Multi-layer based method for implementing network firewalls
3 Assignments
0 Petitions
Abstract
A method is provided for implementing a firewall in a firewall architecture. The firewall architecture includes a plurality of network layers and a first firewall engine. The layers send packets and packet information to the first firewall engine, maintain and pass packet context to subsequent layers, and process the packets. The first firewall engine compares the packet information to one or more installed filters and returns an action to the layers indicating how to treat the packet.
114 Citations
28 Claims
1. A method for implementing a firewall policy at a requesting stage, the requesting stage being one of a plurality of stages in a firewall framework, the firewall framework further including a firewall engine having a plurality of installed filters, comprising:
receiving, by the requesting stage, a packet from a previous stage in the plurality of stages;
identifying, by the requesting stage, a set of parameters associated with the packet;
issuing a classify call including the set of parameters associated with the packet;
receiving, in response to the classify call, an action according to the firewall policy designated by at least one of the plurality of the installed filters.
(Dependent claims 2 to 9 not shown.)

10. A method for implementing a firewall policy in a firewall engine comprising a set of installed filters, the installed filters each comprising a set of filter conditions and an associated action, comprising:
receiving a set of packet parameters including first packet information associated with a requesting layer and second packet information associated with a packet context data structure;
identifying a set of matching filters, each filter in the set of matching filters having filter conditions corresponding to the packet parameters; and
identifying the associated action from at least one of the matching filters.
(Dependent claims 11 to 15 not shown.)

16. A method for permitting network communication between an initiating network device and a responding network device, the responding network device including a firewall for preventing unsolicited network communications, comprising:
creating a first firewall filter that permits inbound packets according to a key negotiation protocol;
conducting a successful key negotiation between the initiating network device and the responding network device according to the key negotiation protocol;
verifying the identity of the initiating device as part of the key negotiation protocol; and
creating a second firewall filter that permits inbound packets sent from the initiating network device.
(Dependent claims 17 to 19 not shown.)

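The framework recited in claims 1, 10 and 16 (and restated in claims 20, 23 and 26), as an added example that is not the patent's own code. The claims say only that stages extract parameters, issue a classify call, maintain and pass a packet context, and that the engine returns an action from at least one matching filter; everything more specific here is an assumption: the two-stage layout (an `ip` stage followed by a `transport` stage), the parameter names, a highest-priority-match rule for choosing among matching filters, a default-deny expressed as a catch-all filter at the last stage, UDP port 500 as the port the first filter admits (IKE's port; the claims name no protocol), and a pre-shared-key nonce/HMAC exchange standing in for the key negotiation and identity check. All addresses and keys are constructed sample data.

```python
import hashlib
import hmac
import os
from dataclasses import dataclass
from typing import Any, Dict, List, Optional, Tuple

# Added example, not the patent's code. Names, the two-stage layout, the
# priority rule and the PSK-HMAC stand-in for key negotiation are assumptions.
PERMIT, BLOCK = "permit", "block"


@dataclass
class Filter:
    name: str
    conditions: Dict[str, Any]  # packet parameter -> required value
    action: str
    priority: int = 0           # highest-priority match decides (assumption)


class FirewallEngine:
    """Holds the installed filters and answers classify calls."""

    def __init__(self) -> None:
        self.filters: List[Filter] = []

    def install(self, f: Filter) -> None:
        self.filters.append(f)
        self.filters.sort(key=lambda x: x.priority, reverse=True)

    def matching_filters(self, params: Dict[str, Any]) -> List[Filter]:
        # Every condition must hold; a parameter this layer does not know yet
        # (e.g. a port at the IP layer) simply fails to match.
        return [f for f in self.filters
                if all(params.get(k) == v for k, v in f.conditions.items())]

    def classify(self, layer_params: Dict[str, Any],
                 context: Dict[str, Any]) -> Optional[str]:
        # First packet information (this layer) overrides second (context).
        params = {**context, **layer_params}
        matches = self.matching_filters(params)
        return matches[0].action if matches else None  # None: no decision here


class Stage:
    """One layer: extract its parameters, classify, pass the context on."""

    def __init__(self, name: str, keys: List[str], engine: FirewallEngine,
                 next_stage: Optional["Stage"] = None) -> None:
        self.name, self.keys, self.engine, self.next = name, keys, engine, next_stage

    def process(self, packet: Dict[str, Any], context: Dict[str, Any]) -> str:
        params = {k: packet[k] for k in self.keys if k in packet}
        params["layer"] = self.name
        if self.engine.classify(params, context) == BLOCK:
            return BLOCK
        context.update(params)  # maintained and passed to the next layer
        return PERMIT if self.next is None else self.next.process(packet, context)


def build_framework() -> Tuple[FirewallEngine, Stage]:
    engine = FirewallEngine()
    transport = Stage("transport", ["proto", "src_port", "dst_port"], engine)
    ip = Stage("ip", ["direction", "src_ip", "dst_ip"], engine, transport)
    # Catch-all at the last layer: inbound traffic is denied unless a
    # higher-priority filter permits it. Default-deny lives in a filter, not
    # in the engine, so the IP layer cannot block before ports are known.
    engine.install(Filter("deny-inbound", {"layer": "transport", "direction": "in"}, BLOCK, 0))
    # First firewall filter of claim 16: admit the key-negotiation protocol
    # (UDP/500 assumed, as for IKE).
    engine.install(Filter("allow-ike", {"direction": "in", "proto": "udp", "dst_port": 500}, PERMIT, 10))
    return engine, ip


PEER_SECRETS = {"203.0.113.7": b"constructed-psk-for-peer-7"}  # constructed sample


def negotiate(engine: FirewallEngine, first: Stage, peer_ip: str, peer_key: bytes) -> bool:
    """Toy stand-in for the key negotiation: a nonce/HMAC proof with a PSK.
    On success, install the second filter that admits the verified peer."""
    ike = {"direction": "in", "src_ip": peer_ip, "dst_ip": "198.51.100.1",
           "proto": "udp", "src_port": 500, "dst_port": 500}
    if first.process(ike, {}) != PERMIT:        # the negotiation itself is filtered
        return False
    if peer_ip not in PEER_SECRETS:
        return False
    nonce = os.urandom(16)
    expected = hmac.new(PEER_SECRETS[peer_ip], nonce, hashlib.sha256).digest()
    offered = hmac.new(peer_key, nonce, hashlib.sha256).digest()
    if not hmac.compare_digest(expected, offered):
        return False                             # identity not verified: no filter
    engine.install(Filter(f"allow-{peer_ip}", {"direction": "in", "src_ip": peer_ip}, PERMIT, 5))
    return True


def demo() -> Dict[str, Any]:
    engine, first = build_framework()
    smb = {"direction": "in", "src_ip": "203.0.113.7", "dst_ip": "198.51.100.1",
           "proto": "tcp", "src_port": 40000, "dst_port": 445}
    out = {"before": first.process(smb, {})}
    out["negotiated"] = negotiate(engine, first, "203.0.113.7", PEER_SECRETS["203.0.113.7"])
    out["after"] = first.process(smb, {})
    out["spoof_negotiated"] = negotiate(engine, first, "203.0.113.9", b"wrong-key")
    out["spoof_after"] = first.process(dict(smb, src_ip="203.0.113.9"), {})
    out["outbound"] = first.process(dict(smb, direction="out"), {})
    return out


if __name__ == "__main__":
    print(demo())
```

Running `demo()` shows the sequence the claims describe: unsolicited inbound TCP/445 from the peer is blocked, the negotiation packet on UDP/500 is admitted by the first filter, a successful and verified negotiation installs the second filter, after which the same TCP/445 packet is permitted, while a peer that fails verification gets no filter and stays blocked. One caveat a practitioner should keep in mind: the second filter, as claim 16 recites it, keys on the initiator's address only. In a real IPsec deployment the check that matters is that the packet arrived under the negotiated security association, since a bare source address is trivially spoofed.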
20. A computer-readable medium for executing computer-readable instructions for implementing a firewall policy at a requesting stage, the requesting stage being one of a plurality of stages in a firewall framework, the firewall framework further including a firewall engine having a plurality of installed filters, comprising:
receiving, by the requesting stage, a packet from a previous stage in the plurality of stages;
identifying, by the requesting stage, a set of parameters associated with the packet;
issuing a classify call including the set of parameters associated with the packet;
receiving, in response to the classify call, an action according to the firewall policy designated by at least one of the plurality of the installed filters.
(Dependent claims 21 and 22 not shown.)

23. A computer-readable medium for executing computer-readable instructions for implementing a firewall policy in a firewall engine comprising a set of installed filters, the installed filters each comprising a set of filter conditions and an associated action, comprising:
receiving a set of packet parameters including first packet information associated with a requesting layer and second packet information associated with a packet context data structure;
identifying a set of matching filters, each filter in the set of matching filters having filter conditions corresponding to the packet parameters; and
identifying the associated action from at least one of the matching filters.
(Dependent claims 24 and 25 not shown.)

26. A computer-readable medium for executing computer-readable instructions for permitting network communication between an initiating network device and a responding network device, the responding network device including a firewall for preventing unsolicited network communications, comprising:
creating a first firewall filter that permits inbound packets according to a key negotiation protocol;
conducting a successful key negotiation between the initiating network device and the responding network device according to the key negotiation protocol;
verifying the identity of the initiating device as part of the key negotiation protocol; and
creating a second firewall filter that permits inbound packets sent from the initiating network device.
(Dependent claims 27 and 28 not shown.)

Specification