SYSTEMS AND METHODS FOR INTEGRATION BETWEEN APPLICATION FIREWALL AND CACHING

US 20100325357A1
Filed: 06/22/2009
Published: 12/23/2010
Est. Priority Date: 06/22/2009
Status: Active Grant

First Claim

Patent Images

1. A method of integrating an application firewall with a cache in an intermediary device, the method comprising:

a) storing, by the intermediary device, to a cache an HTTP response received from a server to a first request of a user for a page;

b) generating, by an application firewall configured on the intermediary device, metadata from the HTTP response, the metadata identifying information to enforce a plurality of security rules by the application firewall;

c) storing, by the intermediary device, the metadata in the cache with the HTTP response;

d) receiving, by the intermediary device, a second request for the page;

e) determining, by a cache manager of the intermediary device, that the HTTP response is stored in the cache; and

f) providing, by the cache manager, a reference to the metadata in the cache for inclusion with session data associated with the second request.

View all claims

7 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

The present invention is directed towards systems and methods for integrating cache managing and application firewall processing in a networked system. In various embodiments, an integrated cache/firewall system comprises an application firewall operating in conjunction with a cache managing system in operation on an intermediary device. In various embodiments, the application firewall processes a received HTTP response to a request by a networked entity serviced by the intermediary device. The application firewall generates metadata from the HTTP response and stores the metadata in cache with the HTTP response. When a subsequent request hits in the cache, the metadata is identified to a user session associated with the subsequent request. In various embodiments, the application firewall can modify a cache-control header of the received HTTP response, and can alter the cookie-setting header of the cached HTTP response. The system and methods can significantly reduce processing time associated with application firewall processing of web content exchanged over a network.

68 Citations

View as Search Results

22 Claims

1. A method of integrating an application firewall with a cache in an intermediary device, the method comprising:
- a) storing, by the intermediary device, to a cache an HTTP response received from a server to a first request of a user for a page;
  
  b) generating, by an application firewall configured on the intermediary device, metadata from the HTTP response, the metadata identifying information to enforce a plurality of security rules by the application firewall;
  
  c) storing, by the intermediary device, the metadata in the cache with the HTTP response;
  
  d) receiving, by the intermediary device, a second request for the page;
  
  e) determining, by a cache manager of the intermediary device, that the HTTP response is stored in the cache; and
  
  f) providing, by the cache manager, a reference to the metadata in the cache for inclusion with session data associated with the second request.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10, 11)
- - 2. The method of claim 1, wherein step (a) further comprises reserving space in the cached HTTP response to insert a session cookie.
  - 3. The method of claim 2, further comprising determining, by the application firewall, that a session cookie is to be sent with the HTTP response to the second request and inserting, by the application firewall, a header to set a cookie in the reserved space of the HTTP response.
  - 4. The method of claim 2, further comprising determining, by the application firewall, that a session cookie is not to be sent with the HTTP response to the second request and inserting, by the application firewall, a header in the reserved space of the HTTP response that will be ignored by a recipient of the HTTP response.
  - 5. The method of claim 1, wherein step (b) further comprises generating the metadata to identify a type and value of one or more fields of a form in the HTTP response.
  - 6. The method of claim 1, wherein step (b) further comprises generating the metadata to identify one or more HTTP methods in the HTTP response.
  - 7. The method of claim 1, wherein step (b) further comprises generating the metadata to identify one or more uniform resource locators from the HTTP response.
  - 8. The method of claim 1, further comprising applying, by the application firewall responsive to the second request, the plurality of security rules to the metadata identified via the session data.
  - 9. The method of claim 1, further comprising modifying, by the application firewall, a cache control header of the HTTP response to include cache control information from the application firewall and a copy of cache control information originally in the HTTP response.
  - 10. The method of claim 9, further comprising determining, by the cache manager, whether to cache an HTTP response based on inclusion of the copy of the cache control information.
  - 11. The method of claim 1, further comprising storing, by the intermediary device, the reference to the metadata with a user session associated with the first request and with a user session associated with the second request.

12. A system for integrating an application firewall with a cache comprising:
- an application firewall generating metadata from an HTTP response received from a server to a first request of a user for a page, the metadata identifying information to enforce a plurality of security rules by the application firewall;
  
  an intermediary device storing to a cache the HTTP response and storing the metadata in the cache with the HTTP response; and
  
  a cache manager operating in conjunction with the intermediary device and application firewall, the cache manager adapted to determine that the HTTP response is stored in the cache and provide a reference to the metadata in the cache for inclusion with session data associated with the second request, whereinthe intermediary device further receives a second request for the page.
- View Dependent Claims (13, 14, 15, 16, 17, 18, 19, 20, 21, 22)
- - 13. The system of claim 12, wherein the application firewall generates the metadata to identify a type and value of one or more fields of a form in the HTTP response.
  - 14. The system of claim 12, wherein the application firewall generates the metadata to identify one or more HTTP methods in the HTTP response.
  - 15. The system of claim 12, wherein the application firewall generates the metadata to identify one or more uniform resource locators from the HTTP response.
  - 16. The system of claim 12, wherein the intermediary device reserves space in the cached HTTP response to insert a session cookie.
  - 17. The system of claim 16, wherein the application firewall determines that a session cookie is to be sent with the HTTP response to the second request and inserts a header to set a cookie in the reserved space of the HTTP response.
  - 18. The system of claim 16, wherein the application firewall determines that a session cookie is not to be sent with the HTTP response to the second request and inserts a header in the reserved space of the HTTP response that will be ignored by a recipient of the HTTP response.
  - 19. The system of claim 12, wherein the application firewall applies, responsive to the second request, the plurality of security rules to the metadata identified via the session data.
  - 20. The system of claim 12, wherein the application firewall modifies a cache control header of the HTTP response to include cache control information from the application firewall and a copy of cache control information originally in the HTTP response.
  - 21. The system of claim 20, wherein the cache manager determines whether to cache an HTTP response based on inclusion of the copy of the cache control information.
  - 22. The system of claim 12, wherein the intermediary device stores the reference to the metadata with a user session associated with the first request and with a user session associated with the second request.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Citrix Systems, Inc. (Cloud Software Group)
Original Assignee
Citrix Systems, Inc. (Cloud Software Group)
Inventors
Reddy, Anoop Kandi, Khemani, Prakash, Anderson, Craig Steven

Granted Patent

US 8,205,035 B2
Time in Patent Office

Days
Field of Search
US Class Current

711/118
CPC Class Codes

G06F 21/53   by executing in a restricte...

G06F 2221/2101   Auditing as a secondary aspect

G06F 2221/2105   Dual mode as a secondary as...

G06F 2221/2149   Restricted operating enviro...

H04L 63/0227   Filtering policies mail mes...

H04L 63/168   above the transport layer

H04L 67/02   based on web technology, e....

H04L 67/561   Adding application-function...

H04L 67/568   Storing data temporarily at...

SYSTEMS AND METHODS FOR INTEGRATION BETWEEN APPLICATION FIREWALL AND CACHING

First Claim

7 Assignments

0 Petitions

Accused Products

Abstract

68 Citations

22 Claims

Specification

Solutions

Use Cases

Quick Links

SYSTEMS AND METHODS FOR INTEGRATION BETWEEN APPLICATION FIREWALL AND CACHING

First Claim

7 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

68 Citations

22 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links