System and method for redirected firewall discovery in a network environment

US 10,652,210 B2
Filed: 08/24/2017
Issued: 05/12/2020
Est. Priority Date: 10/17/2011
Status: Active Grant

First Claim

Patent Images

1. A method implemented by a firewall, the method comprising:

receiving a network flow of data including an initial connection packet;

determining whether the firewall has metadata associated with the network flow in a metadata cache of the firewall;

blocking the network flow and sending a discovery redirect, if the firewall does not have metadata associated with the network flow in a metadata cache of the firewall, wherein the discovery redirect includes information identifying the firewall;

receiving, in response to the discovery redirect, the metadata that associates the firewall with the network flow; and

releasing a connection to a server, responsive to the metadata being received.

View all claims

2 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

A method is provided in one example embodiment that includes receiving metadata from a host over a metadata channel. The metadata may be correlated with a network flow and a network policy may be applied to the connection. In other embodiments, a network flow may be received from a host without metadata associated with the flow, and a discovery redirect may be sent to the host. Metadata may then be received and correlated with the flow to identify a network policy action to apply to the flow.

403 Citations

20 Claims

1. A method implemented by a firewall, the method comprising:
- receiving a network flow of data including an initial connection packet;
  
  determining whether the firewall has metadata associated with the network flow in a metadata cache of the firewall;
  
  blocking the network flow and sending a discovery redirect, if the firewall does not have metadata associated with the network flow in a metadata cache of the firewall, wherein the discovery redirect includes information identifying the firewall;
  
  receiving, in response to the discovery redirect, the metadata that associates the firewall with the network flow; and
  
  releasing a connection to a server, responsive to the metadata being received.
- View Dependent Claims (2, 3, 4, 5, 6, 7)
- - 2. The method of claim 1, further comprising:
    - caching the initial connection packet, if the firewall does not have the metadata in the metadata cache of the firewall.
  - 3. The method of claim 1, further comprising:
    - dropping the initial connection packet, if the firewall does not have the metadata in the metadata cache of the firewall.
  - 4. The method of claim 1, wherein the metadata includes a universally unique identifier (UUID) associated with a host, user credentials of a process owner, a filename or pathname of an application file, a hash function of an executable file, a source Internet protocol (IP) address and port, or a destination IP address and port.
  - 5. The method of claim 1, wherein the metadata is received using a Datagram Transport Layer Security protocol.
  - 6. The method of claim 1, wherein the discovery redirect includes an Internet Control Message Protocol Destination Unreachable packet.
  - 7. The method of claim 1, wherein the discovery redirect includes a message authentication code or an encrypted hash.

8. An apparatus that implements a firewall, the apparatus comprising:
- an interface that receives a network flow of data including an initial connection packet, determines whether the firewall has metadata associated with the network flow in a metadata cache of the firewall, sends a discovery redirect, if the firewall does not have metadata associated with the network flow in the metadata cache of the firewall, wherein the discovery redirect includes information identifying the firewall, and receives, in response to the discovery redirect, the metadata that associates the firewall with the network flow; and
  
  a processor configured to block the network flow, if the firewall does not have metadata about the network flow in the metadata cache of the firewall, and release a connection to a server, responsive to the metadata being received.
- View Dependent Claims (9, 10, 11, 12, 13)
- - 9. The apparatus of claim 8, wherein the processor is configured to cache the initial connection packet, if the firewall does not have the metadata in the metadata cache of the firewall.
  - 10. The apparatus of claim 8, wherein the processor is configured to drop the initial connection packet, if the firewall does not have the metadata in the metadata cache of the firewall.
  - 11. The apparatus of claim 8, wherein the metadata includes a universally unique identifier (UUID) associated with a host, a filename or pathname of an application file, a hash function of an executable file, a source Internet protocol (IP) address and port, or a destination IP address and port.
  - 12. The apparatus of claim 8, wherein the interface receives the metadata using a Datagram Transport Layer Security protocol.
  - 13. The apparatus of claim 8, wherein the discovery redirect includes a message authentication code or an encrypted hash.

14. A non-transitory medium including logic that implements operations for a firewall, the operations comprising:
- receiving a network flow of data including an initial connection packet;
  
  determining whether the firewall has metadata associated with the network flow in a metadata cache of the firewall;
  
  blocking the network flow and sending a discovery redirect, if the firewall does not have metadata associated with the network flow in a metadata cache of the firewall, wherein the discovery redirect includes information identifying the firewall;
  
  receiving, in response to the discovery redirect, the metadata that associates the firewall with the network flow; and
  
  releasing a connection to a server, responsive to the metadata being received.
- View Dependent Claims (15, 16, 17, 18, 19, 20)
- - 15. The medium of claim 14, the operations further comprising:
    - caching the initial connection packet, if the firewall does not have the metadata in the metadata cache of the firewall.
  - 16. The medium of claim 14, the operations further comprising:
    - dropping the initial connection packet, if the firewall does not have the metadata in the metadata cache of the firewall.
  - 17. The medium of claim 14, wherein the metadata includes a universally unique identifier (UUID) associated with a host, a filename or pathname of an application file, a hash function of an executable file, a source Internet protocol (IP) address and port, or a destination IP address and port.
  - 18. The medium of claim 14, wherein the metadata is received using a Datagram Transport Layer Security protocol.
  - 19. The medium of claim 14, wherein the discovery redirect includes an Internet Control Message Protocol Destination Unreachable packet.
  - 20. The medium of claim 14, wherein the discovery redirect includes a message authentication code or an encrypted hash.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
McAfee, LLC
Original Assignee
McAfee, LLC
Inventors
Cooper, Geoffrey, Green, Michael W., Guzik, John Richard
Primary Examiner(s)
Le, Chau

Application Number

US15/686,059
Publication Number

US 20170374030A1
Time in Patent Office

992 Days
Field of Search
US Class Current
CPC Class Codes

G06F 2221/2101   Auditing as a secondary aspect

H04L 43/10   Active monitoring, e.g. hea...

H04L 63/0209   Architectural arrangements,...

H04L 63/0227   Filtering policies mail mes...

H04L 63/0442   wherein the sending and rec...

System and method for redirected firewall discovery in a network environment

First Claim

2 Assignments

0 Petitions

Accused Products

Abstract

403 Citations

20 Claims

Specification

Use Cases

Quick Links

Others

System and method for redirected firewall discovery in a network environment

First Claim

2 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

403 Citations

20 Claims

Specification

Subscription Required

Use Cases

Quick Links

Others