US20050071493A1 - SNMP packet filtering for printing devices - Google Patents

SNMP packet filtering for printing devices Download PDF

Info

Publication number
US20050071493A1
US20050071493A1 US10675708 US67570803A US2005071493A1 US 20050071493 A1 US20050071493 A1 US 20050071493A1 US 10675708 US10675708 US 10675708 US 67570803 A US67570803 A US 67570803A US 2005071493 A1 US2005071493 A1 US 2005071493A1
Authority
US
Grant status
Application
Patent type
Prior art keywords
address
incoming packet
filter
packet
system
Prior art date
Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Abandoned
Application number
US10675708
Inventor
Sheng Lee
Current Assignee (The listed assignees may be inaccurate. Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list.)
Toshiba Corp
Toshiba TEC Corp
Original Assignee
Toshiba Corp
Toshiba TEC Corp
Priority date (The priority date is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the date listed.)
Filing date
Publication date

Links

Images

Classifications

    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L43/00Arrangements for monitoring or testing packet switching networks
    • H04L43/02Arrangements for monitoring or testing packet switching networks involving a reduction of monitoring data
    • H04L43/028Arrangements for monitoring or testing packet switching networks involving a reduction of monitoring data using filtering
    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00Network architectures or network communication protocols for network security
    • H04L63/02Network architectures or network communication protocols for network security for separating internal from external traffic, e.g. firewalls
    • H04L63/0227Filtering policies

Abstract

The present invention is directed to a system and method for filtering packets for a printing device. An IP address filter resides within an SNMP agent and acts to filter incoming SNMP packets, thereby restricting the visibility of the printing device to a small select group of users. An administrator determines the range of IP addresses to either allow access or reject. The filter comprises a reference IP address, within the range of administrator selected addresses and assigns an action corresponding to the selected addresses. The action may be either allowing the SNMP packet to be processed, or rejecting the SNMP packet and dropping the packet without replying to the sending address. To determine if the incoming packet source address matches the reference address, a 32-bit mask is also included within the filter.

