Abstract
Protocol status information is used to perform traffic filtering by dropping messages that are not consistent with the protocol status information. In one embodiment, a method involves comparing message information and protocol status information. The message information is associated with a first message. The protocol status information is obtained in response to one or more second messages, which are conveyed according to a protocol used to assign network addresses to clients. The method also involves determining whether to discard the first message, based on an outcome of the comparison of the message information and the protocol status information. For example, it can be determined that the first message should be discarded if the message information does not match the protocol status information.
Claims
1. A method comprising:
applying an access control rule to a first message, wherein
    the first message comprises message information,
    the message information is used to select the access control rule,
    the access control rule is calculated using protocol status information,
    the protocol status information is obtained in response to one or more protocol messages sent between at least one client and a protocol server,
    the protocol status information comprises protocol information generated by the protocol server,
    the one or more protocol messages are conveyed according to a protocol used to assign network addresses to clients, and
    the access control rule is stored in an access control list;
determining whether to perform one or more security actions, wherein
    the determining is performed in response to the applying, and
    the access control rule indicates whether to perform the one or more security actions; and
performing a first security action for the first message, wherein
    the access control rule indicates performance of the first security action; and
selecting to unicast the first message instead of forwarding the first message normally, wherein
    the first message would normally be broadcast, multicast, or flooded to multiple recipients, and
    the selecting to unicast the first message is performed in response to a determination that the first message comprises a first protocol message from the protocol server;
updating a binding table entry in response to detecting the one or more protocol messages, wherein
    the binding table entry comprises the protocol status information corresponding to the client, and
    the protocol status information identifies an Internet Protocol (IP) address of the client, a Media Access Control (MAC) address of the client, and an interface coupled to the client; and
allocating an entry in the access control list to store access control information, wherein
    the access control information encodes a second access control rule,
    the second access control rule requires that a Dynamic Host Configuration Protocol (DHCP) message received via the interface identified in the protocol status information be processed by a snooping agent, and
    the snooping agent is configured to update information in the binding table in response to processing the DHCP message.