SYSTEM AND METHOD FOR REDIRECTED FIREWALL DISCOVERY IN A NETWORK ENVIRONMENT

US 20130097658A1
Filed: 10/17/2011
Published: 04/18/2013
Est. Priority Date: 10/17/2011
Status: Active Grant

First Claim

Patent Images

1. A method, comprising:

receiving metadata from a host over a metadata channel;

intercepting a network flow from the host; and

correlating the metadata with the network flow to apply a network policy to the network flow.

View all claims

10 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

A method is provided in one example embodiment that includes receiving metadata from a host over a metadata channel. The metadata may be correlated with a network flow and a network policy may be applied to the connection. In other embodiments, a network flow may be received from a host without metadata associated with the flow, and a discovery redirect may be sent to the host. Metadata may then be received and correlated with the flow to identify a network policy action to apply to the flow.

61 Citations

23 Claims

1. A method, comprising:
- receiving metadata from a host over a metadata channel;
  
  intercepting a network flow from the host; and
  
  correlating the metadata with the network flow to apply a network policy to the network flow.
- View Dependent Claims (2)
- - 2. The method of claim 1, wherein the metadata channel uses a Datagram Transport Layer Security protocol.

3. A method, comprising:
- intercepting a network flow from a source node;
  
  sending a discovery redirect to the source node;
  
  receiving metadata associated with the network flow; and
  
  correlating the metadata with the network flow to apply a network policy to the network flow.
- View Dependent Claims (4, 5, 6, 7, 8, 9, 10, 11, 12)
- - 4. The method of claim 3, wherein the discovery redirect is an Internet Control Message Protocol packet.
  - 5. The method of claim 3, wherein the discovery redirect is an Internet Control Message Protocol Destination Unreachable packet.
  - 6. The method of claim 3, wherein the discovery redirect is an Internet Control Message Protocol Destination Unreachable packet for administratively prohibited communications.
  - 7. The method of claim 3, wherein the discovery redirect comprises a hash-based message authentication code.
  - 8. The method of claim 3, wherein the discovery redirect comprises a hash-based message authentication code with a shared secret.
  - 9. The method of claim 3, wherein the discovery redirect comprises a private key encryption of a hash of the discovery redirect.
  - 10. The method of claim 3, wherein the metadata is received on a metadata channel.
  - 11. The method of claim 3, wherein the metadata is received using a Datagram Transport Layer Security protocol.
  - 12. The method of claim 3, further comprising caching a first packet in the network flow.

13. A method, comprising:
- intercepting a network flow from a source node to a destination node;
  
  identifying a firewall for managing a route to the destination node;
  
  sending metadata associated with the network flow to the firewall; and
  
  releasing the network flow.
- View Dependent Claims (14, 15, 16, 17, 18, 19, 20, 21, 22, 23)
- - 14. The method of claim 13, wherein the network flow uses a Transmission Control Protocol and intercepting the network flow comprises detecting a SYN packet from the source node.
  - 15. The method of claim 13, wherein the network flow uses an unreliable protocol and intercepting the network flow comprises caching a first packet of the flow until the metadata is sent.
  - 16. The method of claim 13, wherein the metadata is sent using a Datagram Transport Layer Security protocol.
  - 17. The method of claim 13, further comprising:
    - receiving a discovery redirect from a second firewall; and
      
      sending the metadata to the second firewall over a metadata channel.
  - 18. The method of claim 13, further comprising:
    - receiving a discovery redirect from a second firewall;
      
      updating a firewall cache to identify the second firewall for managing the route to the destination; and
      
      sending the metadata to the second firewall over a metadata channel.
  - 19. The method of claim 13, further comprisingreceiving a discovery redirect from a second firewall;
    - andsending the metadata to the second firewall using a Datagram Transport Layer Security protocol.
  - 20. The method of claim 13, further comprising:
    - receiving a discovery redirect from a second firewall;
      
      authenticating the discovery redirect with a message authentication code; and
      
      sending the metadata to the second firewall over a metadata channel.
  - 21. The method of claim 13, further comprising:
    - receiving a discovery redirect from a second firewall;
      
      authenticating the discovery redirect with a public key decryption of a hash of the discovery redirect; and
      
      sending the metadata to the second firewall over a metadata channel.
  - 22. The method of claim 13, further comprising:
    - caching a first packet in the network flow;
      
      receiving a discovery redirect from a second firewall;
      
      sending the metadata to the second firewall over a metadata channel; and
      
      sending the first packet to the second firewall.
  - 23. The method of claim 13, further comprising:
    - receiving a discovery redirect from a second firewall;
      
      updating a firewall cache to identify the second firewall for managing the route to the destination; and
      
      sending the metadata to the second firewall over a metadata channel;
      
      wherein updating the firewall cache comprises adding a new entry for the destination node with a mask length incrementally modified over a prior entry for the destination node.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
McAfee, LLC
Original Assignee
McAfee, Inc. (McAfee, LLC)
Inventors
Cooper, Geoffrey, Green, Michael W., Guzik, John Richard

Granted Patent

US 8,713,668 B2
Time in Patent Office

Days
Field of Search
US Class Current

726/1
CPC Class Codes

G06F 2221/2101   Auditing as a secondary aspect

H04L 43/10   Active monitoring, e.g. hea...

H04L 63/0209   Architectural arrangements,...

H04L 63/0227   Filtering policies mail mes...

H04L 63/0442   wherein the sending and rec...

SYSTEM AND METHOD FOR REDIRECTED FIREWALL DISCOVERY IN A NETWORK ENVIRONMENT

First Claim

10 Assignments

0 Petitions

Accused Products

Abstract

61 Citations

23 Claims

Specification

Solutions

Use Cases

Quick Links

SYSTEM AND METHOD FOR REDIRECTED FIREWALL DISCOVERY IN A NETWORK ENVIRONMENT

First Claim

10 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

61 Citations

23 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links