United States Patent  [ii] Patent Number: 5,606,668
Shwed  Date of Patent: Feb. 25,1997
 SYSTEM FOR SECURING INBOUND AND OUTBOUND DATA PACKET FLOW IN A COMPUTER NETWORK
 Inventor: Gil Shwed, Jerusalem, Israel
 Assignee: Checkpoint Software Technologies
Ltd., Jerusalem, Israel
 Appl. No.: 168,041
 Filed: Dec. 15,1993
 Int. CI.6 G06F 13/36; G06F 15/401
 U.S. CI 395/200.11; 395/200.1;
395/836; 395/186; 395/187.01; 380/42
 Field of Search 395/200.01, 200.1,
395/200.11, 835, 836, 186, 726, 187.01;
 References Cited
U.S. PATENT DOCUMENTS
4,315,315 2/1982 Kossiakoff 364/300
4,736,320 4/1988 Bristol 364/300
5,247,693 9/1993 Bristol 395/800
"A Software Design and Implementation for Filtering, Forwarding and Ciphering in a Secure Bridge", Soriano et al, IEEE, 1992, pp. 487-492.
"A Network Firewall", Marcus J. Ranum, Digital Equipment Corporation.
A filter module allows controlling network security by specifying security rules for traffic in the network and accepting or dropping communication packets according to these security rules. A set of security rules are defined in a high level form and are translated into a packet filter code. The packet filter code is loaded into packet filter modules located in strategic points in the network. Each packet transmitted or received at these locations is inspected by performing the instructions in the packet filter code. The result of the packet filter code operation decides whether to accept (pass) or reject (drop) the packet, disallowing the communication attempt.
12 Claims, 18 Drawing Sheets