Computer networks such as local area networks (LANs) today provide internal communication within virtually all types of organizations. Recently, local area networks have been connected together into what are known as "internetworks". Internetworks provide communication between administratively distinct organizations, linking businesses, schools, and government agencies. Unfortunately, internetworks create security problems that cannot be solved with existing mechanisms used within individual organizations, such as restricting physical access to host systems. In particular, interconnection of local area networks at the datagram level is an "all or none" mechanism, allowing outsiders access to all resources on an organization's network. Where this type of interconnection is provided, in order to avoid penetration into the organization's computer systems, every host within the organization must be individually secured. Such security measures are extremely costly when tens of thousands of workstations are in use within the organization. Accordingly, network administrators need a generalized system to restrict inter-organization access to hosts and applications within their organization.
One example of a packet forwarding device used to connect multiple local area networks into an internetwork is a "router" (also referred to as a "gateway"). Existing network layer routers are based on the internet protocol (IP) suite. All datagrams in an IP internetwork carry an IP header, which includes source and destination host addresses. Data is carried by transport protocols layered above the IP layer. Common transport protocols include the Transport Control Protocol (TCP), and the User Datagram Protocol (UDP). To provide network security, network administrators for an organization desire to restrict the use of such higher level protocols through each gateway connecting the organization with the internet.
The TCP and UDP protocols incorporate the concept of a "port", identifying an end point of a communication path. In some cases network managers desire the ability to restrict access to specific ports of systems within their organization.
Various specific approaches have been used to protect an organization's network from unwanted internetwork connections by blocking connections in gateways. One existing approach is to remove routing table entries in each gateway that define routes to specific external networks, thus making it impossible for a local host to send packets to those external networks. Since most protocols require some bi-directional packet flow, breaking the route in one direction is usually sufficient to prevent formation of a connection. However, this approach does not allow the network administrator to permit access to some local hosts but not others.
Other existing packet filtering systems parse the headers of received packets and apply filtering rules directly from a simple set of rules input by the network administrator to determine whether to route or drop the packet. In existing systems, the header fields used to filter the received packets include packet type (TCP, UDP, etc.), source IP address, destination IP address, as well as source and destination TCP/UDP ports.
In addition to the information contained in the headers, some existing gateway filtering systems allow a network administrator to specify rules that determine whether a packet should be filtered based in part on which router interface the packet is destined to go out on, and others allow rules based on which interface the packet came in on.
Filtering rules are expressed in existing systems as a table of conditions and associated actions which are applied to each received packet in a predetermined order until a decision to route or drop the packet is reached. Each row in the table contains the conditions specified by a single rule and whether or not to drop a packet which meets those conditions. When a particular packet meets all the conditions specified by a given row of the table, the packet is either dropped or forwarded, according to the action specified in the row. Such exhaustive searching of the rule table is time consuming and reduces gateway performance.
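The rule-table filter described above, with the header fields from the earlier paragraphs (protocol, source and destination IP address, source and destination TCP/UDP port, and inbound/outbound interface), is shown here as an added example; it is not code from the patent. It parses a minimal IPv4 header plus the first four bytes of the transport header from constructed packet bytes, then walks an ordered rule table with first-match semantics and a default action, and reports how many rows were examined so the linear-search cost the text complains about is visible. The rule table, interface names, addresses and the default-drop policy are all assumptions made for the example.

```python
import ipaddress
import struct
from dataclasses import dataclass
from typing import List, Optional, Tuple

PROTO_TCP = 6
PROTO_UDP = 17


@dataclass
class Packet:
    """Header fields a gateway filter consults, plus the interfaces involved."""
    proto: int
    src: str
    dst: str
    sport: Optional[int]   # None for protocols without ports
    dport: Optional[int]
    in_if: str             # interface the packet arrived on
    out_if: str            # interface the routing decision selected


def parse_ipv4(raw: bytes, in_if: str, out_if: str) -> Packet:
    """Extract protocol, addresses and (for TCP/UDP) ports from raw IPv4 bytes."""
    ihl = (raw[0] & 0x0F) * 4            # header length in bytes
    proto = raw[9]
    src = str(ipaddress.IPv4Address(raw[12:16]))
    dst = str(ipaddress.IPv4Address(raw[16:20]))
    sport = dport = None
    # TCP and UDP both place source port then destination port first.
    if proto in (PROTO_TCP, PROTO_UDP) and len(raw) >= ihl + 4:
        sport, dport = struct.unpack("!HH", raw[ihl:ihl + 4])
    return Packet(proto, src, dst, sport, dport, in_if, out_if)


@dataclass
class Rule:
    """One row of the rule table; a None field means 'any'."""
    action: str                   # "forward" or "drop"
    proto: Optional[int] = None
    src: Optional[str] = None     # CIDR prefix
    dst: Optional[str] = None
    sport: Optional[int] = None
    dport: Optional[int] = None
    in_if: Optional[str] = None
    out_if: Optional[str] = None

    def matches(self, p: Packet) -> bool:
        if self.proto is not None and p.proto != self.proto:
            return False
        if self.src is not None and ipaddress.ip_address(p.src) not in ipaddress.ip_network(self.src):
            return False
        if self.dst is not None and ipaddress.ip_address(p.dst) not in ipaddress.ip_network(self.dst):
            return False
        if self.sport is not None and p.sport != self.sport:
            return False
        if self.dport is not None and p.dport != self.dport:
            return False
        if self.in_if is not None and p.in_if != self.in_if:
            return False
        if self.out_if is not None and p.out_if != self.out_if:
            return False
        return True


def filter_packet(rules: List[Rule], p: Packet, default: str = "drop") -> Tuple[str, int]:
    """Apply rules in order until one matches; return (action, rows examined)."""
    for i, rule in enumerate(rules, start=1):
        if rule.matches(p):
            return rule.action, i
    return default, len(rules)   # every row was examined and none matched


def build_ipv4(proto: int, src: str, dst: str, sport: int, dport: int) -> bytes:
    """Constructed packet: 20-byte IPv4 header plus first 8 transport bytes, no checksums."""
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 28, 0, 0, 64, proto, 0,
                      ipaddress.IPv4Address(src).packed, ipaddress.IPv4Address(dst).packed)
    return hdr + struct.pack("!HHHH", sport, dport, 0, 0)


# Assumed policy: internal network 10.0.0.0/8 sits behind interface "inside".
RULES = [
    Rule("forward", proto=PROTO_TCP, dst="10.1.2.3/32", dport=25, out_if="inside"),  # mail host
    Rule("drop", proto=PROTO_TCP, dst="10.0.0.0/8", dport=23, in_if="outside"),      # no inbound telnet
    Rule("forward", src="10.0.0.0/8", in_if="inside"),                               # outbound traffic
]


def classify(raw: bytes, in_if: str, out_if: str) -> Tuple[str, int]:
    return filter_packet(RULES, parse_ipv4(raw, in_if, out_if))


if __name__ == "__main__":
    mail = build_ipv4(PROTO_TCP, "198.51.100.7", "10.1.2.3", 4000, 25)
    print(classify(mail, "outside", "inside"))   # ('forward', 1)
```

Because the table is scanned top to bottom, the cost of a non-matching packet grows with the number of rules; the fourth packet in the test below is examined against every row before the default applies.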
Thus there is needed a new system for packet filtering which does not require a search through individual rules in a packet filtering database for each received packet. The new system should also not require removal of routes to specific external networks from network routing tables. And the new system should permit filtering based on both source and destination TCP/UDP ports.