INCORPORATING NETWORK CONNECTION SECURITY LEVELS INTO FIREWALL RULES

US 20120185929A1
Filed: 03/22/2012
Published: 07/19/2012
Est. Priority Date: 05/18/2007
Status: Active Grant

First Claim

Patent Images

1. A method of regulating a transmission using a firewall enforcing a set of two or more firewall rules, the firewall evaluating the set of firewall rules sequentially in an order to determine whether the transmission should be allowed past the firewall, the method comprising:

determining whether properties of the transmission meet parameters of one firewall rule of the set of firewall rules, wherein the determining comprisesdetermining whether the properties of the transmission meet at least one first parameter of the firewall rule, anddetermining whether the properties of the transmission meet at least one second parameter of the firewall rule, the at least one second parameter relating to one or more types of connection security;

when it is determined that the properties of the transmission meet the at least one first parameter and do not meet the at least one second parameter, blocking the communication with the firewall without determining whether the properties of the transmission meet parameters of a next firewall rule of the set of firewall rules following the firewall rule in the order; and

when it is determined that the properties of the transmission meet the at least one first parameter and meet the at least one second parameter, taking an action regarding the transmission that is specified by the firewall rule.

View all claims

1 Assignment

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

Embodiments of the present invention are directed to establishing and/or implementing firewall rules that may employ parameters based on connection security levels for a connection between devices. A firewall may thus provide greater granularity of security and integrate more closely with other security methods to provide better overall security with fewer conflicts.

6 Citations

View as Search Results

20 Claims

1. A method of regulating a transmission using a firewall enforcing a set of two or more firewall rules, the firewall evaluating the set of firewall rules sequentially in an order to determine whether the transmission should be allowed past the firewall, the method comprising:
- determining whether properties of the transmission meet parameters of one firewall rule of the set of firewall rules, wherein the determining comprisesdetermining whether the properties of the transmission meet at least one first parameter of the firewall rule, anddetermining whether the properties of the transmission meet at least one second parameter of the firewall rule, the at least one second parameter relating to one or more types of connection security;
  
  when it is determined that the properties of the transmission meet the at least one first parameter and do not meet the at least one second parameter, blocking the communication with the firewall without determining whether the properties of the transmission meet parameters of a next firewall rule of the set of firewall rules following the firewall rule in the order; and
  
  when it is determined that the properties of the transmission meet the at least one first parameter and meet the at least one second parameter, taking an action regarding the transmission that is specified by the firewall rule.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9)
- - 2. The method of claim 1, further comprising:
    - when it is determined that the properties of the transmission do not meet the at least one first parameter, determining whether the properties of the transmission meet the parameters of the next firewall rule of the set of firewall rules.
  - 3. The method of claim 1, wherein taking the action specified by the firewall rule comprises allowing the transmission through the firewall.
  - 4. The method of claim 1, wherein:
    - determining whether the properties of the transmission meet the at least one first parameter of the firewall rule comprises evaluating at least one transmission characteristic of the transmission, anddetermining whether the properties of the transmission meet the at least one second parameter of the firewall rule comprises evaluating the transmission for the one or more types of connection security.
  - 5. The method of claim 4, wherein evaluating the at least one transmission characteristic comprises evaluating one or more transmission characteristics selected from a group of transmission characteristics consisting of source address, destination address, source port, destination port, protocol, data size, and source application.
  - 6. The method of claim 4, wherein determining whether the properties of the transmission meet the at least one second parameter of the firewall rule comprises determining whether the properties meet at least one connection security level, the at least one connection security level being specified as a constraint of a connection security policy regulating connections between a first device and a second device.
  - 7. The method of claim 6, wherein determining whether properties of the transmission meet the at least one connection security level comprises determining whether connection security for the transmission meets or exceeds the at least one connection security level.
  - 8. The method of claim 4, wherein evaluating the transmission for the one or more types of connection security comprises evaluating the transmission for a type of connection security selected from a group of types of connection security consisting of authentication, integrity checking, encryption, and anti-replay.
  - 9. The method of claim 8, wherein evaluating the transmission for one or more types of connection security comprises evaluating the transmission to determine, when the transmission uses a type of connection security, a level of security of the type of connection security used.

10. At least one computer-readable storage medium having encoded thereon computer-executable instructions that, when executed by at least one computer, cause the at least one computer to carry out a method of regulating a transmission using a firewall enforcing a set of two or more firewall rules, the firewall evaluating the set of firewall rules sequentially in an order to determine whether the transmission should be allowed past the firewall, the method comprising:
- determining whether properties of the transmission meet parameters of one firewall rule of the set of firewall rules, the parameters of the firewall rule comprising at least one first parameter relating to at least one transmission characteristic and at least one second parameter relating to one or more types of connection security, the determining comprising evaluating the at least one transmission characteristic of the transmission and evaluating the transmission for the one or more types of connection security;
  
  when it is determined that the at least one transmission characteristic of the transmission meets the at least one first parameter and the connection security of the transmission does not meet the at least one second parameter,determining whether the firewall rule indicates that the transmission should be blocked when the at least one first parameter is met and the at least one second parameter is not met, andwhen the firewall rule indicates that the transmission should be blocked when the at least one second parameter is not met, blocking the communication with the firewall without determining whether the properties of the transmission meet parameters of a next firewall rule of the set of firewall rules following the firewall rule in the order; and
  
