Method and apparatus for enabling enhanced control of traffic propagation through a network firewall

US 20060075478A1
Filed: 09/30/2004
Published: 04/06/2006
Est. Priority Date: 09/30/2004
Status: Active Grant

First Claim

Patent Images

1. A method of controlling traffic on a communication network, the method comprising the steps of:

obtaining, by a network firewall, information from a firewall agent configured to collect information about at least one of user and application activity; and

adjusting filtering rules to be applied by the network firewall at least in part based on the information from the firewall agent.

View all claims

6 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

A distributed firewall system is used to implement a network firewall with enhanced control over network traffic to allow policy to be implemented on a per-user basis, a per-application basis, a per-user and application basis, and to allow ports to be dynamically opened and closed as needed by the applications. The distributed firewall system may include application identifiers associated with applications running on a network element, one or more firewall agents instantiated on the network element hosting the applications, and a firewall configured to interface with the firewall agents. Communications between the distributed components are secured to allow the firewall to detect if an agent has been compromised, and to allow the firewall agent to determine if the application has been compromised. The distributed firewall system may work in a VPN environment, such as in connection with a VPN server, to implement firewall policy at the point where VPN traffic enters the protected network.

Citations

24 Claims

1. A method of controlling traffic on a communication network, the method comprising the steps of:
- obtaining, by a network firewall, information from a firewall agent configured to collect information about at least one of user and application activity; and
  
  adjusting filtering rules to be applied by the network firewall at least in part based on the information from the firewall agent.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13, 14, 15, 16)
- - 2. The method of claim 1, wherein the information comprises at least one of port usage and Internet Protocol (EP) address usage.
  - 3. The method of claim 1, wherein the information comprises user data and application data, and wherein the user data comprises information associated with a host that the user has logged into and wherein the application data comprises information associated with which applications the user is running.
  - 4. The method of claim 1, wherein the network firewall is configured to filter traffic on the communication network based on the filtering rules.
  - 5. The method of claim 1, wherein the network firewall is instantiated in a first network element on the communication network, and wherein the firewall agent is instantiated on a second network element on the communication network.
  - 6. The method of claim 5, wherein the application is instantiated in the second network element.
  - 7. The method of claim 1, wherein the application is configured to dynamically assign ports to communication sessions on the communication network, and wherein the information comprises at least current port assignment information.
  - 8. The method of claim 7, wherein the step of adjusting filtering rules to be applied by the network firewall comprises opening a port on the network firewall based on the current port assignment information.
  - 9. The method of claim 1, wherein the information from the firewall agent comprises user information.
  - 10. The method of claim 9, further comprising the step of validating, by the firewall agent, the user information.
  - 11. The method of claim 10, wherein the step of validating comprises interfacing, by the firewall agent, an authentication server.
  - 12. The method of claim 1, further comprising the step of providing, by the firewall agent, user information.
  - 13. The method of claim 12, further comprising the step of signing, by the firewall agent, the user information.
  - 14. The method of claim 1, further comprising the step of verifying the identity of the firewall agent to the network firewall.
  - 15. The method of claim 14, wherein the step of verifying the identity of the firewall agent comprises providing a digital signature from the firewall agent to the firewall.
  - 16. The method of claim 1, wherein the network firewall comprises a plurality of distributed components, one of said components being associated with a VPN server, the method further comprising the step of passing the filtering rules to the component associated with the VPN server.

17. A distributed firewall system, comprising:
- at least one firewall agent configured to collect information about at least one application configured to provide services on a communication network; and
  
  a firewall appliance configured receive at least a portion of the collected information and to apply filter rules to network traffic on the communication network, said filter rules being adjustable based at least in part on the received information.
- View Dependent Claims (18, 20, 21, 22, 23)
- - 18. The distributed firewall system of claim 17, wherein the collected information is port and Internet Protocol address information.
  - 20. The distributed firewall system of claim 17, wherein the firewall agent and firewall appliance are configured to exchange collected information in a secure and trusted manner.
  - 21. The distributed firewall system of claim 17, wherein the firewall agent is instantiated on a first network element, the firewall appliance is instantiated on a second network element, and wherein the firewall agent is configured to perform an application inventory indicative of applications running on the first network element.
  - 22. The distributed firewall system of claim 17, wherein the firewall agent is configured to audit user and application information.
  - 23. The distributed firewall system of claim 17, further comprising firewall software associated with a VPN server on the network, said firewall software being configured to allow the VPN server to be configured to apply firewall policy to VPN traffic.

19. The distributed firewall system of 17, further comprising at least one application identifier associated with the application and configured to provide path information and application signature information to the firewall agent.

24. A Virtual Private Network (VPN) server, comprising:
- VPN software configured to allow the VPN server to perform at least one of encapsulation and encryption to traffic to be carried on a VPN tunnel; and
  
  firewall software configured to enable the VPN server to apply firewall policy to traffic on the VPN tunnel.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
RPX Clearinghouse LLC (RPX Corporation)
Original Assignee
Nortel Networks Limited (Nortel Networks Corporation)
Inventors
Hyndman, Arn, Sauriol, Nicholas

Granted Patent

US 8,146,145 B2
Time in Patent Office

Days
Field of Search
US Class Current

726/11
CPC Class Codes

H04L 63/0218   Distributed architectures, ...

H04L 63/0227   Filtering policies mail mes...

H04L 63/029   Firewall traversal, e.g. tu...

H04L 63/12   Applying verification of th...

Method and apparatus for enabling enhanced control of traffic propagation through a network firewall

First Claim

6 Assignments

0 Petitions

Accused Products

Abstract

Citations

24 Claims

Specification

Solutions

Use Cases

Quick Links

Method and apparatus for enabling enhanced control of traffic propagation through a network firewall

First Claim

6 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

Citations

24 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links