Description

    BACKGROUND OF THE INVENTION
  • The present invention pertains generally to computer network administration. More particularly, the present invention is related to filtering data packets using communications protocols.
  • Computer based networks, such as the Internet, transmit packets of information across its system. A packet is a sequence of binary digits, including data and control signals, that is transmitted and switched as a composite whole. The data, control signals, and possibly error control information, are arranged in a specific format. These formats may be expressed in the form of a protocol. A protocol is a formal set of conventions governing the format and control of interaction among communicating functional units. Protocols may govern portions of a network, types of services, or even administrative procedures. In a layered communications system architecture, such as the Internet, an intranet, Ethernet, or other computer network, a protocol is a formal set of procedures that are adopted to facilitate functional interoperation within that layered hierarchy. A resultant use of protocols is the ability of information systems to exchange information.
  • Most computer networks use the transmission control protocol, or TCP. The transmission control protocol is a network protocol that controls host-to-host transmissions over packet-switched communications networks. Acting in concert with TCP is the Internet protocol, or IP protocol. The IP protocol is a standard protocol designed for use in interconnected systems of packet-switched computer networks. The IP protocol provides for transmitting blocks of data called datagrams from sources to destinations, where sources and destinations are hosts identified by fixed-length addresses. The Internet protocol also provides for fragmentation and reassembly of long datagrams, if necessary, for transmission through small-packet networks. Fragmentation involves the breaking down of a long datagram into multiple datagrams, which are then transmitted and reassembled at the destination computer. The Transmission Control Protocol/Internet Protocol, or TCP/IP, controls how datagrams, or packets, are transmitted over the Internet. The TCP/IP are two interrelated protocols that are part of the Internet protocol suite. While TCP operates on the OSI Transport Layer and breaks data down into packets, IP operates on the OSI Network Layer and handles the routing of packets over the computer network.
  • Simple Network Management Protocol, or SNMP, is a TCP/IP standard protocol that (a) is used to manage and control IP gateways and the networks to which they are attached, (b) uses IP directly, bypassing the masking effects of TCP error correction, (c) has direct access to IP datagrams on a network that may be operating abnormally, thus requiring management, (d) defines a set of variables that the gateway must store, and (e) specifies that all control operations on the gateway are a side-effect of fetching or storing those data variables, i.e., operations that are analogous to writing commands and reading status.
  • Modern digital printing devices are often sophisticated enough to provide up-to-date device and print job status to administrators and users through the network protocols, described above. Using SNMP, an administrator is able to not only remotely access the device, but also able to remotely configure the device. Although very powerful as a management protocol, SNMP has one serious drawback, which is the lack of adequate security. SNMP has very limited security built into it. In a computer network, this equates to any user capable of viewing the resources available on a device. Virtually all users who have visibility to the printing device will be able to retrieve or even modify the device parameters. Visibility, as used herein means having the awareness of the status of a resource, which may or may not involve actually monitoring the resource.
  • Without built in security features, it is desirable to have some mechanism for administrators to restrict visibility of the device to a smaller group of users. Enterprise firewalls are capable of blocking SNMP traffic from the Internet, however these do little to prevent SNMP access on the intranet side of the firewall. Although routers are capable of filtering network packets, there may not be a router located on an intranet.
  • Thus, there exists a need for a method and system capable of restricting visibility of a device on a network, capable of implementation on any IP-based network, provide an alternative to network traffic management without adding a sophisticated router, and have minimal impact upon performance.
  • SUMMARY OF THE PRESENT INVENTION
  • In accordance with the present invention, there is provided a method and system capable of providing administrators with the ability to restrict device visibility to a small group of users. The method comprises the steps of specifying an address range to be associated with a data packet. One or more filters are then generated, corresponding to the administrator defined address range. The filters include a reference address, an address mask, and an instruction representing a desired action to be taken for a matched address. The filter then receives an incoming packet, and compares the source address of the packet to the reference address to determine a correlating address. The filter then executes the instruction representing the action according to the source address, either allowing the packet forward or rejecting the packet and dropping the packet. To generate the correlating address, the filter first performs a bitwise AND operation between the source address and the address mask. Next the filter performs a bitwise AND operation between the reference address and the address mask. The two outcomes are then compared. If the outcomes equal each other, the correlating address results. If the outcomes do not equal each other, the source address is outside the specified range.
  • Further in accordance with the present invention, there is provided a system capable of implementation on any IP-based network, which provides an alternative to network traffic management without adding a sophisticated router, and has a minimal impact upon network performance. The system includes means adapted for specifying an address range associated with a data packet. A system administrator determines the source address range for which the filter is to either allow or reject. The system also uses means adapted for generating at least one filter corresponding to the specified address range. The one or more filters are made of a reference address, an address mask, and an instruction representing a desired action to be taken for a correlating address. The system has a means adapted for receiving an incoming packet, and means adapted for comparing a source address of the incoming packet to the reference address to determine a correlating address. Also within the system, there is provided means adapted for executing the instruction representing the desired action in accordance with the source address of the incoming packet.
  • Additional objects, advantages and novel features of the invention will be set forth in part in the description which follows, and in part will become apparent to those skilled in the art upon examination of the following or may be learned by practice of the invention. The objects and advantages of the invention may be realized and attained by various structures and methods as covered by the patent claims.
  • BRIEF DESCRIPTION OF THE DRAWINGS
  • The accompanying figures incorporated in and forming a part of the specification, illustrates several aspects of the present invention, and together with the description serve to explain the principles of the invention. In the figures:
  • FIG. 1 is a block diagram of a component of the method envisioned by the present invention; and
  • FIG. 2 is a flow chart diagram of the address filtering method envisioned by the present invention; and
  • FIG. 3 is a block diagram representative of a network computer system.
  • DETAILED DESCRIPTION OF PREFERRED AND ALTERNATE EMBODIMENTS
  • The present invention is directed to a system and method for an administrator to restrict access to a device parameter over a distributed computer system. More particularly, the present invention is directed to a method for employing a packet filter implemented within a computer communications protocol. As discussed herein, the Simple Network Management Protocol (SNMP) will be used in the preferred embodiment, however, one of ordinary skill in the art will appreciate that the use of the aforementioned and below described invention need not be limited to SNMP. Other protocols, including, but not limited to, IP, TCP, HTTP, FTP, and the like, are also contemplated by the present invention, and the packet filter may be built into any agent correspondingly related to the communications protocol.