  when it is determined that the properties of the transmission meet the at least one first parameter and meet the at least one second parameter, taking an action regarding the transmission that is specified by the firewall rule.
- View Dependent Claims (11, 12, 13, 14, 15)
- - 11. The at least one computer-readable storage medium of claim 10, wherein the method further comprises:
    - when it is determined that the at least one transmission characteristic of the transmission does not meet the at least one first parameter, determining whether the properties of the transmission meet the parameters of the next firewall rule of the set of firewall rules.
  - 12. The at least one computer-readable storage medium of claim 10, wherein evaluating the at least one transmission characteristic of the transmission comprises evaluating one or more transmission characteristics selected from a group of transmission characteristics consisting of source address, destination address, source port, destination port, protocol, data size, and source application.
  - 13. The at least one computer-readable storage medium of claim 10, wherein determining whether the connection security of the transmission meets the at least one second parameter of the firewall rule comprises determining whether the connection security meets at least one connection security level, the at least one connection security level being specified as a constraint of a connection security policy regulating connections between a first device and a second device.
  - 14. The at least one computer-readable storage medium of claim 10, wherein evaluating the transmission for one or more types of connection security comprises evaluating the transmission to determine, when the transmission uses a type of connection security, a level of security of the type of connection security used.
  - 15. The at least one computer-readable storage medium of claim 10, wherein determining whether the firewall rule indicates that the transmission should be blocked comprises determining whether a parameter of the firewall rule indicates that the transmission should be blocked when the at least one first parameter is met and the at least one second parameter is not met.

16. An apparatus comprising:
- at least one processor; and
  
  at least one computer-readable storage medium having encoded thereon processor-executable instructions that, when executed by the at least one processor, cause the at least one computer to carry out a method of regulating a transmission using a firewall enforcing a set of two or more firewall rules, the firewall evaluating the set of firewall rules sequentially in an order to determine whether the transmission should be allowed past the firewall, the method comprising;
  
  determining whether properties of the transmission meet parameters of one firewall rule of the set of firewall rules, wherein the determining comprisesdetermining whether the properties meet at least one first parameter of the firewall rule, anddetermining whether the properties meet at least one second parameter of the firewall rule, the at least one second parameter relating to one or more types of connection security;
  
  when it is determined that the properties of the transmission meet the at least one first parameter and do not meet the at least one second parameter,determining whether the transmission should be blocked when the at least one first parameter is met and the at least one second parameter is not met, andwhen the transmission should be blocked when the at least one second parameter is not met, blocking the communication with the firewall without determining whether the properties of the transmission meet parameters of a next firewall rule of the set of firewall rules following the firewall rule in the order; and
  
  when it is determined that the properties of the transmission meet the at least one first parameter and meet the at least one second parameter, taking an action regarding the transmission that is specified by the firewall rule.
- View Dependent Claims (17, 18, 19, 20)
- - 17. The apparatus of claim 16, wherein determining whether the transmission should be blocked when the at least one first parameter is met and the at least one second parameter is not met comprises evaluating a configuration of the firewall, separate from the set of firewall rules, to determine whether the configuration indicates that the transmission should be blocked when the at least one first parameter is met and the at least one second parameter is not met.
  - 18. The apparatus of claim 16, wherein determining whether the transmission should be blocked when the at least one first parameter is met and the at least one second parameter is not met comprises determining whether a parameter of the firewall rule indicates that the transmission should be blocked when the at least one first parameter is met and the at least one second parameter is not met.
  - 19. The apparatus of claim 16, wherein the method further comprises:
    - when the properties of the transmission do not meet the at least one first parameter, determining whether the properties of the transmission meet the parameters of the next firewall rule of the set of firewall rules.
  - 20. The apparatus of claim 16, wherein:
    - determining whether the properties of the transmission meet the at least one first parameter of the firewall rule comprises evaluating at least one transmission characteristic of the transmission, anddetermining whether the properties of the transmission meet the at least one second parameter of the firewall rule comprises evaluating the transmission for the one or more types of connection security.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Microsoft Technology Licensing LLC (Microsoft Corporation)
Original Assignee
Microsoft Corporation
Inventors
Yariv, Eran, Abzarian, David, Diaz-Cuellar, Gerardo

Granted Patent

US 8,776,208 B2
Time in Patent Office

Days
Field of Search
US Class Current

726/11
CPC Class Codes

H04L 63/0227 Filtering policies mail mes...

H04L 63/126 the source of the received ...

INCORPORATING NETWORK CONNECTION SECURITY LEVELS INTO FIREWALL RULES

First Claim

1 Assignment

0 Petitions

Accused Products

Abstract

6 Citations

20 Claims

Specification

Solutions

Use Cases

Quick Links

INCORPORATING NETWORK CONNECTION SECURITY LEVELS INTO FIREWALL RULES

First Claim

1 Assignment

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

6 Citations

20 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links