公开(公告)号：US06219706B1

公开(公告)日：2001-04-17

申请号：US09174200

申请日：1998-10-16

申请人： Serene Fan ,  Steve Truong

发明人： Serene Fan ,  Steve Truong

IPC分类号： G06F15173

CPC分类号： H04L63/0254

摘要： An access control system (a firewall) controls traffic to and from a local network. The system is implemented on a dedicated network device such as a router positioned between a local network and an external network, usually the Internet, or between one or more local networks. In this procedure, access control items are dynamically generated and removed based upon the context of an application conversation. Specifically, the system dynamically allocates channels through the firewall based upon its knowledge of the type of applications and protocol (context) employed in the conversation involving a node on the local network. Further, the system may selectively examine packet payloads to determine when new channels are about to be opened. In one example, the firewall employs different rules for handling SMTP (e-mail using a single channel having a well-known port number) sessions, FTP sessions (file transfer using a single control channel having a well known port number and using one or more data channels having arbitrary port numbers), and H.323 (video conferencing using multiple control channels and multiple data channels, which use arbitrary port numbers) sessions.

摘要翻译： 访问控制系统（防火墙）控制来往本地网络的流量。 该系统在诸如位于本地网络和外部网络（通常为因特网）之间或位于一个或多个本地网络之间的专用网络设备上实现。 在该过程中，基于应用会话的上下文动态地生成和移除访问控制项。 具体地说，系统基于对涉及本地网络中的节点的会话中使用的应用和协议（上下文）的类型的了解，动态地分配通过防火墙的信道。 此外，系统可以选择性地检查分组有效载荷以确定新的信道何时将被打开。 在一个示例中，防火墙采用不同的规则来处理SMTP（使用具有公知端口号的单个信道的电子邮件）会话，FTP会话（使用具有公知端口号的单个控制信道的文件传输，并使用一个或 更多的具有任意端口号的数据信道）和H.323（使用多个控制信道和使用任意端口号的多个数据信道的视频会议）会话。