IIIIIIIIIIIIIIIIIIIIIIIIIUIIIIIIIIIIIIIIIIIIIIIIIIII
US0O5606668A
United States Patent [19] [ii] Patent Number: 5,606,668
Shwed [45] Date of Patent: Feb. 25,1997
[54] SYSTEM FOR SECURING INBOUND AND OUTBOUND DATA PACKET FLOW IN A COMPUTER NETWORK
[75] Inventor: Gil Shwed, Jerusalem, Israel
[73] Assignee: Checkpoint Software Technologies
Ltd., Jerusalem, Israel
[21] Appl. No.: 168,041
[22] Filed: Dec. 15,1993
[51] Int. CI.6 G06F 13/36; G06F 15/401
[52] U.S. CI 395/200.11; 395/200.1;
395/836; 395/186; 395/187.01; 380/42
[58] Field of Search 395/200.01, 200.1,
395/200.11, 835, 836, 186, 726, 187.01;
380/42
[56] References Cited
U.S. PATENT DOCUMENTS
4,315,315 2/1982 Kossiakoff 364/300
4,736,320 4/1988 Bristol 364/300
5,247,693 9/1993 Bristol 395/800
OTHER PUBLICATIONS
"A Software Design and Implementation for Filtering, Forwarding and Ciphering in a Secure Bridge", Soriano et al, IEEE, 1992, pp. 487-492.
"A Network Firewall", Marcus J. Ranum, Digital Equipment Corporation.
A filter module allows controlling network security by specifying security rules for traffic in the network and accepting or dropping communication packets according to these security rules. A set of security rules are defined in a high level form and are translated into a packet filter code. The packet filter code is loaded into packet filter modules located in strategic points in the network. Each packet transmitted or received at these locations is inspected by performing the instructions in the packet filter code. The result of the packet filter code operation decides whether to accept (pass) or reject (drop) the packet, disallowing the communication attempt.
12 Claims, 18 Drawing Sheets
