Systems and methods for protecting network devices by a firewall

US 10,541,971 B2
Filed: 01/17/2017
Issued: 01/21/2020
Est. Priority Date: 04/12/2016
Status: Active Grant

First Claim

Patent Images

1. A computer-implemented method, comprising:

in response to a request from a client device, establishing, by a computer system, a network tunnel between the client device and a gateway, the gateway implementing a firewall including firewall rules for selectively blocking and allowing network traffic between the client device and one or more network devices in a private network;

in response to an update to a policy after establishing the network tunnel, receiving, by the computer system from the client device, a first token; and

in response to receiving the first token, updating, by the computer system, at least one of the firewall rules in real-time while the network tunnel is active.

View all claims

7 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

A computer-implemented method, including: in response to a request from a client device, establishing a network tunnel between the client device and a gateway, the gateway implementing a firewall including firewall rules for selectively blocking and allowing network traffic between the client device and one or more network devices in a private network; in response to an update to a policy after establishing the network tunnel, receiving a first token; and in response to receiving the first token, updating at least one of the firewall rules while the network tunnel is active.

Citations

20 Claims

1. A computer-implemented method, comprising:
- in response to a request from a client device, establishing, by a computer system, a network tunnel between the client device and a gateway, the gateway implementing a firewall including firewall rules for selectively blocking and allowing network traffic between the client device and one or more network devices in a private network;
  
  in response to an update to a policy after establishing the network tunnel, receiving, by the computer system from the client device, a first token; and
  
  in response to receiving the first token, updating, by the computer system, at least one of the firewall rules in real-time while the network tunnel is active.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12)
- - 2. The method of claim 1, wherein the update to the policy is a first update, and the updating the at least one of the firewall rules provides a first firewall rule, the method further comprising, after establishing the network tunnel and in response to a second update to the policy;
    - receiving a second token from the client device; and
      
      updating the first firewall rule in real-time while the network tunnel is active.
  - 3. The method of claim 1, further comprising receiving an access rule from the client device, and authenticating the first token, wherein at least one of the firewall rules is derived, while the network tunnel is active, from the access rule after authenticating the first token.
  - 4. The method of claim 1, further comprising receiving, by the computer system, a client access list comprising one or more access rules.
  - 5. The method of claim 4, wherein the client access list comprises a condition that must be fulfilled for the access rules, an action that will be taken when the condition is not fulfilled, and wherein each access rule defines a respective firewall rule.
  - 6. The method of claim 5, wherein in response to determining that the condition is fulfilled, applying, by the gateway, the respective firewall rule.
  - 7. The method of claim 1, wherein the first token is a signed token comprising at least one of an access rule or authentication information.
  - 8. The method of claim 1, further comprising:
    - authenticating, via communication with a controller, the first token, wherein the updating the at least one of the firewall rules is further in response to authenticating the first token.
  - 9. The method of claim 1, wherein a controller generates the update to the policy, the controller provides authentication information to the client device, and the first token received from the client device comprises the authentication information.
  - 10. The method of claim 9, wherein the client device provides the first token to the computer system in response to the update to the policy by the controller.
  - 11. The method of claim 1, further comprising:
    - in response to triggering of a firewall rule by a request for access to the private network by the client device and before applying the firewall rule, checking, by the computer system, whether a corresponding condition is met; and
      
      in response to a determination that the condition is not met, sending, by the computer system, to the client device, an action to be performed by the client device.
  - 12. The method of claim 1, wherein:
    - the establishing the network tunnel comprises receiving, by the computer system, a client access list from the client device and verifying whether the client access list was not altered by the client device;
      
      the client access list is requested by the client device from an authentication server; and
      
      the client access list is signed by the authentication server such that alteration of the client access list can be verified by the computer system.

13. A system, comprising:
- at least one processor; and
  
  a non-transitory computer readable storage medium storing instructions programmed to instruct the at least one processor to;
  
  in response to a request from a client device, establish a network tunnel between the client device and a gateway, the gateway implementing a firewall including firewall rules for selectively blocking and allowing network traffic between the client device and one or more network devices in a private network;
  
  in response to an update to a policy after establishing the network tunnel, receive a first token; and
  
  in response to receiving the first token, update at least one of the firewall rules in real-time while the network tunnel is active.
- View Dependent Claims (14, 15, 16)
- - 14. The system of claim 13, wherein the instructions further instruct the at least one processor to receive a client access list, and the client access list is signed by an authentication server such that alteration of the client access list can be verified.
  - 15. The system of claim 14, wherein the instructions further instruct the at least one processor to authenticate the first token, and the updating the at least one of the firewall rules is further in response to authenticating the first token.
  - 16. The system of claim 13, wherein the instructions further instruct the at least one processor to receive a client access list comprising one or more access rules, wherein each access rule defines a respective firewall rule.

17. A non-transitory computer readable storage medium storing instructions configured to instruct a computing system to:
- in response to a request from a client device, establish a network tunnel between the client device and a gateway, the gateway implementing a firewall including firewall rules for selectively blocking and allowing network traffic between the client device and one or more network devices in a private network;
  
  in response to an update to a policy after establishing the network tunnel, receive a first token; and
  
  in response to receiving the first token, update at least one of the firewall rules while the network tunnel is active.
- View Dependent Claims (18, 19, 20)
- - 18. The non-transitory computer readable storage medium of claim 17, wherein the instructions further instruct the computing system to, in response to triggering of a firewall rule by a request for access to the private network by the client device and before applying the firewall rule, check whether a corresponding condition is met.
  - 19. The non-transitory computer readable storage medium of claim 18, wherein in response to determining that the corresponding condition is met, apply the firewall rule.
  - 20. The non-transitory computer readable storage medium of claim 17, wherein the first token is a signed token comprising at least one of an access rule or authentication information, the instructions further instruct the computing system to authenticate the first token, and the updating the at least one of the firewall rules is further in response to authenticating the first token.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Cryptzone North America Inc. (Cryptzone Group AB)
Original Assignee
Cryptzone North America Inc. (Cryptzone Group AB)
Inventors
Glazemakers, Kurt, Abolafya, Natan, Berberoglu, Gokhan, Cellerier, Thomas Bruno Emmanuel, Iturri, Aitor Perez, Leino, Per, Bodley-Scott, Jamie
Primary Examiner(s)
Schwartz, Darren B

Application Number

US15/408,132
Publication Number

US 20170295140A1
Time in Patent Office

1,099 Days
Field of Search
US Class Current
CPC Class Codes

H04L 12/4633   Interconnection of networks...

H04L 63/0236   Filtering by address, proto...

H04L 63/0245   Filtering by information in...

H04L 63/0254   Stateful filtering

H04L 63/0263   Rule management

H04L 63/0272   Virtual private networks

H04L 63/029   Firewall traversal, e.g. tu...

H04L 63/0428   wherein the data content is...

H04L 63/083   using passwords cryptograph...

H04L 63/101   Access control lists [ACL]

H04L 63/102   Entity profiles

H04L 63/1416   Event detection, e.g. attac...

H04L 63/1433   Vulnerability analysis

H04L 63/20   for managing network securi...

Systems and methods for protecting network devices by a firewall

First Claim

7 Assignments

0 Petitions

Accused Products

Abstract

Citations

20 Claims

Specification

Solutions

Use Cases

Quick Links

Systems and methods for protecting network devices by a firewall

First Claim

7 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

Citations

20 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links