Multi-layered firewall architecture

US 20050022010A1
Filed: 06/06/2003
Published: 01/27/2005
Est. Priority Date: 06/06/2003
Status: Active Grant

First Claim

Patent Images

1. A firewall framework implemented within a computer system for providing multi-layering filtering of a packet, comprising:

a set of layer processors, each layer processor being capable of processing layer parameters for the packet associated with the layer processor and each layer processor being further capable of issuing a classification request that includes the layer parameters; and

a first firewall engine including;

a layer interface for receiving first layer parameters from a requesting layer processor and for returning an action to the requesting layer, the requesting layer processor being one of the set of layer processors;

a set of installed filters; and

a lookup component for identifying at least one matching filter from the set of installed filters and identifying from the matching filter the action to be returned by the layer interface.

View all claims

2 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

A method and system are provided for implementing a firewall architecture in a network device. The firewall architecture includes a plurality of network layers, a first firewall engine, and one or more callout modules. The layers send packets and packet information to the first firewall engine, maintain and pass packet context to subsequent layers, and process the packets. The first firewall engine compares the packet information to one or more installed filters and returns an action to the layers indicating how to treat the packet. The callouts provide additional functionality such as intrusion detection, logging, and parental control features.

92 Citations

View as Search Results

38 Claims

1. A firewall framework implemented within a computer system for providing multi-layering filtering of a packet, comprising:
- a set of layer processors, each layer processor being capable of processing layer parameters for the packet associated with the layer processor and each layer processor being further capable of issuing a classification request that includes the layer parameters; and
  
  a first firewall engine including;
  
  a layer interface for receiving first layer parameters from a requesting layer processor and for returning an action to the requesting layer, the requesting layer processor being one of the set of layer processors;
  
  a set of installed filters; and
  
  a lookup component for identifying at least one matching filter from the set of installed filters and identifying from the matching filter the action to be returned by the layer interface.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12)
- - 2. The firewall framework of claim 1, wherein the requesting layer receives packet context including second layer parameters from a previous layer processor and the classification request includes the packet context, wherein the lookup component further uses the packet context for identifying the at least one matching filter.
  - 3. The firewall framework of claim 2, wherein the firewall engine further comprises:
    - a callout interface for sending the first layer parameters, the packet context, and the packet to a callout, wherein the callout analyzes the packet and returns the action to the firewall engine.
  - 4. The firewall framework of claim 2, wherein the requesting layer passes the packet context to a next layer.
  - 5. The firewall framework of claim 1, further comprising:
    - a policy provider for establishing a new filter; and
      
      a second firewall engine for adding the new filter to the set of installed filers.
  - 6. The firewall framework of claim 1, wherein each of the installed filters comprises:
    - a filter condition including a type-data pair, the type defining the size of the data and the data including a filter parameter, and the action.
  - 7. The firewall framework of claim 6, wherein the filter parameter includes a range of values.
  - 8. The firewall framework of claim 6, wherein the filter comprises a weight factor defining a priority of the filter.
  - 9. The firewall framework of claim 1, wherein the set of layer processors further comprises:
    - a link layer having layer parameters including an interface number and source and destination MAC addresses;
      
      an network layer having layer parameters including a source and destination IP address;
      
      a transport layer having layer parameters including source and destination ports; and
      
      an application layer having layer parameters including a stream of data.
  - 10. The firewall framework of claim 9, wherein the network layer is further divided into a fragment layer and a fully assembled layer, the fragment layer processing IP packet fragments and the fully assembled layer processing complete IP packets, each of the fragment layer and the fully assembled layer issuing the classify request.
  - 11. The firewall framework of claim 1, wherein the first firewall engine executes in an operating system kernel mode.
  - 12. The firewall framework of claim 1, wherein the first firewall engine executes in an operating system user mode.

13. A method of communicating between a first layer process and a firewall process in an operating system, comprising the steps of:
- issuing, by the first layer process, a classify call having a plurality of parameters comprising, a protocol packet, at least one layer parameter, and a packet context from a second layer process;
  
  receiving, by the firewall process, the classify call; and
  
  issuing, by the firewall process, an action identified from a filter matching the at least one layer parameter.
- View Dependent Claims (14, 15)
- - 14. The method of claim 13, wherein the first layer process is a new process, further comprising:
    - issuing by the first layer process, an add layer call.
  - 15. The method of claim 13, wherein the first layer process is an existing process, further comprising:
    - issuing by the first layer process, a delete layer call.

16. A method of communicating between a firewall process and a callout process in an operating system, comprising the steps of:
- issuing, by the firewall process, a classify call having a plurality of parameters comprising, a protocol packet, at least one layer parameter, a packet context, and a matching filter identification;
  
  receiving, by the callout process, the classify call; and
  
  issuing, by the callout process, an action identified from the plurality of parameters in the classify call.
- View Dependent Claims (17, 18, 19, 20, 21, 22)
- - 17. The method of claim 16, wherein the callout process is a parental control module maintaining a cache of acceptable resource location, further comprising:
    - examining the packet to identify a resource location and comparing the resource location to the acceptable locations.
  - 18. The method of claim 17, wherein the action issued by the callout process is block and the protocol packet is prevented from network traversal.
  - 19. The method of claim 17, wherein the action issued by the callout process is permit and the protocol packet is permitted to further traverse the network.
  - 20. The method of claim 16, wherein the callout process is a logging module, further comprising storing in a memory the protocol packet.
  - 21. The method of claim 16, wherein the callout process is a security module, further comprising:
    - determining, by the security module, that the protocol packet is required to conform to a security protocol;
      
      verifying that the protocol packet conforms to the security protocol.
  - 22. The method of claim 21, wherein the security protocol is an IPSec security protocol.

