Using packet filters and network virtualization to restrict network communications
IPC classification
Country / Type: United States (US) Patent
Registered
International Patent Classification (IPC 7th edition)
G06F-009/00
G06F-015/16
G06F-017/00
G06F-007/04
G06F-007/02
G06F-007/58
G06K-009/00
H04L-009/00
G06F-015/177
Application number: US-0695821 (2000-10-24)
Inventors / Address
Hydrie, Aamer
Hunt, Galen C.
Levi, Steven P.
Tabbara, Bassam
Welland, Robert V.
Applicant / Address
Microsoft Corporation
Agent / Address
Lee &
Citation information
Cited by: 103
Cited patents: 80
Abstract
A network mediator corresponding to a computing device uses packet filters to restrict network communications. The network mediator includes a set of one or more filters, each filter having parameters that are compared to corresponding parameters of a data packet to be passed through the network mediator. The network mediator determines whether to allow the data packet through based on whether the data packet parameters match any filter parameters. The set of filters can be modified by a remote device, but cannot be modified by the computing device whose communications are being restricted. When a data packet is sent from the computing device, the data packet will include the virtual address which is changed to the network address by the network mediator prior to forwarding the packet on the network, and vice versa. By virtualizing the addresses, the computing device is restricted in accessing other devices over the network.
Representative claims
The invention claimed is:
1. A computing device comprising: a set of filters; a mapping of virtual addresses to network addresses; and a controller, coupled to the set of filters and the mapping, to, access, upon receipt of a data packet requested to be sent from the computing device to a target device via a network, the set of filters and determine whether the data packet can be sent to the target device based on whether the computing device is allowed to communicate with the target device, replace, based on the mapping, the target address in the data packet with a corresponding target network address; forward the data packet to the target device at the target network address if it is determined the data packet can be sent to the target device; prevent the computing device from modifying any of the filters in the set of filters, but allow the set of filters to be modified by a plurality of remote devices operating at a plurality of different managerial levels, a first of the plurality of remote devices being a cluster operations management console for managing hardware operations of the computing device, a second of the plurality of remote devices being an application operations management console for managing software operations of the computing device; and prevent the application operations management console from adding any filters to the set of filters that are less restrictive than filters added by the cluster operations management console.
2. A computing device as recited in claim 1, wherein the controller is to make the computing device aware of the virtual addresses in the mapping but to hide the network addresses in the mapping from the computing device.
3. A computing device as recited in claim 1, further comprising allowing the set of filters to be modified by a lower managerial level remote device only if the modifications are not less restrictive than modifications imposed by a higher managerial level remote device.
4. A computing device as recited in claim 1, the computing device including a processor that supports multiple privilege levels, and the controller being implemented in a most privileged level of the multiple privilege levels.
5. A method comprising: maintaining, at a computing device, a set of filters that restrict the ability of the computing device to communicate with other computing devices; allowing the set of filters to be modified by a plurality of remote devices operating at a plurality of different managerial levels, the plurality of remote devices including a cluster operations management device for managing hardware operations of the computing device, and an application operations management device for managing software operations of the computing device; preventing the application operations management device from adding any filters to the set of filters that are less restrictive than filters added by the cluster operations management device; and preventing the computing device from modifying the set of filters.
6. A method as recited in claim 5, wherein restriction of the ability of the computing device to communicate with other computing devices comprises restricting the computing device from transmitting data packets to one or more other computing devices.
7. A method as recited in claim 5, wherein modification of the set of filters includes one or more of: adding a new filter to the set of filters, deleting a filter from the set of filters, and changing one or more parameters of a filter in the set of filters.
8. A method as recited in claim 5, wherein one or more filters in the set of filters restrict one or more of the transmission of data packets of a particular type from the computing device and reception of data packets of a particular type at the computing device.
9. A method as recited in claim 5, wherein one or more filters in the set of filters restrict one or more of the transmission of Internet Protocol (IP) data packets from the computing device and reception of IP data packets at the computing device based on one or more of: a source address, a destination IP address, a source port, a destination port, and a protocol.
10. A method as recited in claim 5, wherein one or more filters in the set of filters identifies that a data packet targeting a particular address can be transmitted from the computing device to the addressed device, and further identifies a new address that the particular address from the data packet is to be changed to prior to being communicated to the addressed device.
11. A method as recited in claim 5, wherein one of the filters in the set of filters is a permissive filter that indicates a data packet can be passed to its targeted destination device if the data packet parameters match corresponding parameters of the filter.
12. A method as recited in claim 5, wherein one of the filters in the set of filters is an exclusionary filter that indicates a data packet cannot be passed to its targeted destination device if the data packet parameters match corresponding parameters of the filter.
13. A method as recited in claim 5, wherein each filter includes a plurality of filter parameters, and wherein each of the plurality of filter parameters can include wildcard values.
14. A method as recited in claim 5, wherein the set of filters restrict the ability of the computing device to communicate with other computing devices on a per-data packet basis, wherein each filter includes a plurality of filter parameters, and wherein each filter parameter includes a filter value and a mask value indicating which portions of the filter value must match a corresponding parameter in a data packet for the data packet to satisfy the filter.
15. One or more computer-readable memories containing a computer program that is executable by a processor to perform the method recited in claim 5.
16. A network mediator comprising: a set of filters; and a controller, coupled to the set of filters, to, access, upon receipt of a data packet requested to be sent from a computing device to a target device via a network, the set of filters and determine whether the data packet can be sent to the target device based on whether the computing device is allowed to communicate with the target device, prevent the computing device from modifying any of the filters in the set of filters but allow the set of filters to be modified by a remote cluster operations management console for managing hardware operations of the computing device and by a remote application operations management console for managing software operations of the computing device, and prevent the remote application operations management console from modifying the set of filters to be less restrictive than filters added by the remote cluster operations management console.
17. A network mediator as recited in claim 16, wherein the controller is further to access, upon receipt of another data packet from another target device via the network, the set of filters and determine whether the data packet can be received at the computing device based on whether the computing device is allowed to receive communications from the other target device.
18. A network mediator as recited in claim 16, wherein the modifying the set of filters includes one or more of: adding a new filter to the set of filters, deleting a filter from the set of filters, and changing one or more parameters of a filter in the set of filters.
19. A network mediator as recited in claim 16, wherein the network mediator is coupled to the computing device.
20. A network mediator as recited in claim 16, wherein the computing device includes the network mediator.
21. A network mediator as recited in claim 16, wherein each filter in the set of filters includes a plurality of filter parameters, and wherein each filter parameter includes a filter value and a mask value indicating which portions of the filter value must match a corresponding parameter in the data packet for the data packet to satisfy the filter.
22. A network mediator as recited in claim 21, wherein the controller is to allow the data packet to be forwarded to the target device if the data packet satisfies the filter.
23. A network mediator as recited in claim 21, wherein the controller is to prevent the data packet from being forwarded to the target device if the data packet satisfies the filter.
24. A method comprising: maintaining a set of filters that restrict the ability of a computing device to communicate with other computing devices; allowing multiple remote computing devices, each corresponding to a different managerial level, to modify the set of filters, the multiple remote computing devices including a cluster operations management device for managing hardware operations of the computing device, and an application operations management device for managing software operations of the computing device; and preventing the application operations management device from modifying the set of filters in a manner that would result in a violation of a filter added by the cluster operations management device.
25. A method as recited in claim 24, wherein the preventing comprises: receiving a request from the application operations management device to modify the set of filters; determining whether the request to modify would result in a violation of a filter previously added to the set of filters by the cluster operations management device; and performing the request to modify when the request to modify would not result in a violation, and otherwise not performing the request to modify.
26. A method as recited in claim 25, wherein the request to modify comprises one or more of: adding a filter to the set of filters, modifying a filter in the set of filters, and deleting a filter from the set of filters.
27. A method as recited in claim 24, wherein the violation occurs when the request to modify would result in a filter being less restrictive than the filter added by the cluster operations management device.
28. A method as recited in claim 24, further comprising preventing the computing device from modifying the set of filters.
29. A method as recited in claim 24, wherein the set of filters restrict the ability of the computing device to communicate with other computing devices on a per-data packet basis, wherein each filter includes a plurality of filter parameters, and wherein each filter parameter includes a filter value and a mask value indicating which portions of the filter value must match a corresponding parameter in a data packet for the data packet to satisfy the filter.
30. One or more computer-readable memories containing a computer program that is executable by a processor to perform the method recited in claim 24.
31. One or more computer-readable media having stored thereon a computer program to implement a multiple-level filter administration scheme and including a plurality of instructions that, when executed by one or more processors, causes the one or more processors to perform acts including: allowing a cluster operations management device for managing hardware operations of a filtered device to modify a set of filters corresponding to the filtered device, the cluster operations management device operating at a first of the multiple levels; and allowing an application operations management device for managing software operations of the filtered device to modify the set of filters only if the modification is at least as restrictive as the filters imposed by the first computing device, the application operations management device operating at a second of the multiple levels.
32. One or more computer-readable media as recited in claim 31, wherein the plurality of instructions further include instructions that, when executed by the one or more processors, causes the one or more processors to perform acts including allowing the cluster operations management device to remove a filter from the set of filters imposed by the cluster operations management device but not allowing the application operations management device to remove the filter.
33. One or more computer-readable media as recited in claim 31, wherein allowing the cluster operations management device or the application operations management device to modify the set of filters comprises one or more of: adding a new filter to the set of filters, removing a filter from the set of filters, and changing parameters of a filter in the set of filters.
34. One or more computer-readable media as recited in claim 31, wherein the plurality of instructions further include instructions that, when executed by the one or more processors, causes the one or more processors to perform acts including preventing the filtered device from modifying the set of filters.
35. A method comprising: maintaining an association of virtual addresses and corresponding network addresses; making a computing device aware of the virtual addresses; hiding the network addresses from the computing device; receiving, from the computing device, a data packet intended for a target computing device corresponding to a target virtual address; replacing, based on the target virtual address, the target virtual address with the corresponding target network address; forwarding the data packet to the target computing device at the target network address; maintaining, at the computing device, a set of filters that further restrict the ability of the computing device to communicate with other computing devices; allowing the set of filters to be modified from a plurality of remote devices, the plurality of remote devices including a cluster operations management device for managing hardware operations of the computing device and an application operations management device for managing software operations of the computing device; preventing the application operations management device from modifying the set of filters in a manner that would result in a violation of a filter added by the cluster operations management device; and preventing the computing device from modifying the set of filters.
36. A method as recited in claim 35, wherein the replacing comprises performing the replacing transparent to the computing device.
37. A method as recited in claim 35, further comprising: receiving, from a source device, another data packet that is intended for the computing device, wherein the other data packet includes a network address of the source device; and replacing, based on the network address of the source device, the network address of the source device with a corresponding virtual address.
38. One or more computer-readable memories containing a computer program that is executable by a processor to perform the method recited in claim 35.
39. A network mediator comprising: a mapping of virtual addresses to network addresses; a set of filters that restrict the ability of the computing device to communicate with other computing devices; and a controller, coupled to the mapping, to, make a corresponding computing device aware of the virtual addresses, hide the network addresses from the computing device, receive, from the computing device, a data packet intended for a target computing device corresponding to a target virtual address, replace, based on the target virtual address, the target virtual address with the corresponding target network address, forward the data packet to the target computing device at the target network address, allow the set of filters to be modified from a plurality of remote devices, the plurality of remote devices including a cluster operations management device for managing hardware operations of the computing device and an application operations management device for managing software operations of the computing device, prevent the application operations management device from modifying the set of filters in a manner that would result in a violation of a filter added by the cluster operations management device, and prevent the computing device from modifying the set of filters.
40. A network mediator as recited in claim 39, wherein the network mediator is communicatively coupled to the computing device.
41. A network mediator as recited in claim 39, wherein the computing device includes the network mediator.
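As an added example (not the patent's own code), the following Python model implements the network mediator the claims describe: filter parameters with a value and a mask (claims 13 and 14), permissive and exclusionary filters (claims 11 and 12), virtual-to-network address rewriting on send and receive (claims 35 and 37), and the two-level administration rule under which the application console cannot add a filter less restrictive than one set by the cluster console, nor remove it (claims 1, 27 and 32). The console names, the deny-wins default-deny evaluation order, and the overlap test used to decide "less restrictive" are assumptions of this example, not details the patent specifies.

```python
import ipaddress
from dataclasses import dataclass

def ip(s): return int(ipaddress.IPv4Address(s))  # dotted quad -> 32-bit int

@dataclass(frozen=True)
class Param:
    value: int  # one filter parameter: a value plus a mask of the bits that must match
    mask: int   # 0 = wildcard (claim 13); all ones = exact match (claim 14)

    def matches(self, x):
        return (x & self.mask) == (self.value & self.mask)

    def overlaps(self, other):
        # Some x satisfies both patterns iff they agree on the bits both constrain.
        m = self.mask & other.mask
        return (self.value & m) == (other.value & m)

ANY = Param(0, 0)
def host(a): return Param(ip(a), 0xFFFFFFFF)
def port(p): return Param(p, 0xFFFF)
def proto(p): return Param(p, 0xFF)
def subnet(cidr):
    n = ipaddress.IPv4Network(cidr)
    return Param(int(n.network_address), int(n.netmask))

@dataclass(frozen=True)
class Filter:
    params: tuple     # (src, dst, sport, dport, proto) Params, matched against a packet tuple
    permissive: bool  # True = allow on match (claim 11); False = deny on match (claim 12)
    direction: str    # "out" for packets the device sends, "in" for packets it receives
    level: str = ""   # console that installed it, "cluster" or "app"; set by the mediator

    def matches(self, pkt):
        return all(p.matches(v) for p, v in zip(self.params, pkt))

    def overlaps(self, other):
        return self.direction == other.direction and all(
            a.overlaps(b) for a, b in zip(self.params, other.params))

class NetworkMediator:
    def __init__(self, mapping):
        # virtual -> network address; the device is told only the keys (claim 2).
        self.v2n = {ip(v): ip(n) for v, n in mapping.items()}
        self.n2v = {n: v for v, n in self.v2n.items()}
        self.filters = []

    def virtual_addresses(self):
        return sorted(self.v2n)

    def add_filter(self, requester, f):
        """Returns True if installed; the filtered device itself is never allowed (claim 1)."""
        if requester not in ("cluster", "app"):
            return False
        # Assumed "less restrictive" test (claim 27): an app allow may not overlap a cluster deny.
        if requester == "app" and f.permissive and any(
                g.level == "cluster" and not g.permissive and g.overlaps(f) for g in self.filters):
            return False
        self.filters.append(Filter(f.params, f.permissive, f.direction, requester))
        return True

    def remove_filter(self, requester, f):
        """Cluster console may remove any filter; app console only its own (claim 32)."""
        if requester == "cluster" or (requester == "app" and f.level == "app"):
            self.filters.remove(f)
            return True
        return False

    def allowed(self, pkt, direction):
        # Assumed evaluation order: any matching deny wins, else a matching allow is required.
        hits = [f for f in self.filters if f.direction == direction and f.matches(pkt)]
        return bool(hits) and all(f.permissive for f in hits)

    def send(self, pkt):
        """Outbound: filter on the virtual target, then rewrite it to the network address."""
        src, dst, *rest = pkt
        if dst not in self.v2n or not self.allowed(pkt, "out"):
            return None
        return (src, self.v2n[dst], *rest)

    def receive(self, pkt):
        """Inbound: rewrite the source to its virtual address, then filter (claim 37)."""
        src, dst, *rest = pkt
        inner = (self.n2v.get(src), dst, *rest)
        return inner if src in self.n2v and self.allowed(inner, "in") else None
```

Packets are (src, dst, sport, dport, proto) tuples of integers; a send to a network address the device was never told about fails the mapping lookup, which is how the address virtualization restricts reachability.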