The field of the invention is information systems access control, and in particular high resolution filtering of packetized information.
A firewall regulates the flow of packetized information. A packet includes a header and a payload. The header includes header parameters, including a source and destination address for the packet, as well as source and destination port numbers and a protocol number. Other examples of header parameters include various flags (e.g., security features implemented with respect to the packet (AUTHENTICATED, ENCRYPTED), quality of service requirements (e.g., HIGH, MEDIUM, LOW) for handling the packet, a priority parameter for handling the packet (e.g., ROUTINE, URGENT, FLASH), etc.) The payload includes the data meant to be conveyed by the packet from its source to its intended destination.
A known firewall is placed between the packet""s source and intended destination, where it intercepts the packet. The known firewall filters a packet based upon the packet""s header parameters and a rule loaded into the firewall. The rule correlates a pattern in the header of a packet with a prescribed action, either PASS or DROP. The filter identifies the rule that applies to the packet based upon the packet""s header, and then implements the rule""s prescribed action. When a DROP action is performed, the packet is blocked (deleted), and does not reach its intended destination. When a PASS action is performed, the packet is passed on toward its intended destination. The set of rules loaded into a firewall reflect a security policy, which prescribes what type of information is permissible to pass through the firewall, e.g., from which source, to which destination, for which applications, etc.
The set of rules loaded into a known firewall operate at a low level of resolution. As described above, a firewall rule prescribes a PASS or DROP action based only upon the header parameters of the packet. Packet header parameters alone do not reveal the ultimate target of, for example, a connection request from a sender to a destination host. For example, a HyperText Transfer Protocol (HTTP) connection request to send the file located at http://www.att.com/secret.html is not entirely disclosed in the header of the packet initiating the request. The header reveals the Internet Protocol (IP) address of the proxy corresponding to the domain name att.com. However, information regarding the particular file that is being requested, secret.html, is embedded in the payload of the packet. Since known firewalls only filter packets based upon their header parameters, known filters cannot PASS or DROP a packet on the basis of a particular file at a given destination. The same shortfall in known filters exists for filtering a packet destined for a particular newsgroup, chat session, e-mail address, etc.
The present invention provides high resolution access control for packetized information. In accordance with one embodiment of the present invention, a packet is received at a firewall and referred to an access control proxy. The access control proxy analyzes the contents of the packet, and identifies an access rule based upon the contents. The action prescribed by the access rule is performed with respect to the packet and any related packets. This advantageously provides for filtering a packet based not only upon its header information, as in known firewalls, but upon the information contained in the packet payload.