  • An IP address filter resides within an SNMP agent and is tasked with filtering incoming SNMP packets. The filter comprises a reference IP address, an address mask and an action to be taken for matched addresses, which may either be “allow” or “reject”. The address mask is set by an administrator, and determines the range of addresses to be allowed. The mask comprises a 32-bit bitmap which specifies the bits in a reference address that need to be matched by a source address of the incoming packet. The reference address is input by the administrator, enabling the filter to compare addresses and render a decision on whether or not an incoming packet source address “matches” the reference address. The administrator then determines the appropriate course of action to be taken by the filter when a matched address is ascertained.
  • Turning now to FIG. 1, there is shown a block diagram of the matching process contemplated as a component of the filter implemented in the present invention. The filter receives an incoming SNMP packet at step 102. It should be appreciated by those in the art that the SNMP packet filter acts on those packets destined to a fixed port, i.e., port 161 for SNMP. It should further be understood by those skilled in the art that the port number associated with the protocol being used, e.g., HTTP, FTP, IP, TCP, and the like, is not needed because protocol filtering is not contemplated by the present invention.
  • At step 104, the source address, which is contained in every header associated with a packet in the IP based networks, is ascertained by the filter. The bitwise-AND value of the source address and the address mask is then determined. By way of explanation, a bitwise operator treats its operands as a vector of bits rather than a single number. Boolean bitwise operators combine bit N of each operand using a Boolean function (NOT, AND, OR, XOR) to produce bit N of the result. For example, a bitwise AND operator (“&” in the C programming language) would evaluate 13 & 9 as (binary) 1101 & 1001=1001=9, whereas, the logical AND, (in C, designated as “&&”) would evaluate 13 && 9 as TRUE && TRUE=TRUE=1. In some languages, e.g. Acorn's BASIC V, the same operators are used for both bitwise and logical operations. This usually works except when applying NOT to a value x which is neither 0 (false) nor −1 (true), in which case both x and (NOT x) will be non-zero and thus treated as TRUE. Other operations at the bit level, which are not normally described as “bitwise” include shift and rotate.
  • Having ascertained the bitwise-AND value of the source address and the address mask at step 204, the filter proceeds to step 106. At step 106, the bitwise-AND value of the reference IP address and the address mask is determined. The two bitwise-AND results from steps 104 and 106, respectively, are then compared at step 108. If the result of each is the same, that is source address bitwise-AND value equals reference address bitwise-AND value, the source address and the reference address are said to match 112. If the result between the bitwise-AND value of the source address and the bitwise-AND value of the reference address are not the same, the bitwise-AND source address and the bitwise-AND address do not match 110.
  • Turning now to FIG. 2, there is shown a method of operating the filters contemplated herein. The invention of this embodiment may include multiple filters, where an incoming packet may make it past a first filter, but be caught by a subsequent filter. For exemplification purposes, the additional bank of filters denoted as 128, will be addressed in detail following the initial description of the embodiment involving a single filter, filter #1. As shown in FIG. 2, the method begins by receiving an incoming packet at step 202. The packet is received by filter #1 in step 204 and a determination of whether or not the source address of the packet matches the reference address of filter #1 is made. The process discussed above referencing FIG. 1, is undergone in filter #1 and two possible determinations may be output. The first determination, that the source address of the incoming packet matches the reference address of filter #1 progresses the system to step 210, where the corresponding action #1 will occur. As shown, in the event that the action #1 corresponding to a matched address is to reject (block) the incoming packet from proceeding, the packet is rejected at step 218 and dropped. In such an event, the system will not reply to the sent address, but will simply drop the packet and await reception of the next packet. In the event that the action #1 corresponding to the matched address of step 204 is to allow the packet to proceed, the packet is processed at step 226.
  • Returning to step 204, when the determination is made that the source address of the incoming packet does not match the reference address of filter #1, i.e., the source address is out-of-range of the specified address, the packet proceeds to action #x at step 216. While the action specified in filter #1 will be imposed upon packets with a matched source address, filter #1 will also imply that the counter-action will be imposed upon packets with unmatched source addresses. That is, if filter #1 set action #1 at 210 to be allow the matched source address packet, it is intuitive to filter #1 to set action #x to reject the unmatched source address packet at 216. Thus, action #x corresponds to the opposite action undertaken in action #1. For example, action #1 was to reject a matched source address packet in step 210, action #x will allow an unmatched source address packet to proceed to step 226. Therefore, if action #1 were set to accept a matched source address packet in step 210, action #x would be set to reject and ignore at step 224.
  • Further explanation may best be accomplished by the following example. An administrator is desirous of blocking all traffic to a device, except for traffic originating from IP address range 159.119.44.0 to 159.119.45.255. The administrator will first specify a filter with the parameters, “action=allow; address=159.119.45.168; mask=255.255.254.0”. The “address” parameter can be any IP address within the specified range. The mask of “255.255.254.0” means that the two most significant octets in the source address of the incoming packet must match the same two octets of the reference address, i.e., the source address must begin with 159.119. The least significant bit of the third octet (“45” ) and the entire fourth octet (“168”) will not be checked while comparing the two addresses. Effectively, the two most significant octets of the source address must be “159.119.” and the least significant octet (fourth octet) maybe any number between 0-255. The third octet can be 44 or 45 because the least significant bit can be either 1 or 0.
  • If the mask in the above example was “255.255.252.0”, the two least significant bits of the third octet will not be checked. Therefore, the address range becomes 159.119.44.0 to 159.119.47.255. To determine the least significant bits, the octets (a networking term for eight (8) bits) are first converted into binary and the numbers corresponding to the appropriate bits will be determined. Therefore, in the second range depicted above, 255-252=3, or 0011. Using these two least significant numbers, the filter is able to ascertain the range of addresses incorporated, e.g., 159.119.44.0-159.119.47.255. Thus, when the filter receives an incoming packet denoting a source address of 159.119.46.130, the filter will follow the action (allow) accorded a matching address. However, should the source address of the incoming packet be 159.119.60.32, the filter will drop the incoming packet and not furnish a reply, as the address 159.119.60.32 fails to fall within the range of 159.119.44.0-159.119.47.255.
