Multi-layer based method for implementing network firewalls

US 20050022011A1
Filed: 06/06/2003
Published: 01/27/2005
Est. Priority Date: 06/06/2003
Status: Active Grant

First Claim

Patent Images

1. A method for implementing a firewall policy at a requesting stage, the requesting stage being one of a plurality of stages in a firewall framework, the firewall framework further including a firewall engine having a plurality of installed filters, comprising:

receiving, by the requesting stage, a packet from a previous stage in the plurality of stages;

identifying, by the requesting stage, a set of parameters associated with the packet;

issuing a classify call including the set of parameters associated with the packet;

receiving, in response to the classify call, an action according to the firewall policy designated by at least one of the plurality of the installed filters.

View all claims

3 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

A method is provided for implementing a firewall in a firewall architecture. The firewall architecture includes a plurality of network layers and a first firewall engine. The layers send packets and packet information to the first firewall engine, maintain and pass packet context to subsequent layers, and process the packets. The first firewall engine compares the packet information to one or more installed filters and returns an action to the layers indicating how to treat the packet.

114 Citations

28 Claims

1. A method for implementing a firewall policy at a requesting stage, the requesting stage being one of a plurality of stages in a firewall framework, the firewall framework further including a firewall engine having a plurality of installed filters, comprising:
- receiving, by the requesting stage, a packet from a previous stage in the plurality of stages;
  
  identifying, by the requesting stage, a set of parameters associated with the packet;
  
  issuing a classify call including the set of parameters associated with the packet;
  
  receiving, in response to the classify call, an action according to the firewall policy designated by at least one of the plurality of the installed filters.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9)
- - 2. The method of claim 1, wherein the action is an instruction to allow the packet to continue network traversal, further comprising:
    - processing the packet according to a layer protocol; and
      
      sending the packet to a next stage in the plurality of stages.
  - 3. The method of claim 1, wherein the packet is an outbound packet destined for a network device and wherein the set of parameters include information to be added to the packet according to a protocol implemented by the requesting stage.
  - 4. The method of claim 1, wherein the packet is an inbound packet received from a network device and wherein the set of parameters include information that the requesting stage parses from the inbound packet according to a protocol implemented by the requesting stage.
  - 5. The method of claim 1, wherein the plurality of stages execute within a kernel mode of an operating system.
  - 6. The method of claim 1 wherein the plurality of stages execute within a user mode of an operating system.
  - 7. The method of claim 1 further comprising:
    - receiving a packet context data structure from the previous stage, the packet context including previous stage data associated with the packet; and
      
      modifying the packet context data structure by adding the set of parameters.
  - 8. The method of claim 7 wherein parameters of the set of parameters includes identification of the requesting stage, the parameter type, and a value.
  - 9. The method of claim 7, wherein the requesting stage sends the modified packet context data structure to a next stage in the plurality of stages.

10. A method for implementing a firewall policy in a firewall engine comprising a set of installed filters, the installed filters each comprising a set of filter conditions and an associated action, comprising:
- receiving a set of packet parameters including first packet information associated with a requesting layer and second packet information associated with a packet context data structure;
  
  identifying a set of matching filters, each filter in the set of matching filters having filter conditions corresponding the packet parameters; and
  
  identifying the associated action from at least one of the matching filters.
- View Dependent Claims (11, 12, 13, 14, 15)
- - 11. The method of claim 10, wherein each filter in the set of matching filters has a priority and the associated action from a highest priority filter is a non-terminating action, further comprising:
    - identify the associated action from one or more lower priority filters in the set of matching filters until a terminating action is reached.
  - 12. The method of claim 10, wherein a filter from the set of matching filter identifies a callout module, further comprising:
    - sending the packet parameters and an identification of the filter from the set of matching filters to the callout module.
  - 13. The method of claim 12, wherein the callout modifies the packet context.
  - 14. The method of claim 10, wherein the firewall engine executes in a user mode of an operating system.
  - 15. The method of claim 10, wherein the firewall engine executes in a kernel mode of an operating system.

