Cross network layer correlation-based firewalls

US 20080072307A1
Filed: 08/29/2006
Published: 03/20/2008
Est. Priority Date: 08/29/2006
Status: Active Grant

First Claim

Patent Images

1. A method of permitting data packets through a firewall, comprising:

establishing communication between a first participant and a second participant, a communication path for the communication passing through a firewall;

receiving a packet of information to the firewall;

comparing the packet of information to information stored for the established communication; and

allowing the packet to pass through the firewall to the second participant when the packet agrees with the session information.

View all claims

1 Assignment

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

Lower layer traffic such as RTP streams or UDP packets that typically are not allowed through a firewall are permitted through the firewall by correlating the traffic with higher level communications already established, or messages exchanged, at a higher level layer such as for SIP sessions. Communication information and policies can be made available to the firewall, such that the firewall can allow through any packets for an active communication between authorized addresses through an authorized port. Such an approach can allow data such as streamed data and VoIP data to be passed through a firewall without weakening firewall policies.

107 Citations

View as Search Results

30 Claims

1. A method of permitting data packets through a firewall, comprising:
- establishing communication between a first participant and a second participant, a communication path for the communication passing through a firewall;
  
  receiving a packet of information to the firewall;
  
  comparing the packet of information to information stored for the established communication; and
  
  allowing the packet to pass through the firewall to the second participant when the packet agrees with the session information.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13, 14, 15, 16, 17, 18, 19, 20)
- - 2. A method according to claim 1, wherein:
    - establishing communication includes one of establishing a session and establishing a service connection for data exchange.
  - 3. A method according to claim 1, further comprising:
    - storing the information for the established communication to a firewall-accessible location.
  - 4. A method according to claim 1, further comprising:
    - blocking the packet where the packet does not match the information for the established communication.
  - 5. A method according to claim 1, wherein:
    - the information for the established communication includes a first address for the first participant, a second address for the second participant, and a port number of the firewall for the session.
  - 6. A method according to claim 1, wherein:
    - the information for the established communication includes one of a session identifier and an application identifier.
  - 7. A method according to claim 1, further comprising:
    - logging information about the established communication.
  - 8. A method according to claim 1, wherein:
    - logging information includes logging from at least one of inside and outside of the firewall.
  - 9. A method according to claim 7, further comprising:
    - enforcing at least one policy to authorize the logging.
  - 10. A method according to claim 1, further comprising:
    - applying at least one security policy to the packet where the packet matches the information for the established communication before allowing the packet to pass through the firewall to the second participant.
  - 11. A method according to claim 1, wherein:
    - a session is established at a first protocol layer, and the packet is received on a second protocol layer.
  - 12. A method according to claim 11, wherein:
    - the second protocol layer is lower than the first protocol layer.
  - 13. A method according to claim 11, wherein:
    - the first protocol layer is a Session Initialization Protocol (SIP) layer and the second protocol layer is a Real-time Transport Protocol (RTP) layer.
  - 14. A method according to claim 11, wherein:
    - the first protocol layer is one of an application and a service layer.
  - 15. A method according to claim 1, wherein:
    - the packet contains Voice over IP (VoIP) information.
  - 16. A method according to claim 1, further comprising:
    - receiving a request from the first participant;
      
      forwarding the request to the second participant;
      
      receiving a response from the second participant; and
      
      forwarding the response to the first participant,wherein communication is established between the first participant and the second participant.
  - 17. A method according to claim 1, further comprising:
    - receiving a request from the first participant to a proxy;
      
      forwarding the request from the proxy to the second participant;
      
      receiving a response from the second participant to the proxy; and
      
      forwarding the response to the first participant,wherein the proxy establishes the session for communication between the first participant and the second participant.
  - 18. A method according to claim 1, further comprising:
    - storing information about the established communication to a firewall-accessible location.
  - 19. A method according to claim 1, wherein:
    - the firewall-accessible location is one of inside and outside the firewall.
  - 20. A method according to claim 1, wherein:
    - the step of comparing the packet of information to information stored for the established communication is done for random received packets.

21. A system for permitting data packets through a firewall, comprising:
- a communication component operable to receive a request from a first participant and forward the request to a second participant, the communication component further operable to receive a response from the second participant and forward the response to the first participant, the communication component further operable to establish a communication for the first and second participant devices and store information for the established communication in response thereto;
  
  a firewall operable to receive a packet of information and compare the packet to the information for the established communication, the firewall being further operable to allow the packet to pass through the firewall to the second participant where the packet agrees with the information for the established communication and to block the packet where the packet does not agree with the information for the established communication.
- View Dependent Claims (22, 23, 24, 25, 26, 27, 28)
- - 22. A system according to claim 21, wherein:
    - the communication component is one of a proxy, a service, and an application.
  - 23. A system according to claim 21, wherein:
    - the information for the established communication includes a first address for the first participant, a second address for the second participant, and a port number of the firewall for the session.
  - 24. A system according to claim 21, wherein:
    - the information for the established communication includes one of a session identifier and an application identifier.
  - 25. A system according to claim 21, wherein:
    - the firewall is further operable to apply at least one security policy to the packet where the packet agrees with the information for the established communication before allowing the packet to pass through the firewall to the second participant.
  - 26. A system according to claim 21, wherein:
    - the communication is established at a first protocol layer, and the packet is received on a second protocol layer.
  - 27. A system according to claim 26, wherein:
    - the first protocol layer is a Session Initialization Protocol (SIP) layer and the second protocol layer is a Real-time Transport Protocol (RTP) layer.
  - 28. A system according to claim 26, wherein:
    - the first protocol layer is one of an application and a service layer.

29. A computer program product embedded in a computer readable medium, comprising:
- computer code for establishing a communication between a first participant and a second participant, a communication path for the established communication passing through a firewall;
  
  computer code for receiving a packet of information to the firewall;
  
  computer code for comparing the packet of information to information for the established communication; and
  
  computer code for allowing the packet to pass through the firewall to the second participant where the packet agrees with the information for the established communication.
- View Dependent Claims (30)
- - 30. A computer program product according to claim 29, further comprising:
    - computer code for applying at least one security policy to the packet where the packet agrees with the information for the established communication before allowing the packet to pass through the firewall to the second participant.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Oracle International Corporation (Oracle Corporation)
Original Assignee
Oracle International Corporation (Oracle Corporation)
Inventors
Maes, Stephane H.

Granted Patent

US 8,234,702 B2
Time in Patent Office

Days
Field of Search
US Class Current

726/12
CPC Class Codes

H04L 63/029   Firewall traversal, e.g. tu...

H04L 67/14   Session management for real...

H04L 67/146   Markers for unambiguous ide...

H04L 67/56   Provisioning of proxy servi...

Cross network layer correlation-based firewalls

First Claim

1 Assignment

0 Petitions

Accused Products

Abstract

107 Citations

30 Claims

Specification

Solutions

Use Cases

Quick Links

Cross network layer correlation-based firewalls

First Claim

1 Assignment

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

107 Citations

30 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links