  • For a more refined control of incoming traffic on a computer network, the invention contemplates the use of multiple filters, acting in concert to control the incoming packets and visibility to devices residing on the network. In this embodiment, the source address of an incoming packet will be tested at a first filter. If there is a match, the packet will be taken and processed as explained above regarding the single filter. In the event that the source address of the incoming packet is out-of-range, i.e., not a match, to the reference IP address residing in the first filter, the second filter will receive the packet. Upon determination of a match with the reference IP address contained within the second filter, the corresponding action stored thereon will be performed. In the event that the source address of the incoming packet fails to match the reference IP address of the second filter, the packet will proceed to the next filter in the bank of filters 228 and so on.
  • Returning to FIG. 2, there is illustrated an additional bank of filters 228, comprising a number of filters, beginning with filter #2 and ending with filter #n. It will be understood by those of ordinary skill in the art that the number of filters need only be limited by the number the administrator desires. Upon a negative determination of a match with filter #1 in step 204, the packet progresses to filter #2 at step 206. Here, filter #2 determines if the source address of the incoming packet matches the reference IP address it stores. The matching is determined in accordance with the procedures described above and the bitwise-AND calculations and operations are carried out. In the event that the result of the operations performed by filter #2 in step 206 is a matched address, the system progresses to step 212, where the action corresponding to the matched address is performed. If the action performed in step 212 is set by filter #2 to allow the matched source address packet, the packet is shunted to step 226 for processing. When the action to be performed in step 212 is set by filter #2 to block or reject the incoming packet having a matched source address, the packet is rejected and dropped from the system at step 220. It will be appreciated by one of ordinary skill in the art that no reply is sent to the originator of the dropped packet, nor is any such reply required.
  • Upon the determination in step 206 that the source address of the incoming packet is not a match for the reference IP address stored in filter #2, the incoming packet is forwarded on to the next filter, filter #3 (not shown) all the way down to the final filter, filter #n. As previously discussed, the number of filters need not be limited to the three filters shown, but rather, any number of filters, as decided upon by the system administrator, may be incorporated into the present invention. As shown in FIG. 2, the incoming packet has been received by filter #n in step 208 for analysis. The filter #n will process the source address of the incoming packet to determine if a matching address may be found in the filter #n reference IP address. In the event that a match has been found at step 208, the filter #n then performs the action #n 214, which was set to correspond to the matching address. When the action #n is to reject or drop the matching source address incoming packet, the packet is sent to step 222, wherein the incoming packet is dropped. However, if the incoming packet with the matching source address is to be allowed according to step 214, the incoming packet is forwarded onward to processing at step 226.
  • When filter #n determines at step 208 that the source address of the incoming packet does not match the reference IP address stored therein, the system proceeds to step 216. At step 216, action #x, which is the counter-action to the last filter's action, or action #n. Thus, if action #n allowed the packet, action #x acts to reject and vice-versa. Step 216 provides for two possibilities, the first allowing the packet with the unmatched source address to proceed to processing at step 226 or the second rejecting and dropping the packet at step 224. The filtering will stop once a match has been found. In the event, as described above, the source address falls outside the range of each and every filter, the counter action of the last filter will be imposed on the packet, hence the use of action #x at 216. It will be appreciated by those skilled in the art that the order of the filters is important as they are executed sequentially from first to last. Thus, an address may be allowed in one filter and rejected in another. The system administrator must determine the priority for each filter and assign them accordingly.
  • Turning now to FIG. 3, there is shown a representative computer network upon which the present invention may be implemented. The system comprises a server/administrator computer 302, multiple user groups 306, 308, and 310, and a multifunction peripheral device 304. These hardware components interact with each other via the intranet 316. As discussed previously, the intranet may have a slightly higher level of security from packets attempting to enter via the Internet 314 as a result of the firewall 312. Thus, the filtering aspects of the present invention will be implemented within the intranet 316. An administrator 302 assigns IP or source addresses to each user computer in user group A 306, user group B 308, and user group C 310, as well as an IP address for the multifunction peripheral device 304. The present invention enables the administrator 302 to selectively enable or restrict the user groups 306, 308 and 310 from viewing or altering the configuration of multifunction peripheral device 304.
  • For example, the administrator assigns user group A 306 one set of IP addresses 159.119.45.168-159.119.45.171, group B 310 another set of IP addresses 159.119.45.172-159.119.45.175, and group C 310 a third set of IP addresses 159.119.45.176-159.119.45.180. The sets of IP addresses are selected such that no overlap between the groups is created. It will be appreciated by those skilled in the art that the addresses chosen are for exemplary purposes only and do not limit the present invention to those addresses with the number of devices shown on FIG. 3. Having thus allocated addresses for each device, the administrator 302 then determines what the acceptable range of addresses will be allowed access to the multifunction peripheral 304 configuration. The administrator 302 may set a filter or filters allowing packets originating from addresses in group A 306 access, but dropping packets originating from groups B 308 and C 310. Alternatively, the administrator may enable filters dropping packets from addresses originating in groups A 306 and C 310, but allowing packets originating from addresses in group B 308 to be processed by multifunction peripheral device 304. Similarly, the administrator 302 may enable filters to limit the allowable addresses to only those belonging to groups A 306, B 308 and C 310, while restricting those addresses traveling from the Internet 314 through the firewall 312 to the multifunction peripheral device 304.
  • The filters, as utilized herein, may be assigned, modified, or deleted by the administrator though a user interface, e.g., web administration, and are permanently stored in the system configuration database, common in Windows systems, or in the per service configuration file, which is common in Unix-based systems. The SNMP service loads the filters at start-up. The filtering method, as envisioned by the present invention, is invoked after a packet is received from the network. If the address matching, as described and claimed below, fails, no reply will be returned, which practically makes the service invisible to the applications at the source address. The filtering method will not act to impede the performance of services as only logical operations are involved. In the presence of a large number of filters, one skilled in the art will recognize that, although still quite efficient, it is desirable to arrange the filters so that a decision, allow or reject, can be made for any given packet by at least a number of filters.
  • The foregoing description of a preferred embodiment of the invention has been presented for purposes of illustration and description. It is not intended to be exhaustive or to limit the invention to the precise form disclosed. Obvious modifications or variations are possible in light of the above teachings. The embodiment was chosen and described to provide the best illustration of the principles of the invention and its practical application to thereby enable one of the ordinary skilled in the art to utilize the invention in various embodiments and with various modifications as are suited to the particular use contemplated. All such modifications and variations are within the scope of the invention as determined by the appended claims when interpreted in accordance to the breadth to which they are fairly, legally and equitably entitled.