16. A method for permitting network communication between an initiating network device and a responding network device, the responding network device including a firewall for preventing unsolicited network communications, comprising:
- creating a first firewall filter that permits inbound packets according to a key negotiation protocol;
  
  conducting a successful key negotiation between the initiating network device and the responding network device according to the key negotiation protocol;
  
  verifying the identity of the initiating device as part of the key negotiation protocol; and
  
  creating a second firewall filter that permits inbound packets sent from the initiating network device.
- View Dependent Claims (17, 18, 19)
- - 17. The method of claim 16, wherein the second firewall filter permits packets conforming to a security protocol sent from the initiating network device.
  - 18. The method of claim 16, wherein the second firewall filter permits packets designating an address of the initiating device.
  - 19. The method of claim 16 wherein the key negotiation is an IKE negotiation.

20. A computer-readable medium for executing computer-readable instructions for implementing a firewall policy at a requesting stage, the requesting stage being one of a plurality of stages in a firewall framework, the firewall framework further including a firewall engine having a plurality of installed filters, comprising:
- receiving, by the requesting stage, a packet from a previous stage in the plurality of stages;
  
  identifying, by the requesting stage, a set of parameters associated with the packet;
  
  issuing a classify call including the set of parameters associated with the packet;
  
  receiving, in response to the classify call, an action according to the firewall policy designated by at least one of the plurality of the installed filters.
- View Dependent Claims (21, 22)
- - 21. The computer-readable medium of claim 20, wherein the action is an instruction to allow the packet to continue network traversal, further comprising:
    - processing the packet according to a layer protocol; and
      
      sending the packet to a next stage in the plurality of stages.
  - 22. The computer-readable medium of claim 20 further comprising:
    - receiving a packet context data structure from the previous stage, the packet context including previous stage data associated with the packet; and
      
      modifying the packet context data structure by adding the set of parameters.

23. A computer-readable medium for executing computer-readable instructions for implementing a firewall policy in a firewall engine comprising a set of installed filters, the installed filters each comprising a set of filter conditions and an associated action, comprising:
- receiving a set of packet parameters including first packet information associated with a requesting layer and second packet information associated with a packet context data structure identifying a set of matching filters, each filter in the set of matching filters having filter conditions corresponding the packet parameters; and
  
  identifying the associated action from at least one of the matching filters.
- View Dependent Claims (24, 25)
- - 24. The computer-readable medium of claim 23, wherein each filter in the set of matching filters has a priority and the associated action from a highest priority filter is a non-terminating action, further comprising:
    - identify the associated action from one or more lower priority filters in the set of matching filters until a terminating action is reached.
  - 25. The computer-readable medium of claim 23, wherein a filter from the set of matching filter identifies a callout module, further comprising:
    - sending the packet parameters and an identification of the filter from the set of matching filters to the callout module.

26. A computer-readable medium for executing computer-readable instructions for permitting network communication between an initiating network device and a responding network device, the responding network device including a firewall for preventing unsolicited network communications, comprising:
- creating a first firewall filter that permits inbound packets according to a key negotiation protocol;
  
  conducting a successful key negotiation between the initiating network device and the responding network device according to the key negotiation protocol;
  
  verifying the identity of the initiating device as part of the key negotiation protocol; and
  
  creating a second firewall filter that permits inbound packets sent from the initiating network device.
- View Dependent Claims (27, 28)
- - 27. The computer-readable medium of claim 26, wherein the second firewall filter permits packets conforming to a security protocol sent from the initiating network device.
  - 28. The computer-readable medium of claim 26, wherein the second firewall filter permits packets designating an address of the initiating device.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Microsoft Technology Licensing LLC (Microsoft Corporation)
Original Assignee
Microsoft Corporation
Inventors
Swander, Brian D., Pall, Gurdeep Singh, Rao, Nagampalli S. S. Narasimha

Granted Patent

US 7,260,840 B2
Time in Patent Office

Days
Field of Search
US Class Current

726/4
CPC Class Codes

H04L 63/0227   Filtering policies mail mes...

H04L 63/0236   Filtering by address, proto...

H04L 63/0823   using certificates cryptogr...

Multi-layer based method for implementing network firewalls

First Claim

3 Assignments

0 Petitions

Accused Products

Abstract

114 Citations

28 Claims

Specification

Use Cases

Quick Links

Others

Multi-layer based method for implementing network firewalls

First Claim

3 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

114 Citations

28 Claims

Specification

Subscription Required

Use Cases

Quick Links

Others