CA2226814A1 - System and method for providing peer level access control on a network - Google Patents

System and method for providing peer level access control on a network

Info

Publication number
CA2226814A1
Authority
CA
Canada
Prior art keywords
peer
tuple
rule
access control
packet
Prior art date
Legal status
Granted
Application number
CA002226814A
Other languages
French (fr)
Other versions
CA2226814C (en)
Inventor
Partha P. Dutta
Daniel N. Zenchelsky
Thomas B. London
Dalibor F. Vrsalovic
Karl A. Siil
Current Assignee
AT&T Corp
Original Assignee
At&T Corp.
Partha P. Dutta
Daniel N. Zenchelsky
Thomas B. London
Dalibor F. Vrsalovic
Karl A. Siil
Priority date
Filing date
Publication date
Application filed by At&T Corp., Partha P. Dutta, Daniel N. Zenchelsky, Thomas B. London, Dalibor F. Vrsalovic, Karl A. Siil
Publication of CA2226814A1
Application granted
Publication of CA2226814C
Anticipated expiration
Current legal status: Expired - Fee Related

Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00 Network architectures or network communication protocols for network security
    • H04L63/02 Network architectures or network communication protocols for network security for separating internal from external traffic, e.g. firewalls
    • H04L63/0227 Filtering policies
    • H04L63/0263 Rule management
    • H04L63/08 Network architectures or network communication protocols for network security for authentication of entities

Abstract

A system and method for providing peer-level access control on networks that carry packets of information, each packet having a 5-tuple comprising a source and destination address, a source and destination port, and a protocol identifier. The local rule base of a peer is dynamically loaded into a filter when the peer is authenticated, and ejected when the peer loses authentication. The local rule base is searched efficiently through the use of hash tables, wherein a hashed peer network address serves as a pointer to the peer's local rules. Each rule comprises a 5-tuple and an action. The action of a rule is carried out on a packet when the 5-tuple of the rule corresponds to the 5-tuple of the packet.
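The mechanism the abstract describes, as an added Python illustration that is not the patent's own code: a dict (a hash table) maps an authenticated peer's address to its local rule list, each rule pairs a 5-tuple with an action, and the rule base is loaded on authentication and ejected when authentication is lost. Assumptions of mine: the 5-tuple field order, the "*" wildcard, first-match-wins ordering, and that a packet is attributed to the peer whose address is its source or, failing that, its destination; the addresses and rules in demo() are constructed.

```python
from dataclasses import dataclass
from typing import Dict, List, Tuple, Union

# Assumed layout of a 5-tuple: (src_addr, dst_addr, src_port, dst_port, proto).
# "*" in a rule field is a wildcard; this is an added illustration, not the patent's code.
Field = Union[str, int]
FiveTuple = Tuple[Field, Field, Field, Field, Field]


@dataclass(frozen=True)
class Rule:
    match: FiveTuple
    action: str  # "permit" or "deny"


class PeerFilter:
    def __init__(self, default_action: str = "deny") -> None:
        self.default_action = default_action
        # Python's dict is a hash table: hashing the peer address leads straight
        # to that peer's local rule list, which is what the abstract describes.
        self._rules: Dict[str, List[Rule]] = {}

    def authenticate(self, peer: str, local_rules: List[Rule]) -> None:
        """Load the peer's local rule base into the filter once it authenticates."""
        self._rules[peer] = list(local_rules)

    def deauthenticate(self, peer: str) -> None:
        """Eject the rule base when the peer loses authentication (no-op if absent)."""
        self._rules.pop(peer, None)

    @staticmethod
    def _matches(rule: Rule, pkt: FiveTuple) -> bool:
        return all(r == "*" or r == p for r, p in zip(rule.match, pkt))

    def decide(self, pkt: FiveTuple) -> str:
        # Assumption: the peer is the packet's source (outbound) or, failing
        # that, its destination (inbound). First matching rule wins.
        for peer in (pkt[0], pkt[1]):
            rules = self._rules.get(peer)  # one hash lookup per candidate peer
            if rules is None:
                continue
            for rule in rules:
                if self._matches(rule, pkt):
                    return rule.action
            return self.default_action  # peer is loaded but nothing matched
        return self.default_action  # no authenticated peer on either end


def demo() -> List[str]:
    f = PeerFilter()
    alice = "10.0.0.5"  # constructed peer address
    alice_rules = [
        Rule((alice, "*", "*", 80, "tcp"), "permit"),    # outbound web
        Rule((alice, "*", "*", 443, "tcp"), "permit"),
        Rule(("*", alice, "*", 22, "tcp"), "deny"),      # no inbound ssh
        Rule(("*", alice, "*", "*", "tcp"), "permit"),   # other inbound tcp
    ]
    web = (alice, "198.51.100.7", 40000, 80, "tcp")
    ssh_in = ("192.0.2.9", alice, 55555, 22, "tcp")
    dns_out = (alice, "198.51.100.7", 40001, 53, "udp")
    out = [f.decide(web)]  # denied: rule base not loaded yet
    f.authenticate(alice, alice_rules)
    out += [f.decide(web), f.decide(ssh_in), f.decide(dns_out)]
    f.deauthenticate(alice)
    out.append(f.decide(web))  # denied again once the rules are ejected
    return out
```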

Applications Claiming Priority (2)

Application Number Priority Date Filing Date Title
US08/785,501 1997-01-17
US08/785,501 US6233686B1 (en) 1997-01-17 1997-01-17 System and method for providing peer level access control on a network

Publications (2)

Publication Number Publication Date
CA2226814A1 true CA2226814A1 (en) 1998-07-17
CA2226814C CA2226814C (en) 2003-03-25

Family

ID=25135719

Family Applications (1)

Application Number Title Priority Date Filing Date
CA002226814A Expired - Fee Related CA2226814C (en) 1997-01-17 1998-01-12 System and method for providing peer level access control on a network

Country Status (5)

Country Link
US (1) US6233686B1 (en)
EP (1) EP0854621B1 (en)
JP (1) JP3814068B2 (en)
CA (1) CA2226814C (en)
DE (1) DE69825801T2 (en)

Cited By (1)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US6779118B1 (en) 1998-05-04 2004-08-17 Auriq Systems, Inc. User specific automatic data redirection system

Families Citing this family (104)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US6160843A (en) * 1996-03-29 2000-12-12 Cisco Technology, Inc. Communication server apparatus providing XDSL services and method
ATE367701T1 (en) 1997-03-12 2007-08-15 Nomadix Inc NOMADIC TRANSLATOR OR PATH FINDER
JP3961060B2 (en) * 1997-03-19 2007-08-15 愛知機械工業株式会社 Manual transmission reverse idler gear mounting structure
US6070243A (en) * 1997-06-13 2000-05-30 Xylan Corporation Deterministic user authentication service for communication network
US6182228B1 (en) 1998-08-17 2001-01-30 International Business Machines Corporation System and method for very fast IP packet filtering
CA2287258C (en) * 1998-10-22 2004-08-10 At&T Corp. System and method for demand-driven loading of rules in a firewall
US7673323B1 (en) * 1998-10-28 2010-03-02 Bea Systems, Inc. System and method for maintaining security in a distributed computer network
US6158010A (en) 1998-10-28 2000-12-05 Crosslogix, Inc. System and method for maintaining security in a distributed computer network
CA2287689C (en) * 1998-12-03 2003-09-30 P. Krishnan Adaptive re-ordering of data packet filter rules
US7194554B1 (en) 1998-12-08 2007-03-20 Nomadix, Inc. Systems and methods for providing dynamic network authorization authentication and accounting
US8266266B2 (en) 1998-12-08 2012-09-11 Nomadix, Inc. Systems and methods for providing dynamic network authorization, authentication and accounting
US8713641B1 (en) 1998-12-08 2014-04-29 Nomadix, Inc. Systems and methods for authorizing, authenticating and accounting users having transparent computer access to a network using a gateway device
US7136926B1 (en) * 1998-12-31 2006-11-14 Pmc-Sierrra Us, Inc. Method and apparatus for high-speed network rule processing
US6981155B1 (en) * 1999-07-14 2005-12-27 Symantec Corporation System and method for computer security
US7117532B1 (en) * 1999-07-14 2006-10-03 Symantec Corporation System and method for generating fictitious content for a computer
WO2001004753A1 (en) * 1999-07-14 2001-01-18 Recourse Technologies, Inc. System and method for tracking the source of a computer attack
US6587876B1 (en) 1999-08-24 2003-07-01 Hewlett-Packard Development Company Grouping targets of management policies
US20030115246A1 (en) * 1999-08-24 2003-06-19 Hewlett-Packard Company And Intel Corporation Policy management for host name mapped to dynamically assigned network address
US7203962B1 (en) * 1999-08-30 2007-04-10 Symantec Corporation System and method for using timestamps to detect attacks
US6971028B1 (en) * 1999-08-30 2005-11-29 Symantec Corporation System and method for tracking the source of a computer attack
WO2001031885A2 (en) 1999-10-22 2001-05-03 Nomadix, Inc. Gateway device having an xml interface and associated method
DE60041352D1 (en) 1999-10-22 2009-02-26 Nomadix Inc SYSTEM AND METHOD FOR DYNAMIC PARTICIPANT BASED BANDWIDTH MANAGEMENT IN A COMMUNICATION NETWORK
US6832321B1 (en) 1999-11-02 2004-12-14 America Online, Inc. Public network access server having a user-configurable firewall
EP1104142A1 (en) * 1999-11-29 2001-05-30 BRITISH TELECOMMUNICATIONS public limited company Network access system
US6684244B1 (en) 2000-01-07 2004-01-27 Hewlett-Packard Development Company, Lp. Aggregated policy deployment and status propagation in network management systems
US7143439B2 (en) 2000-01-07 2006-11-28 Security, Inc. Efficient evaluation of rules
US8074256B2 (en) 2000-01-07 2011-12-06 Mcafee, Inc. Pdstudio design system and method
US6606659B1 (en) 2000-01-28 2003-08-12 Websense, Inc. System and method for controlling access to internet sites
US6675223B1 (en) * 2000-04-10 2004-01-06 International Business Machines Corporation Method and apparatus for processing frames using static and dynamic classifiers
ATE339836T1 (en) * 2000-04-12 2006-10-15 Tenovis Gmbh & Co Kg FIRE WALL ARCHITECTURAL SAVERS FOR A GIVEN PROTOCOL
FR2810180B1 (en) * 2000-06-08 2005-04-29 Cit Alcatel METHOD FOR PROVIDING ACCESS CONTROL FOR AND / OR TO USERS ACCESSING TERMINALS TO THE INTERNET NETWORK, THROUGH A PRIVATE ACCESS NODE, AND ARRANGEMENTS FOR IMPLEMENTING A SUCH METHOD
US7917647B2 (en) 2000-06-16 2011-03-29 Mcafee, Inc. Method and apparatus for rate limiting
WO2001099372A2 (en) * 2000-06-16 2001-12-27 Securify, Inc. Efficient evaluation of rules
WO2002001827A2 (en) * 2000-06-26 2002-01-03 Intel Corporation Establishing network security using internet protocol security policies
GB2371186A (en) * 2001-01-11 2002-07-17 Marconi Comm Ltd Checking packets
US7467298B2 (en) * 2001-04-16 2008-12-16 Microsoft Corporation Methods and arrangements for selectively maintaining parental access consent in a network environment
US7003578B2 (en) * 2001-04-26 2006-02-21 Hewlett-Packard Development Company, L.P. Method and system for controlling a policy-based network
US6816455B2 (en) * 2001-05-09 2004-11-09 Telecom Italia S.P.A. Dynamic packet filter utilizing session tracking
US20020198994A1 (en) * 2001-05-15 2002-12-26 Charles Patton Method and system for enabling and controlling communication topology, access to resources, and document flow in a distributed networking environment
WO2002101968A2 (en) * 2001-06-11 2002-12-19 Bluefire Security Technology Packet filtering system and methods
US7107464B2 (en) * 2001-07-10 2006-09-12 Telecom Italia S.P.A. Virtual private network mechanism incorporating security association processor
US7027446B2 (en) * 2001-07-18 2006-04-11 P-Cube Ltd. Method and apparatus for set intersection rule matching
US7209962B2 (en) * 2001-07-30 2007-04-24 International Business Machines Corporation System and method for IP packet filtering based on non-IP packet traffic attributes
US7367014B2 (en) * 2001-10-24 2008-04-29 Bea Systems, Inc. System and method for XML data representation of portlets
US7325248B2 (en) 2001-11-19 2008-01-29 Stonesoft Corporation Personal firewall with location dependent functionality
US7360242B2 (en) * 2001-11-19 2008-04-15 Stonesoft Corporation Personal firewall with location detection
US20060036701A1 (en) * 2001-11-20 2006-02-16 Bulfer Andrew F Messaging system having message filtering and access control
US7194464B2 (en) 2001-12-07 2007-03-20 Websense, Inc. System and method for adapting an internet filter
US7350226B2 (en) 2001-12-13 2008-03-25 Bea Systems, Inc. System and method for analyzing security policies in a distributed computer network
DE60104876T2 (en) * 2001-12-18 2004-12-23 Stonesoft Corp. Checking the configuration of a firewall
US7130921B2 (en) 2002-03-15 2006-10-31 International Business Machines Corporation Centrally enhanced peer-to-peer resource sharing method and apparatus
US7120691B2 (en) 2002-03-15 2006-10-10 International Business Machines Corporation Secured and access controlled peer-to-peer resource sharing method and apparatus
US7209449B2 (en) * 2002-03-27 2007-04-24 Intel Corporation Systems and methods for updating routing and forwarding information
US7185365B2 (en) * 2002-03-27 2007-02-27 Intel Corporation Security enabled network access control
US20030212901A1 (en) * 2002-05-13 2003-11-13 Manav Mishra Security enabled network flow control
US20030212900A1 (en) * 2002-05-13 2003-11-13 Hsin-Yuo Liu Packet classifying network services
EP1575230B1 (en) * 2002-11-29 2011-01-12 Freebit Co., Ltd. Server for routing connection to client device
JP4120415B2 (en) * 2003-02-10 2008-07-16 株式会社日立製作所 Traffic control computer
US7490348B1 (en) 2003-03-17 2009-02-10 Harris Technology, Llc Wireless network having multiple communication allowances
US7325002B2 (en) * 2003-04-04 2008-01-29 Juniper Networks, Inc. Detection of network security breaches based on analysis of network record logs
EP1480406A1 (en) * 2003-05-19 2004-11-24 Sony International (Europe) GmbH Confinement of data transfers to a local area network
US20040240447A1 (en) * 2003-05-28 2004-12-02 Dorbolo Riccardo G. Method and system for identifying bidirectional packet flow
US7359983B1 (en) * 2003-06-24 2008-04-15 Nvidia Corporation Fragment processing utilizing cross-linked tables
US7644432B2 (en) * 2003-10-10 2010-01-05 Bea Systems, Inc. Policy inheritance through nested groups
US20050257245A1 (en) * 2003-10-10 2005-11-17 Bea Systems, Inc. Distributed security system with dynamic roles
US20050102536A1 (en) * 2003-10-10 2005-05-12 Bea Systems, Inc. Dynamically configurable distributed security system
US7844731B1 (en) * 2003-11-14 2010-11-30 Symantec Corporation Systems and methods for address spacing in a firewall cluster
US7472185B2 (en) * 2004-01-05 2008-12-30 International Business Machines Corporation Method and apparatus for scaling a user interface adaptively to an object discovery/display system with policy driven filtering
US20050228848A1 (en) * 2004-03-22 2005-10-13 Thurston Stacy D Method and system for operating a peer network
CN1934844B (en) * 2004-04-23 2010-12-01 松下电器产业株式会社 Server apparatus, client apparatus and network system
FR2872983A1 (en) * 2004-07-09 2006-01-13 Thomson Licensing Sa FIREWALL PROTECTION SYSTEM FOR A COMMUNITY OF APPLIANCES, APPARATUS PARTICIPATING IN THE SYSTEM AND METHOD FOR UPDATING FIREWALL RULES WITHIN THE SYSTEM
GB2416879B (en) 2004-08-07 2007-04-04 Surfcontrol Plc Device resource access filtering system and method
GB2418037B (en) 2004-09-09 2007-02-28 Surfcontrol Plc System, method and apparatus for use in monitoring or controlling internet access
GB2418108B (en) * 2004-09-09 2007-06-27 Surfcontrol Plc System, method and apparatus for use in monitoring or controlling internet access
GB2418999A (en) * 2004-09-09 2006-04-12 Surfcontrol Plc Categorizing uniform resource locators
US8078707B1 (en) * 2004-11-12 2011-12-13 Juniper Networks, Inc. Network management using hierarchical domains
JP4168052B2 (en) * 2005-04-01 2008-10-22 株式会社日立製作所 Management server
US7577151B2 (en) * 2005-04-01 2009-08-18 International Business Machines Corporation Method and apparatus for providing a network connection table
US8250229B2 (en) * 2005-09-29 2012-08-21 International Business Machines Corporation Internet protocol security (IPSEC) packet processing for multiple clients sharing a single network address
KR100819036B1 (en) * 2005-12-08 2008-04-02 한국전자통신연구원 Traffic Authentication Equipment using Packet Header Information and Method thereof
WO2007072245A2 (en) * 2005-12-21 2007-06-28 Koninklijke Philips Electronics N.V. Dynamic firewall rule definition
US8615800B2 (en) 2006-07-10 2013-12-24 Websense, Inc. System and method for analyzing web content
US8020206B2 (en) * 2006-07-10 2011-09-13 Websense, Inc. System and method of analyzing web content
AU2007303531B2 (en) 2006-09-29 2011-03-03 Nomadix, Inc. Systems and methods for injecting content
US10255445B1 (en) * 2006-11-03 2019-04-09 Jeffrey E. Brinskelle Identifying destinations of sensitive data
US8484733B2 (en) * 2006-11-28 2013-07-09 Cisco Technology, Inc. Messaging security device
US9654495B2 (en) 2006-12-01 2017-05-16 Websense, Llc System and method of analyzing web addresses
EP1931099A1 (en) * 2006-12-04 2008-06-11 Alcatel Lucent Method for managing a communication between a server device and a customer device
JP5424008B2 (en) * 2006-12-19 2014-02-26 日本電気株式会社 Shared information management method and system
GB2445764A (en) * 2007-01-22 2008-07-23 Surfcontrol Plc Resource access filtering system and database structure for use therewith
US8015174B2 (en) 2007-02-28 2011-09-06 Websense, Inc. System and method of controlling access to the internet
GB0709527D0 (en) 2007-05-18 2007-06-27 Surfcontrol Plc Electronic messaging system, message processing apparatus and message processing method
US8416773B2 (en) * 2007-07-11 2013-04-09 Hewlett-Packard Development Company, L.P. Packet monitoring
US8199916B2 (en) * 2007-12-26 2012-06-12 International Business Machines Corporation Selectively loading security enforcement points with security association information
US9648039B1 (en) * 2008-01-24 2017-05-09 RazorThreat, Inc. System and method for securing a network
CN102077201A (en) 2008-06-30 2011-05-25 网圣公司 System and method for dynamic and real-time categorization of webpages
EP2141858B1 (en) * 2008-06-30 2014-11-26 Alcatel Lucent Method for managing a communication between a server device and a customer device
US20100054128A1 (en) * 2008-08-29 2010-03-04 O'hern William Near Real-Time Alerting of IP Traffic Flow to Subscribers
US8103600B1 (en) * 2009-02-23 2012-01-24 The United States Of America As Represented By The Secretary Of The Navy Graphic user interface having menus for display of context and syntax useful in an artificial intelligence system
US9130972B2 (en) 2009-05-26 2015-09-08 Websense, Inc. Systems and methods for efficient detection of fingerprinted data and information
US20110030037A1 (en) 2009-07-07 2011-02-03 Vadim Olshansky Zone migration in network access
US9117054B2 (en) 2012-12-21 2015-08-25 Websense, Inc. Method and aparatus for presence based resource management
US10410015B2 (en) 2017-05-18 2019-09-10 Linden Research, Inc. Systems and methods to secure personally identifiable information
US10476674B2 (en) 2017-05-18 2019-11-12 Linden Research, Inc. Systems and methods to secure searchable data having personally identifiable information

Family Cites Families (6)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US5473607A (en) * 1993-08-09 1995-12-05 Grand Junction Networks, Inc. Packet filtering for data networks
US5606668A (en) * 1993-12-15 1997-02-25 Checkpoint Software Technologies Ltd. System for securing inbound and outbound data packet flow in a computer network
DK0767646T3 (en) * 1994-06-30 1999-12-20 Procter & Gamble Fluid-permeable tissue exhibiting a surface energy gradient
WO1996005549A1 (en) * 1994-08-09 1996-02-22 Shiva Corporation Apparatus and method for restricting access to a local computer network
US5623601A (en) * 1994-11-18 1997-04-22 Milkway Networks Corporation Apparatus and method for providing a secure gateway for communication and data exchanges between networks
SE504546C2 (en) * 1995-08-21 1997-03-03 Telia Ab Arrangement for network access via the telecommunications network through a remote controlled filter

Cited By (2)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US6779118B1 (en) 1998-05-04 2004-08-17 Auriq Systems, Inc. User specific automatic data redirection system
USRE46459E1 (en) 1998-05-04 2017-06-27 Linksmart Wireless Technology, Llc User specific automatic data redirection system

Also Published As

Publication number Publication date
EP0854621B1 (en) 2004-08-25
JPH10229418A (en) 1998-08-25
CA2226814C (en) 2003-03-25
EP0854621A1 (en) 1998-07-22
MX9800399A (en) 1998-10-31
JP3814068B2 (en) 2006-08-23
DE69825801T2 (en) 2005-09-01
US6233686B1 (en) 2001-05-15
DE69825801D1 (en) 2004-09-30

Similar Documents

Publication Publication Date Title
CA2226814A1 (en) System and method for providing peer level access control on a network
WO2000002114A3 (en) Firewall apparatus and method of controlling network data packet traffic between internal and external networks
CA2249787A1 (en) Methods and apparatus for accelerating osi layer 3 routers
ATE307449T1 (en) METHOD FOR PACKET AUTHENTICATION IN THE PRESENCE OF NETWORK ADDRESS TRANSLATIONS AND PROTOCOL CONVERSIONS
WO1997040610A3 (en) Internet protocol filter
WO2003023638A3 (en) Topology discovery by partitioning multiple discovery techniques
CA2272054A1 (en) A method and apparatus for filtering packets using a dedicated processor
GB2394866B (en) Arrangements and method in mobile internet communications systems
US20060272013A1 (en) Firewall protection for wireless users
EP1063830A1 (en) Method, devices and signals for multiplexing payload data in a data network
ATE400121T1 (en) SYSTEM AND METHOD FOR SELF-CONFIGURATION AND DISCOVERY OF IP-TO-MAC ADDRESS MAP AND GATEWAY PRESENCE
WO1997002734A3 (en) Internet protocol (ip) work group routing
DE69328749D1 (en) Dynamic signal routing
WO2003073626A3 (en) Method and process for signaling, communication and administration of networked objects
CA2379630A1 (en) Method of communications routing
CA2094405A1 (en) Methods and Apparatus for Routing Packets in Packet Transmission Networks
WO2000051290A3 (en) Multi-service network switch
CA2426609A1 (en) Method for geolocating logical network addresses
NZ331324A (en) Updated address for network name site retrieved from service control point
WO2002086715A3 (en) Integrated procedure for partitioning network data services among multiple subscribers
CA2276577A1 (en) Method and apparatus for routing in a communication or data network, or a network comprising communication and data networks
CA2110091A1 (en) Composite Communication Network
AU6082199A (en) Intelligent data network router
Cisco VINES Commands
Cisco Banyan VINES Commands

Legal Events

Date Code Title Description
EEER Examination request
MKLA Lapsed

Effective date: 20170112