Claims (24)

  1. 1. A method for an administrator to restrict access to a device parameter over a distributed computer system, the steps comprising:
    specifying an address range associated with a data packet;
    generating at least one filter corresponding to the specified address range, wherein the filter includes,
    a reference address,
    an address mask, and
    an instruction representative of a desired action to be taken for a correlating address;
    receiving an incoming packet;
    comparing a source address of the incoming packet to the reference address to determine a correlating address; and
    executing the instruction representative of the desired action in accordance with the source address of the incoming packet.
  2. 2. The method of claim 1, the comparing step further comprising:
    performing a bitwise AND operation between the source address and the address mask;
    performing a bitwise AND operation between the reference address and the address mask; and
    comparing the outcomes of the bitwise AND operations, wherein equal outcomes results in the correlating address, and wherein not equal outcomes results in an address outside the specified range.
  3. 3. The method of claim 1, wherein the desired action includes an instruction to block the incoming packet.
  4. 4. The method of claim 3, further comprising the step of dropping the incoming packet with a source address inside the specified address range.
  5. 5. The method of claim 3, further comprising the step of allowing the incoming packet with a source address outside the specified address range.
  6. 6. The method of claim 5, further comprising the step of processing the incoming packet with the source address outside the specified address range.
  7. 7. The method of claim 1, wherein the desired action includes an instruction to allow the incoming packet.
  8. 8. The method of claim 7, further comprising the step of processing the incoming packet.
  9. 9. The method of claim 7, further comprising the step of blocking the incoming packet with a source address outside the specified address range.
  10. 10. The method of claim 9, further comprising the step of dropping the incoming packet with the source address outside the specified address range.
  11. 11. The method of claim 1, wherein the filter is incorporated inside an SNMP agent.
  12. 12. The method of claim 1, wherein the source address and the reference address are an Internet Protocol address.
  13. 13. A system for an administrator to restrict access to a device parameter over a distributed computer system, comprising:
    means adapted for specifying an address range associated with a data packet;
    means adapted for generating at least one filter corresponding to the specified address range, wherein the filter includes,
    a reference address,
    an address mask, and
    an instruction representative of a desired action to be taken for a correlating address;
    means adapted for receiving an incoming packet;
    means adapted for comparing a source address of the incoming packet to the reference address to determine a correlating address; and
    means adapted for executing the instruction representative of the desired action in accordance with the source address of the incoming packet.
  14. 14. The system of claim 13, the comparing step further comprising:
    means adapted for performing a bitwise AND operation between the source address and the address mask;
    means adapted for performing a bitwise AND operation between the reference address and the address mask; and
    means adapted for comparing the outcomes of the bitwise AND operations, wherein equal outcomes results in the correlating address, and wherein not equal outcomes results in an address outside the specified range.
  15. 15. The system of claim 13, wherein the desired action includes an instruction to block the incoming packet.
  16. 16. The system of claim 15, further comprising means adapted for dropping the incoming packet with a source address inside the specified address range.
  17. 17. The system of claim 15, further comprising means adapted for allowing the incoming packet with a source address outside the specified address range.
  18. 18. The system of claim 17, further comprising means adapted for processing the incoming packet with the source address outside the specified address range.
  19. 19. The system of claim 13, wherein the desired action includes an instruction to allow the incoming packet.
  20. 20. The system of claim 19, further comprising means adapted for processing the incoming packet.
  21. 21. The system of claim 19, further comprising means adapted for blocking the incoming packet with a source address outside the specified address range.
  22. 22. The system of claim 21, further comprising means adapted for dropping the incoming packet with the source address outside the specified address range.
  23. 23. The system of claim 13, wherein the filter is incorporated inside an SNMP agent.
  24. 24. The system of claim 13, wherein the source address and the reference address are an Internet Protocol address.
US10675708 2003-09-30 2003-09-30 SNMP packet filtering for printing devices Abandoned US20050071493A1 (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
US10675708 US20050071493A1 (en) 2003-09-30 2003-09-30 SNMP packet filtering for printing devices

