SYSTEMS AND METHODS FOR PROCESSING APPLICATION FIREWALL SESSION INFORMATION ON OWNER CORE IN MULTIPLE CORE SYSTEM

US 20110154471A1
Filed: 12/23/2009
Published: 06/23/2011
Est. Priority Date: 12/23/2009
Status: Active Grant

First Claim

Patent Images

1. A method of processing application firewall checks in a multi-core intermediary device, the method comprising:

(a) storing, by a first application firewall module executing on a first core of a multi-core intermediary device, application firewall session data to memory accessible by the first core, the first core establishing a session for a user;

(b) receiving, by a second application firewall module executing on a second core of the multi-core intermediary device, a request from the user via the session, the request comprising a session identifier identifying the first core as establishing the session;

(c) determining, by the second application firewall module, to perform a security check of a plurality of security checks on the request;

(d) communicating, by the second application firewall module, a first portion of the request corresponding to the security check to the first core identified by the session identifier;

(e) receiving, by the second application firewall module, from the first core a result of the security check performed by the first core on the first portion of the request using the stored application firewall session data.

View all claims

8 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

The present invention is directed towards systems and methods for sharing session data among cores in a multi-core system. A first application firewall module executes on a core of a multi-core intermediary device which establishes a user session. The first application firewall module stores application firewall session data to memory accessible by the first core. A second application firewall module executes on a second core of the multi-core intermediary device. The second application firewall module receives a request from the user via the established user session. The request includes a session identifier identifying that the user session was established by the first core. The second application firewall module determines to perform one or more security checks on the request and communicates a portion of the request the first core. The second application firewall module receives and processes the security check results and instructions from the first core.

Citations

26 Claims

1. A method of processing application firewall checks in a multi-core intermediary device, the method comprising:
- (a) storing, by a first application firewall module executing on a first core of a multi-core intermediary device, application firewall session data to memory accessible by the first core, the first core establishing a session for a user;
  
  (b) receiving, by a second application firewall module executing on a second core of the multi-core intermediary device, a request from the user via the session, the request comprising a session identifier identifying the first core as establishing the session;
  
  (c) determining, by the second application firewall module, to perform a security check of a plurality of security checks on the request;
  
  (d) communicating, by the second application firewall module, a first portion of the request corresponding to the security check to the first core identified by the session identifier;
  
  (e) receiving, by the second application firewall module, from the first core a result of the security check performed by the first core on the first portion of the request using the stored application firewall session data.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13)
- - 2. The method of claim 1, wherein step (b) further comprises receiving the request comprising a uniform resource locator (URL) and wherein step (c) further comprises determining, by the second application firewall module, to perform a URL closure check as the security check, the URL closure check verifying whether or not the URL has previously traversed the intermediary device.
  - 3. The method of claim 2, wherein step (d) further comprises communicating the URL to the first core to perform the URL closure check and wherein step (e) further comprises, the second application firewall module receiving as the result one of a pass or fail of the URL closure check.
  - 4. The method of claim 1, wherein step (b) further comprises receiving the request comprising one or more cookies and wherein step (c) further comprises determining, by the second application firewall module, to perform a cookie consistency check as the security check, the cookie consistency check verifying whether or not a cookie is part of the session.
  - 5. The method of claim 4, wherein step (d) further comprises communicating the one or more cookies to the first core to perform the cookie consistency check and wherein step (e) further comprises, the second application firewall module receiving as the result an indicator of a cookie of the one or more cookies not in the session.
  - 6. The method of claim 5, further comprises dropping, by the second application firewall module, the cookie from the session.
  - 7. The method of claim 1, wherein step (b) further comprises receiving the request comprising a form and wherein step (c) further comprises determining, by the second application firewall module, to perform a form field consistency check as the security check, the form field consistency check verifying whether or not the form was modified.
  - 8. The method of claim 7, wherein step (d) further comprises determining the form is tagged with a form identifier and communicating by the second application firewall module a second request to the first core for information on the form to perform the form field consistency check.
  - 9. The method of claim 8, wherein step (e) further comprises receiving from the first core a form data structure for performing by the second application firewall data the form field consistency check instead of the first core.
  - 10. The method of claim 7, wherein step (d) further comprises determining the form is not tagged with a form identifier and communicating by the second application firewall module a data structure for the form.
  - 11. The method of claim 9, wherein step (e) further comprises receiving from the first core the result of the form field consistency check.
  - 12. The method of claim 1, further comprising receiving by the second application firewall module from the first core one or more cookies stored in the application firewall session data on the first core.
  - 13. The method of claim 12, further comprising generating, by the second application firewall module, new signature cookies if a response to the request from the server includes cookies in the set-cookie header.

