In recent years, the world has witnessed the explosive growth of the Internet. Each year many more hosts are added while the number of users seems to be growing without limit. The Internet enables communications using different techniques including remote computer login, file transfer, world wide web (WWW) browsing, email, etc. Various protocols have been designed and are in use on the Internet to handle the various types of communications; for example, file transfer protocol (FTP) for file transfer, hypertext markup language (HTML) for web traffic, etc. Generally, the protocols related to Internet communications are grouped under the umbrella of the transmission control protocol/internet protocol (TCP/IP) suite of protocols, which includes protocols at various layers of the OSI communications stack.
A key feature of the Internet is that it is a public network that is accessible by nearly anyone with a computer, telephone line and Internet service provider (ISP) account. A downside to this wide-scale public accessibility is that it permits easy access for hackers and others intent on carrying out malicious activities against one or more hosts on the Internet. Illegal conduct, such as the theft of secret information or the deletion of important files, is possible for a hacker who manages to break into a computer on a remote network and succeeds in tapping communication data. The need for security was addressed by the Internet Architecture Board (IAB) by including security features in IPv6, such as encryption and authentication, that permit secure transactions over the Internet.
To combat the threat of hackers and to secure private networks, it is common today to place a firewall at the entrance of the private network of a company or organization. The firewall is a system that sits at the boundary between the local network of the organization and the global Internet, and employs some form of packet filter that functions to enforce a user-defined security policy. It filters all data communications in order to prevent leakage of information out to the external network and to prevent unauthorized access to the internal network from the outside. A deny/allow decision is made for each packet that is received by the firewall.
At the same time, the world is witnessing increasing demand for wireless services (e.g. cellular phones, two-way pagers, cordless devices, etc.) and personal computing devices such as laptops, PDAs, etc. Many of these personal computing devices incorporate wireless communications circuitry to enable them to communicate via wireless networks (e.g., cellular or other broadband schemes) to WAN networks such as the Internet. Thus, more and more PDAs and cellular telephones are being connected to the Internet, exposing these devices to security risks. Preferably, these devices employ some type of firewall to protect against unauthorized access to the device. Most firewalls today, however, are implemented in software and require the computing resources of an entire desktop computer, making their use in a portable computing device such as a cellular telephone or PDA impractical.
Thus, there is a need for a firewall or packet filter that can be easily implemented in a small size suitable for incorporation in small portable computing devices such as cellular telephones and wirelessly connected PDAs.
U.S. Pat. No. 6,816,455 B2 provides a dynamic packet filter that can be implemented in hardware, software or a combination of both inside a LAN access device. The dynamic packet filter is operative to filter both inbound packets from WAN to LAN and outbound packets from LAN to WAN. Dynamic filtering checks the dynamic behavior of a protocol rather than only its static rules. This is achieved by creating sessions to track the state of communications between the source and destination. New sessions are detected and created, and data related thereto is stored in a session database. An attempt is made to recognize each received packet and associate it with a previously opened session; if this association is not possible, a new session is created. The same session is used to validate similar packets (for example, packets belonging to the same TCP connection, or reply packets). Packets not matching an existing session and not expressly recognized as valid (i.e. as a session opener) are dropped by the firewall.
The process of finding a session matching a packet is performed using hash tables: when the packet is received by the system, a hash value is computed over its "socket fields", namely the source and destination IP addresses, the protocol, and the source and destination TCP/UDP ports, if any. This hash value is then used to address a hash table whose elements point to active sessions. In case more than one session has the same hash value, these sessions are organized in a doubly linked list whose head is pointed to by the hash table element. So the hash value is used to indirectly point to the first session in this list. If, by checking all socket fields, it is verified that this first session doesn't match the packet, the system proceeds to the next one, and so on, until a matching session is found or the end of the hash list is reached. If an existing session is found, the session-related data is read from the session database and the received packet is checked against a set of rules. The rules are described as state transition diagrams that specify the states and transitions permitted by the particular protocol. If a packet conforms to the legal behavior for the protocol, it is allowed; otherwise, it is denied. The session data is then updated with the new state information and related parameters and written back into the session database.
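The session-tracking and lookup scheme described in the two paragraphs above (session database addressed by a hash of the socket fields, collisions chained in a doubly linked list, a per-protocol state transition table deciding allow/deny, and session openers as the only packets that may create a session) is shown end to end in the following Python model. It is an added illustration, not the patent's own design or code: the 5-tuple key, the use of CRC32 as a stand-in for the hash function, the simplified TCP transition table, the "only LAN hosts may open sessions" policy and the packet trace are all constructed assumptions.

```python
"""Stateful (dynamic) packet filter: hash-chained session table plus TCP state rules.
Added illustration, not the patent's design. Constructed assumptions: a 5-tuple key,
CRC32 standing in for the hardware hash, simplified TCP transitions, and a policy that
only hosts in the 10.0.0.0/24 LAN may open sessions."""
import zlib
from dataclasses import dataclass
from typing import Optional, Tuple

Socket = Tuple[str, str, str, int, int]  # (src_ip, dst_ip, proto, sport, dport)
LAN_PREFIX = "10.0.0."                   # constructed LAN address range

@dataclass
class Session:
    sock: Socket
    state: str
    prev: Optional["Session"] = None     # doubly linked chain for colliding hashes
    next: Optional["Session"] = None

class SessionTable:
    """Hash table whose elements head doubly linked lists of sessions."""
    def __init__(self, buckets=64):
        self.buckets = [None] * buckets
    def _index(self, sock):
        return zlib.crc32(repr(sock).encode()) % len(self.buckets)
    def find(self, sock):
        node = self.buckets[self._index(sock)]
        while node is not None and node.sock != sock:   # compare all socket fields
            node = node.next
        return node
    def insert(self, sock, state):
        idx = self._index(sock)
        sess = Session(sock, state, next=self.buckets[idx])
        if sess.next is not None:
            sess.next.prev = sess
        self.buckets[idx] = sess         # new session becomes the chain head
        return sess
    def remove(self, sess):
        if sess.prev is not None:
            sess.prev.next = sess.next
        else:
            self.buckets[self._index(sess.sock)] = sess.next
        if sess.next is not None:
            sess.next.prev = sess.prev

# Legal TCP transitions: (state, direction, flags) -> next state. "fwd" is the
# opener's direction, "rev" the reply direction, "any" either one.
TCP_RULES = {
    ("SYN_SENT", "rev", "SYN,ACK"): "SYN_RECV",
    ("SYN_RECV", "fwd", "ACK"): "ESTABLISHED",
    ("ESTABLISHED", "any", "ACK"): "ESTABLISHED",
    ("ESTABLISHED", "any", "PSH,ACK"): "ESTABLISHED",
    ("ESTABLISHED", "any", "FIN,ACK"): "FIN_WAIT",
    ("FIN_WAIT", "any", "ACK"): "FIN_WAIT",
    ("FIN_WAIT", "any", "FIN,ACK"): "LAST_ACK",
    ("LAST_ACK", "any", "ACK"): "CLOSED",
}

def reverse(sock):
    src, dst, proto, sport, dport = sock
    return (dst, src, proto, dport, sport)

class PacketFilter:
    def __init__(self, buckets=64):
        self.table = SessionTable(buckets)
    def process(self, sock, flags):
        """Return "ALLOW" or "DENY" for one packet and update the session database."""
        sess, direction = self.table.find(sock), "fwd"
        if sess is None:                 # reply packets match the reversed tuple
            sess, direction = self.table.find(reverse(sock)), "rev"
        if sess is None:
            # No session: only a recognised opener (LAN-originated SYN) may create one
            if sock[2] == "tcp" and flags == "SYN" and sock[0].startswith(LAN_PREFIX):
                self.table.insert(sock, "SYN_SENT")
                return "ALLOW"
            return "DENY"
        nxt = (TCP_RULES.get((sess.state, direction, flags))
               or TCP_RULES.get((sess.state, "any", flags)))
        if nxt is None:                  # transition not legal for the protocol
            return "DENY"
        sess.state = nxt                 # write updated state back to the session
        if nxt == "CLOSED":
            self.table.remove(sess)
        return "ALLOW"

def run_demo():
    """Constructed packet trace; returns the filter's decisions in order."""
    fw = PacketFilter(buckets=4)         # tiny table so hash chains actually form
    out = ("10.0.0.5", "203.0.113.9", "tcp", 40000, 80)    # LAN client -> web server
    rogue = ("198.51.100.7", "10.0.0.5", "tcp", 4444, 22)  # WAN host probing the LAN
    trace = [
        (out, "SYN"), (reverse(out), "SYN,ACK"), (out, "ACK"),  # handshake -> ESTABLISHED
        (out, "PSH,ACK"), (reverse(out), "PSH,ACK"),            # data in both directions
        (rogue, "ACK"),              # no session and not an opener -> DENY
        (rogue, "SYN"),              # WAN-originated opener -> DENY by policy
        (reverse(out), "SYN"),       # SYN inside an ESTABLISHED session -> DENY
        (out, "FIN,ACK"), (reverse(out), "FIN,ACK"), (out, "ACK"),  # orderly close
        (out, "ACK"),                # session already removed -> DENY
    ]
    return [fw.process(sock, flags) for sock, flags in trace]
```

Running `run_demo()` walks one connection through open, data transfer and close, interleaved with packets that have no session, an opener from the wrong side, and a flag combination that is illegal in the current state; the first group is allowed and the rest denied. A four-bucket table is used deliberately so that sessions collide and the chain walk and unlink logic are exercised rather than only the direct hash hit.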