Fan et al.

US006219706B1
(10) Patent No.: US 6,219,706 B1
(45) Date of Patent: Apr. 17, 2001

(54) ACCESS CONTROL FOR NETWORKS
(75) Inventors: Serene Fan, Palo Alto; Steve Truong, Saratoga, both of CA (US)
(73) Assignee: Cisco Technology, Inc., San Jose, CA (US)
(*) Notice: Subject to any disclaimer, the term of this patent is extended or adjusted under 35 U.S.C. 154(b) by 0 days.

(21) Appl. No.: 09/174,200
(22) Filed: Oct. 16, 1998
(51) Int. Cl.: G06F 15/173
(52) U.S. Cl.: 709/225; 709/232; 713/201
(58) Field of Search: 709/225, 232, 229, 220, 217, 250; 713/201
`
`(56)
`
`References Cited
`U.S. PATENT DOCUMENTS
`
`2/1997 Shwed .................................. 395/200
`5,606,668
`5,896.499 * 4/1999 McKelvey .............
`... 395/187.01
`5,898,830 * 4/1999 Wesinger, Jr. et al.
`... 395/187.01
`5,951,651
`9/1999 Lakshman et al. .................. 709/239
`6,009,475
`12/1999 Shrader ................................ 709/249
`6,052,788
`8/2000 Wesinger, Jr. et al.
`... 713/201
`6,088,796 * 7/2000 Cianfrocca et al. ..
`... 713/152
`6,098,172 * 8/2000 Coss et al. .........
`... 713/201
`6,141,755
`10/2000 Dowd et al. ......................... 713/200
OTHER PUBLICATIONS

Presentation to Customers (described in attached IDS), beginning Jul. 17, 1997.
Press Release of Cisco Systems, Inc., www.cisco.com/warp/public/146/1977.html; Oct. 20, 1997.
World Wide Web Page of Check Point Software Technologies, Ltd., www.checkpoint.com/products/technology/Stateful1.html; downloaded Sep. 18, 1998.

* cited by examiner

Primary Examiner: Zarni Maung
(74) Attorney, Agent, or Firm: Bever Weaver & Thomas, LLP
`
`(57)
`
`ABSTRACT
`
`An access control System (a firewall) controls traffic to and
`from a local network. The System is implemented on a
`dedicated network device Such as a router positioned
`between a local network and an external network, usually
`the Internet, or between one or more local networks. In this
`procedure, access control items are dynamically generated
`and removed based upon the context of an application
`conversation. Specifically, the System dynamically allocates
`channels through the firewall based upon its knowledge of
`the type of applications and protocol (context) employed in
`the conversation involving a node on the local network.
`Further, the System may Selectively examine packet pay
`loads to determine when new channels are about to be
`opened. In one example, the firewall employs different rules
`for handling SMTP (e-mail using a single channel having a
`well-known port number) sessions, FTP sessions (file trans
`fer using a Single control channel having a well known port
`number and using one or more data channels having arbi
`trary port numbers), and H.323 (video conferencing using
`multiple control channels and multiple data channels, which
`use arbitrary port numbers) Sessions.
`
`37 Claims, 11 Drawing Sheets
`
`
`
`802
`
`512
`
`806
`
`808
`
`ls Application
`Protocol one of
`FTP, TFTP, RPC
`or SMP?
`
`Yes
`
`Does payload
`have an Intrusion
`Signature?
`
`Yes
`
`Drop packet,
`reset the
`connection,
`Done,
`
`No
`
`812
`
`814
`
`Are we expecting
`alta,
`channels
`
`Prepare to E.
`a new passage for
`Does the
`W. a new channel.
`Y
`This inlcudes
`Yes EYE Yes
`creating a pre-gen
`Command?
`SS and ACLs.
`
`
`
`No
`
`N
`
`Done
`54
`
`816
`
`Ex.1013
`CISCO SYSTEMS, INC. / Page 1 of 21
`
`
`
U.S. Patent, Apr. 17, 2001, Sheet 1 of 11, US 6,219,706 B1

[Figure 1: how the firewall is integrated in a network. Labels recovered: EXTERNAL NETWORK, ROUTER/FIREWALL.]

`
`
`
Sheet 2 of 11

[Figure 2: block diagram of a router. Labels recovered: MULTIPORT COMMUNICATIONS INTERFACE, CONTROLLER, MEMORY, PROCESSOR.]

`
`
`
Sheet 3 of 11

[Figure 3: architecture of network device 301. Labels recovered: Config Process, Timer Process, IP Process, Firewall, Interrupt path 309, Packet in, Packet out.]

`
`
`
Sheet 4 of 11

[Figure 4: flow chart. Decision boxes recovered: "Packet authorized?", "Packet mapped to an SIS?", "UDP or SYN packet with configured protocol?". Action boxes recovered: "Create a SIS. Add a new ACL to ensure the return traffic" (416), "Process the packet".]

`
`
`
Sheet 5 of 11

[Figure 5: flow chart continuing from 418. Boxes recovered: "TCP connection is being terminated?", "Transit state. Delete session when the connection is terminated or timed out. Delete the ACLs.", "Packet meets the security criteria?", "Drop packet and issue alert", "Parse the payload if needed", "Update the session data" (514), "Forward the packet" (516, 518).]

`
`
`
Sheet 6 of 11

[Figure 6: detail of step 416. Boxes recovered: "If the packet matches a pre-gen SIS, update the ACLs of the pre-gen SIS and create an output ACL (if warranted)" (604), "Create an SIS, init the SIS fields. If the SIS is created based on a pre-gen SIS, update the SIS from the pre-gen SIS" (606), "Create an ACL to ensure the return traffic" (608).]

`
`
`
Sheet 7 of 11

[Figure 7: timer flow chart (402, 404). Boxes recovered: "Timeout event occurred" (702), "Timeout since last valid packet received for the session?", "End session. Delete the SIS and its ACLs.", "Restart the timer" (708).]

`
`
`
Sheet 8 of 11

[Figure 8: payload inspection flow chart, started from 508 (steps 802 through 816, entered from 512 and returning to 514). Boxes recovered: "Is application protocol one of FTP, TFTP, RPC or SMTP?", "Does payload have an intrusion signature?", "Drop packet, reset the connection. Done.", "Are we expecting additional channels?", "Does the payload contain port negotiation command?", "Prepare to create a new passage for a new channel. This includes creating a pre-gen SIS and ACLs."]

`
`
`
Sheet 9 of 11

[Figure 9: State Information Structure 900 with fields 902 through 924; the field names were not recovered.]

`
`
`
Sheet 10 of 11

[Figures 10A and 10B: an FTP session through the firewall/router. Labels recovered: 1001, 1003, 1005, External Network.]

`
`
`
Sheet 11 of 11

[Figure 10C (label not recovered): the FTP session continued. Labels recovered: 1001, 1003, 1005, External Network.]

`
`
`
`1
`ACCESS CONTROL FOR NETWORKS
`
`US 6,219,706 B1
`
`2
`not necessarily use well-known port numbers. In these cases,
`the port number is assigned dynamically. That is, for each
`new Session a different port number may be assigned.
`Obviously, in these cases, a Static packet filtering mecha
`nism must either block all use of this protocol or allow all
`use, regardless of port number. This represents a significant
`limitation of Standard packet filtering mechanisms.
`In addition to Single channel protocols, a variety of
`multi-channel protocols are known and others are being
`developed. For example, the File Transfer Protocol (“FTP")
`Sets up a control channel using a well-known port and a data
`channel using a variable port number. The control channel is
`used to initiate the FTP connection between the clients and
`a Server. Via this control channel, the client and Server
`negotiate a port number for a data channel. Once this data
`channel is established, the file to be retrieved is transmitted
`from the server to the client over the data channel. Other
`newer protocols such as the H.323 protocol used for video
`conferencing employ multiple control channels and multiple
`data channels Such as channels for transmission of audio
`information and channels for transmission of Video infor
`mation. The port numbers for these data channels can not be
`known ahead of time. Static packet filtering mechanisms
`have difficulty handling FTP and most multi-channel pro
`tocols.
`Another approach to firewall designs is employed in a
`“Stateful Inspection' firewall provided by Check Point
`Software Technology Ltd. In this approach, the firewall
`inspects not only the packet header but also the packet
`payload. This allows for the possibility of identifying chan
`nels in which the port number or numbers are set by the
`communicating nodes during a conversation. Specifically,
`the port numbers of channels about to be opened may be
`Specified in the payload or payloads of packets transmitted
`over a control channel for a conversation. By inspecting
`packet payloads in a control channel, the firewall can open
`a temporary channel corresponding to the port numbers
`agreed upon by the nodes establishing the Session. When the
`Session is terminated, the firewall can reseal the channel
`asSociated with those port numbers.
`Unfortunately, the firewall implemented by Check Point
`resides on a PC or a workstation host. Such host must be
`positioned at the interface of a local network and an external
`network. Typically, it must be used in conjunction with a
`router. This configuration limits the flexibility and efficiency
`of the firewall.
`For the above and other reasons, it would be desirable to
`have an improved firewall design.
`SUMMARY OF THE INVENTION
`The present invention addresses this need by providing an
`acceSS control System and method for controlling traffic to
`and from a local network. The System and procedures of this
`invention are preferably implemented on a dedicated net
`work device Such as a router positioned between a local
`network and an external network, e.g., the Internet, or
`between one or more local networks. In this procedure,
`acceSS control items are dynamically generated and removed
`based upon the context of an application conversation.
`Specifically, the procedures of this invention may dynami
`cally allocate channels through the firewall based upon its
`knowledge of the type of application and protocol (context)
`employed in the conversation involving a node on the local
`network. Further, the procedure may selectively examine
`packet payloads to determine when new channels are about
`to be opened. In one example, the System employs different
`
`BACKGROUND OF THE INVENTION
`This invention relates to network firewalls for controlling
`external access to a particular local network. More
`particularly, the invention relates to network firewalls hav
`ing dynamic access control lists.
`Firewalls were developed to protect networks from unau
`thorized accesses. Hackers, corporate Spies, political Spies,
`and others may attempt to penetrate a network to obtain
`Sensitive information or disrupt the functioning of the net
`work. To guard against these dangers, firewalls inspect
`packets and Sessions to determine if they should be trans
`mitted or dropped. In effect, firewalls have become a single
`point of network access where traffic can be analyzed and
`controlled according to parameterS Such as application,
`address, and user, for both incoming traffic from remote
`users and outgoing traffic to the Internet.
`Firewalls most commonly exist at points where private
`networks meet public ones, Such as a corporate Internet
`access point. However, firewalls can also be appropriate
`within an organization's network, to protect Sensitive
`resources Such as engineering Workgroup Servers or finan
`cial databases from unauthorized users.
`Firewalls protect by a variety of mechanisms. Generally,
`state-of-the art firewall technology is described in “Building
`Internet Firewalls” by D. Brent Chapman and Elizabeth D.
`Zwicky, O'Reilly and ASSociates, Inc. which is incorporated
`herein by reference for all purposes.
`One firewall mechanism involves “packet filtering.” A
`packet filtering firewall employs a list of permissible packet
`types from external Sources. This list typically includes
`information that may be checked in a packet header. The
`firewall checks each inbound packet to determine whether it
`meets any of the listed criteria for an admissible inbound
`packet. If it does not meet these criteria, the firewall rejects
`it. A similar mechanism may be provided for outbound
`packets.
`Often, the firewall maintains the access criteria as an
`access control list or “ ACL.” This list may contain network
`and transport layer information Such as addresses and ports
`for acceptable Sources and destination pairs. The firewall
`checkS packet headers for Source and destination addresses
`and Source and destination ports, if necessary, to determine
`whether the information conforms with any ACL items.
`From this, it decides which packets should be forwarded and
`which should be dropped. For example, one can block all
`User Datagram Protocol (“UDP) packets from a specific
`Source IP address or address range. Some extended acceSS
`lists can also examine transport-layer information to deter
`mine whether to forward or block packets.
`While packet filtering is a very fast firewall technology, it
`is not, unfortunately, very good at handling protocols that
`create multiple channels or do not necessarily employ well
`known port numbers. A channel is typically defined by a
`Source address, a destination address, a Source port number,
`and a destination port number. In Transport Control Protocol
`(“TCP”), a channel is referred to as a connection. For some
`protocols, Such as SMTP (electronic mail), only a single
`well-known destination port is used. Conversations involv
`ing these protocols involve only a single channel. For Such
`cases, the packet filtering mechanism will include an ACL
`item defining allowed accesses using the well-known port
`number. Because this well-known port number never
`changes, the ACL item can be set initially and left
`unchanged during the life of the firewall. Other protocols do
`
`15
`
`25
`
`35
`
`40
`
`45
`
`50
`
`55
`
`60
`
`65
`
`Ex.1013
`CISCO SYSTEMS, INC. / Page 13 of 21
`
`
`
`US 6,219,706 B1
`
`3
rules for handling SMTP (e-mail using a single channel having a well-known port number) sessions, FTP sessions (file transfer using a single control channel having a well-known port number and using one or more data channels having arbitrary port numbers), and H.323 (video conferencing using multiple control channels and multiple data channels, which use arbitrary port numbers) sessions.

One aspect of the invention pertains to methods of limiting access to a local network. The methods may be characterized by the following sequence: (a) receiving a packet; (b) identifying an application associated with the packet; (c) determining whether the packet possesses a predefined source or destination address or port; (d) determining whether the packet meets criteria for a current state of a TCP or UDP session with which it is associated; (e) determining whether to examine the payload of the packet; and (f) examining the packet payload. The method may also include various other operations such as determining whether the packet sequence number falls within a defined sequence window and determining whether the packet has been received after a predetermined timeout period has elapsed.

The process of determining whether the packet meets criteria for a current state may involve determining whether any state transition associated with a TCP or UDP session follows an expected sequence of state transitions (e.g., a TCP FIN packet is received after a session is open). The process of determining whether to examine the payload may involve determining whether the payload may contain an intrusion signature. In a specific embodiment, that involves determining whether the packet is an FTP packet, an RPC packet, a TFTP packet, or an SMTP packet. If the system identifies an intrusion signature in the packet payload of such a packet, it will drop the packet. The process of determining whether to examine the payload may also involve determining whether an additional channel of unknown port number may be opened (e.g., the connection is an FTP control channel or an H.323 channel when less than all data channels have been opened). Assuming that the system determines that an additional channel could be opened, it examines the packet payload to identify a port negotiation command. If such a port negotiation command is detected, the system may dynamically modify an access control list to create a path for the additional channel.

The system may also detect when a packet initiates a new session (e.g., it is a TCP SYN packet). When this occurs, the method may involve (i) creating a state entry (e.g., a data structure) for the new session; and (ii) creating one or more access control items allowing passage of packets from a node identified in the packet initiating the new session.

Another aspect of the invention pert to network devices such as routers which may be characterized by the following features: (a) two or more interfaces configured to connect with distinct networks or network segments; (b) a memory or memories configured to store (i) one or more access control criteria for allowing or disallowing a packet based upon header information and (ii) information specifying the context of an application conversation; and (c) a processor configured to compare packet header information with the access control criteria and determine whether to examine packet payloads based upon the context of the application conversation. The network device may include an operating system which controls the network device to perform functions necessary to control access to the local network and route network traffic. To facilitate rapid processing of packets, the network device may include at least two processors, at least one of which is associated with one of the interfaces.

The memory may be configured to store the access control criteria in the form of an access control list. It may also be configured to store state information such as the state of at least one of a TCP session and a UDP session. It may further be configured with information specifying the context of an application conversation indicating whether a side channel may be opened for the application.

The processor may be configured to examine packet payloads when context information in the memory indicates that a side channel may be opened. In such cases, the processor may initiate steps to dynamically modify the access control criteria when a new side channel opens.

These and other features and advantages of the present invention will be presented in more detail below with reference to the associated drawings.

BRIEF DESCRIPTION OF THE DRAWINGS

FIG. 1 is a diagram illustrating how a firewall of this invention may be integrated in a network.

FIG. 2 is a block diagram of a router that may be used in this invention.

FIG. 3 is a block diagram of a computer architecture that may be employed with this invention.

FIGS. 4-8 are flow charts depicting a preferred method by which the firewalls of this invention may protect a local network.

FIG. 9 is a diagram of a State Information Structure (a data structure) used in a preferred implementation of this invention.

FIGS. 10A-10C depict an FTP session using a firewall/router in accordance with an embodiment of this invention.

DETAILED DESCRIPTION OF THE PREFERRED EMBODIMENTS

1. System Structure and Architecture

FIG. 1 illustrates a general arrangement by which a local network allows its hosts (e.g., a host 6) to communicate with external nodes located on an external network 8 such as the Internet. Typically local network 4 is connected to external network 8 via a router 10 which routes packets between external network 8 and local network 4.

In this invention, router 10 may also double as a firewall that protects local network 4 from potentially dangerous accesses from external network 8. When acting as a firewall, a router 10 will, under certain circumstances, allow host 6 to initiate a conversation with an external node 12 that is connected to external network 8. If router/firewall 10 allows host 6 to initiate such a conversation, it must also allow appropriate return communications from node 12 to host 6. Details of how router/firewall 10 allows such conversations and yet protects the local network will be detailed below, in one embodiment.

Generally, a firewall of this invention may be specially constructed for the required purposes, or it may be a general-purpose programmable machine selectively activated or reconfigured by a computer program stored in memory. The processes presented herein are not inherently related to any particular router or other network apparatus. Preferably, the invention is implemented on a network device designed to handle network traffic. Such network devices typically have multiple network interfaces including frame relay and ISDN interfaces, for example. Specific examples of such network devices include routers and switches. For example, the firewalls of this invention may be
`
specially configured routers such as specially configured router models 1600, 2500, 2600, 3600, 4500, 4700, 7200, and 7500 available from Cisco Systems, Inc. of San Jose, Calif. A general architecture for some of these machines will appear from the description given below. In an alternative embodiment, the firewall may be implemented on a general purpose network host machine such as a personal computer or workstation. Further, the invention may be at least partially implemented on a card (e.g., an interface card) for a network device or a general-purpose computing device.

Referring now to FIG. 2, a router 210 suitable for implementing the present invention includes a master central processing unit (CPU) 262, low and medium speed interfaces 268, and high-speed interfaces 212. When acting under the control of appropriate software or firmware, the CPU 262 is responsible for such router tasks as routing table computations and network management. It is also responsible for creating and updating an Access Control List, comparing incoming packets with the current Access Control List, generating State Information Structures, inspecting packet headers and payloads as necessary, enforcing the state of a session, etc. It preferably accomplishes all these functions under the control of software including an operating system (e.g., the Internetwork Operating System (IOS®) of Cisco Systems, Inc.) and any appropriate applications software. CPU 262 may include one or more microprocessor chips 263 such as the Motorola MPC860 microprocessor, the Motorola 68030 microprocessor, or other available chips. In a preferred embodiment, a memory 261 (such as non-volatile RAM and/or ROM) also forms part of CPU 262. However, there are many different ways in which memory could be coupled to the system.

The interfaces 212 and 268 are typically provided as interface cards (sometimes referred to as "line cards"). Generally, they control the sending and receipt of data packets over the network and sometimes support other peripherals used with the router 210. The low and medium speed interfaces 268 include a multiport communications interface 252, a serial communications interface 254, and a token ring interface 256. The high-speed interfaces 212 include an FDDI interface 224 and a multiport ethernet interface 226. Preferably, each of these interfaces (low/medium and high-speed) includes (1) a plurality of ports appropriate for communication with the appropriate media, and (2) an independent processor such as the 2901 bit slice processor (available from Advanced Micro Devices Corporation of Santa Clara, Calif.), and in some instances (3) volatile RAM. The independent processors control such communications intensive tasks as packet switching, media control and management. By providing separate processors for the communications intensive tasks, this architecture permits the master microprocessor 262 to efficiently perform routing computations, network diagnostics, security functions, etc.

The low and medium speed interfaces are coupled to the master CPU 262 through a data, control, and address bus 265. High-speed interfaces 212 are connected to the bus 265 through a fast data, control, and address bus 215 which is in turn connected to a bus controller 222. The bus controller functions are provided by a processor such as a 2901 bit slice processor.

Although the system shown in FIG. 2 is a preferred router of the present invention, it is by no means the only router architecture on which the present invention can be implemented. For example, an architecture having a single processor that handles communications as well as routing computations, etc. would also be acceptable. Further, other types of interfaces and media could also be used with the router.
`
`45
`
`50
`
`55
`
`60
`
`65
`
`6
Regardless of the network device's configuration, it may employ one or more memories or memory modules (including memory 261) configured to store program instructions for the network operations and access control functions described herein. The program instructions may specify an operating system and one or more applications, for example. Such memory or memories may also be configured to store access control criteria (e.g., an ACL), state information (specifying the context of a network session, for example), etc.

Because such information and program instructions may be employed to implement the access control systems/methods described herein, the present invention relates to machine readable media that include program instructions, state information, etc. for performing various operations described herein. Examples of machine-readable media include, but are not limited to, magnetic media such as hard disks, floppy disks, and magnetic tape; optical media such as CD-ROM disks; magneto-optical media such as floptical disks; and hardware devices that are specially configured to store and perform program instructions, such as read-only memory devices (ROM) and random access memory (RAM). Examples of program instructions include both machine code, such as produced by a compiler, and files containing higher level code that may be executed by the computer using an interpreter.

FIG. 3 is a system diagram of a router or other network device 301 that may implement a firewall in accordance with this invention. As shown, network device 301 includes various processes and paths that form part of an operating system for the network device. These may include configuration processes 303, timer processes 305, IP processes 307, and interrupt paths 309. IP processes 307 and interrupts 309 are provided for routine packet handling functions as illustrated in the figure. In addition to these processes and paths, network device 301 includes firewall code 311 for executing firewall functions in response to requests from processes 303, 305, and 307 and interrupts 309. In a preferred embodiment, firewall code 311 may include both an engine that handles transport layer functions and various inspection modules, each of which is dedicated to handling a specific application protocol (e.g., FTP, H.323, etc.). In a further preferred embodiment, firewall code 311 is integrated with the remainder of the network device's operating system. Firewall code 311 may make use of various lists, data structures, and other stored information (collectively indicated by reference numeral 313 in FIG. 3). Examples include access control lists, State Information Structures (described below), timers, and various lists.

Regarding the operating system, it may require execution of code 311 under various circumstances associated with packet processing. In one example, configuration processes 303 specify that the FTP protocol is to be inspected. Thus processes 303 may ask code 311 to configure an access control list to allow initiation of an FTP session. Timer processes 305 may indicate to code 311 that a particular session has timed out. In this case, the firewall code 311 may delete any State Information Structure for that session as well as the associated ACL items. Still further, IP processes 307 and interrupts 309 may call firewall code 311 during the course of processing a packet to determine whether it meets certain ACL items or to determine whether its payload should be inspected.

2. Firewall Process

Overview

Network communications at high levels, such as at the application layer, may be referred to as "conversations." An
`
"application conversation" may have one or many "channels" (also referred to as "sessions" or "socket pairs"). These terms were chosen to cover at least TCP and UDP communications. In TCP, each channel represents a separate "connection." In UDP, which is connectionless, each channel is defined by a unique combination of source and destination IP addresses and port numbers. All UDP packets received within a defined timeout period and having the same unique combination of addresses and port numbers are deemed to belong to the same session or channel.

An application conversation may include only a single well-known channel as in the case of SMTP, HTTP, and Telnet, or it may contain many channels as in the case of certain multimedia applications (e.g., H.323 and RealAudio). Still other application conversations may have variable numbers of channels as in the case of FTP and TFTP, which create a new data channel each time a different file is transferred from server to client. The present invention handles all of these situations.

Like packet filtering, the access control of this invention examines network and transport-layer information. In addition, it examines application layer protocol information (such as FTP) to learn about and inspect the state of TCP or UDP sessions. This mechanism dynamically creates and deletes temporary openings in the firewall by temporarily modifying access lists to change packet filtering criteria. Preferably, the dynamically created access control list items are stored in memory in the network device's network interface. A firewall of this invention may also maintain state information in its own data structures (referred to herein as State Information Structures or "SISs") and use that information to create the temporary entries (by dynamically modifying its ACL, for example). Thus, a firewall may retain state information that is not retained in the access list entries. A firewall may inspect each packet within a data flow to ensure that the state of the session and the packets themselves meet the criteria established by a user's security policy. State information is used to make intelligent permit/deny decisions. When a session closes, its temporary ACL entry is deleted, and the opening in the firewall is closed.

A firewall may monitor each application on a per-connection basis for comprehensive traffic control capability. The firewall watches application sessions, notes the ports each session is using and opens the appropriate channels for the duration of the session, closing them when the session is finished. Specifically, when a newly authorized session is registered, the system may create a new SIS and any new ACL items for the session. Thereafter, packets transmitted to and from the hosts involved in the connection are allowed to pass back and forth across the firewall so long as the ACL items allow a transmission.
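The method sequence given in the Summary (receive the packet, identify the application, check addresses and ports, check the session state, decide whether to inspect the payload) and the overview just given (an SIS per channel, temporary ACL items created when a session is authorized or a port is negotiated and deleted when the session closes or times out) can be followed step by step in the simulation below. It is an example added by the editor, not code from the patent or from Cisco; the class and field names, the INSPECT table standing in for the configuration process, the PORT_CMD pattern, the one-entry SIGNATURES stand-in, and the addresses and ports used in ftp_scenario() are all the editor's assumptions. An inside FTP client's outbound SYN creates an SIS and a return-traffic ACL item; a PORT command seen on the control channel pre-generates an SIS and an ACL item whose source port is left open; the server's SYN to the announced port turns the pre-generated entry into a real session with its own items; a SYN arriving on an already open connection fails the state check; a payload matching a signature resets the connection; and the timer process deletes idle sessions together with their items, resealing the passage.

```python
import re
from collections import namedtuple
from dataclasses import dataclass, field

Channel = namedtuple("Channel", "proto src sport dst dport")   # TCP connection or UDP flow
Packet = namedtuple("Packet", "ch syn fin payload", defaults=(False, False, b""))

def acl_match(item, ch):
    # item = (proto, src, sport, dst, dport); sport None means "any source port"
    proto, src, sport, dst, dport = item
    return (proto, src, dst, dport) == (ch.proto, ch.src, ch.dst, ch.dport) and sport in (None, ch.sport)

@dataclass
class SIS:                      # State Information Structure for one channel
    ch: Channel
    app: str
    last_seen: float
    state: str = "opening"      # opening -> open; deleted on FIN or timeout
    pregen: bool = False        # created ahead of a negotiated data channel
    acls: list = field(default_factory=list)

INSPECT = {("tcp", 21): "ftp", ("tcp", 25): "smtp", ("udp", 69): "tftp"}   # constructed config
PORT_CMD = re.compile(rb"PORT (\d+),(\d+),(\d+),(\d+),(\d+),(\d+)\r\n")
SIGNATURES = (b"\x90" * 16,)     # constructed stand-in for an intrusion-signature list

class Firewall:
    def __init__(self, inside_prefix, idle_timeout):
        self.inside, self.idle = inside_prefix, idle_timeout
        self.acl, self.sessions, self.alerts = [], {}, []    # ACL items, Channel -> SIS, alerts
    def _authorized(self, ch):
        # FIG. 4: inside hosts may initiate a configured protocol; all else needs a dynamic ACL item
        return (((ch.proto, ch.dport) in INSPECT and ch.src.startswith(self.inside))
                or any(acl_match(item, ch) for item in self.acl))
    def _open(self, ch, app, now, inbound=False):
        # FIG. 6: an SIS plus the ACL item for its return traffic (inbound-initiated: forward item too)
        sis = SIS(ch, app, now, acls=[(ch.proto, ch.dst, ch.dport, ch.src, ch.sport)])
        if inbound:
            sis.acls.append((ch.proto, ch.src, ch.sport, ch.dst, ch.dport))
        self.acl.extend(sis.acls)
        self.sessions[ch] = sis
        return sis
    def _close(self, sis):
        self.acl = [item for item in self.acl if item not in sis.acls]
        self.sessions.pop(sis.ch, None)
    def _claim_pregen(self, ch, now):
        # A SYN that matches a pre-generated SIS turns it into a real session (FIG. 6)
        for pre in [s for s in self.sessions.values() if s.pregen and acl_match(s.acls[0], ch)]:
            self._close(pre)
            return self._open(ch, pre.app, now, inbound=True)
    def _pregen(self, control, host, port, now):
        # FIG. 8: PORT seen on the control channel; the server's source port is unknown, so wildcard it
        ch = Channel("tcp", control.ch.dst, 0, host, port)
        sis = SIS(ch, "ftp-data", now, pregen=True, acls=[("tcp", ch.src, None, host, port)])
        self.acl.extend(sis.acls)
        self.sessions[ch] = sis
    def expire(self, now):
        # FIG. 7, timer process: delete idle sessions together with their ACL items
        for sis in [s for s in self.sessions.values() if now - s.last_seen > self.idle]:
            self._close(sis)
    def process(self, pkt, now):
        # Returns 'forward', 'drop' or 'reset'; the order of tests follows FIGS. 4, 5 and 8
        ch = pkt.ch
        if not self._authorized(ch):
            return "drop"
        sis = self.sessions.get(ch) or self.sessions.get(Channel(ch.proto, ch.dst, ch.dport, ch.src, ch.sport))
        if sis is None and pkt.syn:
            sis = self._claim_pregen(ch, now)
        if sis is None:
            if not ((pkt.syn or ch.proto == "udp") and ch.src.startswith(self.inside)):
                return "drop"        # mid-stream packet that belongs to no session
            sis = self._open(ch, INSPECT.get((ch.proto, ch.dport), ch.proto), now)
        elif pkt.syn and ch.proto == "tcp" and sis.state == "open":
            self.alerts.append(f"unexpected SYN on open connection {ch}")
            return "drop"            # FIG. 5: does not meet the state criteria
        if pkt.payload and sis.app in ("ftp", "tftp", "smtp", "rpc"):
            if any(sig in pkt.payload for sig in SIGNATURES):
                self.alerts.append(f"intrusion signature on {ch}")
                self._close(sis)
                return "reset"
            m = PORT_CMD.search(pkt.payload) if sis.app == "ftp" else None
            if m:
                host = ".".join(m.group(i).decode() for i in range(1, 5))
                self._pregen(sis, host, int(m.group(5)) * 256 + int(m.group(6)), now)
        sis.last_seen, sis.state = now, (sis.state if pkt.syn else "open")
        if pkt.fin:
            self._close(sis)
        return "forward"

def ftp_scenario():
    # Constructed active-mode FTP exchange in the manner of FIGS. 10A-10C; returns the verdicts
    fw, c, s = Firewall("10.0.0.", idle_timeout=60), "10.0.0.5", "192.0.2.10"
    ctl, data = Channel("tcp", c, 40000, s, 21), Channel("tcp", s, 20, c, 160 * 256)
    verdicts = [fw.process(Packet(ctl, syn=True), 0),                              # forward
                fw.process(Packet(Channel("tcp", s, 21, c, 40000)), 1),            # forward
                fw.process(Packet(ctl, payload=b"PORT 10,0,0,5,160,0\r\n"), 3),    # forward
                fw.process(Packet(Channel("tcp", s, 20, c, 40961), syn=True), 4),  # drop
                fw.process(Packet(data, syn=True), 5),                             # forward
                fw.process(Packet(data, payload=b"file bytes"), 6)]                # forward
    fw.expire(200)                                       # the timer fires long after the last packet
    verdicts.append(fw.process(Packet(data), 200))       # drop: the passage is sealed again
    return verdicts, len(fw.sessions), len(fw.acl)
```

Only the server's source port is left open in the pre-generated item: the server address, the client address and the announced client port are all pinned, so a SYN to any other port (the 40961 case in the scenario) is still dropped. Timeouts are applied by expire(), which the scenario calls the way the timer process of FIG. 7 would, rather than from the packet path.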
The firewalls of this invention preferably consider the TCP or UDP session state. In fact, a firewall may base decisions on the state of its sessions. To do so, it may maintain a record of the state of each connection going through. Also, the firewalls preferably keep track of items such as: how long was the last transmitted packet in this session, are the sequence/acknowledgment nu