503 results about "Packet filtering" patented technology

Methods and devices for processing packets are provided. The processing device may include an input interface for receiving data units containing header information of respective packets; a first module configurable to perform packet filtering based on the received data units; a second module configurable to perform traffic analysis based on the received data units; a third module configurable to perform load balancing based on the received data units; and a fourth module configurable to perform route lookups based on the received data units.

A packet filter (2500) for incoming communications packets includes extractor circuitry (2510) operable to extract data from a packet, and packet processor circuitry (2520) operable to concurrently mask (3010) the packet data from the extractor circuitry (2510), perform an arithmetic/logic operation (3020) on the packet to supply a packet drop signal (DROP), and perform a conditional limit operation and a conditional jump operation (3030).

A system monitors and detects unauthorized wireless LAN access points and wireless devices. The system includes one or more wireless LAN monitoring devices, which detect and report the presence of unauthorized or “rogue” wireless LAN access points or wireless devices within a predetermined area, for example, within the vicinity of a wired LAN, including indoor and/or outdoor areas. Improved range is achieved through the use of preamplification and sectorized antennas. Larger areas may be covered using additional wireless LAN monitoring devices, which operate independently or cooperate together in the detection process. Geolocation is possible using single or multiple, cooperating monitoring devices. Provision can be made for monitoring devices to provide packet filtering on a wired LAN.

A multi-stage packet filtering method and system. The multi-stage packet filtering according to the invention applies a set of filtering rules early in the processing of incoming communications packets by filtering incoming data packets using the filtering rules in a plurality of stages wherein the first stage is triggered by the receipt of a data packet by the device. Filtering rules that cannot be applied in the first stage may be deferred to a pre-memory allocation stage. Thus, preferable leaving only rules that must be executed in conjunction with protocol processing to be filtered at a filtering stage executed in a protocol processing filtering stage.

The invention provides improved computer network firewalls which include one or more features for increased processing efficiency. A firewall in accordance with the invention can support multiple security policies, multiple users or both, by applying any one of several distinct sets of access rules. The firewall can also be configured to utilize “stateful” packet filtering which involves caching rule processing results for one or more packets, and then utilizing the cached results to bypass rule processing for subsequent similar packets. To facilitate passage to a user, by a firewall, of a separate later transmission which is properly in response to an original transmission, a dependency mask can be set based on session data items such as source host address, destination host address, and type of service. The mask can be used to query a cache of active sessions being processed by the firewall, such that a rule can be selected based on the number of sessions that satisfy the query. Dynamic rules may be used in addition to pre-loaded access rules in order to simplify rule processing. To unburden the firewall of application proxies, the firewall can be enabled to redirect a network session to a separate server for processing.

In a security engine management apparatus in network nodes, a security instruction and library subsystem processes every application program and utility. A policy decision subsystem determines a filtering policy, an intrusion detection policy and an access control policy. An authentication and access control subsystem blocks an unauthorized user to access to a system and allows an authorized user to access thereto according to the access control policy. A policy application subsystem applies the policies. A packet filtering subsystem receives an allowed packet and denies a disallowed packet according to the filtering policy. An intrusion analysis and audit trail subsystem analyzes the intrusion according to the intrusion detection policy. A security management subsystem manages a security engine.

The subject matter described herein includes methods, systems, and computer readable media for adaptive packet filtering. One method includes identifying at least one subset of rules and an ordered set of firewall packet filtering rules that defines a firewall policy such that the subset contains disjoint rules. Disjoint rules are defined as rules whose order can be changed without changing integrity of the firewall policy. Rules in the subset are sorted to statistically decrease the number of comparisons that will be applied to each packet that a firewall encounters. Packets are filtered at the firewall using the sorted rules in the subset by comparing each packet to each of the sorted rules in the subset until the packet is allowed or denied and ceasing the comparing for the packet in response to the packet being allowed or denied and thereby achieving sub-linear searching for packets filtered using the sorted rules in the subset.

A method, system, apparatus, and computer program product is presented for management of a distributed data processing system. The network management framework is able to monitor multiple sources of network packets on various subnets within the distributed data processing system; distributed packet snoopers are deployed from a packet usage manager to monitor the multiple sources of network packets. The system administrator can request packet filtering based upon selected active users or active applications. A bandwidth history database is compiled from bandwidth usage data associated with multiple entities within the data processing system, including users, applications, and/or endpoints within the data processing system. In response to a requested action within the data processing system, bandwidth usage for the requested action can be predicted with reference to the bandwidth history database. The actual and predicted bandwidth usage of requested actions can be displayed to the system administrator in real time.

An access control system for a computing environment in which a number of processing nodes are interconnected to one another via an interconnection system. Multiple program applications, each made up of a number of application components, are installed in the environment, such that their components may be distributed among the various processing nodes of the platform. A set of rules is established, indicating allowed inter-node communications between the application components, and those rules are mapped onto a set of logic in the platform. The logic may be embodied in various forms, such as packet-filtering logic in a network interconnect switch, or firewall logic in a processing node. In turn, when an application component on one node attempts to communication with another application component on another node, a determination can be made whether the communication is allowed and, if the communication is not allowed, the communication can be blocked.

