Taylor et al.

(10) Patent No.: US 6,728,885 B1
(45) Date of Patent: Apr. 27, 2004

(54) SYSTEM AND METHOD FOR NETWORK
ACCESS CONTROL USING ADAPTIVE
PROXIES

(75) Inventors: Kevin R. Taylor, Ellicott City, MD
(US); Ganesh Murugesan, Reston, VA
(US); Homayoon Tajalli, Ellicott City,
MD (US)
(73) Assignee: Networks Associates Technology, Inc.,
Santa Clara, CA (US)
(*) Notice: Subject to any disclaimer, the term of this
patent is extended or adjusted under 35
U.S.C. 154(b) by 0 days.

(21) Appl. No.: 09/414,711
(22) Filed: Oct. 8, 1999
Related U.S. Application Data
(60) Provisional application No. 60/103,837, filed on Oct. 9,
1998.
(51) Int. Cl.7 ........................... H04L 9/32; G06F 11/30;
G06F 12/14
(52) U.S. Cl. ........................ 713/201; 709/238; 709/249
(58) Field of Search ................................. 713/201, 200;
709/238, 249

(56) References Cited
U.S. PATENT DOCUMENTS

5,606,668 A 2/1997 Shwed .................. 395/200.11
5,884,025 A * 3/1999 Baehr et al. ................ 713/201
5,898,830 A * 4/1999 Wesinger et al. ........... 713/201
5,968,176 A * 10/1999 Nessett et al. .............. 713/201
6,128,298 A * 10/2000 Wootton et al. ............ 370/392
OTHER PUBLICATIONS
Firewall Software for NT and Unix, D. Seachrist et al., Byte, Jun. 1997, pp. 130-134.
Applied Cryptography, Second Edition, Protocols, Algorithms, and Source Code in C, B. Schneier, John Wiley & Sons, 1996, Chapters 8 and 24, pp. 185-187 and 574-579.
Networks, T. Ramteke, Prentice Hall, 1994, Chapter 19, pp. 430-436.
Computer Network, A. Tanenbaum, Prentice Hall, 1981, pp. 15-21.

* cited by examiner

Primary Examiner-Gilberto Barron
Assistant Examiner-A. Nobahar
(74) Attorney, Agent, or Firm-Silicon Valley IP Group, PC; Kevin J. Zilka; Christopher J. Hamaty
(57) ABSTRACT
A method, system and computer program for providing multilevel security to a computer network. The method comprises the step of receiving a first communication packet on at least one network interface port from an outside network. The method further includes the steps of filtering the first packet in one of at least two levels of security comprising a first level of security which examines the content information of the packet and a second level of security which examines the first packet excluding the content information of the packet. The system includes a first packet filter configured to filter its input packets by examining content information of its packets and a second packet filter configured to filter its input packets by examining the header information without examining the content information of its packets. The system further includes a third filter which is configured to forward a number of packets to one of the first and second filters, thereby providing security to the computer network. The computer program includes a first module located in an application layer, a second module located in a network layer, and a third module located in a kernel space and configured to examine a number of packets received by the computer network from at least one outside network and to forward the number of packets to one of the first and second modules after examining the number of packets.

29 Claims, 7 Drawing Sheets
`
[Front-page drawing, FIG. 2: Proxy in user space; User defined rules (209), TCP/IP (213), Transparency Packet Filter (215), DPF and OG-DPF (217) in kernel space; Hardware below]

Ex.1009
CISCO SYSTEMS, INC. / Page 1 of 17
`
`
`
U.S. Patent, Apr. 27, 2004, Sheet 1 of 7, US 6,728,885 B1
[FIG. 1 (PRIOR ART): schematic of a conventional communication network; visible reference numerals 103, 107, 109, 111, 115, 117, 125]
[Sheet 2 of 7, FIG. 2: internal modules of the firewall; visible labels: User Defined rules, Kernel Space, Transparency Packet Filter]
[Sheet 3 of 7, FIG. 3 flow chart: Receive a packet; Is the packet a connection control packet? (253); Is the packet a connection establishing packet? (255), Yes: Step 303; Disconnect the connection or put the connection on hold; Step 331]
[Sheet 4 of 7, FIG. 4 flow chart: Is the port on which the packet was received registered? (303); No: Does the packet match with any user specified rules? (321), Yes: Apply the matched rule on the packet (323), No: Apply transparency (325); Yes: (1) Send relevant information to the registered proxy, (2) wait instructions from the proxy (311); Is the connection approved by the proxy? (313); No: Discard the packet (315); Yes: Create a new connection (317)]
[Sheet 5 of 7, FIG. 5 flow chart: Is the packet from an existing connection?; No: Does the packet match with any user specified rules?; Apply the matched rule; Apply transparency (337); Does the packet match with any user specified rules? (341); Yes: Apply the matched rule (343); Send the packet to its destination (339)]
[Sheet 6 of 7, FIG. 6 flow chart: Is the transparency on?; Forward the packet to proxy (403); Forward the packet to its destination (405)]
[Sheet 7 of 7, FIG. 7: schematic of the transparency function]
`
`
`
`1
`SYSTEMAND METHOD FOR NETWORK
`ACCESS CONTROL USINGADAPTIVE
`PROXIES
`
`CROSS REFERENCE TO RELATED
`APPLICATIONS
`This application claims the benefit of U.S. Provisional
`Application No. 60/103,837, filed Oct. 9, 1998.
`FIELD OF INVENTION
`This invention relates to providing Security in communi
`cation networks. In particular, the invention relates to fire
`wall technology in packet Switched networks for adaptively
`providing a plurality of Security levels.
`BACKGROUND OF THE INVENTION
`Referring to FIG. 1, a typical firewall 101 is placed
`between a Local Area Network (LAN) 103 and outside
`networks 111, 115. LAN 103 may include a plurality of
`internal hosts 105,107, 109. Outside networks 111 can be
`networked through the Internet 117. Outside network 115
`may also include its own firewall 117. Internal hosts 105,
`107, 109 and remote hosts 119, 121 are computers, e.g.,
`personal computers (PC) or computer workStations. Firewall
`101 includes a combination of computer hardware and
`Software components configured to protect LAN 103, i.e.,
`preventing unwanted intrusions from outside networkS 111,
`115.
`In order to eXchange information, e.g., Sending a message
`from remote host 119 to internal host 105, a connection 125
`is established by Sending a plurality of packets therebe
`tween. A packet is a basic message unit routed between a
`Source computer and a destination computer, e.g., remote
`host 119 and internal host 105, respectively, in a packet
`Switched network depicted in FIG. 1. For example, when a
`file, e.g., an e-mail message, HTML file, or other similar
`message, is sent from a Source computer to a destination
`computer, the file is broken into a plurality of packets. (Here,
`HTML, Hypertext Markup Language, is a set of “markup”
`symbols or codes, which instructs a Web browser how to
`display a Web page's words and images.)
`More specifically, a Transport Control Protocol (TCP)
`module of a TCP/IP layer in a source computer divides the
`file into packets of an efficient Size for transmitting over the
`network. Each packet includes header information, e.g., a
`destination address and a Source address, and content
`information, i.e., the broken up message file. Further, the
`plurality of packets from the file includes a plurality of
`connection control packets and data transfer packets. The
`connection control packets include at least one connection
`establishing packet, e.g., a SYN packet, and at least one
`connection disconnection packet, e.g., RST, FIN, FIN-ACK
`packets. The data transfer packets include the pieces of the
`broken up file. Individual packets for a given file may travel
`different routes through the packet Switching network. When
`the packets from one file have all arrived at their destination
`computer, they are reassembled into the original file by a
`TCP module in the destination computer.
`Here, the TCP module is a communication protocol used
`along with the Internet Protocol (IP) to send data in the form
`of packets between a Source and destination computers.
`While the IP module performs the actual delivery of the data,
`the TCP module keeps track of the individual packets that a
`file is divided into for efficient routing through the Internet.
`OSI (Open Systems Interconnection) is briefly described
`here to provide the context in which the present invention is
`
`15
`
`25
`
`35
`
`40
`
`45
`
`50
`
`55
`
`60
`
`65
`
`US 6,728,885 B1
`
`2
`discussed later. OSI is a reference model for the layer of
`common functions in a communications System. Although
`many existing hardware and Software products have been
`developed on a slightly different model, the OSI model is
`often used as a guideline when new products are designed
`and Serves as a common reference for understanding any
`particular design or comparing it with others.
OSI includes seven layers:
The application layer (layer 7) is a layer at which a user interacts with a computer to view messages or send data requests or responses.
The presentation layer (layer 6) is a layer, usually part of an operating system, that converts incoming and outgoing data from one presentation format to another (e.g., converting a text stream into a popup window with a newly arrived text string).
The session layer (layer 5) manages the establishment of a continuing series of requests and responses between the applications at each end of a communication connection.
The transport layer (layer 4) manages the end-to-end control (e.g., determining whether all packets have arrived) and error-checking.
The network layer (layer 3) handles the routing of the data (sending it in the right direction to the right destination on outgoing transmissions and receiving incoming transmissions at the packet level).
The link (or data-link) layer (layer 2) provides error control and synchronization for the physical level and does bit-stuffing for strings of 1's in excess of 5.
The physical layer (layer 1) conveys the bit stream through the network at the electrical and mechanical level.
Referring back to FIG. 1, the basic task of firewall 101 is to separate internal network 103 from outside networks 117, 115 and enforce security policies with a set of rules. The most common firewall features include: securing internal network 103 access with a perimeter defense, controlling all connections into and out of internal network 103, filtering packets according to previously defined rules, "authenticating" or making sure users and applications are permitted to access resources, logging of activities, and actively notifying the appropriate people when suspicious events occur.
Conventional firewalls include only one of a packet filter, an application proxy and a stateful inspection.
A packet filter examines each incoming packet and decides what actions to take by checking against a table of access control rules. The packet filter, in its simpler embodiments, examines the header information of each incoming packet and makes pass/fail decisions based on their source and destination addresses. A weakness of such a firewall is that the content information of the packets is unknown to the firewall. More specifically, because packet filters perform their checking at the network access layer, there is no real knowledge of application level vulnerabilities. As a result, direct connections are allowed between a source and destination computers through firewall 101, exposing internal hosts 105, 107, 109 to direct attacks.
An application proxy does not allow direct contact between a trusted and "untrusted" networks. Each of the packets passing through this type of firewall is examined at the application layer, meaning the application proxies understand the destination and contents of packets. Such a firewall, for example, distinguishes between "FTP Put" and "Get" commands. A typical application proxy includes a built-in proxy function also known as a transparency function. The transparency function replaces the IP address of a host on the internal protected network with its own IP address for all traffic passing through. The transparency function provides added security, because it hides the addresses of internal hosts. This makes it more difficult for hackers on the outside to target specific devices inside such a firewall. For this higher security, however, the application proxy requires large amounts of processing power and a corresponding loss of performance.
Finally, a stateful packet filter examines packets, but not as thoroughly as an application proxy does. After a packet filter firewall or stateful inspection firewall has decided to allow a connection to be made, it allows data to travel directly between the networks without further inspection. Once a session is opened, the nature of the session can be changed without being detected. This allows for more speed, but also creates potential security risks as well, again making internal hosts 105, 107, 109 vulnerable to attacks from outside.
Accordingly, there exists a need for a firewall method which makes it possible to dynamically select the best procedures from existing firewall methods to achieve the required level of security while meeting performance constraints.
Further, the definitions of network communication terms and phrases can be found in Andrew S. Tanenbaum, "Computer Networks" 2nd ed., (1989), the contents of which are herein incorporated by reference. Information on network programming can also be found in W. Richard Stevens, "Unix Network Programming" (1990), the contents of which are herein incorporated by reference.
SUMMARY OF THE INVENTION
The firewall of the present invention combines the advantages provided in the conventional firewall technologies described above while eliminating shortcomings thereof. In other words, the firewall of the present invention is just as secure as a proxy firewall, but it is more flexible and efficient.
More specifically, the firewall of the present invention is provided between an internal computer network to be protected by the firewall and at least one outside network. The firewall includes a dynamic packet filter which communicates with a proxy. The proxy registers with the dynamic packet filter for notifications of requests to establish new data communication connections through physical connections between the internal and outside computer networks. When a connection establishing request is received, in the form of a SYN packet, the dynamic packet filter notifies the proxy and provides attribute information thereto. The attribute information includes the source and destination addresses and the physical connection on which the packet was received.
In order to determine whether to allow the requested data communication connection, the proxy compares the attribute information with rules in a configuration information file. The rules in the configuration information file are entered by a user to set forth whether to allow data communication connections for certain physical connections. If the rule is to allow the data communication connection and forward the packets at the packet level, the dynamic packet filter creates a connection rule so as to apply the connection rule to packets having the same attribute information. Subsequent packets received with the same attribute information are then automatically forwarded without consulting the proxy. Once the connection terminates, the connection rule is removed and the proxy is notified. However, if the decision is to absorb, the dynamic packet filter sends the packets up a TCP/IP stack in the firewall, where they will be accepted by the proxy.
In other words, the proxy acts as the server to the incoming connection and initiates a new connection, acting as a client, to the ultimate destination. In between, the necessary application-level filtering is performed.
An added benefit of the present invention, beyond the performance improvement, is the flexibility it gives its users. Within the adaptive proxy model, a firewall can be configured to follow more or less stringent security rules, fine tuning performance even more.
`
BRIEF DESCRIPTION OF THE DRAWINGS

FIG. 1 is a schematic illustration of a conventional communication network;
FIG. 2 is a schematic illustration of internal modules of the firewall of the present invention;
FIGS. 3-6 are flow charts of a plurality of functions performed by the firewall of the present invention; and
FIG. 7 is a schematic illustration of the transparency function of the present invention.
DETAILED DESCRIPTION
Referring to FIG. 2, there is illustrated an overall block diagram of a firewall 201 of the present invention that includes a Network Interface Card (NIC) 203 coupled to at least one outside network. NIC 203 is also coupled to a Network Address Translation module (NAT) 205 which in turn is coupled to a Dynamic Packet Filter module (DPF) 207. DPF 207 is coupled to a proxy 211, a User Defined Static Packet Filter module (UD-SPF) 209, Transparency Packet Filter (TPF) 215, and a local Transmission Control Protocol/Internet Protocol stack (TCP/IP) 213. TCP/IP 213 in turn is coupled to an Out-Going Dynamic Packet Filter (OG-DPF) 217.
It should also be noted that the term "coupled" should be interpreted to mean one of many connection methods. For instance, NIC 203 may be coupled to the at least one outside network via wire or wireless communication connections, whereas NIC 203 may be coupled to NAT via physical wires. However, when two coupled modules are implemented in computer programs, the term coupled means data transfer between the two computer program modules during execution thereof. In other words, the term "coupled" means a connection established through at least one of wireless communication links, wire connections and computer program data transfers.
NAT 205, DPF 207, UD-SPF 209, TPF 215, local TCP/IP 213 and OG-DPF 217 are located in the kernel space of firewall 201. Here, the term kernel designates the operating system in a computer that contains the system-level commands hidden from the user. For example, the kernel may include device drivers, memory management routines, scheduling programs, and other system calls. The kernel always runs while the system is operating. Proxy 211 is located in the user space, i.e., the application layer, of firewall 201. The term proxy designates either all of the filtering and decision making processes or individual filtering processes occurring at the user space. Proxy 211, therefore, can be referred to as one process or a plurality of processes depending upon the context in which the term appears.
Preferably, the preceding components in the kernel space and user space are implemented in computer programs written in C or C++. Alternatively, the computer programs can be written in other computer languages such as Pascal. The computer programs are also implemented to run on a variety of computer operating systems such as UNIX, Windows NT or LINUX. It should be noted that the computer language and the corresponding operating system are not an essential part of this invention; therefore, the invention disclosed herein can be implemented in any computer language and operating system.
The computer programs are stored in a computer readable storage medium, e.g., hard disks or floppy diskettes. In operation, the computer programs are read to a random access memory to be executed by a processor. The computer readable storage medium, the random access memory and the processor are preferably included in the computer of firewall 201. Alternatively, however, the computer readable storage medium can be provided by another computer or floppy diskettes. Hence, the computer programs can be downloaded from a remote computer coupled to firewall 201.
Referring back to FIG. 2, preferably, firewall 201 can be part of a computer located between LAN and outside networks. NIC 203, also known as an adapter interface, is a hardware attachment, usually a computer expandable board, that connects firewall 201 to outside networks. Each physical connection established through NIC 203 is assigned to a port number so as to identify the physical connection.
The above described elements are further explained by way of steps that take place during operation therein. For instance, a plurality of packets from the outside networks arrives at NIC 203. Each received packet is examined separately by firewall 201. More specifically, when a packet is received by NIC 203 from any one of outside networks 111, 115, the packet is associated with a corresponding port number. The packet is then forwarded to NAT 205 which translates the destination address of the received packet into a corresponding address of internal hosts. The packet is then sent to DPF 207 for further examination and processing.
Referring to FIG. 3, in step 253, DPF 207 determines whether the received packet is a connection control packet which requests to establish a data communication connection, disconnect an established connection, or put an established connection into a hold state. It should be noted that a physical connection between a source and destination computer does not establish a data communication connection. The connection is completely established only when the physical and data communication connections are achieved. In order to avoid any confusion, the physical communication connection is referred to as a physical connection and a data communication connection is referred to as a connection hereinafter. If the packet is a connection control packet, DPF 207 performs step 255; and if the packet is not a connection control packet, i.e., a data packet, then DPF 207 performs step 331.
In step 255, DPF 207 determines whether the received packet is a connection establishing packet, i.e., a SYN packet. If the packet is a connection establishing packet, DPF 207 performs step 303; and if the packet is not a connection establishing packet, DPF 207 performs step 257. In step 257, DPF 207 performs the following: if the packet is a connection disconnecting packet, i.e., a FIN packet, the corresponding pre-existing connection is disconnected; and if the packet is a hold packet, i.e., an RST packet, then the corresponding pre-existing connection is put on hold.
Referring to FIG. 4, in step 303, to be performed when the packet is a connection establishing packet, DPF 207 further determines whether the port on which the packet was received is a registered port. If the port is registered, DPF 207 performs step 311; and if the port is not registered, DPF 207 performs step 321. The system administrator specifies which of the ports are to be registered in a configuration information file. For example, when physical connections are made between a remote host computer belonging to an outside network and a port on NIC 203, the system administrator makes a security assessment of the remote host. Subsequently, the system administrator sets up the configuration information file setting forth whether to register that port.
In step 311, to be performed when the port is registered, DPF 207 transfers attribute information of the packet to proxy 211. Preferably, the attribute information includes the source and destination addresses of the packet and the port on which the packet was received. It should be noted, however, that other information contained in the connection establishing packet can be sent to the proxy as well. Once the attribute information has been sent to the proxy, DPF 207 awaits instructions therefrom.
Proxy 211, upon receiving the attribute information from DPF 207, determines whether to allow the connection. If the connection is to be allowed, proxy 211 further determines which dynamic filter rule to apply.
One such dynamic filter rule is a filter all rule. This rule is utilized when only packet filtering is required for all packets in a particular connection. For example, this rule could be defined to apply packet filters to all "telnet" packets.
Another dynamic filter rule is a selective filtering rule. This rule requires proxy 211 to handle connection control packets and packet filters to handle the data packets. In other words, the packet filtering will be enabled only when proxy 211 has performed its security checks for the connection, i.e., checking the relevant information on the SYN packet sent by DPF 207. For instance, this rule is useful for protocols such as File Transfer Protocol (FTP), which sends data packets on a different connection after establishing the connection. Other filtering rules are also possible, such as not applying any filtering or applying a proxy filter at the application layer to all packets received on a specific connection.
The configuration file discussed above, which stores the information on which ports are registered, further includes various filter rules to be applied for specific connections. For example, packets received from a particular port can be subjected to the filter all rule, while packets received from another port can be subjected to the selective filtering rule. The configuration file is preferably stored in the computer where firewall 201 is located. It should be noted, however, that the configuration file can be stored in any of the internal hosts. It should also be noted that the system administrator creates the configuration information file discussed above and specifies the TPF rules by utilizing a graphical user interface configured to receive appropriate information from the system administrator.
Once proxy 211 determines whether to allow the connection and which one of the rules to apply to the connection, that information is transferred to DPF 207.
In step 315, DPF 207 discards the packet if proxy 211 determined not to allow the connection. In step 317, DPF 207 creates a new connection and applies the corresponding rule. The rule will be applied to any subsequent packets from that connection until the connection is disconnected.
A new connection is created by modifying a connection list. The connection list, as the name implies, includes a list of currently active or soon to be active connections and relevant information thereof such as the source and destination addresses and the port on which the connection is or is to be established. Each entry in the connection list represents a TCP or UDP (User Datagram Protocol) connection. For instance, if the connection is allowed by proxy 211, the corresponding connection entry in the connection list is modified to indicate that the connection has been allowed and established.
In yet another aspect of the invention, since there are no SYN packets for UDP connections, if a UDP packet has previously established a connection and the connection exists in the connection list then that connection is used for new UDP packets received on the same connection. Other UDP packet processing steps are similar to the TCP packet processing steps described above.
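The packet handling of FIGS. 3 through 5 described above, modelled in C as an added example that is not the patent's own code: a SYN, or a first UDP packet, on a registered port is referred to the proxy with its attribute information, the proxy's rule is recorded in the connection list, later packets of that connection are handled from the list without consulting the proxy, and FIN and RST packets disconnect or hold the entry. The type names, the static-rule table, the sample proxy decision and the treatment of a held connection are assumptions.

```c
/* Added example (not the patent's code): a user-space model of the DPF decision
 * flow of FIGS. 3-5. All type and function names are assumptions. */
#include <stdint.h>

enum pkt_kind { PKT_SYN, PKT_FIN, PKT_RST, PKT_DATA };
enum proto { PR_TCP, PR_UDP };
enum rule { RULE_NONE, RULE_FILTER_ALL, RULE_SELECTIVE, RULE_ABSORB }; /* proxy's choice, step 317 */
enum action { ACT_DISCARD, ACT_FORWARD, ACT_TO_PROXY, ACT_CLOSE, ACT_HOLD, ACT_TRANSPARENCY }; /* DPF verdict */
/* attribute information sent to the proxy in step 311 (the sockaddr_gt fields) */
struct attr { enum proto proto; uint32_t src, dst; uint16_t port; };
struct pkt { enum pkt_kind kind; struct attr a; };
struct conn { int used, held; struct attr a; enum rule rule; }; /* connection list entry */
struct static_rule { uint16_t port; int allow; };              /* UD-SPF 209 entry (assumed shape) */

#define MAX_CONN 16
#define MAX_PORTS 8
struct dpf {
    int registered[MAX_PORTS];                /* ports the proxy registered for */
    struct static_rule rules[8]; int nrules;  /* user-defined static rules */
    struct conn list[MAX_CONN];               /* the connection list */
    enum rule (*proxy)(const struct attr *);  /* proxy decision; RULE_NONE refuses */
    int proxy_calls;                          /* how often the proxy was consulted */
};

static struct conn *find_conn(struct dpf *d, const struct attr *a) {
    for (int i = 0; i < MAX_CONN; i++) {
        const struct attr *x = &d->list[i].a;
        if (d->list[i].used && x->proto == a->proto && x->src == a->src &&
            x->dst == a->dst && x->port == a->port) return &d->list[i];
    }
    return 0;
}
/* steps 321-325: a user-specified rule if one matches, otherwise transparency */
static enum action apply_static(const struct dpf *d, const struct pkt *p) {
    for (int i = 0; i < d->nrules; i++)
        if (d->rules[i].port == p->a.port) return d->rules[i].allow ? ACT_FORWARD : ACT_DISCARD;
    return ACT_TRANSPARENCY;
}
/* FIG. 4, step 303: a connection-establishing packet */
static enum action handle_establish(struct dpf *d, const struct pkt *p) {
    if (p->a.port >= MAX_PORTS || !d->registered[p->a.port])
        return apply_static(d, p);               /* unregistered port: step 321 */
    d->proxy_calls++;                            /* step 311: send attributes, await answer */
    enum rule r = d->proxy(&p->a);
    if (r == RULE_NONE) return ACT_DISCARD;      /* step 315 */
    for (int i = 0; i < MAX_CONN; i++)           /* step 317: new connection entry */
        if (!d->list[i].used) {
            d->list[i] = (struct conn){ 1, 0, p->a, r };
            return r == RULE_ABSORB ? ACT_TO_PROXY : ACT_FORWARD;
        }
    return ACT_DISCARD;                          /* connection list full (assumption) */
}
/* FIG. 5, step 331: a data packet */
static enum action handle_data(struct dpf *d, const struct pkt *p) {
    struct conn *c = find_conn(d, &p->a);
    if (!c)   /* UDP has no SYN: a UDP packet without an entry is a new connection request */
        return p->a.proto == PR_UDP ? handle_establish(d, p) : apply_static(d, p);
    if (c->held) return ACT_DISCARD;             /* assumption: a held connection passes nothing */
    /* absorb: up the TCP/IP stack to proxy 211; filter-all / selective: packet level only */
    return c->rule == RULE_ABSORB ? ACT_TO_PROXY : ACT_FORWARD;
}
/* FIG. 3: entry point for every packet DPF 207 receives from NAT 205 */
enum action dpf_receive(struct dpf *d, const struct pkt *p) {
    struct conn *c = (p->kind == PKT_FIN || p->kind == PKT_RST) ? find_conn(d, &p->a) : 0;
    switch (p->kind) {
    case PKT_DATA: return handle_data(d, p);                        /* step 331 */
    case PKT_SYN:  return handle_establish(d, p);                   /* step 303 */
    case PKT_FIN:  if (c) { c->used = 0; return ACT_CLOSE; } break; /* step 257: disconnect */
    case PKT_RST:  if (c) { c->held = 1; return ACT_HOLD; } break;  /* step 257: put on hold */
    }
    return ACT_DISCARD;
}
/* constructed sample proxy: refuse destination 0, absorb port 2, otherwise filter-all */
enum rule sample_proxy(const struct attr *a) {
    return a->dst == 0 ? RULE_NONE : (a->port == 2 ? RULE_ABSORB : RULE_FILTER_ALL);
}
/* constructed scenario: fills demo_out, returns how many times the proxy was consulted */
enum action demo_out[9];
int dpf_demo(void) {
    struct dpf d = { .proxy = sample_proxy, .nrules = 1 };
    d.registered[1] = d.registered[2] = 1;
    d.rules[0] = (struct static_rule){ 3, 0 };   /* static rule: deny port 3 */
    struct attr a1 = { PR_TCP, 0x0a000001u, 0xc0a80005u, 1 };
    struct pkt syn = { PKT_SYN, a1 }, data = { PKT_DATA, a1 }, fin = { PKT_FIN, a1 };
    struct pkt refused = { PKT_SYN, { PR_TCP, 0x0a000002u, 0, 1 } };
    struct pkt port3 = { PKT_DATA, { PR_TCP, 0x0a000003u, 0xc0a80005u, 3 } };
    struct pkt udp = { PKT_DATA, { PR_UDP, 0x0a000004u, 0xc0a80005u, 2 } };
    struct pkt rst = { PKT_RST, udp.a };
    demo_out[0] = dpf_receive(&d, &syn);      /* proxy consulted, rule stored */
    demo_out[1] = dpf_receive(&d, &data);     /* matched by the connection list, no proxy */
    demo_out[2] = dpf_receive(&d, &fin);      /* entry removed */
    demo_out[3] = dpf_receive(&d, &data);     /* no entry, no static rule: transparency */
    demo_out[4] = dpf_receive(&d, &refused);  /* proxy refuses: discarded */
    demo_out[5] = dpf_receive(&d, &port3);    /* unregistered port, static deny rule */
    demo_out[6] = dpf_receive(&d, &udp);      /* UDP with no entry: proxy decides, absorb */
    demo_out[7] = dpf_receive(&d, &rst);      /* connection put on hold */
    demo_out[8] = dpf_receive(&d, &udp);      /* held: passes nothing */
    return d.proxy_calls;
}
```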
Preferably, the communication between proxy 211 and DPF 207 described above is achieved by using a socket. The following is a description of a specific implementation of the sockets. For instance, a new network protocol family and new functions can be added to a conventional socket API (Application Program Interface). Sockets provide a convenient and well known programming model to one of ordinary skill in the art.
Preferably, the following data structures are defined in a socket definition header file:

    struct sockaddr_gt {
        u_short        sin_family;
        struct in_addr sin_addr;
        u_short        sin_port;
        u_char         proto;
        struct in_addr sout_addr;
        u_short        sout_port;
        u_char         sin_zero[1];
    };

    struct data_gt {
        int src_sent;
        int dst_sent;
    };

The above definition of struct is a structure in computer program language. A structure is a collection of one or more variables, possibly of different types, grouped together under a single name for convenient handling. It should be noted that structures are called "records" in some other computer languages, notably Pascal. The structures permit a group of related variables to be treated as a unit instead of as separate entities. This arrangement helps to organize complicated data, particularly in large computer programs.
The variable definitions such as u_short and u_char specify the length of corresponding variables to be unsigned short integer and unsigned character, respectively. These terms are well known to one of ordinary skill in the art of computer programming. The following is a brief description of the various fields in the struct sockaddr_gt:
sin_family
This variable field specifies the protocol family to which the struct sockaddr_gt belongs.
sin_addr
This variable field specifies a source IP address. For a connect function, sin_addr specifies the source IP address of a connection to be filtered. For a bind function, it specifies the IP address of an interface port to which the socket should be bound by the bind function. For an accept function, it specifies the source IP address of the SYN/UDP packet received by firewall 201. The connect, bind, and accept functions are discussed below.
sin_port
This variable field specifies a source port number, i.e., the interface port on which the packets are to be received. For the connect function, sin_port specifies the source port of a connection to be filtered. For the bind function, it specifies the destination TCP/UDP port number of SYN/UDP packets for which the proxy wishes to register via a listen function. For the accept function, it contains the source port number of the SYN/UDP packet received by the firewall. The listen function is discussed below.
proto
This variable field specifies the type of Internet Transport Protocol that must be Dynamic Packet Filtered. The only valid values for this variable are IPPROTO_TCP for TCP and IPPROTO_UDP for UDP.
sout_addr
This variable field specifies a destination IP address. For the connect function, sout_addr specifies the destination IP address of a connection to be packet filtered. For the accept function, it contains the destination IP address of the SYN/UDP packet received by the firewall.
sout_port
This variable field specifies the destination port number. For the connect function, sout_port specifies the destination port of a connection to be packet filtered. For the accept function, it contains the destination port number of the SYN/UDP packet received by the firewall.
sin_zero
This variable field specifies an unused byte of data. This enables the use of padding to match the size of struct sockaddr.
Preferably, the data_gt data structure defined above is used by the getsockopt function to retrieve DPF connection statistics.
src_sent
This variable returns the number of bytes transferred by the source end of the connection.
dst_sent
This variable returns the number of bytes transferred by the destination end of the connection.
In order to fully discuss the new socket structure, the semantics of the various functions mentioned above is described below. As a starting point, the semantic