23. A computer-readable medium for executing computer-readable instructions for facilitating a firewall framework implemented within a computer system for providing multi-layering filtering of a packet, comprising:
- a set of layer processors, each layer processor being capable of processing layer parameters for the packet associated with the layer processor and each layer processor being further capable of issuing a classification request that includes the layer parameters; and
  
  a first firewall engine including;
  
  a layer interface for receiving first layer parameters from a requesting layer processor and for returning an action to the requesting layer, the requesting layer processor being one of the set of layer processors;
  
  a set of installed filters; and
  
  a lookup component for identifying at least one matching filter from the set of installed filters and identifying from the matching filter the action to be returned by the layer interface.
- View Dependent Claims (24, 25, 26, 27)
- - 24. The computer-readable medium of claim 23, wherein the requesting layer receives packet context including second layer parameters from a previous layer processor and the classification request includes the packet context, wherein the lookup component further uses the packet context for identifying the at least one matching filter.
  - 25. The computer-readable medium of claim 24, wherein the firewall engine further comprises:
    - a callout interface for sending the first layer parameters, the packet context, and the packet to a callout, wherein the callout analyzes the packet and returns the action to the firewall engine.
  - 26. The computer-readable medium of claim 24, wherein the requesting layer passes the packet context to a next layer.
  - 27. The computer-readable medium of claim 23, further comprising:
    - a policy provider for establishing a new filter; and
      
      a second firewall engine for adding the new filter to the set of installed filers.

28. A computer-readable medium for executing computer-readable instructions for communicating between a first layer process and a firewall process in an operating system, comprising the steps of:
- issuing, by the first layer process, a classify call having a plurality of parameters comprising, a protocol packet, at least one layer parameter, and a packet context from a second layer process;
  
  receiving, by the firewall process, the classify call; and
  
  issuing, by the firewall process, an action identified from a filter matching the at least one layer parameter.
- View Dependent Claims (29, 30)
- - 29. The computer-readable medium of claim 28, wherein the first layer process is a new process, further comprising:
    - issuing by the first layer process, an add layer call.
  - 30. The computer-readable medium of claim 28, wherein the first layer process is an existing process, further comprising:
    - issuing by the first layer process, a delete layer call.

31. A computer-readable medium for executing computer-executable instructions for communicating between a firewall process and a callout process in an operating system, comprising the steps of:
- issuing, by the firewall process, a classify call having a plurality of parameters comprising, a protocol packet, at least one layer parameter, a packet context, and a matching filter identification;
  
  receiving, by the callout process, the classify call; and
  
  issuing, by the callout process, an action identified from the plurality of parameters in the classify call.
- View Dependent Claims (32, 33)
- - 32. The computer-readable medium of claim 31, wherein the callout process is a logging module, further comprising storing in a memory the protocol packet.
  - 33. The computer-readable medium of claim 31, wherein the callout process is an security module, further comprising:
    - determining, by the security module, that the protocol packet is required to conform to a security protocol;
      
      verifying that the protocol packet conforms to the security protocol.

34. A functional interface for allowing a requesting layer to obtain policy for a packet, the requesting layer being one of a plurality layers, comprising:
- a classify method comprising;
  
  the packet received by the requesting layer;
  
  a set of parameters associated with the packet, the set of parameters including data processed by the requesting layer;
  
  a packet context received by the requesting layer from another layer of the plurality of layers; and
  
  an action to be returned to the requesting layer identifying a first policy to be applied to the packet.
- View Dependent Claims (35, 36, 37, 38)
- - 35. The functional interface of claim 34, further comprising:
    - an add layer method for allowing a new layer to be added to the plurality of layers.
  - 36. The functional interface of claim 34, further comprising:
    - a delete layer method for removing an existing layer from the plurality of layers.
  - 37. The functional interface of claim 34, further comprising:
    - a policy context defining a second policy to be applied to the packet.
  - 38. The functional interface of claim 37, wherein the first policy is a firewall policy and the second policy is a non-firewall policy.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Microsoft Technology Licensing LLC (Microsoft Corporation)
Original Assignee
Microsoft Corporation
Inventors
Swander, Brian D., Mayfield, Paul G.

Granted Patent

US 7,509,673 B2
Time in Patent Office

Days
Field of Search
US Class Current

726/4
CPC Class Codes

H04L 63/0218   Distributed architectures, ...

H04L 63/0227   Filtering policies mail mes...

H04L 63/0236   Filtering by address, proto...

H04L 63/0254   Stateful filtering

H04L 63/164   at the network layer

Multi-layered firewall architecture

First Claim

2 Assignments

0 Petitions

Accused Products

Abstract

92 Citations

38 Claims

Specification

Solutions

Use Cases

Quick Links

Multi-layered firewall architecture

First Claim

2 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

92 Citations

38 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links