Host firewall integration with edge traversal technology

US 20090007251A1
Filed: 06/26/2007
Published: 01/01/2009
Est. Priority Date: 06/26/2007
Status: Active Grant

First Claim

Patent Images

1. A method of authorizing traffic received at a host firewall of a host within a local network and destined for a target in the host, the method comprising:

determining an edge traversal context indicating whether the traffic traversed an edge of the local network to reach the host;

evaluating the traffic against a firewall rule that includes an edge traversal criterion;

authorizing the traffic to pass through the host firewall to the target, if the traffic satisfies the firewall rule based on the determined edge traversal context of the traffic.

View all claims

2 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

A host firewall can determine and consider whether unsolicited traffic is inbound from beyond the edge of the network and allow or block such traffic based at least in part upon this characteristic. In one implementation, an edge traversal parameter can be set on a host firewall rule, which typically includes other parameters such as port, protocol, etc. If the unsolicited traffic received via an edge traversal interface matches a host firewall rule that has the edge traversal criterion, then the firewall does not block the traffic. On the other hand, if the unsolicited traffic received via an edge traversal interface fails to satisfy the edge traversal criterion on any firewall rule, then the firewall blocks the traffic.

Citations

20 Claims

1. A method of authorizing traffic received at a host firewall of a host within a local network and destined for a target in the host, the method comprising:
- determining an edge traversal context indicating whether the traffic traversed an edge of the local network to reach the host;
  
  evaluating the traffic against a firewall rule that includes an edge traversal criterion;
  
  authorizing the traffic to pass through the host firewall to the target, if the traffic satisfies the firewall rule based on the determined edge traversal context of the traffic.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10)
- - 2. The method of claim 1 further comprising:
    - blocking the traffic from passing through the host firewall to the target, if the traffic fails to satisfy any firewall rule that allows the traffic to pass to the target.
  - 3. The method of claim 1 wherein the determining operation comprises:
    - inspecting an IANA interface type and a tunnel type against which the traffic is classified.
  - 4. The method of claim 1 wherein the evaluating operation comprises:
    - determining a context of the traffic, including the edge traversal context;
      
      evaluating the context of the traffic against the firewall rule.
  - 5. The method of claim 1 wherein the traffic is received inbound by the host through an entry point of the local network.
  - 6. The method of claim 1 wherein the target is an edge traversal service of the host.
  - 7. The method of claim 1 wherein the traffic is received by the host firewall via re-injection internal to the host.
  - 8. The method of claim 1 further comprising:
    - receiving at the host firewall the traffic destined for an edge traversal service of the host;
      
      evaluating the traffic against another firewall rule that includes an edge traversal criterion;
      
      authorizing the traffic to pass through the host firewall to the edge traversal service of the host, if the traffic satisfies the other firewall rule, based on the determined edge traversal context of the traffic;
      
      re-injecting the traffic into the host firewall of the host, prior to the determination operation, wherein the re-injected traffic is destined for the target in the host.
  - 9. The method of claim 8 wherein the evaluating operation comprises:
    - determining a context of the traffic, including the edge traversal context;
      
      evaluating the context of the traffic against the firewall rule.
  - 10. The method of claim 1 wherein the firewall rule includes an edge traversal criterion.

11. A computer-readable storage medium having computer-executable instructions for performing a computer process that authorizes traffic received at a host firewall of a host within a local network and destined for a target in the host, the computer process comprising:
- determining an edge traversal context indicating whether the traffic traversed an edge of the local network to reach the host;
  
  evaluating context of the traffic against a firewall rule that includes an edge traversal criterion;
  
  authorizing the traffic to pass through the host firewall to the target, if the context of the traffic satisfies the firewall rule based on the determined edge traversal context of the traffic.
- View Dependent Claims (12, 13, 14, 15, 16)
- - 12. The computer-readable storage medium of claim 11, wherein the computer process further comprises:
    - blocking the traffic from passing through the host firewall to the target, if the traffic fails to satisfy any firewall rule that allows the traffic to pass to the target.
  - 13. The computer-readable storage medium of claim 11 wherein the determining operation comprises:
    - inspecting an IANA interface type and a tunnel type against which the traffic is classified.
  - 14. The computer-readable storage medium of claim 11, wherein the computer process further comprises:
    - receiving at the host firewall the traffic destined for an edge traversal service of the host;
      
      evaluating the traffic against another firewall rule that includes an edge traversal criterion;
      
      authorizing the traffic to pass through the host firewall to the edge traversal service of the host, if the traffic satisfies the other firewall rule, based on the determined edge traversal context of the traffic;
      
      re-injecting the traffic into the host firewall of the host, prior to the determination operation, wherein the re-injected traffic is destined for the target in the host.
  - 15. The computer-readable storage medium of claim 14 wherein the evaluating operation comprises:
    - determining a context of the traffic, including the edge traversal context;
      
      evaluating the context of the traffic against the firewall rule.
  - 16. The computer-readable storage medium of claim 11 wherein the firewall rule includes an edge traversal criterion.

17. A host computer that authorizes traffic received of the host within a local network, the host computer comprising:
- a target in the host to which the traffic is destined;
  
  a host firewall that determines an edge traversal context indicating whether the traffic traversed an edge of the local network to reach the host, evaluates the traffic against a firewall rule that includes an edge traversal criterion, and authorizes the traffic to pass through the host firewall to the target, if the traffic satisfies the firewall rule based on the determined edge traversal context of the traffic.
- View Dependent Claims (18, 19, 20)
- - 18. The host computer of claim 17 wherein the host firewall blocks the traffic from passing through the host firewall to the target, if the traffic fails to satisfy any firewall rule that allows the traffic to pass to the target.
  - 19. The host computer of claim 17 further comprising:
    - an edge traversal service module that receives the traffic from the host firewall, decapsulates the traffic to access the payload of the traffic, and re-injects the payload into the host firewall of the host.
  - 20. The host computer of claim 17 wherein the firewall rule includes an edge traversal criterion.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Microsoft Technology Licensing LLC (Microsoft Corporation)
Original Assignee
Microsoft Corporation
Inventors
Cuellar, Gerardo Diaz, Yariv, Eran, Sehgal, Amit A., Surkan, Michael R., Abzarian, David, Khan, Salahuddin C.J., Paleologu, Emanuel

Granted Patent

US 8,370,919 B2
Time in Patent Office

Days
Field of Search
US Class Current

726/11
CPC Class Codes

H04L 63/029 Firewall traversal, e.g. tu...

Host firewall integration with edge traversal technology

First Claim

2 Assignments

0 Petitions

Accused Products

Abstract

Citations

20 Claims

Specification

Solutions

Use Cases

Quick Links

Host firewall integration with edge traversal technology

First Claim

2 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

Citations

20 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links