46) produce Junk/Pass for each PHY category into the Result Aggregator; decision boxes: unknown packet type; "... packet and from PHY ext?"; "Check options type of 7, 68, 131, or 137" (Present / Not present / Pass); "Is from PHY ext and op code = 3?". Reference numerals 56, 58, 60, 62, 66, 68, 70, 72, 73.]
`
`
`
[Sheet 6 of 14, FIG. 5: Level 3 filter flow chart. Determine IP Datagram Characteristics (80) branches by protocol into Unknown, IGMP, ICMP and TCP/UDP; Unknown and IGMP set the Fail signal; decision boxes: "Is from PHY ext?" (84), "Is fragment offset 0?", "Is type 5, 8, 10, 13, 15, 17?" (92), "Is fragment 0?", "Is protocol header contained in fragment?" (104), each N/Y path leading to Pass or Set Fail signal; Filter TCP and UDP datagram (106); outputs Junk Signal and Pass Signal. Reference numerals 81, 82, 86, 88, 90, 94, 96, 98, 100, 102.]
`
`
`
[Sheet 7 of 14, FIG. 6: rules by which TCP and UDP packets are evaluated for pass or fail in parallel (other protocols also handled simultaneously). Inputs: Determine packet IP address, ports, and flags; Packet type (TCP, UDP, ICMP, ...) and active PHY. Rules shown: If port-i = 68 and port-e = 67 then pass int & ext; If TCP and (ACK set or FIN set) then pass int & ext; If server-mode enabled and PHY-e active and TCP and port-i = 80 then pass int; If PHY-i active and TCP then pass ext; If PHY-i active and UDP and port-e = 53 then pass ext and store comm state; If PHY-e active and UDP and port-e = 53 then pass int if have comm state match; If PHY-i active and TCP and port-e = 21 and SYN not set and ACK set and PORT command then pass ext and (get client active port and store comm state); If PHY-e active and TCP and port-e = 20 and SYN set and ACK not set then pass int if have comm state match; If all checks complete and bitwise-or pass signals for int & ext then set complete signal. Outputs: ext pass, int pass, complete check state; Comm state store. Legend: ext = external (Internet) network connection; int = internal (LAN) network connection; port-e = external port number; port-i = internal port number; PHY-e = external physical layer chip; PHY-i = internal physical layer chip. Reference numerals 108 through 132.]
`
`
`
[Sheet 8 of 14, FIG. 7: parallel rule evaluation for TCP and UDP packets. Determine UDP and TCP Packet Characteristics (133) yields a lookup code; toggles: Enable Web Client, Enable Web Servers, User Defined Toggle(s); Rules Dispatcher (134) reads exec addr / mapping data from a Mapping Table (136); Rules Engine #1 ... Rules Engine #N (148) receive toggle states, datagram characteristics and comm state and read rule data from Rules Table #1 ... Rules Table #N (142-1 ...); Lookup comm state for external host (146) with comm state update; Result Aggregator (144) emits Pass Signal and Junk Signal.]
`
`
`
[Sheet 9 of 14, FIG. 8: Level 4 filter flow chart. Determine UDP and TCP Packet Characteristics (150); toggle Enable Active FTP (152); Stateful Filters (154): Protocol front-end #1 ... #N (160-1 ... 160-N) issue store signals (155) to a Register Controller (store and clear signal for Reg 1 ... Reg N) that maintains State Registers (156); packet state characteristic match signals feed Protocol back-end #N; Non-Stateful Filters (153): Compare characteristics to the allowed non-stateful rules and make judgment; Pass signals for each network go to the Result Aggregator (144).]
`
`
`
[Sheet 10 of 14, FIG. 9: block diagram of the hardware. External Network RJ-45 (162) to PHY (164) to PLD (170) to PHY (172) to RJ-45 (174) Internal Network; Controller (166) with Nonvolatile Memory (168); Server enabled button, Client enabled button, Update button (176), Reset Button (180); External Link LED (177), Internal Link LED (178), Alert LED (179).]
`
`
`
U.S. Patent    Jun. 4, 2013    Sheet 11 of 14    US 8,458,784 B2

[Sheet 11 of 14, FIG. 10: exemplary external case. Labels: internal, alert, server mode, Update button (176), alarm output (55). Reference numerals 192, 193, 194, 198, 202, 204, 206, 208, 210, 212, 216, 218, 220, 222, 223.]
`
`
`
[Sheet 12 of 14, FIG. 11: SYN flood protection, external side. Wait for a packet from external PHY (224); Compare IP address and ports to flood list entries (226); Y/N decision (230); Remove from flood list; Junk packet (236).]
`
`
`
`240
`
`N
`
`242
`
`y
`
`add 1 to new ACK #
`Unset SYN flag and
`
`244
`
`FIG.12
`
`---from internal PHY
`Wait for a packet
`
`3) transmit
`2) Recalc TCP, IP, Eth checksums
`1) set RST flag
`Transmit RST packet (high priority)
`
`238
`
`and ACK #'s
`3) swap MAC, IP, ports
`2) write bits into list
`1) get flood list locations
`
`250
`
`y
`
`Add to flood list
`
`252
`
`N
`
`2) transmit
`1) recalc TCP, IP, Eth checksums
`Transmit ACK packet:
`
`248
`
`Ex.1001
`CISCO SYSTEMS, INC. / Page 15 of 29
`
`
`
[Sheet 14 of 14, FIG. 13: garbage collection of the flood list. Wait for 1 second (254); For each flood list entry (256); Y/N decision (258); 1) unset ACK and set RST flag, 2) add 1 to sequence #, 3) recalc checksums, 4) recalc TCP, IP, Eth checksums (262); Transmit RST packet (264); Remove from flood list (266).]
`
`
`
DATA PROTECTION SYSTEM SELECTIVELY ALTERING AN END PORTION OF PACKETS BASED ON INCOMPLETE DETERMINATION OF WHETHER A PACKET IS VALID OR INVALID

This application is a continuation of U.S. application Ser. No. 11/374,465, filed Mar. 13, 2006, now abandoned, which is a continuation of U.S. application Ser. No. 09/611,775, filed Jul. 7, 2000, now U.S. Pat. No. 7,013,482.
`
`FIELD OF THE INVENTION
`
`The present invention relates to computer security and data
`protection systems and methods, and more particularly to
`firewall and data protection systems and methods for filtering
`packets, such as from the Internet, in real time and without
`packet buffering.
`
`2
`either accepted ( and passed to the computer) or rejected ( and
`disposed of by the software). This software often requires
`substantial computer knowledge and experience. Users of
`such devices and tools typically have an expertise in network
`5 administration or a similar field, so they can configure, opti(cid:173)
`mize, and even build the complex filtering and security
`options provided by the software.
`While such devices and tools can be quite effective in
`providing "firewall" protection for sophisticated users of
`10 large office systems, they pose several barriers to unsophisti(cid:173)
`cated users of small office and home systems in the growing
`SOHO market. Current large office systems are expensive,
`difficult to set up, and require technical skills. What is needed
`for SOHO systems is a relatively inexpensive, uncompli-
`15 cated, "plug and play" type oflnternet protection system that
`can be easily connected and configured by relatively unso(cid:173)
`phisticated users.
`
`SUMMARY OF THE INVENTION
`
`BACKGROUND OF THE INVENTION
`
`20
`
`The use of the Internet has exploded in recent years. Small
`and large companies as well as individual users are spending
`more time with their computers connected to the Internet.
`With the advent of Internet technologies, such as cable
`modems, digital subscriber lines, and other "broadband"
`access devices, users are connecting their computers to the
`Internet for extended periods of time.
`Such extended or "persistent" connection to the Internet
`brings many advantages to users in immediate access to the 30
`content on the Internet through the use of email, search
`engines, and the like. Unfortunately, however, persistent
`access to the Internet exposes connected computers to poten(cid:173)
`tial security threats, where intruders and "hackers" may com(cid:173)
`promise proprietary systems, engage in information theft, or 35
`take control of the connected computers remotely. With more
`sophisticated tools at their disposal, hackers pose security and
`privacy risks to systems with persistent access to the Internet.
`Such security risks are even present for computers connected
`to the Internet for limited periods of time (such as through 40
`dial-up, modem connections), though to a lesser degree than
`the extended access computers.
`There are currently many different types of firewall sys(cid:173)
`tems available on the market, including proxy servers, appli(cid:173)
`cation gateways, stateful inspection firewalls, and packet fil- 45
`tering firewalls, each of which provides a variety of strategies
`and services for data protection. Conventional packet filters
`typically are computers, routers, or ASICs based on general
`purpose CPUs. They perform their filtering duties by receiv(cid:173)
`ing a packet, buffering the data until a determination can be 50
`made, and forwarding the packet as applicable for the par(cid:173)
`ticular system. For example, a dual-homed, Linux-based filter
`with two network cards might receive a packet completely,
`evaluate whether it meets specific criteria, and transmit the
`packet on the other network card. In another example, a router 55
`designed for switch mode routing might begin buffering a
`packet until a decision is made, then forward the packet on the
`applicable interface while still receiving the packet. With
`most packet filters, software is used and data is buffered.
`Sophisticated computer users working for medium- to 60
`large-sized companies have a variety of relatively expensive
`protection devices and tools at their disposal. Such devices
`and tools typically screen data packets received from the
`Internet with sophisticated software-based filtering tech(cid:173)
`niques. Using relatively complex tools for software analysis, 65
`each packet is stored in a buffer and examined sequentially
`with software-based rules, which results in each packet being
`
`In accordance with the present invention, devices, methods
`and systems are provided for the filtering of Internet data
`packets in real time and without packet buffering. A stateful
`packet filtering hub is provided in accordance with preferred
`25 embodiments of the present invention. The present invention
`also could be implemented as part of a switch or incorporated
`into a router.
`A packet filter is a device that examines network packet
`headers and related information, and determines whether the
`packet is allowed into or out of a network. A stateful packet
`filter, however, extends this concept to include packet data
`and previous network activity in order to make more intelli(cid:173)
`gent decisions about whether a packet should be allowed into
`orout of the network. An Ethernet hub is a network device that
`links multiple network segments together at the medium level
`(the medium level is just above the physical level, which
`connects to the network cable), but typically provides no
`capability for packet-type filtering. As is known, when a hub
`receives an Ethernet packet on one connection, it forwards the
`packet to all other links with minimal delay and is accordingly
`not suitable as a point for making filtering-type decisions.
`This minimum delay is important since Ethernet networks
`only work correctly if packets travel between hosts ( comput(cid:173)
`ers) in a certain amount of time.
`In accordance with the present invention, as the data of a
`packet comes in from one link (port), the packet's electrical
`signal is reshaped and then transmitted down other links.
`During this process, however, a filtering decision is made
`between the time the first bit is received on the incoming port
`and the time the last bit is transmitted on the outgoing links.
`During this short interval, a substantial number of filtering
`rules or checks are performed, resulting in a determination as
`to whether the packet should or should not be invalidated by
`the time that the last bit is transmitted. To execute this task, the
`present invention performs multiple filtering decisions simul(cid:173)
`taneously: data is received; data is transmitted; and filtering
`rules are examined in parallel and in real time. For example,
`on a 100 Mbit/sec Ethernet network, 4 bits are transmitted
`every 40 nano seconds (at a clock speed of 25 MHz). The
`present invention makes a filtering decision by performing
`the rules evaluations simultaneously at the hardware level,
`preferably with a programmable logic device.
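The real-time decision just described, as a software simulation added here (it is not code from the patent or its assignee): nibbles are forwarded the moment they arrive, a rule set modelled on FIG. 6 is evaluated in parallel as the header bytes show up, and a frame that is junk, or whose determination is still incomplete when its end portion goes out, has its FCS inverted so the receiving NIC discards it. The frame layout, the rule set, the three-valued rule results, the absence of Ethernet padding, the Level 3 protocol check and the use of zlib's CRC-32 for the FCS are all assumptions of this example.

```python
"""Simulation of the buffer-free filtering hub described above. Added example,
not the patent's hardware: the frame layout, the rule set, the three-valued rule
results and the CRC-32 FCS computed with zlib are all simplifying assumptions.
Every 4-bit nibble is forwarded the instant it arrives, all rules are evaluated
in parallel against the header bytes seen so far, and a frame that is junk, or
still undecided, when its end portion goes out has its FCS inverted."""
import struct
import zlib

ETH_HDR = 14
EXT, INT = "ext", "int"   # which PHY a frame arrived on (PHY-e / PHY-i in FIG. 6)

def fcs(body: bytes) -> bytes:
    """Ethernet FCS: CRC-32 over the frame, least-significant byte first."""
    return struct.pack("<I", zlib.crc32(body) & 0xFFFFFFFF)

def fcs_ok(frame: bytes) -> bool:
    return fcs(frame[:-4]) == frame[-4:]

def build_frame(sport, dport, flags=0, proto=6) -> bytes:
    """Constructed sample: Ethernet II + 20-byte IPv4 + 20-byte TCP header + FCS, no
    padding. `proto` only changes the IP protocol byte (used for a non-TCP/UDP frame)."""
    eth = b"\x02" * 6 + b"\x04" * 6 + b"\x08\x00"
    tcp = struct.pack("!HHIIBBHHH", sport, dport, 1, 0, 5 << 4, flags, 8192, 0, 0)
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(tcp), 0, 0, 64, proto, 0,
                     bytes([10, 0, 0, 2]), bytes([192, 0, 2, 1]))
    body = eth + ip + tcp
    return body + fcs(body)

def ports(phy, f):
    """(port-i, port-e) as in the FIG. 6 legend, relative to the arriving PHY."""
    return (f["sport"], f["dport"]) if phy == INT else (f["dport"], f["sport"])

# A rule is (fields it needs, predicate, signal it asserts). It stays undecided
# (None) until those fields have arrived, then yields its signal or "none".
RULES = [
    # If TCP and (ACK set or FIN set) then pass int & ext (FIG. 6)
    (("proto", "flags"), lambda p, f, s: f["proto"] == 6 and f["flags"] & 0x11, "pass"),
    # If server-mode enabled and PHY-e active and TCP and port-i = 80 then pass int
    (("proto", "sport"), lambda p, f, s: s and p == EXT and f["proto"] == 6
     and ports(p, f)[0] == 80, "pass"),
    # If PHY-i active and TCP then pass ext
    (("proto",), lambda p, f, s: p == INT and f["proto"] == 6, "pass"),
    # Level 3 style check (assumption): IP protocols other than ICMP/TCP/UDP fail
    (("proto",), lambda p, f, s: f["proto"] not in (1, 6, 17), "fail"),
]

def evaluate(rule, phy, f, server_mode):
    needs, predicate, signal = rule
    if any(k not in f for k in needs):
        return None                      # the bytes this rule needs are still in flight
    return signal if predicate(phy, f, server_mode) else "none"

def extract(got: bytearray, f: dict) -> None:
    """Record each header field as soon as the byte(s) holding it have arrived."""
    n = len(got)
    if n == ETH_HDR:
        f["ethertype"] = struct.unpack("!H", got[12:14])[0]
    if f.get("ethertype") != 0x0800:
        return                           # only IPv4 is parsed in this example
    if n == ETH_HDR + 1:
        f["ihl"] = (got[14] & 0x0F) * 4
    elif n == ETH_HDR + 4:
        f["ip_len"] = struct.unpack("!H", got[16:18])[0]
    elif n == ETH_HDR + 10:
        f["proto"] = got[23]
        if f["proto"] != 6:
            f["flags"] = 0               # nothing to wait for: no TCP flags will come
    elif "ihl" in f and n == ETH_HDR + f["ihl"] + 4:
        f["sport"], f["dport"] = struct.unpack("!HH", got[n - 4:n])
    elif "ihl" in f and n == ETH_HDR + f["ihl"] + 14 and f.get("proto") == 6:
        f["flags"] = got[n - 1]

def forward(frame: bytes, phy: str, server_mode=False):
    """Forward `frame` nibble by nibble. Returns (frame as sent on, verdict, index of
    the nibble at which the verdict became final, or None if it never did)."""
    nibbles = [x for b in frame for x in (b >> 4, b & 0x0F)]
    got, f, out = bytearray(), {}, []
    verdict = decided_at = None
    fcs_start = len(nibbles) - 8         # stand-in for the PHY's end-of-frame signal
    for i, nib in enumerate(nibbles):
        if i % 2 == 0:
            got.append(nib << 4)
        else:
            got[-1] |= nib
            extract(got, f)
        if "ip_len" in f:                # the IP length says where the end portion begins
            fcs_start = (ETH_HDR + f["ip_len"]) * 2
        if verdict is None:              # every rule runs on every nibble, in parallel
            votes = [evaluate(r, phy, f, server_mode) for r in RULES]
            if "fail" in votes:
                verdict = "junk"
            elif None not in votes:
                verdict = "pass" if "pass" in votes else "junk"   # default deny
            if verdict is not None:
                decided_at = i
        if i >= fcs_start and verdict != "pass":
            nib ^= 0x0F                  # junk or undecided: corrupt the FCS on its way out
        out.append(nib)                  # the nibble leaves now; nothing is held back
    return bytes(out[j] << 4 | out[j + 1] for j in range(0, len(out), 2)), verdict, decided_at
```

For the 58-byte TCP frames built here the verdict is final at nibble 95 of 116, after the TCP flags byte, which is before the FCS begins at nibble 108; a frame carrying a protocol the Level 3 check rejects is junked at nibble 47, as soon as the IP protocol byte is complete. A frame that is not IPv4 never lets any rule decide, so it leaves with a bad FCS as well: an incomplete determination is treated exactly like a junk verdict, which is the behaviour the title of the patent describes.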
The present invention may employ a variety of networking devices in order to be practical, reliable and efficient. In addition, preferred embodiments of the present invention may include constituent elements of a stateful packet filtering hub, such as microprocessors, controllers, and integrated circuits, in order to perform the real time, packet-filtering, without requiring buffering as with conventional techniques. The present invention preferably is reset, enabled, disabled, configured and/or reconfigured with relatively simple toggles or other physical switches, thereby removing the requirement for a user to be trained in sophisticated computer and network configuration. In accordance with preferred embodiments of the present invention, the system may be controlled and/or configured with simple switch activation(s).

Accordingly, one object of the present invention is to simplify the configuration requirements and filtering tasks of Internet firewall and data protection systems.

Another object is to provide a device, method and system for Internet firewall and data protection that does not require the use of CPU-based systems, operating systems, device drivers, or memory bus architecture to buffer packets and sequentially carry out the filtering tasks.

A further object of the present invention is to perform the filtering tasks of Internet firewall protection through the use of hardware components.

Another object is to utilize programmable logic for filtering tasks.

Still another object is to provide a device, method, and system to carry out bitstream filtering tasks in real time.

Yet another object is to perform parallel filtering, where packet data reception, filtering, and transmission are conducted simultaneously.

A further object of the present invention is to perform the filtering tasks relatively faster than current state-of-the-art, software-based firewall/data protection systems.

Another object is to provide a device, method and system for firewall protection without the use of a buffer or temporary storage area for packet data.

Still another object of the present invention is to design a device, method and system that does not require software networking configurations in order to be operational.

A further object of the present invention is to provide a device, method and system for Internet firewall and data security protection that supports partitioning a network between client and server systems.

It is yet another object of the present invention to provide a device, method and system for Internet firewall and data protection that supports multiple networking ports.

Another object is to maintain stateful filtering support for standard data transmission protocols on a per port basis.

Still another object is to configure network functionality using predefined toggles or other types of physical switches.

A further object of the present invention is to conduct packet filtering without requiring a MAC address or IP address to perform packet filtering.

Yet another object of the present invention is to facilitate the shortest time to carry out bitstream filtering tasks.

Finally, it is another object of the present invention to be able to perform filtering rules out of order and without the current state-of-the-art convention of prioritizing the filtering rules serially.
FIG. 2 is a flow diagram illustrating the components and operations of a preferred embodiment of the present invention;
FIG. 3 is a flow chart illustrating the basic functions of a repeater core and four filter levels in accordance with preferred embodiments of the present invention;
FIG. 4 is a diagram illustrating filtering functions of Level 2 filters in relation to the flow of packet data from internal and external networks in accordance with preferred embodiments of the present invention;
FIG. 5 is a flow chart illustrating packet filtering functions of Level 3 filters in accordance with preferred embodiments of the present invention;
FIG. 6 illustrates the rules by which TCP and UDP packets are evaluated in parallel in accordance with preferred embodiments of the present invention;
FIG. 7 is a diagram illustrating parallel rule evaluation for TCP and UDP packets in accordance with preferred embodiments of the present invention;
FIG. 8 is a flow chart illustrating packet filtering functions of Level 4 filters in accordance with preferred embodiments of the present invention;
FIG. 9 is a block diagram of the hardware components of a preferred embodiment of the present invention;
FIG. 10 is an illustration of an exemplary design of an external case in accordance with preferred embodiments of the present invention;
FIGS. 11 and 12 are flow diagrams illustrating SYN flood protection in accordance with preferred embodiments of the present invention; and
FIG. 13 is a flow chart illustrating the process of "garbage collection" in flood lists in accordance with preferred embodiments of the present invention.
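The SYN flood protection and flood-list garbage collection of FIGS. 11 through 13, modelled in Python as an added example (not the patent's code). The step labels follow the drawings: the hub answers an internal server's SYN/ACK with an ACK on the client's behalf so the server never waits half-open, records the connection in a flood list with the endpoints swapped, drops the entry when the real client ACK arrives (junking that duplicate ACK), and on a one-second sweep resets the server's connection for entries whose client never answered. The tests inside the decision boxes did not survive extraction, so the conditions used here, the one-sweep grace period, and the omission of the high-priority RST branch of FIG. 12 are assumptions of this example; the `Segment` and `Entry` types and all addresses are constructed.

```python
"""Flood-list model of the SYN flood protection in FIGS. 11-13. Added example,
not the patent's code: the step labels come from the figures, but the tests in
the decision boxes did not survive extraction and are assumptions noted inline,
and the high-priority RST branch of FIG. 12 is not modelled."""
from dataclasses import dataclass

FIN, SYN, RST, ACK = 0x01, 0x02, 0x04, 0x10


@dataclass
class Segment:
    """Only the TCP fields the flow diagrams act on (constructed; no checksums)."""
    src: str
    sport: int
    dst: str
    dport: int
    seq: int
    ack: int
    flags: int


@dataclass
class Entry:
    reply: Segment           # the ACK the hub sent for the client, with swapped ends
    age: int = 0             # number of one-second sweeps the entry has survived


class SynFloodGuard:
    def __init__(self):
        self.flood_list: dict = {}
        self.transmitted: list = []     # segments the hub itself put on the wire

    def from_external(self, s: Segment) -> str:
        """FIG. 11: compare address and ports to the flood list entries."""
        key = (s.src, s.sport, s.dst, s.dport)
        if key in self.flood_list and s.flags & ACK and not s.flags & SYN:
            del self.flood_list[key]    # the client completed the handshake itself
            return "junk"               # the hub already ACKed for it (box 236)
        return "pass"

    def from_internal(self, s: Segment) -> str:
        """FIG. 12: a SYN/ACK leaving the server is answered immediately."""
        if s.flags & (SYN | ACK) != SYN | ACK:
            return "pass"               # assumption: box 240 selects SYN/ACK segments
        # "Unset SYN flag and add 1 to new ACK #", then "swap MAC, IP, ports and ACK #'s"
        ack_for_server = Segment(s.dst, s.dport, s.src, s.sport,
                                 seq=s.ack, ack=s.seq + 1, flags=ACK)
        self.transmitted.append(ack_for_server)                              # box 248
        self.flood_list[(s.dst, s.dport, s.src, s.sport)] = Entry(ack_for_server)  # box 250
        return "pass"

    def sweep(self) -> int:
        """FIG. 13: runs once per second; returns how many entries were reset."""
        reset = 0
        for key, entry in list(self.flood_list.items()):
            entry.age += 1
            if entry.age < 2:           # assumption: box 258 grants one full second
                continue
            r = entry.reply
            # "unset ACK and set RST flag, add 1 to sequence #"            (box 262)
            self.transmitted.append(Segment(r.src, r.sport, r.dst, r.dport,
                                            seq=r.seq + 1, ack=0, flags=RST))  # box 264
            del self.flood_list[key]                                         # box 266
            reset += 1
        return reset
```

The guard never buffers client data and keeps only a small fixed record per pending handshake, which is what makes it suitable for the hub's no-buffering design; in hardware the checksum recalculation the figures list would be done on the forged ACK and RST before they are placed on the wire.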
`
`DETAILED DESCRIPTION OF