14. A system for processing application firewall checks in a multi-core intermediary device, the method comprising:
- a first application firewall module executing on a first core of a multi-core intermediary device storing application firewall session data to memory accessible by the first core, the first core establishing a session for a user;
  
  a second application firewall module executing on a second core of the multi-core intermediary device receiving a request from the user via the session, the request comprising a session identifier identifying the first core as establishing the session;
  
  the second application firewall module determining to perform on the request a security check of a plurality of security checks;
  
  the second application firewall module communicating a first portion of the request corresponding to the security check to the first core identified by the session identifier;
  
  the second application firewall module receiving from the first core a result of the security check performed by the first core on the first portion of the request using the stored application firewall session data.
- View Dependent Claims (15, 16, 17, 18, 19, 20, 21, 22, 23, 24, 25, 26)
- - 15. The system of claim 14, wherein step (b) further comprises receiving, the request comprising a uniform resource locator (URL) and wherein step (c) further comprises determining, by the second application firewall module, to perform a URL closure check as the security check, the URL closure check verifying whether or not the URL has previously traversed the intermediary device.
  - 16. The system of claim 15, wherein step (d) further comprises communicating, the URL to the first core to perform the URL closure check and wherein step (e) further comprises, the second application firewall module receiving as the result one of a pass or fail of the URL closure check.
  - 17. The system of claim 14, wherein step (b) further comprises receiving, the request comprising one or more cookies and wherein step (c) further comprises determining, by the second application firewall module, to perform a cookie consistency check as the security check, the cookie consistency check verifying whether or not a cookie is part of the session.
  - 18. The system of claim 17, wherein step (d) further comprises communicating the one or more cookies to the first core to perform the cookie consistency check and wherein step (e) further comprises, the second application firewall module receiving as the result an indicator of a cookie of the one or more cookies not in the session.
  - 19. The system of claim 18, further comprises dropping by the second application firewall module the cookie from the session.
  - 20. The system of claim 14, wherein step (b) further comprises receiving the request comprising a form and wherein step (c) further comprises determining, by the second application firewall module, to perform a form field consistency check as the security check, the form field consistency check verifying whether or not the form was modified.
  - 21. The system of claim 20, wherein step (d) further comprises determining the form is tagged with a form identifier and communicating by the second application firewall module a second request to the first core for information on the form to perform the form field consistency check.
  - 22. The system of claim 21, wherein step (e) further comprises receiving from the first core a form data structure for performing by the second application firewall data the form field consistency check instead of the first core.
  - 23. The system of claim 20, wherein step (d) further comprises determining the form is not tagged with a form identifier and communicating by the second application firewall module a data structure for the form.
  - 24. The system of claim 22, wherein step (e) further comprises receiving from the first core the result of the form field consistency check.
  - 25. The system of claim 14, further comprising receiving by the second application firewall module from the first core one or more cookies stored in the application firewall session data on the first core.
  - 26. The system of claim 25, further comprising generating, by the second application firewall module, new signature cookies if a response to the request from the server includes cookies in the set-cookie header.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Citrix Systems, Inc. (Cloud Software Group)
Original Assignee
Citrix Systems, Inc. (Cloud Software Group)
Inventors
Chauhan, Abhishek, Mirani, Rajiv, Anderson, Craig, Reddy, Anoop

Granted Patent

US 8,438,626 B2
Time in Patent Office

Days
Field of Search
US Class Current

726/11
CPC Class Codes

G06F 21/41   where a single sign-on prov...

G06F 9/54   Interprogram communication

H04L 63/0236   Filtering by address, proto...

H04L 63/0272   Virtual private networks

SYSTEMS AND METHODS FOR PROCESSING APPLICATION FIREWALL SESSION INFORMATION ON OWNER CORE IN MULTIPLE CORE SYSTEM

First Claim

8 Assignments

0 Petitions

Accused Products

Abstract

Citations

26 Claims

Specification

Solutions

Use Cases

Quick Links

SYSTEMS AND METHODS FOR PROCESSING APPLICATION FIREWALL SESSION INFORMATION ON OWNER CORE IN MULTIPLE CORE SYSTEM

First Claim

8 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

Citations

26 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links