Applications Claiming Priority (3)

Application Number Priority Date Filing Date Title
US10675708 US20050071493A1 (en) 2003-09-30 2003-09-30 SNMP packet filtering for printing devices
JP2004272093A JP2005108215A (en) 2003-09-30 2004-09-17 Snmp packet filtering for printer
US11758987 US7603456B2 (en) 2003-09-30 2007-06-06 System and method for securing remote administrative access to a processing device

Publications (1)

Publication Number Publication Date
US20050071493A1 true true US20050071493A1 (en) 2005-03-31

Family

ID=34377241

Family Applications (2)

Application Number Title Priority Date Filing Date
US10675708 Abandoned US20050071493A1 (en) 2003-09-30 2003-09-30 SNMP packet filtering for printing devices
US11758987 Expired - Fee Related US7603456B2 (en) 2003-09-30 2007-06-06 System and method for securing remote administrative access to a processing device

Family Applications After (1)

Application Number Title Priority Date Filing Date
US11758987 Expired - Fee Related US7603456B2 (en) 2003-09-30 2007-06-06 System and method for securing remote administrative access to a processing device

Country Status (2)

Country Link
US (2) US20050071493A1 (en)
JP (1) JP2005108215A (en)

Cited By (6)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US20060187832A1 (en) * 2005-02-18 2006-08-24 Broadcom Corporation Filter based range check in a network device
US20060288116A1 (en) * 2005-05-31 2006-12-21 Brother Kogyo Kabushiki Kaisha Management System, and Communication Device and Data Processing Device Used in Such System
FR2887384A1 (en) * 2005-06-21 2006-12-22 Exosec Soc Par Actions Simplif Information system protecting method for DHCP server, involves supplying static routing to workstations such that any station-to-station communication is partially locked, and identifying information flow based on predetermined criterion
EP1739520A1 (en) * 2005-06-30 2007-01-03 Brother Kogyo Kabushiki Kaisha System and method for packet filter settings in a information processing device
US20070019657A1 (en) * 2005-07-19 2007-01-25 Hajime Takayama Network apparatus and method of specifying network parameter
US20070189173A1 (en) * 2006-02-14 2007-08-16 Finisar Corporation Sliding frame comparator in a network diagnostic device

Families Citing this family (3)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
JP2009050372A (en) * 2007-08-24 2009-03-12 Ge Medical Systems Global Technology Co Llc Ultrasonic diagnostic apparatus
JP2008010018A (en) * 2007-09-21 2008-01-17 Brother Ind Ltd Information processor, communication system, management device and program
US9692784B1 (en) * 2016-10-25 2017-06-27 Fortress Cyber Security, LLC Security appliance

Citations (5)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US20010000193A1 (en) * 1998-08-17 2001-04-05 Boden Edward B. System and method for very fast IP packet filtering
US20030018591A1 (en) * 2001-06-11 2003-01-23 Bluefire Security Technologies Packet filtering system and methods
US20040117488A1 (en) * 2002-12-12 2004-06-17 Mcnamee Kevin Dynamic callback packet filtering gateway
US20040207866A1 (en) * 2003-04-16 2004-10-21 International Business Machines Corporation Printer discovery,status and automatic addition of printer to print spooler database
US20040250131A1 (en) * 2003-06-06 2004-12-09 Microsoft Corporation Method for managing network filter based policies

