摘要:
A novel and useful dynamic packet filter that can be incorporated in a hardware based firewall suitable for use in portable computing devices such as cellular telephones and wireless connected PDAs adapted to connect to the Internet. The invention performs dynamic packet filtering on packets received over an input packet stream. The dynamic filter checks dynamic protocol behavior using information extracted from the received packet. Sessions are created and stored in a session database to track the state of communications between the source and destination. Recognition of a session is accelerated by use of a hash table to quickly determine the corresponding session record in the session database. Session related data is read from the session database and the received packet is checked against a set of rules to determine whether to allow or deny the packet.
摘要:
A novel and useful virtual private network (VPN) mechanism and related security association processor for maintaining the necessary security related parameters to perform security functions such as encryption, decryption and authentication. A security association database (SAD) and related circuitry is adapted to provide the necessary parameters to implement the IPSec group of security specifications for encryption/decryption and authentication. Each security association (SA) entry in the database comprises all the parameters that are necessary to receive and transmit VPN packets according to the IPSec specification.
摘要:
A method for secure communication between a local area network and a wide area network includes integrating a NAT functionality in a firewall associated with the local area network, wherein the NAT functionality is suitable to translate the source port of outgoing data packets with a NAT port value obtained by adding to a NAT offset value the value of the session ED used in a session database. When reply data packets coming from the wide area network are received by the firewall, the session ID is extracted from the NAT port value and is used for directly pointing to the session database, thus reducing the time required to recognize the session.
摘要:
A method for secure communication between a local area network and a wide area network includes integrating a NAT functionality in a firewall associated with the local area network, wherein the NAT functionality is suitable to translate the source port of outgoing data packets with a NAT port value obtained by adding to a NAT offset value the value of the session ED used in a session database. When reply data packets coming from the wide area network are received by the firewall, the session ID is extracted from the NAT port value and is used for directly pointing to the session database, thus reducing the time required to recognize the session.