WO2012130523A1 - A method for providing a firewall rule and a corresponding system - Google Patents
- Publication number: WO2012130523A1 (PCT/EP2012/052609)
- Authority
- WO
- WIPO (PCT)
- Prior art keywords
- rule
- firewall
- flow
- network
- lower layer
- Prior art date
Classifications
- H—ELECTRICITY > H04—ELECTRIC COMMUNICATION TECHNIQUE > H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
  - H04L63/00—Network architectures or network communication protocols for network security
    - H04L63/02—Network architectures or network communication protocols for network security for separating internal from external traffic, e.g. firewalls
      - H04L63/0227—Filtering policies
        - H04L63/0263—Rule management
      - H04L63/029—Firewall traversal, e.g. tunnelling or, creating pinholes
    - H04L63/16—Implementing security features at a particular protocol layer
  - H04L43/00—Arrangements for monitoring or testing data switching networks
    - H04L43/02—Capturing of monitoring data
      - H04L43/026—Capturing of monitoring data using flow identification
      - H04L43/028—Capturing of monitoring data by filtering
  - H04L45/00—Routing or path finding of packets in data switching networks
    - H04L45/302—Route determination based on requested QoS
      - H04L45/306—Route determination based on the nature of the carried application
    - H04L45/38—Flow based routing
Definitions
- the present invention relates to a method for providing a firewall rule and a corresponding system.
- Network and computer security is today a crucial point in the computer industry: used to protect single computers or company computer network infrastructure against threats from the public internet.
- Large local area networks, such as company networks use in-network firewalls to protect network flows and to ensure the reliability and resilience of company networks so as to protect the end-users and their computers within the network.
- firewalls are used for a variety of important tasks including dropping malicious traffic targeted at end-users, black-holing traffic originating from a malicious or a compromised host, intercepting malicious control traffic - in particular botnet signaling traffic or the like or blocking specific services like internet community services preferably facebook, linked-in, etc.
- Programmable networks are realized through the use of programmable, flow-based commodity network switches.
- An example of this is the use of the so called Open Flow protocol and corresponding switches that are capable of processing the Open Flow protocol.
- Such switches are typically used to decide whether to route or not to route flows through a network.
- a flow based switch capable of processing flows includes a memory in which a table made up of flow entries is kept - preferably according to the Open Flow protocol standard. Each flow entry defines a filter used to match against incoming network flows and an action to be applied to flows matching the filter criteria.
- An example of a filter would state "drop flow any flow" destined to "y".
- Based on the rules/filters specified for the flow entries, a flow based switch applies actions on the traffic that passes through it.
- an external controller might be used.
- the communication between the external controller and the flow-based switch may also be processed by the Open Flow protocol.
- the Open Flow protocol supports only the matching of flows based on lower layer protocols. A disadvantage of this is that only either wild card or exact matching of entries in the Open Flow table in the Open Flow based switch with flow data is possible. If using only the primitives specified by the Open Flow protocol, filtering of network traffic, in particular firewalling is only possible at a rudimentary level.
- a method for providing a firewall rule comprising the steps of a) defining a firewall rule for filtering network traffic, b) providing a lower layer network protocol and a higher layer network protocol,
- a system for providing a firewall rule comprises a flow-based switch device for routing network traffic according to at least one first rule and a firewall device for filtering network traffic according to at least one second rule, and is characterized in that the system further comprises a firewall rule decomposition device, wherein the firewall rule decomposition device is operable to decompose a firewall rule and to generate at least one lower layer rule according to a lower layer network protocol and at least one higher layer rule according to a higher layer network protocol from the decomposed firewall rule and to provide the generated lower layer rule to a flow-based switch device for processing traffic according to the lower layer rule and the generated higher layer rule to a firewall device for filtering network traffic according to the higher layer rule.
- the method and the system for providing a firewall rule provide reduced work load for a firewall device when filtering network traffic according to a firewall rule.
- the method and the system provide a more flexible and easy programming of firewall rules for filtering network traffic.
- the method and system provide a simple and easy-to-use mechanism for firewall traversal.
- the method and the system are cost-effective with regard to execution of the method respectively the manufacture of the system.
- the method and the system according to the present invention match the capabilities of the hardware very well.
- the Open Flow based switch may perform matching at line-rate of lower layer rules but cannot match higher layers.
- the network processor, in particular an upper-layer firewall processor, is able to match higher layer rules rather than lower layer rules.
- the method and the system for providing a firewall rule of the present invention matches these capabilities using a switch device for matching lower layer rules at line-rate on all flows while it leverages the network processor to perform matching of higher layer rules on a subset of flows at line-rate too.
- the present invention provides in particular a method and a system for firewall traversal for rules off-loaded to a flow-based switch.
- the method and the system for providing a firewall rule provide a simple and light-weight mechanism for firewall traversal:
- a specific entry preferably an Open Flow entry for the flow that should be allowed to traverse the firewall might be inserted.
- the entries, preferably the Open Flow entries may be processed based on a prioritization scheme and entries specifying an exact match, that means no wildcards, have the highest priority. Therefore, an entry installed for specifying firewall traversal is quickly matched thus forwarding the corresponding matched flow without affecting its performance. Higher layer rules for traversal may then be handled or processed by the firewall device.
- One of the ideas of the present invention is to specify a firewall rule, e.g. in iptables format, and break it down into a set of flow entries, preferably Open Flow entries, then to install them on a programmable switch device representing the parts of the firewall corresponding to preferably OSI-layers equal or smaller than four, and a higher layer rule, inserted into a firewall device, preferably an upper-layer firewall processor.
- a decomposition preferably takes care of resolving firewall rules that require a more flexible matching in lower layers by breaking the firewall rule down to a lower layer, preferably smaller than OSI-layer four: For example a firewall rule needs to match all TCP packets with port range 1024-2048 from a certain IP address.
- the firewall rule is then decomposed in such a way that a flow entry, preferably an Open Flow entry is generated directing all TCP traffic from the IP address defined in the firewall rule to a firewall device, preferably an upper-layer firewall processor.
- the upper-layer firewall processor then filters only those TCP packets in the port range according to the firewall rule.
- the method includes the step of checking a syntax of the firewall rule. This avoids incorrect firewall rules which cannot or not completely be processed by a firewall rule decomposition device. This might not only lead to an ineffective decomposition of the firewall rule but to a lowered security level for the network to be protected by the firewall due to an at least temporarily misconfigured firewall device.
- step c) includes extracting policy information and/or step e) includes the step of imposing policy information on the generated lower layer rule and/or higher layer rule.
- Extracting policy information from the firewall rule provides for example that policy information may be separated and stored before a firewall rule is decomposed. When generating a lower layer rule and/or a higher layer rule, this extracted policy information may then be used as additional information during the generation process of the lower layer rule and/or the higher layer rule, ensuring that the overall policy of the original firewall rule is still valid after the decomposition and the following generation process.
- This provides a very flexible and reliable method for providing firewall rules to a flow-based switch.
- network flow identity information is generated and provided to the firewall device.
- the network flow identity information is generated by rewriting a MAC address header of a network flow.
- the rewriting of the MAC address may for example be performed on a network flow entering a flow-based switch, so that, when subsequently transferring a flow through a firewall device, the firewall device may easily identify the rewritten MAC address and therefore the higher layer rule to be applied to the corresponding network flow.
- the network flow is then filtered or "firewalled" by the firewall device according to the higher layer rule.
- the network flow identity information is encapsulated in the network flow. Encapsulation of the network identity information in the network flow avoids problems when rewriting a MAC address. Encapsulation may be performed for example by an IP-in-IP encapsulation whereby the flow-based switch adds an extra IP header to data packets to signal an entry into the network flow and the firewall device strips off the extra IP header after filtering or firewalling the corresponding network flow according to the higher layer rule. Devices connected to the firewall device do not receive this additional information, so disturbing network traffic due to a rewritten MAC address is avoided.
- the lower layer protocol is based on the open flow protocol.
- the Open Flow protocol provides an easy-to-use and cost-effective protocol for programming flow based switches and further a filtering and/or routing of network flows.
- the firewall rule decomposition device comprises a rule parser for syntax checking of the firewall rule and a rule generator for generating at least one lower layer rule and at least one higher layer rule.
- the rule parser ensures that input firewall rules to be used for decomposition are syntactically correct and correspond to a previously given format or syntax so that they can be decomposed by the rule generator correctly.
- the rule generator performs the decomposition of the firewall rule according to the lower layer protocol and the higher layer protocol. This provides a reliable generation of higher layer and/or lower layer rules avoiding network or firewall security problems due to at least partially false decomposition and false generation of lower layer and/or higher layer rules.
- the rule generator is a compiler operable to provide lexical analysis, parsing, semantic analysis and/or code generation for the lower layer rule and/or for the higher layer rule.
- a compiler provides a simple and easy-to-use generator for the lower layer rules and/or higher layer rules.
- the switch device is formed such to add network flow identity information to a flow. This enables the firewall device to identify the network flow already pre-filtered by the flow-based switch according to the lower layer rule so avoiding unnecessary workload on the firewall device and also providing a reliable matching of higher layer rules to a network flow subjected to a routing according to a lower layer rule.
- the layer of the lower layer rule corresponds to OSI-layers equal or smaller than four and the layer of the higher layer rule corresponds to OSI-layers greater than five.
- This orientation of layers enables an easy decomposition of traffic into lower and higher layers protocols and makes it easier to define entries enabling filtering in a flow-based switch device via the Open Flow protocol and to provide a filtering on the lower transport layers according to the OSI-layers up to the transport layer corresponding to level four in the OSI-layer-model.
- the firewall decomposition device is formed such to generate the lower layer rule and the higher layer rule according to a predefined rule generation policy.
- a rule generation policy may for example include information about constraints on how to decompose and how to generate lower layer rules and higher layer rules. It is also possible to extract policy information from the firewall rule in its original state and to impose the policy information on the generated lower layer rule and the higher layer rule.
- the rule generation policy is a NAT integrity policy.
- NAT network address translation
- Other rule generation policies are also possible.
- the switch device is formed such to add the network flow identity information by rewriting a MAC-header of the network flow and/or by encapsulating, preferably by adding an extra header to the network flow.
- Rewriting the MAC address provides a very easy-to-handle option for transmitting network flow identity information from the flow-based switch to the firewall device.
- the firewall device may then easily recognize from the rewritten MAC-address which second rule to be applied to the network flow.
- When encapsulating the network flow identity information in the network flow, the firewall device must analyze the additional information, for example the extra information added in the header of the corresponding network flow. This avoids problems with devices on the downstream side of the firewall device arising when a MAC-address is rewritten.
- Fig. 1 shows schematically a method according to a first embodiment of the present invention.
- Fig. 2 shows a schematically view of a method according to a second embodiment of the present invention.
- a firewall rule decomposition device in form of a rule engine comprising a rule parser for syntax checking and for checking if input firewall rules correspond to a pre-given format which may be decomposed and a rule generator for generating lower layer rules and higher layer rules.
- the rule engine uses as input one or more predefined firewall syntaxes.
- the firewall syntax is used to define the grammar of the input firewall rules.
- an Open Flow syntax is used for input into the rule engine to define Open Flow protocol entries in the rule generator.
- a rule engine policy is used to impose preferably predefined constraints on the decomposition and generation process of open flows and of rules for a firewall device.
- Such constraints may include information on how to decompose or generate certain rules as well as overall policy information, for example rules which must not be decomposed or the like.
- the firewall device is in Fig. 1 in form of an upper-layer firewall processor, in particular a network processor. To obtain an enhanced off-loading of firewall processing to a flow-based switch or switch device, the firewall rule to be decomposed should be as specific as possible.
- Based on the input firewall rules and the rule engine policy as well as the Open Flow syntax and the firewall syntax, the rule generator produces two sets of new rules: at least one for the flow based switch and at least one for the upper layer firewall processor.
- the rule for the flow based switch is in Fig. 1 a rule corresponding to an OSI-layer equal or smaller than four whereas the rule for the firewall device is a rule corresponding to an OSI-layer greater than five.
- the rule generator according to Fig. 1 may include or be used to define a compiler that performs lexical analysis, parsing, semantic analysis and code-generation.
- the lexical analysis is performed on the input firewall rules to create language tokens that form an abstract syntax tree (AST). If an abstract syntax tree is generated, it may then be translated using a context free grammar definition of the Open Flow rule structure with a token look-up table to convert between the language of the firewall rule, i.e. the set of input firewall rules in firewall rule language, and the two sets of new rules, those for the flow-based switch and those for the upper layer firewall processor.
- AST abstract syntax tree
- OF_RULE PKT MATCH ⁇ ACTION ⁇
- MATCH_OP_1 WILD_CARD
- MATCH_FILTER_1 INPORT
- MATCH_FILTER_2 ESRC
- a firewall rule is in form of iptables, which is a userspace application that allows configuring the tables in a Linux kernel firewall; for example, if the iptables rule defines dropping all TCP packets on port 25 to IP address 192.168.1.100, the iptables rule may be mapped as follows from the iptables form into the Open Flow rule structure shown above: IPTABLES:
- Fig. 2 shows a schematically view of a method according to a second embodiment of the present invention.
- Fig. 2 shows an Open Flow based switch 1 comprising a switch device 2 and an upper layer firewall processor ULFP.
- a firewall rule to be installed on the Open Flow based switch 1 as an example consists of blocking all traffic from source IP address 173.194.70.93 going to http://www.youtube.com, which in a format resembling netfilter format would look like: block ip 173.194.70.93 proto tcp port 80 url firewall rule youtube.com.
- the firewall rule is inserted into the upper layer firewall processor ULFP where the decomposition is performed by a firewall rule decomposition device DEC.
- a firewall rule is split by the firewall rule decomposition device DEC into an Open Flow entry 6 in the switch device 2 matching http packets from the given source IP address and a rule for the upper layer firewall processor ULFP for youtube traffic.
- These two rules are installed in the Open Flow entry table 4 of the switch device 2 and in the upper layer firewall processor table 5 in the upper layer firewall processor ULFP respectively.
- the firewall rule decomposition device DEC specifies an addition to the open flow entry action for the upper layer firewall processor ULFP, namely a MAC header rewrite operation.
- the upper layer firewall processor rule may include a number representing the open flow switch port to send the flow out on.
- the header addition or marking is used by the upper layer firewall processor ULFP to identify which higher layer rule corresponds to a flow incoming from the switch device 2.
- the flows must be labeled in such a way that the upper layer firewall processor ULFP is able to distinguish between the different flows.
- When the header addition or marking is encapsulated, in particular IP-in-IP, the switch device 2 adds an extra IP header to packets to signal an entry on a table 5 for the higher layer rules of the upper-layer firewall processor ULFP. After identifying the higher layer rule corresponding to the incoming flow, the upper layer firewall processor ULFP, in particular the demultiplex device DEMUX, strips off the addition or marking.
- the flow-based switch device and the firewall device are separate devices; for example, the upper-layer firewall processor ULFP is implemented at an external entity, such as an Open Flow Controller for controlling an open-flow based switch device.
- one advantage of the invention is that the system and the method for providing a firewall rule provide matching at line-rates in lower transport layers on all flows and provide higher layer matching on a sub-set of flows also at line-rates, therefore optimizing work load between a switch and a firewall.
- a further advantage is that the invention provides a simple and light-weight mechanism for traversing firewalls: for traversal of the firewall a simple entry in the Open Flow entry table for the flow allowing it to be passed through is possible.
- a further advantage is that a fast matching of low layer rules is possible, in particular if lower layer rules correspond to the Open Flow protocol, due to a prioritization scheme and entries specifying an exact match, in particular no wild cards.
- a further advantage of the invention is that the method and the system for providing a firewall rule are inexpensive while still providing higher order and expressive firewall rules and firewall traversal capabilities.
- Further advantages and inventive steps of the system and the method for filtering network traffic according to the present invention are: a) off-loading firewall processing to a flow-based switch, preferably programmable and/or Open Flow based, by decomposing a firewall rule, b) allowing firewall traversal of the off-load rules on a flow based switch, c) using the capability of line-rate forwarding of inexpensive flow-based switches, preferably programmable and/or Open Flow based, while still providing expressive firewall rules, including the ability to provide firewall traversal capabilities, and d) resolving the limitation of using very simple Open Flow entries for performing low-level firewalling, e.g. blocking all traffic to a specific TCP port.
Abstract
The invention relates to a method for providing a firewall rule comprising the steps of • a) defining a firewall rule for filtering network traffic, • b) providing a lower layer network protocol and a higher layer network protocol, • c) analyzing the firewall rule, • d) decomposing the analyzed firewall rule, • e) generating at least one lower layer rule according to the lower layer network protocol and at least one higher layer rule according to the higher layer protocol from the decomposed firewall rule, • f) providing the generated lower layer rule to a flow-based switch device for routing network traffic according to the generated lower layer rule and the generated higher layer rule to a firewall device for filtering network traffic according to the firewall rule.
Description
A METHOD FOR PROVIDING A FIREWALL RULE AND A CORRESPONDING SYSTEM
The present invention relates to a method for providing a firewall rule and a corresponding system.
Network and computer security is today a crucial point in the computer industry: used to protect single computers or company computer network infrastructure against threats from the public internet. Large local area networks, such as company networks use in-network firewalls to protect network flows and to ensure the reliability and resilience of company networks so as to protect the end-users and their computers within the network. Such firewalls are used for a variety of important tasks including dropping malicious traffic targeted at end-users, black-holing traffic originating from a malicious or a compromised host, intercepting malicious control traffic - in particular botnet signaling traffic or the like or blocking specific services like internet community services preferably facebook, linked-in, etc.
Due to the enormous growth in the volume of global network traffic on the internet, network operators have to use more powerful and expensive firewall devices to cope with the increasing network traffic load. To reduce costs, programmable networks are used. Programmable networks are realized through the use of programmable, flow-based commodity network switches. An example of this is the use of the so called Open Flow protocol and corresponding switches that are capable of processing the Open Flow protocol. Such switches are typically used to decide whether to route or not to route flows through a network.
A flow based switch, capable of processing flows includes a memory in which a table made up of flow entries is kept - preferably according to the Open Flow protocol standard. Each flow entry defines a filter used to match against incoming network flows and an action to be applied to flows matching the filter criteria. An example of filter would state "drop flow any flow" destined to "y".
Based on the rules/filters specified for the flow entries, a flow based switch applies actions on the traffic that passes through it. To install and/or delete entries on the flow based switch an external controller might be used. The communication between the external controller and the flow-based switch may also be processed by the Open Flow protocol. However, the Open Flow protocol supports only the matching of flows based on lower layer protocols. A disadvantage of this is that only either wild card or exact matching of entries in the Open Flow table in the Open Flow based switch with flow data is possible. If using only the primitives specified by the Open Flow protocol, filtering of network traffic, in particular firewalling is only possible at a rudimentary level.
It is therefore an objective of the present invention to provide a filtering method for network traffic and a corresponding system which enables more advanced and/or more flexible firewall rules.
It is a further objective of the present invention to provide a filtering method for network traffic and a corresponding system, which reduces the load for processing network traffic in a firewall device. It is even a further objective of the present invention to provide a filtering method and a system for network traffic which is easy to use and cost-effective.
In accordance with the invention the aforementioned objectives are accomplished by the method of claim 1 and the system of claim 8.
According to claim 1 a method for providing a firewall rule comprising the steps of a) defining a firewall rule for filtering network traffic,
b) providing a lower layer network protocol and a higher layer network protocol,
c) analyzing the firewall rule,
d) decomposing the analyzed firewall rule,
e) generating at least one lower layer rule according to the lower layer network protocol and at least one higher layer rule according to the higher layer protocol from the decomposed firewall rule,
f) providing the generated lower layer rule to a flow-based switch device for routing network traffic according to the generated lower layer rule and the generated higher layer rule to a firewall device for filtering network traffic according to the higher layer rule.
According to claim 8 a system for providing a firewall rule, preferably for carrying out a method according to one of the claims 1-7, comprises a flow-based switch device for routing network traffic according to at least one first rule and a firewall device for filtering network traffic according to at least one second rule, and is characterized in that the system further comprises a firewall rule decomposition device, wherein the firewall rule decomposition device is operable to decompose a firewall rule and to generate at least one lower layer rule according to a lower layer network protocol and at least one higher layer rule according to a higher layer network protocol from the decomposed firewall rule and to provide the generated lower layer rule to a flow-based switch device for processing traffic according to the lower layer rule and the generated higher layer rule to a firewall device for filtering network traffic according to the higher layer rule.
According to the present invention it has first been recognized that the method and the system for providing a firewall rule provide reduced work load for a firewall device when filtering network traffic according to a firewall rule. According to the present invention it has been further first recognized, that the method and the system provide a more flexible and easy programming of firewall rules for filtering network traffic.
According to the present invention it has further been first recognized that the method and system provide a simple and easy-to-use mechanism for firewall traversal. According to the present invention it has further been first recognized that the method and the system are cost-effective with regard to execution of the method respectively the manufacture of the system.
In particular in the case of an Open Flow based switch with an embedded network processor, the method and the system according to the present invention match the capabilities of the hardware very well. The Open Flow based switch may perform matching at line-rate of lower layer rules but cannot match higher layers. The network processor, in particular an upper-layer firewall processor, is able to match higher layer rules rather than lower layer rules. The method and the system for providing a firewall rule of the present invention matches these capabilities using a switch device for matching lower layer rules at line-rate on all flows while it leverages the network processor to perform matching of higher layer rules on a subset of flows at line-rate too. The present invention provides in particular a method and a system for firewall traversal for rules off-loaded to a flow-based switch. Since operators tend to add increasingly stringent and strict firewall rules to protect their networks, for example a company internal network, the level of protection cannot be increased over a certain threshold. Otherwise this might lead to blocking benign network traffic: for instance, SIP-based Voice-over-IP calls might fail when traversing a corresponding firewall.
In contrast to conventional methods like Session Traversal Utilities for NAT (STUN) or the like for firewall traversal, the method and the system for providing a firewall rule provide a simple and light-weight mechanism for firewall traversal: A specific entry, preferably an Open Flow entry for the flow that should be allowed to traverse the firewall might be inserted. The entries, preferably the Open Flow entries may be processed based on a prioritization scheme and entries specifying an exact match, that means no wildcards, have the highest priority. Therefore, an entry installed for specifying firewall traversal is quickly matched thus forwarding the corresponding matched flow without affecting its performance. Higher layer rules for traversal may then be handled or processed by the firewall device.

One of the ideas of the present invention is to specify a firewall rule, e.g. in iptables format, and break it down into a set of flow entries, preferably Open Flow entries, then to install them on a programmable switch device representing the parts of the firewall corresponding to preferably OSI-layers equal or smaller than four, and a higher layer rule, inserted into a firewall device, preferably an upper-layer firewall processor. Such a decomposition preferably takes care of resolving firewall rules that require a more flexible matching in lower layers by breaking the firewall rule down to a lower layer, preferably smaller than OSI-layer four: For example a firewall rule needs to match all TCP packets with port range 1024-2048 from a certain IP address. The firewall rule is then decomposed in such a way that a flow entry, preferably an Open Flow entry is generated directing all TCP traffic from the IP address defined in the firewall rule to a firewall device, preferably an upper-layer firewall processor. The upper-layer firewall processor then filters only those TCP packets in the port range according to the firewall rule.

According to a preferred embodiment the method includes the step of checking a syntax of the firewall rule. This avoids incorrect firewall rules which cannot or not completely be processed by a firewall rule decomposition device. This might not only lead to an ineffective decomposition of the firewall rule but to a lowered security level for the network to be protected by the firewall due to an at least temporarily misconfigured firewall device.
According to a further preferred embodiment step c) includes extracting policy information and/or step e) includes the step of imposing policy information on the generated lower layer rule and/or higher layer rule. Extracting policy information from the firewall rule allows, for example, the policy information to be separated and stored before the firewall rule is decomposed. When generating a lower layer rule and/or a higher layer rule, this extracted policy information may then be used as additional input during the generation of the lower layer rule and/or the higher layer rule, ensuring that the overall policy of the original firewall rule is still valid after the decomposition and the subsequent generation process. This provides a very flexible and reliable method for providing firewall rules to a flow-based switch. According to a further preferred embodiment network flow identity information is generated and provided to the firewall device. This enables the firewall device to match a higher layer rule more easily to a given network flow which was processed in a switch device according to a lower layer rule, so that the firewall device is able to filter, i.e. "firewall", network flows according to the higher layer rule with an even further decreased work load.
According to a further preferred embodiment the network flow identity information is generated by rewriting a MAC address header of a network flow. The rewriting of the MAC address may for example be performed on a network flow entering a flow-based switch, so that, when subsequently transferring a flow through a firewall device, the firewall device may easily identify the rewritten MAC address and therefore the higher layer rule to be applied to the corresponding network flow. The network flow is then filtered or "firewalled" by the firewall device according to the higher layer rule.
According to a further preferred embodiment the network flow identity information is encapsulated in the network flow. Encapsulating the network flow identity information in the network flow avoids the problems that arise when rewriting a MAC address. Encapsulation may be performed for example by IP-in-IP encapsulation, whereby the flow-based switch adds an extra IP header to data packets to signal the entry that applies to the network flow and the firewall device strips off the extra IP header after filtering or firewalling the corresponding network flow according to the higher layer rule. Devices connected to the firewall device do not receive this additional information, so that disruption of network traffic due to a rewritten MAC address is avoided.
According to a further preferred embodiment the lower layer protocol is based on the Open Flow protocol. The Open Flow protocol provides an easy-to-use and cost-effective protocol for programming flow-based switches and for filtering and/or routing network flows.
According to a preferred embodiment of a system according to claim 8 the firewall rule decomposition device comprises a rule parser for syntax checking of the firewall rule and a rule generator for generating at least one lower layer rule and at least one higher layer rule. The rule parser ensures that the input firewall rules to be used for decomposition are syntactically correct and correspond to a previously given format or syntax, so that they can be decomposed correctly by the rule generator. The rule generator performs the decomposition of the firewall rule according to the lower layer protocol and the higher layer protocol. This provides a reliable generation of higher layer and/or lower layer rules, avoiding network or firewall security problems due to an at least partially incorrect decomposition and generation of lower layer and/or higher layer rules.
According to a further preferred embodiment the rule generator is a compiler operable to provide lexical analysis, parsing, semantic analysis and/or code generation for the lower layer rule and/or for the higher layer rule. A compiler provides a simple and easy-to-use generator for the lower layer rules and/or higher layer rules.
According to a further preferred embodiment the switch device is formed such as to add network flow identity information to a flow. This enables the firewall device to identify a network flow already pre-filtered by the flow-based switch according to the lower layer rule, thus avoiding unnecessary workload on the firewall device and also providing a reliable matching of higher layer rules to a network flow that was routed according to a lower layer rule.
According to a further preferred embodiment the layer of the lower layer rule corresponds to OSI-layers equal to or smaller than four and the layer of the higher layer rule corresponds to OSI-layers greater than five. This assignment of layers enables an easy decomposition of traffic into lower and higher layer protocols, makes it easier to define entries enabling filtering in a flow-based switch device via the Open Flow protocol, and provides filtering on the lower layers up to the transport layer, corresponding to level four in the OSI-layer-model.
According to a further preferred embodiment, the firewall decomposition device is formed such as to generate the lower layer rule and the higher layer rule according to a predefined rule generation policy. A rule generation policy may for example include information about constraints on how to decompose and how to generate lower layer rules and higher layer rules. It is also possible to extract policy information from the firewall rule in its original state and to impose the policy information on the generated lower layer rule and the higher layer rule.
According to a further preferred embodiment the rule generation policy is a NAT integrity policy. Such a policy preserves network address translation (NAT) integrity, so that the rule generator ignores all NAT-related firewall rules. Other rule generation policies are also possible.
According to a further preferred embodiment the switch device is formed such as to add the network flow identity information by rewriting a MAC-header of the network flow and/or by encapsulation, preferably by adding an extra header to the network flow. Rewriting the MAC address provides a very easy-to-handle option for transmitting network flow identity information from the flow-based switch to the firewall device. The firewall device may then easily recognize from the rewritten MAC-address which second rule is to be applied to the network flow. When the network flow identity information is encapsulated in the network flow, the firewall device must analyze the additional information, for example the extra information added in the header of the corresponding network flow. This avoids the problems with devices on the downstream side of the firewall device that arise when a MAC-address is rewritten. There are several ways to design and further develop the teaching of the present invention in an advantageous way. To this end, reference is made to the patent claims subordinate to patent claims 1 and 8 on the one hand and to the following explanation of preferred embodiments of the invention by way of example, illustrated by the drawing, on the other hand.
In connection with the explanation of the preferred embodiment of the invention with the aid of the drawing, generally preferred embodiments and further developments of the teaching will be explained. In the drawing
Fig. 1 shows schematically a method according to a first embodiment of the present invention; and
Fig. 2 shows a schematic view of a method according to a second embodiment of the present invention.
Fig. 1 shows schematically a method according to a first embodiment of the present invention. In Fig. 1 there is shown a firewall rule decomposition device in the form of a rule engine comprising a rule parser, for syntax checking and for checking whether input firewall rules correspond to a pre-given format which can be decomposed, and a rule generator for generating lower layer rules and higher layer rules. Further, the rule engine uses as input one or more predefined firewall syntaxes. The firewall syntax is used to define the grammar of the input firewall rules. Further, an Open Flow syntax is input into the rule engine to define Open Flow protocol entries in the rule generator. A rule engine policy is used to impose preferably predefined constraints on the decomposition and generation process of Open Flow entries and of rules for the firewall device. Such constraints may include information on how to decompose or generate certain rules as well as overall policy information, for example rules which must not be decomposed or the like. The firewall device in Fig. 1 is in the form of an upper-layer firewall processor, in particular a network processor. To obtain an enhanced off-loading of firewall processing to a flow-based switch or switch device, the firewall rule to be decomposed should be as specific as possible.
Based on the input firewall rules and the rule engine policy as well as the Open Flow syntax and the firewall syntax, the rule generator produces two sets of new rules: at least one for the flow-based switch and at least one for the upper layer firewall processor. The rule for the flow-based switch is in Fig. 1 a rule corresponding to an OSI-layer equal to or smaller than four, whereas the rule for the firewall device is a rule corresponding to an OSI-layer greater than five.
The rule generator according to Fig. 1 may include or be used to define a compiler that performs lexical analysis, parsing, semantic analysis and code generation. The lexical analysis is performed on the input firewall rules to create language tokens that form an abstract syntax tree (AST). Once the abstract syntax tree has been generated, it may then be translated using a context-free grammar definition of the Open Flow rule structure together with a token look-up table, converting between the set of input firewall rules in the firewall rule language and the two sets of new rules, those for the flow-based switch and those for the upper layer firewall processor. In the following, example Open Flow rules for Open Flow matching are described in Backus-Naur form notation:
```
OF_RULE := PKT MATCH { ACTION }
ACTION := FORWARD | ENCAPSULATE | SEND | DROP
MATCH := MATCH_OP_1 MATCH_FILTER_1 | MATCH_OP_1 MATCH_FILTER_2 | MATCH_OP_2 MATCH_FILTER_2
MATCH_OP_1 := WILD_CARD | EXACT
MATCH_OP_2 := PREFIX_MATCH
MATCH_FILTER_1 := INPORT | ETYPE | VLAN_ID | ...
MATCH_FILTER_2 := ESRC | EDST | IPV4SRC | IPV4DST
PKT := BYTE_FIELD
```
For example, if a firewall rule is in iptables form (iptables being a userspace application that allows configuring the tables of the Linux kernel firewall) and the iptables rule defines dropping all TCP packets on port 25 to IP address 192.168.1.100, the iptables rule may be mapped as follows from iptables form into the Open Flow rule structure shown above:
```
IPTABLES:
iptables -A INPUT -s 192.168.1.100 -p tcp --destination-port 25 -j DROP
OPENFLOW:
match: nw_src = 192.168.1.100, proto = tcp, tp_dst=25
action: drop
```
Fig. 2 shows a schematic view of a method according to a second embodiment of the present invention.
Fig. 2 shows an Open Flow based switch 1 comprising a switch device 2 and an upper layer firewall processor ULFP. In Fig. 2 the firewall rule to be installed on the Open Flow based switch 1 consists, as an example, of blocking all traffic from source IP address 173.194.70.93 going to http://www.youtube.com, which in a format resembling the netfilter format would look like: `block ip 173.194.70.93 proto tcp port 80 url youtube.com`.
To program the Open Flow based switch 1 with the above-mentioned firewall rule, the firewall rule is inserted into the upper layer firewall processor ULFP, where the decomposition is performed by a firewall rule decomposition device DEC. The firewall rule is split by the firewall rule decomposition device DEC into an Open Flow entry 6 in the switch device 2, matching HTTP packets from the given source IP address, and a rule for the upper layer firewall processor ULFP for youtube traffic. These two rules are installed in the Open Flow entry table 4 of the switch device 2 and in the upper layer firewall processor table 5 of the upper layer firewall processor ULFP, respectively. Further, the firewall rule decomposition device DEC specifies an addition to the Open Flow entry action for the upper layer firewall processor ULFP, namely a MAC header rewrite operation. The rewritten header of a flow, with the header addition or marking, is later used by the upper layer firewall processor ULFP to demultiplex (reference sign DEMUX for a demultiplexer device, preferably within the upper layer firewall processor ULFP) flows from the switch device 2, where switch device 2 performs Open Flow filtering according to the entries 6 of the Open Flow entry table 4. If a flow arrives at the switch device 2, the switch device 2 rewrites the MAC header address of the flow to match the flow to the corresponding upper layer firewall processor rule; in Fig. 2 the corresponding rule defines url = youtube.com. Flows which do not match the upper layer firewall processor rule are forwarded on. Otherwise the flow is dropped. The upper layer firewall processor rule may include a number representing the Open Flow switch port to send the flow out on.
The header addition or marking is used by the upper layer firewall processor ULFP to identify which higher layer rule corresponds to a flow incoming from the switch device 2. The flows must be labeled in such a way that the upper layer firewall processor ULFP is able to distinguish between the different flows.
When the header addition or marking is encapsulated, in particular IP-in-IP, the switch device 2 adds an extra IP header to packets to signal an entry in table 5 for the higher layer rules of the upper-layer firewall processor ULFP. After identifying the higher layer rule corresponding to the incoming flow, the upper layer firewall processor ULFP, in particular the demultiplexer device DEMUX, strips off the addition or marking.
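The decomposition described above (a rule whose port range or URL part the switch cannot match exactly is split into a steering Open Flow entry plus a ULFP rule) and the Fig. 2 marking and demultiplexing, as an added Python example that is not the patent's own code: the netfilter-like keyword syntax, the `02:00:00:00:00:NN` marker MACs, port 99 as the ULFP port and the `url` packet field standing in for layer-7 inspection are all assumptions.

```python
"""Added example (not the patent's own code): decompose netfilter-style rules into
OpenFlow entries (OSI layer <= 4, exact match) plus residual ULFP rules, then push
constructed packets through both tables."""
import re
from dataclasses import dataclass

KEYWORDS = {"ip", "proto", "port", "url"}   # assumed keywords of the firewall syntax
ULFP_PORT = 99                               # assumed switch port leading to the ULFP


@dataclass
class OFEntry:
    match: dict      # exact-match fields only: no port ranges, nothing above layer 4
    actions: list    # e.g. ["drop"] or ["mod_dl_dst:<marker>", "output:99"]


@dataclass
class ULFPRule:
    marker: str      # rewritten destination MAC the ULFP demultiplexes on
    port_range: tuple = None
    url: str = None
    action: str = "drop"


def parse_rule(text):
    """Syntax check and parse. A rule the decomposer could not process fully is
    rejected outright instead of yielding a partial, weaker rule set."""
    tok = text.split()
    if len(tok) < 3 or tok[0] not in ("block", "allow") or len(tok) % 2 == 0:
        raise ValueError(f"malformed rule: {text!r}")
    rule = {"action": "drop" if tok[0] == "block" else "forward"}
    for key, value in zip(tok[1::2], tok[2::2]):
        if key not in KEYWORDS:
            raise ValueError(f"unknown keyword {key!r} in {text!r}")
        rule[key] = value
    return rule


def decompose(rule, index):
    """Return (OFEntry, ULFPRule or None). Fields the switch can match exactly stay
    in the switch; a port range or URL goes to the ULFP, and the switch entry then
    only steers the flow there, marking it with a rewritten destination MAC."""
    match = {of: rule[k] for k, of in (("ip", "nw_src"), ("proto", "proto")) if k in rule}
    port_range = None
    if "port" in rule:
        m = re.fullmatch(r"(\d+)-(\d+)", rule["port"])
        if m:
            port_range = (int(m[1]), int(m[2]))   # a range is not an exact match
        else:
            match["tp_dst"] = int(rule["port"])
    url = rule.get("url")
    if port_range is None and url is None:
        return OFEntry(match, [rule["action"]]), None   # whole rule fits the switch
    marker = f"02:00:00:00:00:{index:02x}"   # locally administered MAC (constructed)
    steer = OFEntry(match, [f"mod_dl_dst:{marker}", f"output:{ULFP_PORT}"])
    return steer, ULFPRule(marker, port_range, url, rule["action"])


def build_tables(rule_texts):
    of_table, ulfp_table = [], []
    for i, text in enumerate(rule_texts, start=1):
        of, high = decompose(parse_rule(text), i)
        of_table.append(of)
        if high is not None:
            ulfp_table.append(high)
    of_table.sort(key=lambda e: len(e.match), reverse=True)  # exact matches first
    return of_table, ulfp_table


def switch_process(pkt, of_table):
    """Line-rate lookup on layer <= 4 fields. Returns (verdict, possibly marked pkt)."""
    for entry in of_table:
        if all(pkt.get(k) == v for k, v in entry.match.items()):
            out = dict(pkt)
            for act in entry.actions:
                if act.startswith("mod_dl_dst:"):
                    out["dl_dst"] = act.split(":", 1)[1]   # add flow identity marker
                elif act == f"output:{ULFP_PORT}":
                    return "to_ulfp", out
                else:
                    return act, out
    return "forward", pkt   # table miss: default forwarding


def ulfp_process(pkt, ulfp_table):
    """Demultiplex on the marker and apply only that rule's higher-layer checks;
    flows that do not match the higher-layer rule are forwarded on."""
    rule = next((r for r in ulfp_table if r.marker == pkt.get("dl_dst")), None)
    if rule is None:
        return "forward"
    lo, hi = rule.port_range or (0, 65535)
    if not lo <= pkt.get("tp_dst", 0) <= hi:
        return "forward"
    if rule.url is not None and pkt.get("url") != rule.url:  # 'url' stands for L7 inspection
        return "forward"
    return rule.action


def filter_packet(pkt, of_table, ulfp_table):
    verdict, marked = switch_process(pkt, of_table)
    return ulfp_process(marked, ulfp_table) if verdict == "to_ulfp" else verdict
```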
It is also possible that the flow-based switch device and the firewall device are separate devices, for example that the upper-layer firewall processor ULFP is implemented at an external entity, for example in an Open Flow Controller controlling an Open Flow based switch device.
In summary, one advantage of the invention is that the system and the method for providing a firewall rule provide matching at line-rate in the lower transport layers on all flows and higher layer matching on a sub-set of flows, also at line-rate, thereby optimizing the work load between a switch and a firewall.
A further advantage is that the invention provides a simple and light-weight mechanism for traversing firewalls: for traversal of the firewall a simple entry in the Open Flow entry table for the flow allowing it to be passed through is possible.
A further advantage is that fast matching of low layer rules is possible, in particular if the lower layer rules correspond to the Open Flow protocol, due to the prioritization scheme in which entries specifying an exact match, in particular without wildcards, have the highest priority. A further advantage of the invention is that the method and the system for providing a firewall rule are inexpensive while still providing higher order and expressive firewall rules and firewall traversal capabilities.
Further advantages and inventive steps of the system and the method for filtering network traffic according to the present invention are:
a) off-loading firewall processing to a flow-based switch, preferably programmable and/or Open Flow based, by decomposing a firewall rule,
b) allowing firewall traversal of the off-loaded rules on a flow-based switch,
c) using the capability of line-rate forwarding of inexpensive flow-based switches, preferably programmable and/or Open Flow based, while still providing expressive firewall rules, including the ability to provide firewall traversal capabilities, and
d) resolving the limitation of using very simple Open Flow entries for performing low-level firewalling, e.g. blocking all traffic to a specific TCP port.
Many modifications and other embodiments of the invention set forth herein will come to mind to one skilled in the art to which the invention pertains having the benefit of the teachings presented in the foregoing description and the associated drawings. Therefore, it is to be understood that the invention is not to be limited to the specific embodiments disclosed and that modifications and other embodiments are intended to be included within the scope of the appended claims. Although specific terms are employed herein, they are used in a generic and descriptive sense only and not for purposes of limitation.
Claims
1. A method for providing a firewall rule comprising the steps of
a) defining a firewall rule for filtering network traffic,
b) providing a lower layer network protocol and a higher layer network protocol,
c) analyzing the firewall rule,
d) decomposing the analyzed firewall rule,
e) generating at least one lower layer rule according to the lower layer network protocol and at least one higher layer rule according to the higher layer protocol from the decomposed firewall rule,
f) providing the generated lower layer rule to a flow-based switch device (2) for routing network traffic according to the generated lower layer rule and the generated higher layer rule to a firewall device (ULFP) for filtering network traffic according to the firewall rule.
2. A method according to claim 1, characterized in that the method includes the step of checking the syntax of a firewall rule.
3. A method according to claim 1 or 2, characterized in that step c) includes extracting policy information and/or step e) includes the step of imposing policy information on the generated lower order rule and/or higher order rule.
4. A method according to one of the claims 1-3, characterized in that network flow identity information is generated and provided to the firewall device (ULFP).
5. A method according to claim 4, characterized in that the network flow identity information is generated by rewriting a MAC address header of a flow.
6. A method according to claims 4 or 5, characterized in that the network flow identity information is encapsulated in the network flow.
7. A method according to one of the claims 1-6, characterized in that the lower order network protocol is based on the Open Flow protocol.
8. A system (1) for providing a firewall rule, preferably for carrying out a method according to one of the claims 1-7, comprising a flow-based switch device (2) and routing means for routing network traffic according to at least one first rule and a firewall device (ULFP) for filtering network traffic according to at least one second rule,
characterized in that the system (1) further comprises a firewall rule decomposition device (DEC), wherein the firewall rule decomposition device (DEC) is operable to decompose a firewall rule and to generate at least one lower layer rule according to a lower layer protocol and at least one higher layer rule according to a higher layer protocol from the decomposed firewall rule and to provide the generated lower layer rule as a first rule to the flow-based switch device (2) and the higher layer rule as a second rule to the firewall device (ULFP).
9. A system according to claim 8, characterized in that the firewall rule decomposition device (DEC) comprises a rule parser for syntax checking of the firewall rule and a rule generator for generating at least one lower layer rule and at least one higher layer rule.
10. A system according to claim 8 or 9, characterized in that the rule generator is a compiler operable such to provide lexical analysis, parsing, semantic analysis and/or code generation for the lower layer rule and/or for the higher layer rule.
11. A system according to claims 8-10, characterized in that the switch device (2) is formed such as to add network flow identity information to a flow.
12. A system according to claims 8-11, characterized in that the layer of the lower layer rule corresponds to OSI-layers equal to or smaller than four and that the order of the higher layer rule corresponds to OSI-layers greater than five.
13. A system according to claims 8-12, characterized in that the firewall rule decomposition device (DEC) is formed such to generate the lower layer rule and the higher layer rule according to a predefined rule generation policy.
14. A system according to claim 13, characterized in that the rule generation policy is a NAT integrity policy.
15. A system according to claim 11, characterized in that the switch device (2) is formed such as to add the network flow identity information by rewriting a MAC header of the flow and/or by encapsulation, preferably by adding an extra header.
Applications Claiming Priority (2)
Application Number | Priority Date | Filing Date | Title
---|---|---|---
EP11002570 | 2011-03-29 | |
EP11002570.7 | 2011-03-29 | |
Publications (1)
Publication Number | Publication Date |
---|---|
WO2012130523A1 true WO2012130523A1 (en) | 2012-10-04 |
Family
ID=45819182
Family Applications (1)
Application Number | Title | Priority Date | Filing Date |
---|---|---|---|
PCT/EP2012/052609 WO2012130523A1 (en) | 2011-03-29 | 2012-02-15 | A method for providing a firewall rule and a corresponding system |
Country Status (1)
Country | Link |
---|---|
WO (1) | WO2012130523A1 (en) |
Cited By (11)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
US20140245423A1 (en) * | 2013-02-26 | 2014-08-28 | Zentera Systems, Inc. | Peripheral Firewall System for Application Protection in Cloud Computing Environments |
US9525564B2 (en) | 2013-02-26 | 2016-12-20 | Zentera Systems, Inc. | Secure virtual network platform for enterprise hybrid cloud computing environments |
US9596315B2 (en) | 2013-05-30 | 2017-03-14 | Zentera Systems, Inc. | Secure data transfer platform for hybrid computing environment |
CN106790068A (en) * | 2016-12-21 | 2017-05-31 | 西安兖矿科技研发设计有限公司 | A kind of method for accelerating industry control firewall rule to match |
US9699034B2 (en) | 2013-02-26 | 2017-07-04 | Zentera Systems, Inc. | Secure cloud fabric to connect subnets in different network domains |
US10348767B1 (en) | 2013-02-26 | 2019-07-09 | Zentera Systems, Inc. | Cloud over IP session layer network |
US10382401B1 (en) | 2013-02-26 | 2019-08-13 | Zentera Systems, Inc. | Cloud over IP for enterprise hybrid cloud network and security |
US10484334B1 (en) | 2013-02-26 | 2019-11-19 | Zentera Systems, Inc. | Distributed firewall security system that extends across different cloud computing networks |
US10530684B2 (en) | 2015-05-19 | 2020-01-07 | International Business Machines Corporation | Management of unreachable OpenFlow rules |
CN111600812A (en) * | 2020-05-13 | 2020-08-28 | 优刻得科技股份有限公司 | Message processing method, processing device, readable medium and system |
US20210092142A1 (en) * | 2016-02-25 | 2021-03-25 | Imperva, Inc. | Techniques for targeted botnet protection |
Citations (1)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
US20040243835A1 (en) * | 2003-05-28 | 2004-12-02 | Andreas Terzis | Multilayer access control security system |
2012-02-15: WO PCT/EP2012/052609 patent/WO2012130523A1/en active Application Filing
Legal Events
Date | Code | Title | Description
---|---|---|---
 | 121 | Ep: the epo has been informed by wipo that ep was designated in this application | Ref document number: 12708505 Country of ref document: EP Kind code of ref document: A1
 | NENP | Non-entry into the national phase | Ref country code: DE
 | 122 | Ep: pct application non-entry in european phase | Ref document number: 12708505 Country of ref document: EP Kind code of ref document: A1