Family Cites Families (32)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
DE69433482D1 (en) * 1993-11-16 2004-02-12 Fuji Xerox Co Ltd Network Printer
US5832298A (en) * 1995-05-30 1998-11-03 Canon Kabushiki Kaisha Adaptive graphical user interface for a network peripheral
US5720015A (en) * 1996-04-22 1998-02-17 Lexmark International, Inc. Method and apparatus for providing remote printer resource management
EP0979458A4 (en) * 1996-05-14 2000-05-03 Ricoh Corp Ltd Java printer
JP3834878B2 (en) * 1996-07-23 2006-10-18 ソニー株式会社 Printing system, a printing method, converter, data processing method, and a printing device
US5956487A (en) * 1996-10-25 1999-09-21 Hewlett-Packard Company Embedding web access mechanism in an appliance for user interface functions including a web server and web browser
US5901286A (en) * 1996-11-15 1999-05-04 Canon Information Systems, Inc. Method and apparatus for communicating with a network peripheral
US6184996B1 (en) * 1997-06-18 2001-02-06 Hewlett-Packard Company Network printer with remote print queue control procedure
US6141749A (en) 1997-09-12 2000-10-31 Lucent Technologies Inc. Methods and apparatus for a computer network firewall with stateful packet filtering
EP0935182A1 (en) * 1998-01-09 1999-08-11 Hewlett-Packard Company Secure printing
US7409694B2 (en) * 1998-09-09 2008-08-05 Microsoft Corporation Highly componentized system architecture with loadable virtual memory manager
JP3780726B2 (en) * 1999-02-17 2006-05-31 ブラザー工業株式会社 The image processing system and recording medium
JP3403971B2 (en) * 1999-06-02 2003-05-06 富士通株式会社 Packet transfer device
CA2299824C (en) * 2000-03-01 2012-02-21 Spicer Corporation Network resource control system
US20020007422A1 (en) * 2000-07-06 2002-01-17 Bennett Keith E. Providing equipment access to supply chain members
US7269647B2 (en) * 2000-12-15 2007-09-11 International Business Machines Corporation Simplified network packet analyzer for distributed packet snooper
US20020078200A1 (en) * 2000-12-18 2002-06-20 Helms Janine L. Printer configuration service through a firewall
US7065564B2 (en) * 2000-12-22 2006-06-20 Canon Kabushiki Kaisha Network system, method and apparatus for processing information, and control program
WO2002061510A3 (en) * 2001-01-31 2002-10-17 Lancope Inc Network port profiling
US20020174362A1 (en) * 2001-03-29 2002-11-21 Ibm Corporation Method and system for network management capable of identifying sources of small packets
US7552239B2 (en) * 2001-05-14 2009-06-23 Canon Information Systems, Inc. Network device mimic support
GB0113577D0 (en) * 2001-06-04 2001-07-25 Hewlett Packard Co Architecture for a network including raster-driven engines
US7239409B2 (en) * 2001-06-22 2007-07-03 Hewlett-Packard Development Company, L.P. Remote access to print job retention
DE60237292D1 (en) * 2001-09-14 2010-09-23 Nokia Inc Apparatus and method for packet forwarding
US20030074428A1 (en) * 2001-10-11 2003-04-17 Haines Robert E. Device configuration method and apparatus
US20030084331A1 (en) * 2001-10-26 2003-05-01 Microsoft Corporation Method for providing user authentication/authorization and distributed firewall utilizing same
US7284061B2 (en) * 2001-11-13 2007-10-16 Canon Kabushiki Kaisha Obtaining temporary exclusive control of a device
US20030160989A1 (en) * 2002-02-25 2003-08-28 Xerox Corporation System for installing a printer driver on a network
JP3962612B2 (en) * 2002-03-12 2007-08-22 キヤノン株式会社 Setting a program executed by the information processing apparatus and an information processing apparatus
US7756956B2 (en) * 2002-11-14 2010-07-13 Canon Development Americas, Inc. Mimic support address resolution
US20040184106A1 (en) * 2003-03-21 2004-09-23 Sharp Laboratories Of America, Inc. Hybrid printer driver for color and black and white print-job splitting
US7298512B2 (en) * 2003-03-26 2007-11-20 Hewlett-Packard Development Company, L.P. Printing device with embedded database connector

