
Method and System of MPLS based Firewall/Access Control

IP.com Disclosure Number: IPCOM000171118D
Original Publication Date: 2008-May-30
Included in the Prior Art Database: 2008-May-30
Document File: 2 page(s) / 89K

Publishing Venue

IBM

Abstract

As defined in Wikipedia [1], a firewall is a dedicated appliance, or software running on another computer, which inspects network traffic passing through it and denies or permits passage based on a set of rules. The basic task of the firewall is to regulate some of the flow of traffic between computer networks of different trust levels. Typical examples are the Internet, which is a zone with no trust, and an internal network, which is a zone of higher trust. A zone with an intermediate trust level, situated between the Internet and a trusted internal network, is often referred to as a "perimeter network" or demilitarized zone (DMZ). As summarized in [2], there are several classifications of firewalls depending on where the communication is taking place, where the communication is intercepted and the state that is being traced. Early firewalls, which are network layer based, filter traffic according to packet attributes such as source IP address, source port, destination IP address or destination port. Because network layer based firewalls can be easily implemented in hardware, they have very high operational efficiency and cause little performance degradation to applications. However, network layer based firewalls cannot inspect packets for improper application content, so they fail to restrict or prevent outright the spread of networked computer worms and trojans. To address this issue, application layer based firewalls [3] were produced to inspect the contents of the traffic, blocking what the firewall administrator views as inappropriate content, such as certain websites, viruses, attempts to exploit known logical flaws in client software, and so forth.
Although application layer based firewalls have powerful filtering functions, they are so complicated (they are implemented in software) and so difficult to attempt (given the variety of applications and the diversity of content each may allow in its packet traffic) that comprehensive firewall design does not generally attempt this approach. It is well known that IBM has many products for network datacenters, servers, appliances and network management, and most services developed by IBM or carried in IBM products require application layer filtering. Therefore, it is highly necessary to invent a hardware enabled application layer based firewall that combines the efficiency of hardware with the application layer requirement.

This text was extracted from a PDF file.
At least one non-text object (such as an image or picture) has been suppressed.
This is the abbreviated version, containing approximately 40% of the total text.

Page 1 of 2

Method and System of MPLS based Firewall/Access Control

The main idea of this invention is to employ Multi-Protocol Label Switching (MPLS) to achieve hardware enabled application layer based firewalls to accelerate the content filtering between intranet and DMZ. The basic principle of MPLS is illustrated in Fig. 2. MPLS provides a label switching function, which is hardware enabled, to accelerate the routing and switching of IP packets in the core network. At the network edge, the label edge routers append a fixed-length label in front of IP packets, and then routers/switches in the core network can forward the packets quickly by checking the label in hardware rather than checking the IP header.

Our idea is to deploy an MPLS label administrator to distribute labels for packets required to be filtered by an MPLS enabled firewall between intranet and DMZ.

filter...
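The passage above describes two mechanisms: the label edge router pushes a fixed-length label onto each IP packet, and downstream devices act on that label instead of re-parsing the IP header. The following Python is an added example, not code from the disclosure or from IBM, that models both steps: it encodes and decodes MPLS label stack entries in the standard shim-header layout (20-bit label, 3-bit TC, 1-bit bottom-of-stack, 8-bit TTL), classifies packets once at ingress, lets a hypothetical `LabelAdministrator` assign one label per policy class, and then has the firewall decide allow/inspect/drop by label lookup only. The zone addresses, policy classes, label values and the `LabelAdministrator`/`firewall_decision` names are all constructed assumptions; the disclosure does not specify them. It also adds one caveat the passage does not spell out: a label the administrator never issued is dropped by default rather than trusted.

```python
"""Constructed model of MPLS-label-based firewall dispatch (added example, not the disclosure's code)."""
import ipaddress
import struct
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

RESERVED_LABEL_MAX = 15  # labels 0-15 are reserved by the MPLS specification and must not be allocated

# Constructed trust zones (assumption, not from the disclosure).
INTRANET = ipaddress.ip_network("10.0.0.0/8")
DMZ = ipaddress.ip_network("192.0.2.0/24")


@dataclass(frozen=True)
class MplsEntry:
    """One 32-bit label stack entry: label(20) | TC(3) | S(1) | TTL(8)."""
    label: int
    tc: int = 0
    bos: bool = True
    ttl: int = 64


def encode_entry(e: MplsEntry) -> bytes:
    """Pack a label stack entry into the 4-byte network-order shim header."""
    if not (0 <= e.label < 1 << 20 and 0 <= e.tc < 8 and 0 <= e.ttl < 256):
        raise ValueError("MPLS field out of range")
    return struct.pack("!I", (e.label << 12) | (e.tc << 9) | (int(e.bos) << 8) | e.ttl)


def decode_stack(data: bytes) -> Tuple[List[MplsEntry], bytes]:
    """Walk entries until the bottom-of-stack bit; return (entries, remaining payload)."""
    entries: List[MplsEntry] = []
    off = 0
    while True:
        if len(data) - off < 4:
            raise ValueError("truncated label stack")
        (word,) = struct.unpack_from("!I", data, off)
        off += 4
        e = MplsEntry(word >> 12, (word >> 9) & 0x7, bool((word >> 8) & 0x1), word & 0xFF)
        entries.append(e)
        if e.bos:
            return entries, data[off:]


class LabelAdministrator:
    """Hypothetical label administrator: one label per policy class, reserved range excluded."""

    def __init__(self, first_label: int = 100) -> None:
        self._next = first_label
        self._by_class: Dict[str, int] = {}
        self._by_label: Dict[int, str] = {}

    def allocate(self, policy_class: str) -> int:
        if policy_class not in self._by_class:
            if self._next <= RESERVED_LABEL_MAX or self._next >= 1 << 20:
                raise ValueError("label space exhausted or reserved")
            self._by_class[policy_class] = self._next
            self._by_label[self._next] = policy_class
            self._next += 1
        return self._by_class[policy_class]

    def policy_class(self, label: int) -> Optional[str]:
        return self._by_label.get(label)


def make_ipv4_tcp(src: str, dst: str, dport: int) -> bytes:
    """Constructed minimal IPv4+TCP packet (checksums left zero; enough for classification)."""
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 40, 0, 0, 64, 6, 0,
                     ipaddress.ip_address(src).packed, ipaddress.ip_address(dst).packed)
    tcp = struct.pack("!HHIIBBHHH", 40000, dport, 0, 0, 0x50, 0x02, 65535, 0, 0)
    return ip + tcp


def classify(ipv4_packet: bytes) -> str:
    """Ingress label edge router: the only place the IP header is parsed."""
    ihl = (ipv4_packet[0] & 0x0F) * 4
    proto = ipv4_packet[9]
    src = ipaddress.ip_address(ipv4_packet[12:16])
    dst = ipaddress.ip_address(ipv4_packet[16:20])
    dport = struct.unpack_from("!H", ipv4_packet, ihl + 2)[0] if proto in (6, 17) else None
    if src in INTRANET and dst in DMZ:
        return "intranet-to-dmz-http" if dport in (80, 443) else "intranet-to-dmz-other"
    if src in DMZ and dst in INTRANET:
        return "dmz-to-intranet"
    return "unclassified"


def push_label(admin: LabelAdministrator, ipv4_packet: bytes) -> bytes:
    """Prepend the fixed-length label chosen for the packet's policy class."""
    return encode_entry(MplsEntry(admin.allocate(classify(ipv4_packet)))) + ipv4_packet


# Constructed firewall policy per class (assumption): "inspect" hands the packet to the
# application-layer content filter, everything else is decided by the label alone.
ACTIONS = {
    "intranet-to-dmz-http": "inspect",
    "intranet-to-dmz-other": "drop",
    "dmz-to-intranet": "drop",
}


def firewall_decision(admin: LabelAdministrator, labeled_packet: bytes) -> str:
    """MPLS-enabled firewall: dispatch on the top label, never on the IP header."""
    stack, _payload = decode_stack(labeled_packet)
    cls = admin.policy_class(stack[0].label)
    if cls is None:
        return "drop"  # label not issued by the administrator: default deny
    return ACTIONS.get(cls, "drop")


def demo() -> Dict[str, str]:
    """Run constructed packets through ingress labelling and the label-based firewall."""
    admin = LabelAdministrator()
    results = {}
    for name, pkt in {
        "web": make_ipv4_tcp("10.1.2.3", "192.0.2.10", 443),
        "ssh": make_ipv4_tcp("10.1.2.3", "192.0.2.10", 22),
        "back": make_ipv4_tcp("192.0.2.10", "10.1.2.3", 445),
    }.items():
        results[name] = firewall_decision(admin, push_label(admin, pkt))
    # A label the administrator never issued is dropped without consulting the IP header.
    forged = encode_entry(MplsEntry(4242)) + make_ipv4_tcp("10.1.2.3", "192.0.2.10", 443)
    results["forged"] = firewall_decision(admin, forged)
    return results


if __name__ == "__main__":
    print(demo())
```

The design point worth noting is where trust is placed: the label is only as trustworthy as the edge that pushed it, so the firewall's lookup table must contain only administrator-issued labels and treat anything else as unknown, which is what the `forged` case in `demo()` exercises.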