Many companies and individual homes have access to the Internet, and more particularly, the World Wide Web (WWW). With the growing number of Internet sites, there is also a growing number of sites which provide content that some companies may deem inappropriate for the workplace. Similarly, there are many Internet sites which provide content that parents may deem inappropriate for young children.
Data packet filters are currently available which filter out data packets from certain Internet sites. On the commercial side, these filters are often implemented as part of a router or “firewall.” On the individual side, these filters are implemented as programs which run on a personal computer and operate in conjunction with individual browser software. Both the commercial and individual filters operate by storing lists of prohibited source addresses, such as Internet Protocol (IP) addresses, and filtering out any data packets received from a site with a prohibited source IP address. One problem with the currently available filters is that there is a performance degradation as the list of prohibited source IP addresses grows. Another problem is the administration of prohibited source IP address lists. Internet sites are being added and changed every day, and it is very difficult to keep a prohibited source IP address list up to date.
One example of a conventional data packet filter is described in U.S. Pat. No. 5,606,668 titled “System for Securing Inbound and Outbound Data Packet Flow in a Computer Network.” The '668 patent relates to computer network security and the control of information flow between internal and external network destinations. The patent broadly describes prior art packet filtering using access list tables. The patent is directed to a filter module which provides network security by specifying security rules for network traffic and accepting or dropping data packets according to the security rules. The rules are implemented in packet filter code which is executed by packet filter modules located at various locations within the network.
The packet filter disclosed in the '668 patent, however, is less than satisfactory for a number of reasons. In accordance with the disclosure of the '668 patent, the packet filter modules are embodied as “virtual machines” residing on existing network host computers. Thus, these filters are software modules executing on existing network computers, and are not separate dedicated filtering processors. Further, this patent fails to describe a method for administering and updating the access list tables. In addition, the packet filter disclosed in the '668 patent is implemented between the data link layer and network layer of the International Standardization Organization (ISO) protocol stack as set forth in ISO standard 7498 titled “Basic Reference Model for Open Systems Interconnection”(1984). Therefore, the packets must unnecessarily pass through the protocols set forth for the data link layer before being filtered, which slows down the processing speed of the packet filter.
Another example of a conventional data packet filter is shown in U.S. Pat. No. 5,615,340 titled “Network Interfacing Apparatus and Method Using Repeater and Cascade Interface with Scrambling.” The '340 patent relates to interfacing nodes in a network. Each node is associated with a plurality of working ports. When a node receives an incoming data packet, the destination address of the data packet is compared against a stored address table to determine if the data packet is destined for a working port associated with the node. The node will only transmit the data packet to the node's working ports if there is a match. Similarly, when a node receives an outgoing data packet, the destination address of the data packet is compared against the stored address table to determine if the data packet is destined for a working port associated with the node. If there is a match, then the node will transmit the data packet back to its working nodes. Otherwise, the node will transmit the data packet to the network. This system is not used for filtering unwanted data packets, but is instead used for network routing of data packets. Further, as with the '668 patent, the '340 patent fails to disclose a means for updating the source address list.
From the foregoing, it can be appreciated that a substantial need exists for a high performance data packet filter which can work with a large number of source IP addresses. There is also a need for an efficient way to administer source IP address lists.