Multi-layer based method for implementing network firewalls
Abstract
A method is provided for implementing a firewall in a firewall architecture. The firewall architecture includes a plurality of network layers and a first firewall engine. The layers send packets and packet information to the first firewall engine, maintain and pass packet context to subsequent layers, and process the packets. The first firewall engine compares the packet information to one or more installed filters and returns an action to the layers indicating how to treat the packet.
28 Claims
1. A method for implementing a firewall policy at a requesting stage, the requesting stage being a first stage from a plurality of stages in a firewall framework, the firewall framework further including a firewall engine having a plurality of installed filters, comprising:
- receiving, by the requesting stage, a packet from a second stage from the plurality of stages;
- identifying, by the requesting stage, a set of parameters associated with the packet;
- issuing a classify call including the set of parameters associated with the packet;
- receiving, in response to the classify call, an action according to the firewall policy designated by at least one of the plurality of the installed filters; and
- if the action is an instruction to allow the packet to continue network traversal, processing the packet according to a protocol implemented by the requesting stage and sending the packet to a third stage from the plurality of stages.
Dependent claims: 2, 3, 4, 5, 6, 7, 8, 9.
10. A method for implementing a firewall policy in a firewall engine comprising a set of installed filters, the installed filters each comprising a set of filter conditions and an associated action, comprising:
- receiving from a requesting layer a set of packet parameters including first packet information associated with the requesting layer and second packet information associated with a packet context data structure;
- identifying a set of matching filters, each filter in the set of matching filters having filter conditions corresponding to the packet parameters;
- identifying the associated action from at least one of the matching filters; and
- if the associated action is an instruction to allow the packet to continue network traversal or an instruction to disallow the packet to continue network traversal, returning the associated action to the requesting layer.
Dependent claims: 11, 12, 13, 14, 15.
16. A method for permitting network communication between an initiating network device and a responding network device, the responding network device including a firewall for preventing unsolicited network communications, comprising:
- receiving, by the responding network device, an inbound packet from the initiating network device;
- determining whether the inbound packet is an authentication request;
- if the inbound packet is the authentication request, conducting a key negotiation between the initiating network device and the responding network device according to a key negotiation protocol and, if the key negotiation is successful, creating a firewall filter that permits inbound packets sent from the initiating network device that conform to the key negotiation protocol; and
- if the inbound packet is not the authentication request, determining whether the initiating network device has been previously authenticated and, if the initiating network device has been previously authenticated, permitting the inbound packet.
Dependent claims: 17, 18, 19.
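Claims 1, 10 and 16 together describe one mechanism: each layer (stage) identifies its own packet parameters and issues a classify call; the firewall engine answers by matching installed filters (conditions plus an action) against those parameters merged with the packet context carried up from earlier layers; and, in claim 16, a successful key negotiation installs a new filter that lets the authenticated initiator through the unsolicited-inbound block. The Python model below is an added example written for this page, not code from the patent or from any product implementing it. Everything in it is an assumption: packets as plain dicts, a three-layer stack, default deny when no filter matches, highest-weight-wins among matching filters, UDP/500 as the negotiation port, "esp" as the name of the negotiated protocol, and a pre-shared-key lookup standing in for the key negotiation protocol.

```python
from dataclasses import dataclass
from typing import Any, Callable, Dict, List, Tuple

PERMIT, BLOCK = "permit", "block"
Packet = Dict[str, Any]             # assumption: a packet is a plain dict of header fields


@dataclass
class Filter:
    layer: str                      # requesting layer this filter is installed for
    conditions: Dict[str, Any]      # parameter name -> required value; all must match
    action: str                     # PERMIT or BLOCK
    weight: int = 0                 # among matching filters the highest weight wins (assumption)


class FirewallEngine:
    """Claim 10: a set of installed filters answering classify calls."""

    def __init__(self, default_action: str = BLOCK):
        self.filters: List[Filter] = []
        self.default_action = default_action   # assumption: default deny when nothing matches

    def install(self, flt: Filter) -> None:
        self.filters.append(flt)

    def classify(self, layer: str, params: Dict[str, Any], context: Dict[str, Any]) -> str:
        # "first packet information" (the requesting layer's own parameters) merged with
        # "second packet information" (the context accumulated by earlier layers)
        view = {**context, **params}
        matching = [f for f in self.filters if f.layer == layer
                    and all(view.get(k) == v for k, v in f.conditions.items())]
        if not matching:
            return self.default_action
        return max(matching, key=lambda f: f.weight).action


@dataclass
class Stage:
    """Claim 1: a layer that identifies its parameters and issues a classify call."""
    name: str
    extract: Callable[[Packet], Dict[str, Any]]


class FirewallFramework:
    def __init__(self, engine: FirewallEngine, stages: List[Stage]):
        self.engine, self.stages = engine, stages

    def receive(self, packet: Packet) -> Tuple[str, Dict[str, Any]]:
        """Pass an inbound packet up the stack; returns (action, packet context)."""
        context: Dict[str, Any] = {}
        for stage in self.stages:
            params = stage.extract(packet)
            action = self.engine.classify(stage.name, params, context)
            if action != PERMIT:
                return BLOCK, {"dropped_at": stage.name, **context}
            context.update(params)          # packet context is handed to the next layer
        return PERMIT, context


# ---- claim 16: let an authenticated peer through the unsolicited-inbound block ----
NEGOTIATION_PORT = 500                       # assumption: authentication requests arrive on UDP/500


def negotiate_keys(packet: Packet, psk_table: Dict[str, bytes]) -> bool:
    """Stand-in for the key negotiation protocol (constructed, not a real key exchange):
    the initiator succeeds only if it presents the pre-shared key registered for its address."""
    return psk_table.get(packet["src"]) == packet.get("payload")


def responder_inbound(fw: FirewallFramework, packet: Packet, psk_table: Dict[str, bytes]) -> str:
    action, _ = fw.receive(packet)           # every inbound packet is classified layer by layer
    if action != PERMIT:
        return BLOCK                         # unsolicited and not previously authenticated
    if packet["proto"] == "udp" and packet.get("dport") == NEGOTIATION_PORT:   # authentication request
        if not negotiate_keys(packet, psk_table):
            return BLOCK
        # success: install a filter permitting this initiator's packets that conform to the
        # negotiated protocol (modelled as proto "esp"); src is matched against the network
        # layer's context, proto against the transport layer's own parameters
        fw.engine.install(Filter("transport", {"src": packet["src"], "proto": "esp"}, PERMIT, weight=10))
    return PERMIT


def build_responder() -> FirewallFramework:
    engine = FirewallEngine()
    engine.install(Filter("link", {}, PERMIT))        # nothing to decide at the link layer
    engine.install(Filter("network", {}, PERMIT))
    engine.install(Filter("transport", {"proto": "udp", "dport": NEGOTIATION_PORT}, PERMIT))
    stages = [
        Stage("link", lambda p: {"iface": p["iface"]}),
        Stage("network", lambda p: {"src": p["src"], "dst": p["dst"]}),
        Stage("transport", lambda p: {"proto": p["proto"], "dport": p.get("dport")}),
    ]
    return FirewallFramework(engine, stages)


def demo() -> List[str]:
    """Constructed traffic: unsolicited data, a good negotiation, data again, then a stranger."""
    fw = build_responder()
    psk = {"10.0.0.5": b"constructed-psk"}
    data = {"iface": "eth0", "src": "10.0.0.5", "dst": "10.0.0.1", "proto": "esp"}
    auth = {**data, "proto": "udp", "dport": NEGOTIATION_PORT, "payload": b"constructed-psk"}
    stranger = {**data, "src": "10.0.0.9"}
    return [responder_inbound(fw, p, psk) for p in (data, auth, data, stranger)]


if __name__ == "__main__":
    print(demo())      # ['block', 'permit', 'permit', 'block']
```

The first data packet is dropped at the transport stage because the only transport filter admits the negotiation port; after the negotiation succeeds, the per-initiator filter's conditions span two layers (`src` learned at the network stage and read from the context, `proto` from the transport stage's own parameters), which is the reason claim 10 has the engine match filters against the requesting layer's parameters and the packet context together. A failed negotiation installs nothing, so the same initiator stays blocked.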
20. A computer-readable medium for executing computer-readable instructions for implementing a firewall policy at a requesting stage, the requesting stage being a first stage from a plurality of stages in a firewall framework, the firewall framework further including a firewall engine having a plurality of installed filters, comprising:
- receiving, by the requesting stage, a packet from a second stage from the plurality of stages;
- identifying, by the requesting stage, a set of parameters associated with the packet;
- issuing a classify call including the set of parameters associated with the packet;
- receiving, in response to the classify call, an action according to the firewall policy designated by at least one of the plurality of the installed filters; and
- if the action is an instruction to allow the packet to continue network traversal, processing the packet according to a protocol implemented by the requesting stage and sending the packet to a third stage from the plurality of stages.
Dependent claims: 21, 22.
23. A computer-readable medium for executing computer-readable instructions for implementing a firewall policy in a firewall engine comprising a set of installed filters, the installed filters each comprising a set of filter conditions and an associated action, comprising:
- receiving from a requesting layer a set of packet parameters including first packet information associated with the requesting layer and second packet information associated with a packet context data structure;
- identifying a set of matching filters, each filter in the set of matching filters having filter conditions corresponding to the packet parameters;
- identifying the associated action from at least one of the matching filters; and
- if the associated action is an instruction to allow the packet to continue network traversal or an instruction to disallow the packet to continue network traversal, returning the associated action to the requesting layer.
Dependent claims: 24, 25.
26. A computer-readable medium for executing computer-readable instructions for permitting network communication between an initiating network device and a responding network device, the responding network device including a firewall for preventing unsolicited network communications, comprising:
- receiving, by the responding network device, an inbound packet from the initiating network device;
- determining whether the inbound packet is an authentication request;
- if the inbound packet is the authentication request, conducting a key negotiation between the initiating network device and the responding network device according to a key negotiation protocol and, if the key negotiation is successful, creating a firewall filter that permits inbound packets sent from the initiating network device that conform to the key negotiation protocol; and
- if the inbound packet is not the authentication request, determining whether the initiating network device has been previously authenticated and, if the initiating network device has been previously authenticated, permitting the inbound packet.
Dependent claims: 27, 28.
Specification