WO2012130523A1 - A method for providing a firewall rule and a corresponding system - Google Patents


Info

Publication number: WO2012130523A1
Application number: PCT/EP2012/052609
Authority: WO (WIPO, PCT)
Prior art keywords: rule, firewall, flow, network, lower layer
Other languages: French (fr)
Inventors: Felipe Huici, Mohamed Ahmed, Saverio Niccolini
Original assignee: Nec Europe Ltd.

Classifications

All classifications are under H (Electricity), H04 (Electric communication technique), H04L (Transmission of digital information, e.g. telegraphic communication):

    • H04L 63/0263 Rule management (under H04L 63/00 Network security; H04L 63/02 Separating internal from external traffic, e.g. firewalls; H04L 63/0227 Filtering policies)
    • H04L 63/16 Implementing security features at a particular protocol layer
    • H04L 63/029 Firewall traversal, e.g. tunnelling or creating pinholes
    • H04L 43/026 Capturing of monitoring data using flow identification (under H04L 43/00 Monitoring or testing data switching networks; H04L 43/02 Capturing of monitoring data)
    • H04L 43/028 Capturing of monitoring data by filtering
    • H04L 45/306 Route determination based on the nature of the carried application (under H04L 45/00 Routing or path finding of packets; H04L 45/302 Route determination based on requested QoS)
    • H04L 45/38 Flow based routing

Definitions

  • According to a further embodiment, step c) (analyzing the firewall rule) includes extracting policy information, and/or step e) (generating the lower and higher layer rules) includes imposing that policy information on the generated lower layer rule and/or higher layer rule.
  • Extracting policy information from the firewall rule means, for example, that the policy information is separated out and stored before the firewall rule is decomposed. When the lower layer rule and/or the higher layer rule are generated, the extracted policy information is then used as additional input to the generation process, ensuring that the overall policy of the original firewall rule still holds after decomposition and generation.
  • This provides a very flexible and reliable method for providing firewall rules to a flow-based switch.
  • According to a further embodiment, network flow identity information is generated and provided to the firewall device.
  • According to a further embodiment, the network flow identity information is generated by rewriting the MAC address header of a network flow.
  • The rewriting of the MAC address may, for example, be performed on a network flow entering the flow-based switch, so that when the flow is subsequently passed through the firewall device, the firewall device can easily identify the rewritten MAC address and therefore the higher layer rule to be applied to that network flow.
  • The network flow is then filtered, or "firewalled", by the firewall device according to the higher layer rule.
  • According to a further embodiment, the network flow identity information is encapsulated in the network flow. Encapsulating the identity information avoids the problems caused by rewriting a MAC address. Encapsulation may be performed, for example, by IP-in-IP encapsulation: the flow-based switch adds an extra IP header to the data packets that signals which higher layer rule entry applies to the flow, and the firewall device strips off the extra IP header after filtering the network flow according to that rule. Devices connected behind the firewall device never see this additional information, so the disturbance of network traffic that a rewritten MAC address would cause is avoided.
  • According to a further embodiment, the lower layer protocol is based on the Open Flow protocol.
  • The Open Flow protocol provides an easy-to-use and cost-effective protocol for programming flow-based switches and for filtering and/or routing network flows.
  • the firewall rule decomposition device comprises a rule parser for syntax checking of the firewall rule and a rule generator for generating at least one lower layer rule and at least one higher layer rule.
  • the rule parser ensures that input firewall rules to be used for decomposition are syntactically correct and correspond to a previously given format or syntax so that they can be decomposed by the rule generator correctly.
  • The rule generator performs the decomposition of the firewall rule according to the lower layer protocol and the higher layer protocol. This provides a reliable generation of higher layer and/or lower layer rules and avoids network or firewall security problems caused by an incorrect decomposition or an incorrect generation of lower layer and/or higher layer rules.
  • the rule generator is a compiler operable to provide lexical analysis, parsing, semantic analysis and/or code generation for the lower layer rule and/or for the higher layer rule.
  • a compiler provides a simple and easy-to-use generator for the lower layer rules and/or higher layer rules.
  • According to a further embodiment, the switch device is designed to add network flow identity information to a flow. This enables the firewall device to identify a network flow that has already been pre-filtered by the flow-based switch according to the lower layer rule, avoiding unnecessary work on the firewall device and providing a reliable association between the higher layer rules and a network flow that has been routed according to a lower layer rule.
  • According to a further embodiment, the layer of the lower layer rule corresponds to OSI layers equal to or smaller than four and the layer of the higher layer rule corresponds to OSI layers greater than five.
  • This split of the layers makes it easy to decompose traffic handling into lower and higher layer protocols: the entries that filter in the flow-based switch device via the Open Flow protocol are defined on the lower layers up to and including the transport layer (layer four in the OSI model), and everything above is left to the firewall device.
  • According to a further embodiment, the firewall rule decomposition device is designed to generate the lower layer rule and the higher layer rule according to a predefined rule generation policy.
  • A rule generation policy may, for example, include constraints on how to decompose a firewall rule and how to generate the lower layer rules and higher layer rules. It is also possible to extract policy information from the firewall rule in its original state and to impose that policy information on the generated lower layer rule and higher layer rule.
  • According to a further embodiment, the rule generation policy is a NAT (network address translation) integrity policy. Other rule generation policies are also possible.
  • According to a further embodiment, the switch device is designed to add the network flow identity information by rewriting the MAC header of the network flow and/or by encapsulation, preferably by adding an extra header to the network flow.
  • Rewriting the MAC address is a very easy-to-handle way of carrying network flow identity information from the flow-based switch to the firewall device: the firewall device can then easily recognize from the rewritten MAC address which second rule to apply to the network flow.
  • When the network flow identity information is encapsulated in the network flow, the firewall device must analyze the additional information, for example an extra header added to the corresponding network flow. This avoids the problems that arise for devices on the downstream side of the firewall device when a MAC address is rewritten.
  • Fig. 1 shows schematically a method according to a first embodiment of the present invention
  • Fig. 2 shows a schematically view of a method according to a second embodiment of the present invention.
  • Fig. 1 shows a firewall rule decomposition device in the form of a rule engine comprising a rule parser, for syntax checking and for checking whether the input firewall rules correspond to a pre-given format that can be decomposed, and a rule generator for generating lower layer rules and higher layer rules.
  • The rule engine takes as input one or more predefined firewall syntaxes; the firewall syntax defines the grammar of the input firewall rules.
  • An Open Flow syntax is likewise given as input to the rule engine, to define the Open Flow protocol entries produced by the rule generator.
  • A rule engine policy is used to impose predefined constraints on the decomposition and on the generation of Open Flow entries and of rules for the firewall device.
  • Such constraints may include information on how to decompose or generate certain rules as well as overall policy information, for example rules which must not be decomposed.
  • The firewall device is, in Fig. 1, an upper-layer firewall processor, in particular a network processor. To off-load as much firewall processing as possible to the flow-based switch device, the firewall rule to be decomposed should be as specific as possible.
  • Based on the input firewall rules, the rule engine policy, the Open Flow syntax and the firewall syntax, the rule generator produces two sets of new rules: at least one for the flow-based switch and at least one for the upper layer firewall processor.
  • In Fig. 1 the rule for the flow-based switch corresponds to OSI layers equal to or smaller than four, whereas the rule for the firewall device corresponds to OSI layers greater than five.
  • The rule generator of Fig. 1 may include, or be used to define, a compiler that performs lexical analysis, parsing, semantic analysis and code generation.
  • Lexical analysis is performed on the input firewall rules to create language tokens, from which an abstract syntax tree (AST) is built. The AST is then translated, using a context-free grammar definition of the Open Flow rule structure together with a token look-up table, from the firewall rule language into the two sets of new rules: those for the flow-based switch and those for the upper layer firewall processor.
  • Elements of the Open Flow rule structure (AST) used by the rule generator:
        OF_RULE         PKT MATCH ⁇ ACTION ⁇
        MATCH_OP_1      WILD_CARD
        MATCH_FILTER_1  INPORT
        MATCH_FILTER_2  ESRC
  • If the firewall rule is given in iptables form (iptables being the userspace application for configuring the tables of the Linux kernel firewall), for example an iptables rule dropping all TCP packets on port 25 to IP address 192.168.1.100, the rule may be mapped from its iptables form into the Open Flow rule structure shown above as follows: IPTABLES:
  • Fig. 2 shows an Open Flow based switch 1 comprising a switch device 2 and an upper layer firewall processor ULFP.
  • As an example, a firewall rule to be installed on the Open Flow based switch 1 consists of blocking all traffic from source IP address 173.194.70.93 going to http://www.youtube.com, which in a format resembling the netfilter format would read: block ip 173.194.70.93 proto tcp port 80 url youtube.com.
  • The firewall rule is inserted into the upper layer firewall processor ULFP, where the decomposition is performed by a firewall rule decomposition device DEC.
  • The firewall rule decomposition device DEC splits the firewall rule into an Open Flow entry 6 for the switch device 2, matching HTTP packets from the given source IP address, and a rule for the upper layer firewall processor ULFP matching youtube traffic.
  • These two rules are installed in the Open Flow entry table 4 of the switch device 2 and in the upper layer firewall processor table 5 of the ULFP, respectively.
  • The firewall rule decomposition device DEC adds to the action of the Open Flow entry an operation for the benefit of the upper layer firewall processor ULFP, namely a MAC header rewrite.
  • The upper layer firewall processor rule may include a number representing the Open Flow switch port on which the flow is to be sent out after filtering.
  • The header addition or marking is used by the upper layer firewall processor ULFP to identify which higher layer rule corresponds to a flow arriving from the switch device 2; the flows must therefore be labeled in such a way that the ULFP can distinguish between them.
  • When the marking is carried by encapsulation, in particular IP-in-IP, the switch device 2 adds an extra IP header to the packets to signal the entry in table 5 that holds the higher layer rule of the upper-layer firewall processor ULFP. After identifying the higher layer rule corresponding to the incoming flow, the ULFP, in particular its demultiplex device DEMUX, strips off the addition or marking.
  • The flow-based switch device and the firewall device may also be separate devices, for example with the upper-layer firewall processor ULFP implemented in an external entity such as an Open Flow controller that controls the Open Flow based switch device.
  • One advantage of the invention is that the system and the method for providing a firewall rule perform matching at line rate on the lower (transport and below) layers for all flows, and higher layer matching on a subset of flows, also at line rate, thereby balancing the work load between the switch and the firewall.
  • A further advantage is that the invention provides a simple and light-weight mechanism for traversing firewalls: a single entry in the Open Flow entry table for the flow to be let through suffices.
  • A further advantage is that low layer rules can be matched quickly, in particular when they are Open Flow entries, because of the prioritization scheme in which entries specifying an exact match (no wildcards) rank highest.
  • A further advantage is that the method and the system are inexpensive while still providing higher order, expressive firewall rules and firewall traversal capabilities.
  • Further advantages and inventive steps of the system and the method for filtering network traffic according to the present invention are: a) off-loading firewall processing to a flow-based switch, preferably programmable and/or Open Flow based, by decomposing a firewall rule; b) allowing firewall traversal for the rules off-loaded to a flow-based switch; c) using the line-rate forwarding capability of inexpensive flow-based switches, preferably programmable and/or Open Flow based, while still providing expressive firewall rules, including firewall traversal capabilities; and d) resolving the limitation of using very simple Open Flow entries for low-level firewalling, e.g. blocking all traffic to a specific TCP port.
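The following is a simulated data plane for the arrangement of Fig. 2 and for the firewall-traversal entries described above. It is an example added to this page; it is not code from the patent or from NEC. The port numbers, the marker MAC and IP values, the packet fields (including a "host" field standing in for the HTTP Host header), the dict-based entry format and the fail-closed handling of unknown markings are assumptions of this example. It shows the switch table selecting the highest-priority (most exact) entry, flow identity being added either by MAC rewrite or by IP-in-IP encapsulation, the ULFP demultiplexing on that identity and stripping the extra header, and the side effect the description warns about: with MAC rewrite the packet the ULFP forwards still carries the marker address, whereas with encapsulation the original frame is restored.

```python
# Added example, not the patent's code: switch table + marking + ULFP of Fig. 2.
# Ports, marker values, packet fields and rule formats are assumptions.
ULFP_PORT = 7                     # assumed switch port leading to the ULFP
LAN_PORT = 1                      # assumed port towards the protected hosts
MARK_MAC = "02:00:00:00:00:01"    # marker MAC naming higher-layer rule 1 (assumed scheme)
MARK_IP = "10.255.0.1"            # outer IP-in-IP destination naming the same rule (assumed)


def matches(match, pkt):
    """OpenFlow-style match: every field in `match` must equal the packet's value;
    a field absent from `match` is a wildcard."""
    return all(pkt.get(field) == value for field, value in match.items())


def switch_lookup(table, pkt):
    """Winning entry: highest priority first; among equal priorities the entry
    with more matched fields (closest to an exact match) wins."""
    hits = [e for e in table if matches(e["match"], pkt)]
    return max(hits, key=lambda e: (e["priority"], len(e["match"]))) if hits else None


def switch_forward(table, pkt):
    """Apply the winning entry's actions. Returns (out_port, frame); the frame may
    carry flow identity added by MAC rewrite or IP-in-IP. Miss or drop -> (None, None)."""
    entry = switch_lookup(table, pkt)
    if entry is None:
        return None, None
    frame, out_port = dict(pkt), None
    for action in entry["actions"]:
        if action == "drop":
            return None, None
        kind, arg = action
        if kind == "set_dl_dst":          # flow identity by rewriting the MAC header
            frame["dl_dst"] = arg
        elif kind == "encap_ipip":        # flow identity by an extra (outer) IP header
            frame = {"outer": {"nw_dst": arg, "nw_proto": 4}, "inner": frame}
        elif kind == "output":
            out_port = arg
    return out_port, frame


def ulfp_demux(frame):
    """DEMUX: recover the marking that names the higher-layer rule and, for
    IP-in-IP, strip the outer header so downstream sees the original packet."""
    if "outer" in frame:
        return ("ipip", frame["outer"]["nw_dst"]), frame["inner"]
    return ("mac", frame["dl_dst"]), frame


def ulfp_filter(higher_rules, frame):
    """Apply the higher-layer rule selected by the marking; an unknown marking
    fails closed (assumption). Returns (verdict, out_port, packet)."""
    key, pkt = ulfp_demux(frame)
    rule = higher_rules.get(key)
    if rule is None or rule["predicate"](pkt):
        return "drop", None, None
    return "forward", rule["out_port"], pkt


def process(table, higher_rules, pkt):
    """Run one packet through the switch and, if steered there, the ULFP.
    Returns (verdict, out_port, dl_dst as seen by the next hop)."""
    port, frame = switch_forward(table, pkt)
    if port is None:
        return "drop", None, None
    if port != ULFP_PORT:
        return "forward", port, frame["dl_dst"]
    verdict, out_port, fwd = ulfp_filter(higher_rules, frame)
    return verdict, out_port, (fwd["dl_dst"] if fwd else None)


def build_tables(marking):
    """Switch table and ULFP rules for the Fig. 2 rule 'block ip 173.194.70.93
    proto tcp port 80 url youtube.com', a blanket low-priority UDP drop, and an
    exact-match traversal entry for one SIP flow. marking: 'mac' or 'ipip'."""
    if marking == "mac":
        mark, key = ("set_dl_dst", MARK_MAC), ("mac", MARK_MAC)
    else:
        mark, key = ("encap_ipip", MARK_IP), ("ipip", MARK_IP)
    table = [
        {"priority": 100, "match": {"nw_src": "173.194.70.93", "nw_proto": 6, "tp_dst": 80},
         "actions": [mark, ("output", ULFP_PORT)]},          # lower-layer part -> ULFP
        {"priority": 10, "match": {"nw_proto": 17}, "actions": ["drop"]},   # wildcard UDP drop
        {"priority": 1000, "match": {"nw_src": "192.0.2.10", "nw_dst": "198.51.100.5",
                                     "nw_proto": 17, "tp_src": 5060, "tp_dst": 5060},
         "actions": [("output", LAN_PORT)]},                 # traversal: exact SIP 5-tuple
        {"priority": 0, "match": {}, "actions": [("output", LAN_PORT)]},    # default forward
    ]
    higher = {key: {"predicate": lambda p: p["host"].endswith("youtube.com"),
                    "out_port": LAN_PORT}}                   # only the URL check is left
    return table, higher


# Constructed packets, not captured traffic.
PACKETS = {
    "youtube": {"dl_dst": "aa:bb:cc:dd:ee:01", "nw_src": "173.194.70.93", "nw_dst": "10.1.1.20",
                "nw_proto": 6, "tp_src": 51000, "tp_dst": 80, "host": "www.youtube.com"},
    "other_http": {"dl_dst": "aa:bb:cc:dd:ee:01", "nw_src": "173.194.70.93", "nw_dst": "10.1.1.20",
                   "nw_proto": 6, "tp_src": 51001, "tp_dst": 80, "host": "www.example.com"},
    "sip": {"dl_dst": "aa:bb:cc:dd:ee:02", "nw_src": "192.0.2.10", "nw_dst": "198.51.100.5",
            "nw_proto": 17, "tp_src": 5060, "tp_dst": 5060, "host": ""},
    "dns": {"dl_dst": "aa:bb:cc:dd:ee:02", "nw_src": "192.0.2.10", "nw_dst": "198.51.100.9",
            "nw_proto": 17, "tp_src": 40000, "tp_dst": 53, "host": ""},
}


def run(marking):
    """Process every constructed packet; returns {name: (verdict, port, dl_dst)}."""
    table, higher = build_tables(marking)
    return {name: process(table, higher, pkt) for name, pkt in PACKETS.items()}


if __name__ == "__main__":
    for marking in ("mac", "ipip"):
        print(marking, run(marking))
```

Compare run("mac")["other_http"] with run("ipip")["other_http"]: both forward the packet, but only the encapsulated variant hands the next hop the original destination MAC. The SIP packet never reaches the ULFP at all because its exact-match entry outranks the wildcard UDP entry, which is exactly the traversal mechanism the description relies on.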

Abstract

The invention relates to a method for providing a firewall rule comprising the steps of
a) defining a firewall rule for filtering network traffic,
b) providing a lower layer network protocol and a higher layer network protocol,
c) analyzing the firewall rule,
d) decomposing the analyzed firewall rule,
e) generating at least one lower layer rule according to the lower layer network protocol and at least one higher layer rule according to the higher layer protocol from the decomposed firewall rule,
f) providing the generated lower layer rule to a flow-based switch device for routing network traffic according to the generated lower layer rule and the generated higher layer rule to a firewall device for filtering network traffic according to the higher layer rule.

Description

A METHOD FOR PROVIDING A FIREWALL RULE AND A CORRESPONDING SYSTEM
The present invention relates to a method for providing a firewall rule and a corresponding system.
Network and computer security is today a crucial point in the computer industry: it is used to protect single computers or company network infrastructure against threats from the public internet. Large local area networks, such as company networks, use in-network firewalls to protect network flows and to ensure the reliability and resilience of the company network, so as to protect the end-users and their computers within the network. Such firewalls are used for a variety of important tasks, including dropping malicious traffic targeted at end-users, black-holing traffic originating from a malicious or compromised host, intercepting malicious control traffic, in particular botnet signaling traffic or the like, or blocking specific services such as internet community services, e.g. Facebook, LinkedIn, etc.
Due to the enormous growth in the volume of global internet traffic, network operators have to use more powerful and expensive firewall devices to cope with the increasing traffic load. To reduce costs, programmable networks are used. Programmable networks are realized through programmable, flow-based commodity network switches. An example is the so-called Open Flow protocol and the switches capable of processing it. Such switches are typically used to decide whether or not to route flows through a network.
A flow-based switch capable of processing flows includes a memory in which a table of flow entries is kept, preferably according to the Open Flow protocol standard. Each flow entry defines a filter that is matched against incoming network flows and an action to be applied to flows matching the filter criteria. An example of a filter would state "drop any flow destined to y".
Based on the rules/filters specified in the flow entries, a flow-based switch applies actions to the traffic passing through it. To install and/or delete entries on the flow-based switch, an external controller may be used; the communication between the external controller and the flow-based switch may also use the Open Flow protocol. However, the Open Flow protocol supports matching of flows only on lower layer protocols, and only as either wildcard or exact matches of the entries in the Open Flow table against the flow data. Using only the primitives specified by the Open Flow protocol, filtering of network traffic, in particular firewalling, is therefore possible only at a rudimentary level.
It is therefore an objective of the present invention to provide a filtering method for network traffic and a corresponding system which enables more advanced and/or more flexible firewall rules.
It is a further objective of the present invention to provide a filtering method for network traffic and a corresponding system, which reduces the load for processing network traffic in a firewall device. It is even a further objective of the present invention to provide a filtering method and a system for network traffic which is easy to use and cost-effective.
In accordance with the invention the aforementioned objectives are accomplished by the method of claim 1 and the system of claim 8.
According to claim 1 a method for providing a firewall rule comprises the steps of a) defining a firewall rule for filtering network traffic, b) providing a lower layer network protocol and a higher layer network protocol,
c) analyzing the firewall rule,
d) decomposing the analyzed firewall rule,
e) generating at least one lower layer rule according to the lower layer network protocol and at least one higher layer rule according to the higher layer protocol from the decomposed firewall rule,
f) providing the generated lower layer rule to a flow-based switch device for routing network traffic according to the generated lower layer rule and the generated higher layer rule to a firewall device for filtering network traffic according to the higher layer rule.
According to claim 8 a system for providing a firewall rule, preferably for carrying out a method according to one of the claims 1 -7, comprises a flow-based switch device for routing network traffic according to at least one first rule and a firewall device for filtering network traffic according to at least one second rule, and is characterized in that the system further comprises a firewall rule decomposition device, wherein the firewall rule decomposition device is operable to decompose a firewall rule and to generate at least one lower layer rule according to a lower layer network protocol and at least one higher layer rule according to a higher layer network protocol from the decomposed firewall rule and to provide the generated lower layer rule to a flow-based switch device for processing traffic according to the lower layer rule and the generated higher layer rule to a firewall device for filtering network traffic according to the higher layer rule.
According to the present invention it has first been recognized that the method and the system for providing a firewall rule provide reduced work load for a firewall device when filtering network traffic according to a firewall rule. According to the present invention it has been further first recognized, that the method and the system provide a more flexible and easy programming of firewall rules for filtering network traffic. According to the present invention it has further been first recognized that the method and system provide a simple and easy-to-use mechanism for firewall traversal. According to the present invention it has further been first recognized that the method and the system are cost-effective with regard to execution of the method respectively the manufacture of the system.
In particular in the case of an Open Flow based switch with an embedded network processor, the method and the system according to the present invention match the capabilities of the hardware very well. The Open Flow based switch may perform matching at line-rate of lower layer rules but cannot match higher layers. The network processor, in particular an upper-layer firewall processor, is able to match higher layer rules rather than lower layer rules. The method and the system for providing a firewall rule of the present invention matches these capabilities using a switch device for matching lower layer rules at line-rate on all flows while it leverages the network processor to perform matching of higher layer rules on a subset of flows at line-rate too. The present invention provides in particular a method and a system for firewall traversal for rules off-loaded to a flow-based switch. Since operators tend to add increasingly stringent and strict firewall rules to protect their networks, for example a company internal network, the level of protection cannot be increased over a certain threshold. Otherwise this might lead to blocking benign network traffic: for instance, SIP-based Voice-Over-IP- calls might fail when traversing a corresponding firewall.
In contrast to conventional methods like Session Traversal Utilities for NAT (STUN) or the like for firewall traversal, the method and the system for providing a firewall rule provide a simple and light-weight mechanism for firewall traversal: a specific entry, preferably an Open Flow entry, for the flow that should be allowed to traverse the firewall is inserted. The entries, preferably the Open Flow entries, may be processed based on a prioritization scheme in which entries specifying an exact match, i.e. no wildcards, have the highest priority. Therefore, an entry installed to specify firewall traversal is quickly matched, and the corresponding matched flow is forwarded without affecting its performance. Higher layer rules for traversal may then be handled or processed by the firewall device. One of the ideas of the present invention is to specify a firewall rule, e.g. in iptables format, and break it down into a set of flow entries, preferably Open Flow entries, which are then installed on a programmable switch device and represent the parts of the firewall rule corresponding to OSI-layers equal to or smaller than four, and into a higher layer rule, which is inserted into a firewall device, preferably an upper-layer firewall processor. Such a decomposition preferably takes care of resolving firewall rules that require a more flexible matching in lower layers by breaking the firewall rule down to a lower layer, preferably smaller than OSI-layer four: for example, a firewall rule needs to match all TCP packets with port range 1024-2048 from a certain IP address. The firewall rule is then decomposed in such a way that a flow entry, preferably an Open Flow entry, is generated directing all TCP traffic from the IP address defined in the firewall rule to a firewall device, preferably an upper-layer firewall processor. The upper-layer firewall processor then filters only those TCP packets in the port range according to the firewall rule.
According to a preferred embodiment the method includes the step of checking a syntax of the firewall rule. This avoids incorrect firewall rules which cannot be processed, or cannot be processed completely, by a firewall rule decomposition device. Such rules might not only lead to an ineffective decomposition of the firewall rule but also to a lowered security level for the network to be protected by the firewall, due to an at least temporarily misconfigured firewall device.
According to a further preferred embodiment step c) includes extracting policy information and/or step e) includes the step of imposing policy information on the generated lower layer rule and/or higher layer rule. Extracting policy information from the firewall rule provides, for example, that policy information may be separated and stored before a firewall rule is decomposed. When generating a lower layer rule and/or a higher layer rule, this extracted policy information may then be used as additional information during the generation process of the lower layer rule and/or the higher layer rule, ensuring that the overall policy of the original firewall rule is still valid after the decomposition and the subsequent generation process. This provides a very flexible and reliable method for providing firewall rules to a flow-based switch. According to a further preferred embodiment network flow identity information is generated and provided to the firewall device. This enables the firewall device to match a higher layer rule more easily to a given network flow which was processed in a switch device according to a lower layer rule, so that the firewall device is able to filter, or "firewall", network flows according to the higher layer rule with an even further decreased work load.
According to a further preferred embodiment the network flow identity information is generated by rewriting a MAC address header of a network flow. The rewriting of the MAC address may for example be performed on a network flow entering a flow-based switch, so that, when subsequently transferring a flow through a firewall device, the firewall device may easily identify the rewritten MAC address and therefore the higher layer rule to be applied to the corresponding network flow. The network flow is then filtered or "firewalled" by the firewall device according to the higher layer rule.
According to a further preferred embodiment the network flow identity information is encapsulated in the network flow. Encapsulation of the network flow identity information in the network flow avoids problems when rewriting a MAC address. Encapsulation may be performed, for example, by an IP-in-IP encapsulation, whereby the flow-based switch adds an extra IP header to data packets to signal an entry for the network flow, and the firewall device strips off the extra IP header after filtering or firewalling the corresponding network flow according to the higher layer rule. Devices connected to the firewall device do not receive this additional information, and so disturbing network traffic due to a rewritten MAC address is avoided.
According to a further preferred embodiment the lower layer protocol is based on the Open Flow protocol. The Open Flow protocol provides an easy-to-use and cost-effective protocol for programming flow-based switches and further for filtering and/or routing network flows.
According to a preferred embodiment of a system according to claim 8 the firewall rule decomposition device comprises a rule parser for syntax checking of the firewall rule and a rule generator for generating at least one lower layer rule and at least one higher layer rule. The rule parser ensures that input firewall rules to be used for decomposition are syntactically correct and correspond to a previously given format or syntax, so that they can be decomposed correctly by the rule generator. The rule generator performs the decomposition of the firewall rule according to the lower layer protocol and the higher layer protocol. This provides a reliable generation of higher layer and/or lower layer rules, avoiding network or firewall security problems due to a partially incorrect decomposition or generation of lower layer and/or higher layer rules.
According to a further preferred embodiment the rule generator is a compiler operable to provide lexical analysis, parsing, semantic analysis and/or code generation for the lower layer rule and/or for the higher layer rule. A compiler provides a simple and easy-to-use generator for the lower layer rules and/or higher layer rules.
According to a further preferred embodiment the switch device is formed such to add network flow identity information to a flow. This enables the firewall device to identify the network flow already pre-filtered by the flow-based switch according to the lower layer rule, thus avoiding unnecessary work load on the firewall device and also providing a reliable matching of higher layer rules to a network flow that was routed according to a lower layer rule.
According to a further preferred embodiment the layer of the lower layer rule corresponds to OSI-layers equal to or smaller than four and the layer of the higher layer rule corresponds to OSI-layers greater than five. This split of layers enables an easy decomposition of traffic into lower and higher layer protocols, makes it easier to define entries enabling filtering in a flow-based switch device via the Open Flow protocol, and provides filtering on the lower layers up to the transport layer, corresponding to level four in the OSI-layer model.
According to a further preferred embodiment, the firewall decomposition device is formed such to generate the lower layer rule and the higher layer rule according to a predefined rule generation policy. A rule generation policy may for example include information about constraints on how to decompose and how to generate lower layer rules and higher layer rules. It is also possible to extract policy information from the firewall rule in its original state and to impose the policy information on the generated lower layer rule and the higher layer rule.
According to a further preferred embodiment the rule generation policy is a NAT integrity policy. Such a policy preserves network address translation (NAT) integrity, so that the rule generator ignores all NAT-related firewall rules. Other rule generation policies are also possible.
According to a further preferred embodiment the switch device is formed such to add the network flow identity information by rewriting a MAC header of the network flow and/or by encapsulating, preferably by adding an extra header to the network flow. Rewriting the MAC address provides a very easy-to-handle option for transmitting network flow identity information from the flow-based switch to the firewall device. The firewall device may then easily recognize from the rewritten MAC address which second rule is to be applied to the network flow. When the network flow identity information is encapsulated in the network flow, the firewall device must analyze the additional information, for example extra information added in the header of the corresponding network flow. This avoids problems with devices on the downstream side of the firewall device that arise when a MAC address is rewritten.
There are several ways how to design and further develop the teaching of the present invention in an advantageous way. To this end it is to be referred to the patent claims subordinate to patent claims 1 and 8 on the one hand and to the following explanation of preferred embodiments of the invention by way of example, illustrated by the drawing, on the other hand. In connection with the explanation of the preferred embodiment of the invention by aid of the drawing, generally preferred embodiments and further developments of the teaching will be explained. In the drawing
Fig. 1 shows schematically a method according to a first embodiment of the present invention; and
Fig. 2 shows a schematic view of a method according to a second embodiment of the present invention.
Fig. 1 shows schematically a method according to a first embodiment of the present invention. In Fig. 1 there is shown a firewall rule decomposition device in the form of a rule engine comprising a rule parser, for syntax checking and for checking whether input firewall rules correspond to a pre-given format which may be decomposed, and a rule generator for generating lower layer rules and higher layer rules. Further, the rule engine uses as input one or more predefined firewall syntaxes. The firewall syntax is used to define the grammar of the input firewall rules. Further, an Open Flow syntax is used as input into the rule engine to define Open Flow protocol entries in the rule generator. A rule engine policy is used to impose preferably predefined constraints on the decomposition and generation process of Open Flow entries and of rules for a firewall device. Such constraints may include information on how to decompose or generate certain rules as well as overall policy information, for example rules which must not be decomposed or the like. The firewall device is in Fig. 1 in the form of an upper-layer firewall processor, in particular a network processor. To obtain an enhanced off-loading of firewall processing to a flow-based switch or switch device, the firewall rule to be decomposed should be as specific as possible.
Based on the input firewall rules and the rule engine policy, as well as the Open Flow syntax and the firewall syntax, the rule generator produces two sets of new rules: at least one for the flow-based switch and at least one for the upper layer firewall processor. The rule for the flow-based switch is in Fig. 1 a rule corresponding to an OSI-layer equal to or smaller than four, whereas the rule for the firewall device is a rule corresponding to an OSI-layer greater than five.
The rule generator according to Fig. 1 may include or be used to define a compiler that performs lexical analysis, parsing, semantic analysis and code generation. The lexical analysis is performed on the input firewall rules to create language tokens that form an abstract syntax tree (AST). Once an abstract syntax tree is generated, it may then be translated using a context-free grammar definition of the Open Flow rule structure together with a token look-up table, which converts between the firewall rule language of the input firewall rules and the two sets of new rules, those for the flow-based switch and those for the upper layer firewall processor. In the following, example Open Flow rules for Open Flow matching are described in Backus-Naur form notation:
OF_RULE := PKT MATCH { ACTION }
ACTION := FORWARD | ENCAPSULATE | SEND | DROP
MATCH := MATCH_OP_1 MATCH_FILTER_1 | MATCH_OP_1 MATCH_FILTER_2 | MATCH_OP_2 MATCH_FILTER_2
MATCH_OP_1 := WILD_CARD | EXACT
MATCH_OP_2 := PREFIX_MATCH
MATCH_FILTER_1 := INPORT | ETYPE | VLAN_ID | ...
MATCH_FILTER_2 := ESRC | EDST | IPV4SRC | IPV4DST
PKT := BYTE_FIELD
For example, if a firewall rule is in the form of iptables, which is a userspace application for configuring the tables of the Linux kernel firewall, and the iptables rule defines dropping all TCP packets on port 25 to IP address 192.168.1.100, the iptables rule may be mapped as follows from the iptables form into the Open Flow rule structure shown above:
IPTABLES:
iptables -A INPUT -s 192.168.1.100 -p tcp --destination-port 25 -j DROP
OPENFLOW:
match: nw_src = 192.168.1.100, proto = tcp, tp_dst=25
action: drop
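As an added example, not code from the patent, the decomposition described above for the port-range case and the iptables-to-Open Flow mapping just shown, written as a small Python rule engine with a syntax check and a NAT integrity policy. The accepted iptables subset, the `send:ulfp` port name, the `tp_dst_range` predicate and the priority values are assumptions.

```python
import re
import shlex
from dataclasses import dataclass

ULFP_PORT = "ulfp"  # assumed name of the switch port that leads to the ULFP


@dataclass
class OpenFlowEntry:
    match: dict      # layer <= 4 fields, e.g. nw_src / proto / tp_dst as on the page
    action: str      # "drop", "forward" or "send:<port>"
    priority: int    # exact matches (no wildcards) get the highest priority


@dataclass
class UlfpRule:
    match: dict      # predicate the switch cannot express (here: a port range)
    action: str


class RuleSyntaxError(ValueError):
    """Raised by the syntax check so a malformed rule never reaches the switch."""


_PORT_RE = re.compile(r"^(\d{1,5})(?::(\d{1,5}))?$")


def parse_iptables(rule: str) -> dict:
    """Syntax check for the supported subset (an assumption of this example):
    iptables [-t TABLE] -A CHAIN [-s IP] [-p PROTO] [--destination-port P[:Q]] -j TARGET"""
    toks = shlex.split(rule)
    if not toks or toks[0] != "iptables":
        raise RuleSyntaxError("rule must start with 'iptables'")
    parsed = {"table": "filter"}
    i = 1
    while i < len(toks):
        opt = toks[i]
        if i + 1 >= len(toks):
            raise RuleSyntaxError(f"option {opt} needs a value")
        val = toks[i + 1]
        if opt == "-t":
            parsed["table"] = val
        elif opt == "-A":
            parsed["chain"] = val
        elif opt == "-s":
            parsed["src"] = val
        elif opt == "-p":
            parsed["proto"] = val.lower()
        elif opt in ("--destination-port", "--dport"):
            m = _PORT_RE.match(val)
            if not m:
                raise RuleSyntaxError(f"bad port specification {val!r}")
            lo, hi = int(m.group(1)), int(m.group(2) or m.group(1))
            if not (0 <= lo <= hi <= 65535):
                raise RuleSyntaxError(f"port range out of order or out of range: {val}")
            parsed["dport"] = (lo, hi)
        elif opt == "-j":
            parsed["target"] = val.upper()
        else:
            raise RuleSyntaxError(f"unsupported option {opt}")
        i += 2
    if "chain" not in parsed or "target" not in parsed:
        raise RuleSyntaxError("chain (-A) and target (-j) are required")
    if "dport" in parsed and parsed.get("proto") not in ("tcp", "udp"):
        raise RuleSyntaxError("--destination-port requires -p tcp or -p udp")
    return parsed


def decompose(rule: str, policy: str = "nat-integrity"):
    """Split one iptables rule into (OpenFlowEntry or None, UlfpRule or None)."""
    p = parse_iptables(rule)
    if policy == "nat-integrity" and p["table"] == "nat":
        return None, None  # NAT integrity policy: NAT rules are not decomposed
    action = "drop" if p["target"] == "DROP" else "forward"
    match = {}
    if "src" in p:
        match["nw_src"] = p["src"]
    if "proto" in p:
        match["proto"] = p["proto"]
    lo, hi = p.get("dport", (None, None))
    if lo is None:
        # Layer 3 only: the switch enforces it alone, with a wildcarded match.
        return OpenFlowEntry(match, action, priority=50), None
    if lo == hi:
        # Single port: fully expressible at layer 4, no ULFP rule needed.
        match["tp_dst"] = lo
        return OpenFlowEntry(match, action, priority=100), None
    # Port range: steer all traffic for this src/proto to the ULFP, which then
    # filters only the packets inside the range (the example from the text).
    return (OpenFlowEntry(match, f"send:{ULFP_PORT}", priority=50),
            UlfpRule({"tp_dst_range": (lo, hi)}, action))
```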
Fig. 2 shows a schematic view of a method according to a second embodiment of the present invention.
Fig. 2 shows an Open Flow based switch 1 comprising a switch device 2 and an upper layer firewall processor ULFP. In Fig. 2 a firewall rule to be installed on the Open Flow based switch 1 as an example consists of blocking all traffic from source IP address 173.194.70.93 going to http://www.youtube.com, which in a format resembling the netfilter format would look like: block ip 173.194.70.93 proto tcp port 80 url youtube.com.
To program the Open Flow based switch 1 with the above mentioned firewall rule, the firewall rule is inserted into the upper layer firewall processor ULFP, where the decomposition is performed by a firewall rule decomposition device DEC. A firewall rule is split by the firewall rule decomposition device DEC into an Open Flow entry 6 in the switch device 2 matching HTTP packets from the given source IP address and a rule for the upper layer firewall processor ULFP for youtube traffic. These two rules are installed in the Open Flow entry table 4 of the switch device 2 and in the upper layer firewall processor table 5 in the upper layer firewall processor ULFP, respectively. Further, the firewall rule decomposition device DEC specifies an addition to the Open Flow entry action for the upper layer firewall processor ULFP, namely a MAC header rewrite operation. This rewritten header of a flow, the header addition or marking, is later used by the upper layer firewall processor ULFP to demultiplex (reference sign DEMUX for a demultiplexer device, preferably within the upper layer firewall processor ULFP) flows from the switch device 2, wherein switch device 2 performs Open Flow filtering according to the entries 6 of the Open Flow entry table 4. If a flow arrives at the switch device 2, the switch device 2 rewrites the MAC header address of the flow to match the flow to the corresponding upper layer firewall processor rule; in Fig. 2 the corresponding rule defines url = youtube.com. Flows which do not match the upper layer firewall processor rule are forwarded on. Otherwise the flow is dropped. The upper layer firewall processor rule may include a number representing the Open Flow switch port to send the flow out on.
The header addition or marking is used by the upper layer firewall processor ULFP to identify which higher layer rule corresponds to a flow incoming from the switch device 2. The flows must be labeled in such a way that the upper layer firewall processor ULFP is able to distinguish between the different flows.
When the header addition or marking is encapsulated, in particular IP-in-IP, the switch device 2 adds an extra IP header to packets to signal an entry in table 5 for the higher layer rules of the upper-layer firewall processor ULFP. After identifying the higher layer rule corresponding to the incoming flow, the upper layer firewall processor ULFP, in particular the demultiplexer device DEMUX, strips off the addition or marking.
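As an added example, not code from the patent, the demultiplexing step of Fig. 2 at the ULFP: a frame arriving from the switch is matched on its rewritten (marker) destination MAC against table 5, the URL predicate of the found rule is applied to the HTTP Host header, and the flow is dropped or forwarded on the rule's out port. The marker addresses, the table entries, the simplified frame layout (Ethernet header directly followed by the HTTP request) and the constructed requests are assumptions.

```python
import struct

# Table 5 of the ULFP, keyed by marker MAC (constructed entries for this example)
ULFP_TABLE = {
    "02:00:00:00:00:01": {"url": "youtube.com", "action": "drop", "out_port": 3},
    "02:00:00:00:00:02": {"url": "example.org", "action": "allow", "out_port": 3},
}
ETH_P_IP = 0x0800


def build_frame(dst_mac: str, src_mac: str, http_request: bytes) -> bytes:
    """Constructed frame: 14-byte Ethernet header followed directly by the HTTP
    request; the IP and TCP headers are omitted to keep the example short."""
    hdr = (bytes.fromhex(dst_mac.replace(":", ""))
           + bytes.fromhex(src_mac.replace(":", ""))
           + struct.pack("!H", ETH_P_IP))
    return hdr + http_request


def http_host(payload: bytes):
    """Return the Host header value, lower-cased and without a port, or None."""
    for line in payload.split(b"\r\n")[1:]:
        if not line:
            break  # blank line ends the header block
        name, sep, value = line.partition(b":")
        if sep and name.strip().lower() == b"host":
            return value.strip().split(b":")[0].decode("ascii", "replace").lower()
    return None


def url_matches(host, rule_url: str) -> bool:
    """A rule for youtube.com matches youtube.com and its subdomains, but not
    a look-alike such as notyoutube.com."""
    return host is not None and (host == rule_url or host.endswith("." + rule_url))


def ulfp_demux(frame: bytes) -> dict:
    """Decide what the ULFP does with one frame arriving from the switch device."""
    if len(frame) < 14:
        return {"verdict": "drop", "reason": "truncated frame", "out_port": None}
    dst = ":".join(f"{b:02x}" for b in frame[0:6])
    rule = ULFP_TABLE.get(dst)
    if rule is None:
        # No marker: the switch did not steer this flow, no higher layer rule applies.
        return {"verdict": "forward", "reason": "no marker", "out_port": None}
    host = http_host(frame[14:])
    if url_matches(host, rule["url"]):
        verdict = "drop" if rule["action"] == "drop" else "forward"
        return {"verdict": verdict, "reason": f"url {rule['url']} matched",
                "out_port": rule["out_port"]}
    # Marked flow, but the higher layer predicate does not match: forward it on.
    return {"verdict": "forward", "reason": "higher layer rule not matched",
            "out_port": rule["out_port"]}
```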
It is also possible that the flow-based switch device and the firewall device are separate devices, for example that the upper-layer firewall processor ULFP is implemented at an external entity, for example in an Open Flow Controller for controlling an Open Flow based switch device.
In summary, one advantage of the invention is that the system and the method for providing a firewall rule provide matching at line-rate in the lower transport layers on all flows and higher layer matching on a subset of flows, also at line-rate, thereby optimizing the work load between a switch and a firewall.
A further advantage is that the invention provides a simple and light-weight mechanism for traversing firewalls: for traversal of the firewall, a simple entry in the Open Flow entry table for the flow allowing it to be passed through is sufficient. A further advantage is that a fast matching of low layer rules is possible, in particular if lower layer rules correspond to the Open Flow protocol, due to a prioritization scheme in which entries specifying an exact match, in particular no wildcards, have the highest priority. A further advantage of the invention is that the method and the system for providing a firewall rule are inexpensive while still providing higher order and expressive firewall rules and firewall traversal capabilities.
Further advantages and inventive steps of the system and the method for filtering network traffic according to the present invention are:
a) off-loading firewall processing to a flow-based switch, preferably a programmable and/or Open Flow based switch, by decomposing a firewall rule,
b) allowing firewall traversal of the off-loaded rules on a flow-based switch,
c) using the line-rate forwarding capability of inexpensive flow-based switches, preferably programmable and/or Open Flow based, while still providing expressive firewall rules, including the ability to provide firewall traversal capabilities, and
d) resolving the limitation of using very simple Open Flow entries for performing low-level firewalling, e.g. blocking all traffic to a specific TCP port.
Many modifications and other embodiments of the invention set forth herein will come to mind to one skilled in the art to which the invention pertains having the benefit of the teachings presented in the foregoing description and the associated drawings. Therefore, it is to be understood that the invention is not to be limited to the specific embodiments disclosed and that modifications and other embodiments are intended to be included within the scope of the appended claims. Although specific terms are employed herein, they are used in a generic and descriptive sense only and not for purposes of limitation.
Claims
1. A method for providing a firewall rule comprising the steps of
a) defining a firewall rule for filtering network traffic,
b) providing a lower layer network protocol and a higher layer network protocol,
c) analyzing the firewall rule,
d) decomposing the analyzed firewall rule,
e) generating at least one lower layer rule according to the lower layer network protocol and at least one higher layer rule according to the higher layer protocol from the decomposed firewall rule,
f) providing the generated lower layer rule to a flow-based switch device (2) for routing network traffic according to the generated lower layer rule and the generated higher layer rule to a firewall device (ULFP) for filtering network traffic according to the firewall rule.
2. A method according to claim 1, characterized in that the method includes the step of checking the syntax of a firewall rule.
3. A method according to claim 1 or 2, characterized in that step c) includes extracting policy information and/or step e) includes the step of imposing policy information on the generated lower order rule and/or higher order rule.
4. A method according to one of the claims 1-3, characterized in that network flow identity information is generated and provided to the firewall device (ULFP).
5. A method according to claim 4, characterized in that the network flow identity information is generated by rewriting a MAC address header of a flow.
6. A method according to claims 4 or 5, characterized in that the network flow identity information is encapsulated in the network flow.
7. A method according to one of the claims 1-6, characterized in that the lower order network protocol is based on the Open Flow protocol.
8. A system (1) for providing a firewall rule, preferably for carrying out a method according to one of the claims 1-7, comprising a flow-based switch device (2) and routing means for routing network traffic according to at least one first rule and a firewall device (ULFP) for filtering network traffic according to at least one second rule,
characterized in that the system (1) further comprises a firewall rule decomposition device (DEC), wherein the firewall rule decomposition device (DEC) is operable to decompose a firewall rule and to generate at least one lower layer rule according to a lower layer protocol and at least one higher layer rule according to a higher layer protocol from the decomposed firewall rule and to provide the generated lower layer rule as a first rule to the flow-based switch device (2) and the higher layer rule as a second rule to the firewall device (ULFP).
9. A system according to claim 8, characterized in that the firewall rule decomposition device (DEC) comprises a rule parser for syntax checking of the firewall rule and a rule generator for generating at least one lower layer rule and at least one higher layer rule.
10. A system according to claim 8 or 9, characterized in that the rule generator is a compiler operable such to provide lexical analysis, parsing, semantic analysis and/or code generation for the lower layer rule and/or for the higher layer rule.
11. A system according to claims 8-10, characterized in that the switch device (2) is formed such to add network flow identity information to a flow.
12. A system according to claims 8-11, characterized in that the layer of the lower layer rule corresponds to OSI-layers equal to or smaller than four and that the order of the higher layer rule corresponds to OSI-layers greater than five.
13. A system according to claims 8-12, characterized in that the firewall rule decomposition device (DEC) is formed such to generate the lower layer rule and the higher layer rule according to a predefined rule generation policy.
14. A system according to claim 13, characterized in that the rule generation policy is a NAT integrity policy.
15. A system according to claim 11, characterized in that the switch device (2) is formed such to add the network flow identity information by rewriting a MAC header of the flow and/or by encapsulation, preferably by adding an extra header.
PCT/EP2012/052609 2011-03-29 2012-02-15 A method for providing a firewall rule and a corresponding system WO2012130523A1 (en)

Applications Claiming Priority (2)

Application Number Priority Date Filing Date Title
EP11002570 2011-03-29
EP11002570.7 2011-03-29

Publications (1)

Publication Number Publication Date
WO2012130523A1 true WO2012130523A1 (en) 2012-10-04

Family

ID=45819182

Family Applications (1)

Application Number Title Priority Date Filing Date
PCT/EP2012/052609 WO2012130523A1 (en) 2011-03-29 2012-02-15 A method for providing a firewall rule and a corresponding system

Country Status (1)

Country Link
WO (1) WO2012130523A1 (en)

Cited By (11)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US20140245423A1 (en) * 2013-02-26 2014-08-28 Zentera Systems, Inc. Peripheral Firewall System for Application Protection in Cloud Computing Environments
US9525564B2 (en) 2013-02-26 2016-12-20 Zentera Systems, Inc. Secure virtual network platform for enterprise hybrid cloud computing environments
US9596315B2 (en) 2013-05-30 2017-03-14 Zentera Systems, Inc. Secure data transfer platform for hybrid computing environment
CN106790068A (en) * 2016-12-21 2017-05-31 西安兖矿科技研发设计有限公司 A kind of method for accelerating industry control firewall rule to match
US9699034B2 (en) 2013-02-26 2017-07-04 Zentera Systems, Inc. Secure cloud fabric to connect subnets in different network domains
US10348767B1 (en) 2013-02-26 2019-07-09 Zentera Systems, Inc. Cloud over IP session layer network
US10382401B1 (en) 2013-02-26 2019-08-13 Zentera Systems, Inc. Cloud over IP for enterprise hybrid cloud network and security
US10484334B1 (en) 2013-02-26 2019-11-19 Zentera Systems, Inc. Distributed firewall security system that extends across different cloud computing networks
US10530684B2 (en) 2015-05-19 2020-01-07 International Business Machines Corporation Management of unreachable OpenFlow rules
CN111600812A (en) * 2020-05-13 2020-08-28 优刻得科技股份有限公司 Message processing method, processing device, readable medium and system
US20210092142A1 (en) * 2016-02-25 2021-03-25 Imperva, Inc. Techniques for targeted botnet protection

Citations (1)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US20040243835A1 (en) * 2003-05-28 2004-12-02 Andreas Terzis Multilayer access control security system

Legal Events

Date Code Title Description
121 Ep: the epo has been informed by wipo that ep was designated in this application

Ref document number: 12708505

Country of ref document: EP

Kind code of ref document: A1

NENP Non-entry into the national phase

Ref country code: DE

122 Ep: pct application non-entry in european phase

Ref document number: 12708505

Country of ref document: EP

Kind code of ref document: A1