The present invention provides methods, systems, and computer program instructions for providing location-independent packet routing and secure access in a wireless networking environment (such as that encountered within a building), enabling client devices to travel seamlessly within the environment. Each client device uses a constant address. An address translation process that is transparent to the client and server is automatically performed as the device roams through the environment, enabling efficient client migration from one supporting access point to another. The secure access techniques provide user-centric authentication and allow policy-driven packet filtering, while taking advantage of encryption capabilities that are built in to the hardware at each endpoint.

Systems and methods are disclosed that allow for improved management and control of packet forwarding in network systems. Network devices and tool optimizers and a related systems and methods are disclosed for improved packet forwarding between input ports and output ports. The input ports and output ports are configured to be connected to source devices and destination devices, for example, network sources and destination tools in a network monitoring environment. The network devices and tool optimizers disclosed can use a packet processing system whereby forwarding behavior is governed by matching packets in parallel against multiple user-specified packet filtering criteria, and by performing forwarding actions associated with all such matching filter criteria. The multi-action packet forwarding can be implemented using hardware configured to directly provide multi-action packet forwarding and/or hardware configured to provide single-packet-forwarding that has been subsequently configured using filter engines to provide multi-action packet forwarding.

Methods and devices for processing packets are provided. The processing device may Include an input interface for receiving data units containing header information of respective packets; a first module configurable to perform packet filtering based on the received data units; a second module configurable to perform traffic analysis based on the received data units; a third module configurable to perform load balancing based on the received data units; and a fourth module configurable to perform route lookups based on the received data units.

A system protects against loss of communication during network attacks. In a first implementation, a system (120) models the behavior of normal users in a network in response to an application of a first packet filtering technique. The system (120) receives a group of packets from a first user subsequent to the application of the first packet filtering technique and creates one or more models reflecting the behavior of the first user based on the received packets. In another implementation, a system (130) receives a stream of packets subsequent to a filtering technique being applied, partitions the packets into groups, where each group corresponds to more than one packet, and classifies each group of packets as a normal group or an attack group using one or more models. Each model reflects a normal response to an application of the filtering technique. The system (130) forwards groups classified as normal groups, thus preventing network attacks from choking off all communication in the network.

Methods and systems for a PLD-based network update transport (PNUT) protocol that utilizes UDP and other protocols for transmitting update or other commands or information over a packet-based or IP network. PNUT is a hardware-based network communication protocol that does not require the full TCP/IP stack and may be utilized for exchanging commands and information with such PLD-based and other devices. Protocols may include a set of core commands and a set of custom commands. Logic components within the PLD-based devices may consist of a command dispatcher, a transmitter/controller, a MAC receiver, a MAC transmitter, a packet parser, a packet generator, and core receiving and transmitting commands. The present invention may be implemented without requiring CPU cores, special controllers, stringent timings, or operating systems as compared with conventional network protocols. Various methods for exchanging and updating PNUT commands are disclosed. The methods and systems of the present invention may be utilized to provide other functions, such as filtering, logging, polling, testing, debugging, and monitoring, and may be implemented between a server and a PLD-based device or solely between PLD-based devices.

A method for testing of a communication network having a plurality of end-points, using one or more network agents coupled to the network at respective locations. The method includes specifying at least one packet filtering criterion, and transmitting one or more data packets meeting the at least one criterion through the network from one of the end-point to another. At least one of the data packets meeting the criterion is intercepted using the network agents at one or more of the respective locations in the network traversed by the at least one of the data packets. Information regarding the at least one intercepted packet at the one or more respective locations is recorded and processed to analyze a route of the at least one intercepted packet through the network.

A method of filtering multicast packets received in a first network interface of a router is provided. The router receives multicast traffic in the first network interface from sources that send multicast packets to at least a first multicast group address. The router also having second and third network interfaces for receiving multicast traffic requests. In one implementation the filtering method includes receiving in the second network interface a first multicast traffic request for a first multicast group address according to a first multicast routing protocol including a first set of sources, receiving in the third network interface a second multicast traffic request for the first multicast group address according to a second multicast routing protocol, the multicast traffic request including a second set of sources, creating from the first and second multicast traffic requests a filter record having a third set of sources indicative of all of the sources of the first multicast group address requested to be transmitted through the second and third interfaces of the router; and filtering multicast packets received at the first network interface using the record. In alternative embodiments, multiple multicast state records (e.g., an Include source record and an Exclude source record) are stored for each network interface and multicast group address, the multiple multicast state records being used to create one or more multiple filter records that each have a set of sources that are used in combination to filter multicast packets received at the first network interface.

The invention provides a message filtration method and a system and equipment thereof; DPI proxy servers which are arranged at the user side of the access network identify the service type and/or content of the received data message and then DPI filtration is implemented on the data message according to the set DPI filtration strategy and the identified service type and/or content. By adopting the mode, the DPI proxy servers can be distributed at the user side of the access network and the received data messages are only the messages transmitted by the user equipment of the corresponding user network; compared with the DPI servers which are arranged at the boundary of the core network and the access network, the data message flow which needs to be processed is reduced; therefore, the real-time deep packet inspection on the data message can be guaranteed.