This application is based on and claims the benefit of German Patent Application No. 198 20525.2 filed May 8, 1998, which is incorporated by reference herein.
The present invention concerns a process for controlling the forwarding of packets from completed packet sequences in packet-switched networks, a software module for such control, and an interface, a terminal device and a server for this purpose.
The increasing interconnection of computers into computer networks, locally through so-called Local Area Networks (LAN), over wider distances through so-called Wide Area Networks (WAN), and worldwide through ATM networks (Asynchronous Transfer Mode) and the Internet, allows the computers to exchange data with one another to an ever increasing extent. On these networks data is exchanged in data packets. Insofar as the computers taking part in the data exchange can permit or carry out the exchange themselves, a problem-free and control-free data exchange is advantageous and desirable. Usually, however, it is not desired that data on a computer be accessible from every other computer, or that data be sent to a computer which that computer is not allowed to receive. In addition, to avoid superfluous data traffic, for example for cost-related reasons or because communications networks would otherwise be overloaded, it can make good sense to impede the exchange of data between individual computers.
To control the exchange of data, control mechanisms can be installed on a computer at its interface with one of the aforementioned networks. Such a control mechanism can examine access to the computer as well as access from the computer to other computers and, if necessary, prevent such access. Control mechanisms of this kind are known as firewalls. A firewall is usually inserted at an interface between different networks, for example between a LAN and a WAN. For this purpose a computer that controls the data traffic between the networks is placed on at least one side of the interface, in the example above usually on the LAN's side. This computer then controls the data traffic from or to the LAN and in this manner prevents, for instance, foreign computers from accessing computers connected to the LAN without permission, or it enables the computers on the LAN to communicate freely with communications partners outside the LAN.
In the simplest case, a firewall controls the messages exchanged between two communications partners only on the basis of the partners' addresses given in the packets. Only when data traffic between these addresses is allowed is a message from one of the partners forwarded to the other. More demanding firewall implementations go beyond the addresses and also examine the information transported in the messages, i.e. the so-called application level or user-data level of the messages. Such content-related examination of every message is very costly, however, and demands very powerful computers as platforms for the firewall if the control is not to slow down the data traffic.
The aforementioned examination assumes that each message to be examined is present in its entirety, i.e. that the message consists, for example, of a complete address section and a complete user-data section, so that every message can be examined on its own. This is the case in particular when a protocol of the so-called Internet Protocol (IP) family is used for transporting the message, because complete messages of varying length, sized according to the amount of information to be transported, can then be sent.
If larger amounts of data are to be sent, the data is segmented and distributed among several messages. On the basis of sequence numbers in the individual messages, the segmented data can be taken out of the messages in the correct order and restored to its original form. The Transmission Control Protocol (TCP) of the Internet protocol family, for instance, provides such sequence numbers. Messages transmitted with TCP carry the control information of TCP, the so-called TCP header, as well as the control information of IP, the so-called IP header. Even though the data is segmented into several messages, every message sent with TCP therefore carries complete control information, a so-called header, so that a firewall can look up the addresses in the header of each of these messages and thereby determine whether forwarding the respective message is allowed.
Especially in wide-area traffic, network protocols are often used in which the data packets have a prescribed length. A typical example are ATM networks, which are increasingly used in Wide Area Networks and more and more in Local Area Networks as well. The data packets used in ATM networks always have the same length and are called ATM cells. If a message created with the aid of an IP protocol is to be transmitted over an ATM network, this message, because of its length, must in many cases be distributed segmentally over many ATM cells of an ATM cell sequence. The original message carried in these cells can be restored by means of the corresponding identifiers in the control portion of the ATM cells of the sequence. If such an ATM cell sequence is to be controlled by a firewall, the message contained in the cell sequence, e.g. the IP message mentioned above, must first be restored before an examination can determine whether this message may pass through the firewall or must be rejected. Only after this content-related examination can the ATM cell sequence, if permitted, be sent on beyond the firewall. The speed of the data transfer is greatly reduced as a result.
An object of the invention is to control completed packet sequences before their potential forwarding by efficient means.
This and other objects are accomplished by means of a process for the control of forwarding packets (C11A, C12A, C13A) from completed packet sequences of packet-switched networks, whereby information is transported segmentally within the packets of the packet sequences, and whereby at least the first packet (C11A) of each packet sequence (C11A, C12A, C13A) is recognizable as the beginning of that packet sequence, characterized in that:
first, the permission to forward any packet is verified in that, at least whenever the respective packet belongs to the start of a packet sequence (C11A, C12A, C13A), the information transported in this packet is compared with at least one predetermined criterion,
second, the first packet (C11A) and, if necessary, the successive packets (C12A, C13A) of a packet sequence are examined before forwarding, until the transported information has become sufficiently available that it can be compared with the at least one predetermined criterion, and,
third, a packet (C11A) of a packet sequence is forwarded only when the comparison has determined that forwarding the packet is allowed, or when the verification of a previous packet of the same packet sequence has determined that forwarding is allowed for the packets of this packet sequence.
The object of the invention is further attained by a software module for the control of forwarding packets, and an interface, a terminal device and a server for this purpose.
With some of the commonly known packet filter techniques, in order to improve the efficiency of the control, only the initial packets sent to set up a communications relationship are examined by the firewall, so as to determine whether the communications relationship is allowed at all. All further packets of this communications relationship then undergo only a simple address verification by the firewall, i.e. a check of the addresses given in the data packets. Within the framework of a once-allowed communications relationship, however, information can then be exchanged without verification, in the form of individual messages or of message sequences, even though this data actually should not be exchanged. As explained below, the present invention does not leave such security holes open and allows for expeditious data traffic as well.
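The following is an added example in Python, not code from the patent, contrasting the claimed process (hold back the start of every packet sequence until enough of the transported information is available, then forward or reject the whole sequence on that one decision) with the prior-art behaviour described above (examine only the first sequence of a communications relationship, then pass everything on it after an address check). The cell format, the 16-byte cell payload (real ATM cells carry 48 payload bytes; the smaller value makes the hold-back visible because the IP/TCP header then spans two cells), the 24-byte decision threshold, the (source, destination, destination port) criterion and the constructed traffic are all assumptions chosen for illustration; the virtual connection identifier stands in for the address pair in the address-only check.

```python
import struct
from dataclasses import dataclass

# Constructed parameters (assumptions, not from the patent): real ATM cells
# carry 48 payload bytes; 16 is used so the decision-relevant header spans cells.
CELL_PAYLOAD = 16
HEAD_NEEDED = 24   # 20-byte IPv4 header + TCP source/destination ports


@dataclass
class Cell:
    """Simplified ATM cell: connection id, position in sequence, end-of-sequence flag, payload."""
    vci: int
    seq: int
    last: bool
    payload: bytes


def build_ip_tcp_message(src: bytes, dst: bytes, sport: int, dport: int, data: bytes) -> bytes:
    """Minimal IPv4 + TCP datagram (checksums left zero; constructed test input)."""
    ip_hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 40 + len(data), 0, 0, 64, 6, 0, src, dst)
    tcp_hdr = struct.pack("!HHIIBBHHH", sport, dport, 0, 0, 5 << 4, 0x02, 8192, 0, 0)
    return ip_hdr + tcp_hdr + data


def segment(msg: bytes, vci: int) -> list:
    """Split one IP message into a sequence of fixed-size cells on one virtual connection."""
    chunks = [msg[i:i + CELL_PAYLOAD] for i in range(0, len(msg), CELL_PAYLOAD)]
    return [Cell(vci, i, i == len(chunks) - 1, c) for i, c in enumerate(chunks)]


def classify(head: bytes) -> tuple:
    """Criterion input: (src, dst, dport) taken from the first HEAD_NEEDED reassembled bytes."""
    _sport, dport = struct.unpack("!HH", head[20:24])
    return (head[12:16], head[16:20], dport)


class SequenceFilter:
    """Claimed process: every packet sequence is held back until the criterion
    can be evaluated; then the whole sequence is forwarded or dropped."""

    def __init__(self, allowed: set):
        self.allowed = allowed   # set of (src, dst, dport) tuples
        self.state = {}          # vci -> {"buf", "head", "verdict"}

    def process(self, cell: Cell) -> list:
        st = self.state.setdefault(cell.vci, {"buf": [], "head": b"", "verdict": None})
        out = []
        if st["verdict"] is None:
            st["buf"].append(cell)
            st["head"] += cell.payload
            if len(st["head"]) >= HEAD_NEEDED:
                st["verdict"] = classify(st["head"][:HEAD_NEEDED]) in self.allowed
                if st["verdict"]:
                    out = st["buf"]        # release the cells held back so far
                st["buf"] = []
            elif cell.last:
                st["verdict"] = False      # sequence ended before it could be classified: reject
                st["buf"] = []
        elif st["verdict"]:
            out = [cell]                   # later cell of an already-allowed sequence
        if cell.last:
            del self.state[cell.vci]       # next sequence on this connection is examined afresh
        return out


class ConnectionFilter(SequenceFilter):
    """Prior-art behaviour from the text: only the first sequence of a relationship is
    examined; afterwards cells on that connection pass with an address-only check
    (modelled by the virtual connection id standing in for the address pair)."""

    def __init__(self, allowed: set):
        super().__init__(allowed)
        self.established = set()

    def process(self, cell: Cell) -> list:
        if cell.vci in self.established:
            return [cell]
        out = super().process(cell)
        if out:
            self.established.add(cell.vci)
        return out


def run(filt: SequenceFilter, cells: list) -> list:
    """Feed cells through a filter and collect the forwarded ones."""
    return [c for cell in cells for c in filt.process(cell)]


# Constructed traffic: two messages on the same virtual connection 5, one to an
# allowed destination port and one to a port the rules do not permit.
SRC, DST = bytes([10, 0, 0, 1]), bytes([192, 168, 1, 2])
ALLOWED = {(SRC, DST, 80)}
MSG_HTTP = build_ip_tcp_message(SRC, DST, 40000, 80, b"GET / HTTP/1.0\r\n")
MSG_TELNET = build_ip_tcp_message(SRC, DST, 40001, 23, b"root\r\n")
CELLS_HTTP = segment(MSG_HTTP, 5)
CELLS_TELNET = segment(MSG_TELNET, 5)

if __name__ == "__main__":
    for name, filt in (("per-sequence", SequenceFilter(ALLOWED)), ("connection-only", ConnectionFilter(ALLOWED))):
        print(name, len(run(filt, CELLS_HTTP)), "HTTP cells,", len(run(filt, CELLS_TELNET)), "telnet cells forwarded")
```

With the per-sequence filter the first HTTP cell is not forwarded at all until the second cell completes the 24 header bytes, after which both are released together and the rest of the sequence streams through; the telnet sequence on the same connection is examined afresh and dropped. The connection-only filter forwards the telnet sequence unchecked once the HTTP sequence has established the relationship, which is exactly the gap the text describes.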