The invention relates to packet filters in general. More particularly, the invention relates to a method and apparatus for filtering data packets using a dedicated processor and a list of source addresses stored in high-speed memory, as well as a means for periodically updating the list of source addresses to ensure the list is kept current.
Many companies and individual homes have access to the Internet, and more particularly, the World Wide Web (WWW). With the growing number of Internet sites, there is also a growing number of sites which provide content that some companies may deem inappropriate for the workplace. Similarly, there are many Internet sites which provide content that parents may deem inappropriate for young children.
Data packet filters are currently available which filter out data packets from certain Internet sites. On the commercial side, these filters are often implemented as part of a router or xe2x80x9cfirewall.xe2x80x9d On the individual side, these filters are implemented as programs which run on a personal computer and operate in conjunction with individual browser software. Both the commercial and individual filters operate by storing lists of prohibited source addresses, such as Internet Protocol (IP) addresses, and filtering out any data packets received from a site with a prohibited source IP address. One problem with the currently available filters is that there is a performance degradation as the list of prohibited source IP addresses grows. Another problem is the administration of prohibited source IP address lists. Internet sites are being added and changed every day, and it is very difficult to keep a prohibited source IP address list up to date.
One example of a conventional data packet filter is described in U.S. Pat. No. 5,606,668 titled xe2x80x9cSystem for Securing Inbound and Outbound Data Packet Flow in a Computer Network.xe2x80x9d The ""668 patent relates to computer network security and the control of information flow between internal and external network destinations. The patent broadly describes prior art packet filtering using access list tables. The patent is directed to a filter module which provides network security by specifying security rules for network traffic and accepting or dropping data packets according to the security rules. The rules are implemented in packet filter code which is executed by packet filter modules located at various locations within the network.
The packet filter disclosed in the ""668 patent, however, is less than satisfactory for a number of reasons. In accordance with the disclosure of the ""668 patent, the packet filter modules are embodied as xe2x80x9cvirtual machinesxe2x80x9d residing on existing network host computers. Thus, these filters are software modules executing on existing network computers, and are not separate dedicated filtering processors. Further, this patent fails to describe a method for administering and updating the access list tables. In addition, the packet filter disclosed in the ""668 patent is implemented between the data link layer and network layer of the International Standardization Organization (ISO) protocol stack as set forth in ISO standard 7498 titled xe2x80x9cBasic Reference Model for Open Systems Interconnectionxe2x80x9d (1984). Therefore, the packets must unnecessarily pass through the protocols set forth for the data link layer before being filtered, which slows down the processing speed of the packet filter.
Another example of a conventional data packet filter is shown in U.S. Pat. No. 5,615,340 titled xe2x80x9cNetwork Interfacing Apparatus and Method Using Repeater and Cascade Interface with Scrambling.xe2x80x9d The ""340 patent relates to interfacing nodes in a network. Each node is associated with a plurality of working ports. When a node receives an incoming data packet, the destination address of the data packet is compared against a stored address table to determine if the data packet is destined for a working port associated with the node. The node will only transmit the data packet to the node""s working ports if there is a match. Similarly, when a node receives an outgoing data packet, the destination address of the data packet is compared against the stored address table to determine if the data packet is destined for a working port associated with the node. If there is a match, then the node will transmit the data packet back to its working nodes. Otherwise, the node will transmit the data packet to the network. This system is not used for filtering unwanted data packets, but is instead used for network routing of data packets. Further, as with the ""668 patent, the ""340 patent fails to disclose a means for updating the source address list.
From the foregoing, it can be appreciated that a substantial need exists for a high performance data packet filter which can work with a large number of source IP addresses. There is also a need for an efficient way administer source IP address lists.
One embodiment of the present invention proposes a dedicated data packet filtering processor whose only function is to filter data packets based on a list of source IP addresses stored in high-speed memory of the processor. The processor has a specialized operating system which controls the operation of the processor. The only function of the processor is to look at the source IP address of each received data packet to determine if the source IP address matches one of the stored source IP addresses, and if there is a match, to either discard or forward the data packet depending on the processor configuration. Since the processor is dedicated to one task, it can perform the filtering process very quickly and efficiently. In various embodiments, the filtering processor may be used in conjunction with a local area network and many end users (such as in a commercial or business environment), or a single end user computer (such as in a home environment). Further, the filtering processor may be connected to the Internet via wired connections or wireless connections, such as a fixed wireless network.
With these and other advantages and features of the invention that will become hereinafter apparent, the nature of the invention may be more clearly understood by reference to the following detailed description of the invention, the appended claims and to the several drawings attached herein.