Multi-layered firewall architecture
First Claim
1. A firewall framework implemented within a computer system for providing multi-layering filtering of a packet, comprising:
    a set of layer processors, wherein each layer processor in the set is associated with a respective layer within a protocol stack, each layer processor being capable of processing layer parameters for the packet being processed by the layer processor and each layer processor being further capable of forming a requesting layer that receives a packet context from another layer processor, issues a classification request that includes the layer parameters, the packet and the packet context, and modifies the packet context by adding the layer parameters; and
    a first firewall engine of a kernel mode including:
        a layer interface for receiving the classification request from the requesting layer and for returning an action to the requesting layer, a set of installed filters, and a lookup component for identifying at least one matching filter from the set of installed filters and identifying from the matching filter the action to be returned by the layer interface; and
    a second firewall engine of a user mode including:
        a filter module for replicating filtering of the packet by the first firewall engine for at least one layer processor of the user mode and installing a new filter to the set of installed filters.
2 Assignments
0 Petitions
Abstract
A method and system are provided for implementing a firewall architecture in a network device. The firewall architecture includes a plurality of network layers, a first firewall engine, and one or more callout modules. The layers send packets and packet information to the first firewall engine, maintain and pass packet context to subsequent layers, and process the packets. The first firewall engine compares the packet information to one or more installed filters and returns an action to the layers indicating how to treat the packet. The callouts provide additional functionality such as intrusion detection, logging, and parental control features.
67 Citations
38 Claims
1. A firewall framework implemented within a computer system for providing multi-layering filtering of a packet, comprising:
    a set of layer processors, wherein each layer processor in the set is associated with a respective layer within a protocol stack, each layer processor being capable of processing layer parameters for the packet being processed by the layer processor and each layer processor being further capable of forming a requesting layer that receives a packet context from another layer processor, issues a classification request that includes the layer parameters, the packet and the packet context, and modifies the packet context by adding the layer parameters; and
    a first firewall engine of a kernel mode including:
        a layer interface for receiving the classification request from the requesting layer and for returning an action to the requesting layer, a set of installed filters, and a lookup component for identifying at least one matching filter from the set of installed filters and identifying from the matching filter the action to be returned by the layer interface; and
    a second firewall engine of a user mode including:
        a filter module for replicating filtering of the packet by the first firewall engine for at least one layer processor of the user mode and installing a new filter to the set of installed filters.
Dependent claims: 2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12.

13. A method of communicating between a first layer process and a firewall process in an operating system, comprising the steps of:
    selecting a first layer process and a firewall process of a kernel mode of the operating system, wherein communication between the first layer process and the firewall process of the kernel mode is replicated by communication between a first layer process and a firewall process of a user mode of the operating system;
    issuing, by the first layer process, a classify call having a plurality of parameters comprising a protocol packet, at least one layer parameter, and a packet context received from a second layer process;
    receiving, by the firewall process of the kernel mode, the classify call;
    identifying, by the firewall process of the kernel mode, at least one matching filter from a set of installed filters, wherein filters are installed to the set of installed filters by the firewall process of the user mode, wherein the firewall process of the kernel mode uses the at least one layer parameter and the packet context to identify the at least one matching filter, and wherein the packet context includes at least one entry including a layer identification field identifying the first layer process and the at least one layer parameter, and a value including the at least one layer parameter; and
    issuing, by the firewall process of the kernel mode, an action identified from the at least one matching filter using the at least one layer parameter.
Dependent claims: 14, 15.

16. A method of communicating between a firewall process and a callout process in an operating system, comprising the steps of:
    selecting a firewall process and a callout process of a kernel mode of the operating system;
    issuing, by the firewall process of the kernel mode, a classify call having a plurality of parameters comprising a protocol packet, at least one layer parameter, a packet context, and a matching filter identification, wherein the matching filter is identified from a set of filters installed by a firewall process of a user mode of the operating system, and wherein the packet context includes at least one entry including a layer identification field identifying the firewall process and the at least one layer parameter, and a value including the at least one layer parameter;
    receiving, by the callout process, the classify call;
    performing, by the callout process, a programmed function on the protocol packet; and
    issuing, by the callout process, an action identified from the plurality of parameters in the classify call.
Dependent claims: 17, 18, 19, 20, 21, 22.

23. A computer-readable medium encoded with computer-readable instructions for facilitating a firewall framework implemented within a computer system for providing multi-layering filtering of a packet, comprising:
    a set of layer processors, wherein each layer processor in the set is associated with a respective layer within a protocol stack, each layer processor being capable of processing layer parameters for the packet being processed by the layer processor and each layer processor being further capable of forming a requesting layer that receives a packet context from a previous layer processor, issues a classification request that includes the layer parameters, the packet and the packet context, and modifies the packet context by adding the layer parameters; and
    a first firewall engine of an operating system kernel mode including:
        a layer interface for receiving the classification request from the requesting layer and for returning an action to the requesting layer, a set of installed filters, and a lookup component for identifying at least one matching filter from the set of installed filters and identifying from the matching filter the action to be returned by the layer interface; and
    a second firewall engine of an operating system user mode including:
        a filter module for replicating filtering of the packet by the first firewall engine for at least one layer processor of the operating system user mode and installing a new filter to the set of installed filters.
Dependent claims: 24, 25, 26, 27.

28. A computer-readable medium encoded with computer-readable instructions for communicating between a first layer process and a firewall process in an operating system, comprising the steps of:
    selecting a first layer process and a firewall process of a kernel mode of the operating system, wherein communication between the first layer process and the firewall process of the kernel mode is replicated by communication between a first layer process and a firewall process of a user mode of the operating system;
    issuing, by the first layer process, a classify call having a plurality of parameters comprising a protocol packet, at least one layer parameter, and a packet context received from a second layer process;
    receiving, by the firewall process of the kernel mode, the classify call;
    identifying, by the firewall process of the kernel mode, at least one matching filter from a set of installed filters, wherein filters are installed to the set of installed filters by the firewall process of the user mode, wherein the firewall process of the kernel mode uses the at least one layer parameter and the packet context to identify the at least one matching filter, and wherein the packet context includes at least one entry including a layer identification field identifying the first layer process and the at least one layer parameter, and a value including the at least one layer parameter; and
    issuing, by the firewall process of the kernel mode, an action identified from the at least one matching filter using the at least one layer parameter.
Dependent claims: 29, 30.

31. A computer-readable medium encoded with computer-executable instructions for communicating between a firewall process and a callout process in an operating system, comprising the steps of:
    selecting a firewall process and a callout process of a kernel mode of the operating system;
    issuing, by the firewall process of the kernel mode, a classify call having a plurality of parameters comprising a protocol packet, at least one layer parameter, a packet context, and a matching filter identification, wherein the matching filter is identified from a set of filters installed by a firewall process of a user mode of the operating system, and wherein the packet context includes at least one entry including a layer identification field identifying the firewall process and the at least one layer parameter, and a value including the at least one layer parameter;
    receiving, by the callout process, the classify call;
    performing, by the callout process, a programmed function on the protocol packet; and
    issuing, by the callout process, an action identified from the plurality of parameters in the classify call.
Dependent claims: 32, 33.

34. A functional interface implemented as at least one layer interface and/or at least one callout interface for allowing a requesting layer to obtain a policy for a packet, either directly from a firewall engine or from a callout through the firewall engine, the requesting layer being one of a plurality of layers within a protocol stack, comprising a classify method, comprising:
    the packet received by the requesting layer;
    a set of parameters associated with the packet, the set of parameters including data processed by the requesting layer;
    a packet context received by the requesting layer from another layer of the plurality of layers, wherein the packet context includes at least one entry including a layer identification field identifying the another layer and at least one parameter from the set of parameters, and a value including at least one parameter from the set of parameters; and
    an action to be returned to the requesting layer identifying a first policy to be applied to the packet, wherein the action is returned by the firewall engine comprising a firewall engine of a kernel mode of an operating system and/or a firewall engine of a user mode of the operating system, and wherein the policy is identified from a set of filters installed by the firewall process of the user mode.
Dependent claims: 35, 36, 37, 38.
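The abstract and claims 1, 13 and 16 describe one flow: a layer processor issues a classify call carrying the packet, its own layer parameters and the packet context built by earlier layers; the kernel-mode engine matches that call against filters installed by the user-mode engine and returns an action, or hands the call to a callout that performs a programmed function and issues the action itself. The following Python simulation of that flow is an added example, not code from the patent or any implementation of it. The class and function names, the default-permit policy when no filter matches, the highest-weight-wins tie-break among matching filters, the sample filters and the sample packets are all assumptions constructed for the demonstration.

```python
"""Simulation of the multi-layer firewall framework: layer processors, a
packet context of (layer id, parameter, value) entries, a kernel-mode engine
holding the installed filters and a lookup component, a user-mode engine that
installs filters, and a logging callout.  All names and policies are assumed."""
from dataclasses import dataclass

PERMIT, BLOCK, CALLOUT = "permit", "block", "callout"


@dataclass(frozen=True)
class ContextEntry:
    """One packet-context entry: the layer that produced it, the parameter, its value."""
    layer_id: str
    parameter: str
    value: object


@dataclass
class Filter:
    filter_id: int
    layer_id: str          # layer whose classify requests this filter applies to
    conditions: dict       # (layer_id, parameter) -> required value
    action: str            # PERMIT, BLOCK or CALLOUT
    weight: int = 0        # assumed tie-break: highest weight wins
    callout_id: str = None


class LoggingCallout:
    """Callout whose programmed function is logging; it then issues an action."""
    def __init__(self):
        self.log = []

    def classify(self, packet, layer_id, layer_params, context, filter_id):
        self.log.append((layer_id, filter_id, dict(layer_params)))
        return PERMIT       # assumed: this callout only observes


class KernelFirewallEngine:
    """Kernel-mode engine: layer interface, installed filters and lookup component."""
    def __init__(self):
        self.filters = []
        self.callouts = {}

    def register_callout(self, callout_id, callout):
        self.callouts[callout_id] = callout

    def _matches(self, flt, layer_id, layer_params, context):
        if flt.layer_id != layer_id:
            return False
        # The lookup sees this layer's parameters plus every context entry
        # contributed by earlier layers (claim 13).
        visible = {(layer_id, k): v for k, v in layer_params.items()}
        visible.update({(e.layer_id, e.parameter): e.value for e in context})
        return all(visible.get(key) == val for key, val in flt.conditions.items())

    def classify(self, layer_id, packet, layer_params, context):
        """Layer interface: receive a classify request, return an action."""
        matches = [f for f in self.filters
                   if self._matches(f, layer_id, layer_params, context)]
        if not matches:
            return PERMIT                       # assumed default policy
        best = max(matches, key=lambda f: f.weight)
        if best.action == CALLOUT:              # delegate to the callout (claim 16)
            callout = self.callouts[best.callout_id]
            return callout.classify(packet, layer_id, layer_params, context, best.filter_id)
        return best.action


class UserModeFirewallEngine:
    """User-mode engine: installs new filters into the kernel engine's set."""
    def __init__(self, kernel_engine):
        self.kernel = kernel_engine

    def install_filter(self, flt):
        self.kernel.filters.append(flt)


class LayerProcessor:
    """One protocol-stack layer: extracts its parameters, classifies, extends context."""
    def __init__(self, layer_id, parameter_names):
        self.layer_id = layer_id
        self.parameter_names = parameter_names

    def process(self, engine, packet, context):
        layer_params = {name: packet[name] for name in self.parameter_names}
        action = engine.classify(self.layer_id, packet, layer_params, context)
        new_context = context + [ContextEntry(self.layer_id, k, v)
                                 for k, v in layer_params.items()]
        return action, new_context


def run_stack(engine, layers, packet):
    """Pass a packet through the layers; stop at the first BLOCK."""
    context = []
    for layer in layers:
        action, context = layer.process(engine, packet, context)
        if action == BLOCK:
            return BLOCK, context
    return PERMIT, context


def build_demo():
    """Constructed sample configuration: two layers, two filters, one callout."""
    kernel = KernelFirewallEngine()
    user = UserModeFirewallEngine(kernel)
    logger = LoggingCallout()
    kernel.register_callout("log", logger)
    # Transport-layer filter that also consults the IP layer's context entry.
    user.install_filter(Filter(1, "transport", {("transport", "dst_port"): 23,
                                                ("ip", "src_ip"): "10.0.0.5"}, BLOCK, weight=10))
    # IP-layer filter that hands matching packets to the logging callout.
    user.install_filter(Filter(2, "ip", {("ip", "dst_ip"): "192.0.2.10"},
                               CALLOUT, weight=1, callout_id="log"))
    layers = [LayerProcessor("ip", ["src_ip", "dst_ip"]),
              LayerProcessor("transport", ["protocol", "dst_port"])]
    return kernel, layers, logger
```

The point worth noticing is in `_matches`: the transport-layer filter cannot see IP addresses in its own layer parameters, so it matches on the `("ip", "src_ip")` entry that the IP layer processor appended to the packet context before issuing the next classify call. This is exactly why the claims require each requesting layer to extend the context rather than start a fresh one.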
Specification