Patent Citations (5)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US20010000193A1 (en) * 1998-08-17 2001-04-05 Boden Edward B. System and method for very fast IP packet filtering
US20030018591A1 (en) * 2001-06-11 2003-01-23 Bluefire Security Technologies Packet filtering system and methods
US20040117488A1 (en) * 2002-12-12 2004-06-17 Mcnamee Kevin Dynamic callback packet filtering gateway
US20040207866A1 (en) * 2003-04-16 2004-10-21 International Business Machines Corporation Printer discovery,status and automatic addition of printer to print spooler database
US20040250131A1 (en) * 2003-06-06 2004-12-09 Microsoft Corporation Method for managing network filter based policies

Cited By (10)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US20060187832A1 (en) * 2005-02-18 2006-08-24 Broadcom Corporation Filter based range check in a network device
US20060288116A1 (en) * 2005-05-31 2006-12-21 Brother Kogyo Kabushiki Kaisha Management System, and Communication Device and Data Processing Device Used in Such System
FR2887384A1 (en) * 2005-06-21 2006-12-22 Exosec Soc Par Actions Simplif Information system protecting method for DHCP server, involves supplying static routing to workstations such that any station-to-station communication is partially locked, and identifying information flow based on predetermined criterion
WO2006136692A1 (en) * 2005-06-21 2006-12-28 Exosec Method and system for protecting an information system formed around a local network
EP1739520A1 (en) * 2005-06-30 2007-01-03 Brother Kogyo Kabushiki Kaisha System and method for packet filter settings in a information processing device
US20070043805A1 (en) * 2005-06-30 2007-02-22 Brother Kogyo Kabushiki Kaisha Information Processing Device, Communication System, Management Device, Method, and Program
US8095627B2 (en) 2005-06-30 2012-01-10 Brother Kogyo Kabushiki Kaisha Information processing device, communication system, management device, method, and program
US20070019657A1 (en) * 2005-07-19 2007-01-25 Hajime Takayama Network apparatus and method of specifying network parameter
US20070189173A1 (en) * 2006-02-14 2007-08-16 Finisar Corporation Sliding frame comparator in a network diagnostic device
US8050181B2 (en) * 2006-02-14 2011-11-01 Jds Uniphase Corporation Sliding frame comparator in a network diagnostic device

Also Published As

Publication number Publication date Type
US7603456B2 (en) 2009-10-13 grant
JP2005108215A (en) 2005-04-21 application
US20070260722A1 (en) 2007-11-08 application

Similar Documents

Publication Publication Date Title
US6141686A (en) Client-side application-classifier gathering network-traffic statistics and application and user names using extensible-service provider plugin for policy-based network control
US6249820B1 (en) Internet protocol (IP) work group routing
US7778194B1 (en) Examination of connection handshake to enhance classification of encrypted network traffic
US8339959B1 (en) Streamlined packet forwarding using dynamic filters for routing and security in a shared forwarding plane
US7260840B2 (en) Multi-layer based method for implementing network firewalls
US6141755A (en) Firewall security apparatus for high-speed circuit switched networks
Kent et al. Security architecture for the internet protocol
US6772223B1 (en) Configurable classification interface for networking devices supporting multiple action packet handling rules
US6718379B1 (en) System and method for network management of local area networks having non-blocking network switches configured for switching data packets between subnetworks based on management policies
US7409707B2 (en) Method for managing network filter based policies
US7068656B2 (en) Packet routing apparatus and a method of routing a packet
Baker Requirements for IP version 4 routers
US6854063B1 (en) Method and apparatus for optimizing firewall processing
US7000120B1 (en) Scheme for determining transport level information in the presence of IP security encryption
US20060013211A1 (en) Apparatus and method for mapping overlapping internet protocol addresses in layer two tunneling protocols
US7315541B1 (en) Methods and apparatus for routing a content request
US6671739B1 (en) Controlling network access by modifying packet headers at a local hub
US6510154B1 (en) Security system for network address translation systems
US7002974B1 (en) Learning state machine for use in internet protocol networks
US7092397B1 (en) Method and apparatus for mapping an MPLS tag to a data packet in a headend
EP1054529A2 (en) Method and apparatus for associating network usage with particular users
US7227838B1 (en) Enhanced internal router redundancy
US20030065812A1 (en) Tagging packets with a lookup key to facilitate usage of a unified packet forwarding cache
US6772347B1 (en) Method, apparatus and computer program product for a network firewall
US7003578B2 (en) Method and system for controlling a policy-based network

Legal Events

Date Code Title Description
AS Assignment

Owner name: TOSHIBA TEC KABUSHIKI KAISHA, JAPAN

Free format text: ASSIGNMENT OF ASSIGNORS INTEREST;ASSIGNOR:LEE, SHENG;REEL/FRAME:014565/0862

Effective date: 20030924

Owner name: TOSHIBA CORPORATION, JAPAN

Free format text: ASSIGNMENT OF ASSIGNORS INTEREST;ASSIGNOR:LEE, SHENG;REEL/FRAME:014565/0862

Effective date: 20030924