-
Publication number: US06219706B1
Publication date: 2001-04-17
Application number: US09174200
Filing date: 1998-10-16
Applicant: Serene Fan, Steve Truong
Inventors: Serene Fan, Steve Truong
IPC classification: G06F15/173
CPC classification: H04L63/0254
Abstract: An access control system (a firewall) controls traffic to and from a local network. The system is implemented on a dedicated network device such as a router positioned between a local network and an external network, usually the Internet, or between two or more local networks. Access control items are generated and removed dynamically, based on the context of an application conversation. Specifically, the system dynamically allocates channels through the firewall based on its knowledge of the application and protocol type (the context) employed in a conversation involving a node on the local network. Further, the system may selectively examine packet payloads to determine when new channels are about to be opened. In one example, the firewall employs different rules for handling SMTP sessions (e-mail using a single channel with a well-known port number), FTP sessions (file transfer using a single control channel with a well-known port number and one or more data channels with arbitrary port numbers), and H.323 sessions (video conferencing using multiple control channels and multiple data channels, all with arbitrary port numbers).
-
Publication number: US06854063B1
Publication date: 2005-02-08
Application number: US09517961
Filing date: 2000-03-03
Applicants: Diheng Qu, Kevin Li, Sami Boutros, Seren Fan, Steve Truong
Inventors: Diheng Qu, Kevin Li, Sami Boutros, Seren Fan, Steve Truong
IPC classification: H04L29/06, G06F15/173, G06F15/177, H04L9/00, H04L12/28, H04L12/56
CPC classification: H04L63/0245, H04L63/0254, H04L63/101
Abstract: A firewall system and method that optimizes the performance of the firewall process by reducing the overhead associated with ACL verification and firewall application-level authorization. The firewall system comprises a session manager operating in the firewall services component and a firewall module operating in the switching process component. In one embodiment, the firewall module performs certain "non-application" level inspection of data packets and updates the context of the "sessions" associated with those packets, using session information supplied by the session manager, without forwarding the packets to the firewall services component.
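The two abstracts above describe complementary halves of one design: the first (US06219706B1) opens and removes access control items for data channels by reading the application conversation on a control channel, and the second (US06854063B1) keeps packets of already-known sessions in a fast path that updates session context without handing them to the firewall services component. The following Python simulation is an added example, not code from either patent: it implements a fast-path session table, a session manager that applies a static policy and inspects FTP control payloads (PORT commands and 227 passive-mode replies) to open and tear down dynamic data-channel entries ("pinholes"), and the check a practitioner would want against the FTP bounce pattern, where a PORT command names a host other than the client. The 10.0.0.0/8 local network, the static policy (outbound SMTP and FTP control only), the packet model and all names are assumptions.

```python
"""Two-tier context-based firewall (added example, not the patents' code; addresses,
policy and names are assumptions). Fast path: known sessions needing no application
inspection pass and update context locally. Slow path: the session manager applies
static policy, inspects FTP control payloads (PORT / 227) and opens or tears down
dynamic data-channel pinholes."""
import re
from dataclasses import dataclass

@dataclass
class Packet:
    src: str
    sport: int
    dst: str
    dport: int
    payload: bytes = b""
    fin: bool = False        # set on the segment that tears the connection down

@dataclass
class Session:
    key: tuple
    app: str                 # "smtp", "ftp-control" or "ftp-data"
    inspect: bool            # True: payloads must be seen by the session manager
    parent: tuple = None     # control-channel key of a dynamic data channel
    packets: int = 0

PORT_RE = re.compile(rb"^PORT (\d+),(\d+),(\d+),(\d+),(\d+),(\d+)\r?$", re.M)
PASV_RE = re.compile(rb"^227 .*?\((\d+),(\d+),(\d+),(\d+),(\d+),(\d+)\)", re.M)

def canon(pkt):
    """Direction-independent session key: both endpoints, sorted."""
    return tuple(sorted([(pkt.src, pkt.sport), (pkt.dst, pkt.dport)]))

def hostport(m):
    a, b, c, d, p1, p2 = (int(x) for x in m.groups())
    return f"{a}.{b}.{c}.{d}", p1 * 256 + p2

inside = lambda ip: ip.startswith("10.")   # assumption: local network is 10.0.0.0/8

class Firewall:
    def __init__(self):
        self.sessions = {}   # canon key -> Session, consulted on the fast path
        self.pinholes = {}   # (src ip, dst ip, dst port) -> parent control key
        self.punts = 0       # packets that had to reach the session manager

    def handle(self, pkt):
        """Fast path: returns 'pass' or 'drop'; punts only when context demands it."""
        key = canon(pkt)
        sess = self.sessions.get(key)
        if sess is not None and not sess.inspect:
            sess.packets += 1
            if pkt.fin:
                self.close_session(key)
            return "pass"
        return self.session_manager(pkt, key, sess)

    def session_manager(self, pkt, key, sess):
        """Slow path: static policy, pinhole matching and payload inspection."""
        self.punts += 1
        if sess is None:
            sess = self.open_session(pkt, key)
            if sess is None:
                return "drop"
        sess.packets += 1
        if sess.app == "ftp-control":
            self.inspect_ftp(pkt, sess)
        if pkt.fin:
            self.close_session(key)
        return "pass"

    def open_session(self, pkt, key):
        if inside(pkt.src) and pkt.dport == 25:      # SMTP: one well-known channel
            sess = Session(key, "smtp", inspect=False)
        elif inside(pkt.src) and pkt.dport == 21:    # FTP control: payload is watched
            sess = Session(key, "ftp-control", inspect=True)
        else:                                        # only a dynamic entry admits this
            parent = self.pinholes.pop((pkt.src, pkt.dst, pkt.dport), None)
            if parent is None:
                return None
            sess = Session(key, "ftp-data", inspect=False, parent=parent)
        self.sessions[key] = sess
        return sess

    def inspect_ftp(self, pkt, sess):
        """Open a pinhole for the data channel the control conversation announces."""
        to_server = pkt.dport == 21
        client, server = (pkt.src, pkt.dst) if to_server else (pkt.dst, pkt.src)
        m = PORT_RE.search(pkt.payload)
        if to_server and m:                          # active mode: server dials client
            host, port = hostport(m)
            if host == client:                       # refuse an FTP bounce to a third host
                self.pinholes[(server, host, port)] = sess.key
        m = PASV_RE.search(pkt.payload)
        if not to_server and m:                      # passive mode: client dials server
            host, port = hostport(m)
            if host == server:
                self.pinholes[(client, host, port)] = sess.key

    def close_session(self, key):
        """Remove a session; a control channel takes its data channels and pinholes."""
        self.sessions = {k: s for k, s in self.sessions.items() if k != key and s.parent != key}
        self.pinholes = {k: p for k, p in self.pinholes.items() if p != key}
```

The `punts` counter is the quantity the second patent is about: once a session exists and is marked as needing no application inspection, every further packet of it (including the inbound reply direction) is decided from the table alone. Only packets that create a session, or that belong to a control channel whose payload drives channel allocation, reach the session manager. Pinholes are keyed on the three values the control conversation reveals (peer address, local address, announced port); the source port of the eventual data connection is unknown in advance, which is why a static ACL cannot express it.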
-