Multi-layered firewall architecture

US 7,509,673 B2
Filed: 06/06/2003
Issued: 03/24/2009
Est. Priority Date: 06/06/2003
Status: Expired due to Fees

First Claim

Patent Images

1. A firewall framework implemented within a computer system for providing multi-layering filtering of a packet, comprising:

a set of layer processors, wherein each layer processor in the set is associated with a respective layer within a protocol stack, each layer processor being capable of processing layer parameters for the packet being processed by the layer processor and each layer processor being further capable of forming a requesting layer that receives a packet context from another layer processor, issues a classification request that includes the layer parameters, the packet and the packet context, and modifies the packet context by adding the layer parameters; and

a first firewall engine of a kernel mode including;

a layer interface for receiving the classification request from the requesting layer and for returning an action to the requesting layer,a set of installed filters, anda lookup component for identifying at least one matching filter from the set of installed filters and identifying from the matching filter the action to be returned by the layer interface; and

a second firewall engine of a user mode including;

a filter module for replicating filtering of the packet by the first firewall engine for at least one layer processor of the user mode and installing a new filter to the set of installed filters.

View all claims

2 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

A method and system are provided for implementing a firewall architecture in a network device. The firewall architecture includes a plurality of network layers, a first firewall engine, and one or more callout modules. The layers send packets and packet information to the first firewall engine, maintain and pass packet context to subsequent layers, and process the packets. The first firewall engine compares the packet information to one or more installed filters and returns an action to the layers indicating how to treat the packet. The callouts provide additional functionality such as intrusion detection, logging, and parental control features.

67 Citations

View as Search Results

38 Claims

1. A firewall framework implemented within a computer system for providing multi-layering filtering of a packet, comprising:
- a set of layer processors, wherein each layer processor in the set is associated with a respective layer within a protocol stack, each layer processor being capable of processing layer parameters for the packet being processed by the layer processor and each layer processor being further capable of forming a requesting layer that receives a packet context from another layer processor, issues a classification request that includes the layer parameters, the packet and the packet context, and modifies the packet context by adding the layer parameters; and
  
  a first firewall engine of a kernel mode including;
  
  a layer interface for receiving the classification request from the requesting layer and for returning an action to the requesting layer,a set of installed filters, anda lookup component for identifying at least one matching filter from the set of installed filters and identifying from the matching filter the action to be returned by the layer interface; and
  
  a second firewall engine of a user mode including;
  
  a filter module for replicating filtering of the packet by the first firewall engine for at least one layer processor of the user mode and installing a new filter to the set of installed filters.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12)
- - 2. The firewall framework of claim 1, wherein the lookup component further uses the packet context for identifying the at least one matching filter.
  - 3. The firewall framework of claim 2, wherein the firewall engine further comprises:
    - a callout interface for sending the layer parameters, the packet context, and the packet to a callout, wherein the callout analyzes the packet and returns the action to the firewall engine.
  - 4. The firewall framework of claim 2, wherein the requesting layer passes the packet context to a next layer.
  - 5. The firewall framework of claim 1 of the user mode, further comprising:
    - a policy provider for establishing the new filter.
  - 6. The firewall framework of claim 1, wherein each of the installed filters comprises:
    - a filter condition including a type-data pair, the type defining the size of the data and the data including a filter parameter, and the action.
  - 7. The firewall framework of claim 6, wherein the filter parameter includes a range of values.
  - 8. The firewall framework of claim 6, wherein the filter comprises a weight factor defining a priority of the filter.
  - 9. The firewall framework of claim 1, wherein the set of layer processors further comprises:
    - a link layer having layer parameters including an interface number and source and destination MAC addresses;
      
      an network layer having layer parameters including a source and destination IP address;
      
      a transport layer having layer parameters including source and destination ports; and
      
      an application layer having layer parameters including a stream of data.
  - 10. The firewall framework of claim 9, wherein the network layer is further divided into a fragment layer and a fully assembled layer, the fragment layer processing IP packet fragments and the frilly assembled layer processing complete IP packets, each of the fragment layer and the fully assembled layer issuing the classify request.
  - 11. The firewall framework of claim 1, wherein the set of layer processors of the kernel mode includes an application layer having layer parameters.
  - 12. The firewall framework of claim 1, wherein the first firewall engine executes in an operating system user mode.

13. A method of communicating between a first layer process and a firewall process in an operating system, comprising the steps of:
- selecting a first layer process and a firewall process of a kernel mode of the operating system, wherein communication between the first layer process and the firewall process of the kernel mode is replicated by communication between a first layer process and a firewall process of a user mode of the operating system;
  
  issuing, by the first layer process, a classify call having a plurality of parameters comprising a protocol packet, at least one layer parameter, and a packet context received from a second layer process;
  
  receiving, by the firewall process of the kernel mode, the classify call;
  
  identifying, by the firewall process of the kernel mode, at least one matching filter from a set of installed filters, wherein filters are installed to the set of installed filters by the firewall process of the user mode, wherein the firewall process of the kernel mode uses the at least one layer parameter and the packet context to identify the at least one matching filter, and wherein the packet context includes at least one entry including a layer identification field identifying the first layer process and the at least one layer parameter, and a value including the at least one layer parameter; and
  
  issuing, by the firewall process of the kernel mode, an action identified from the at least one matching filter using the at least one layer parameter.
- View Dependent Claims (14, 15)
- - 14. The method of claim 13, wherein the first layer process is a new process, further comprising:
    - issuing, by the first layer process, an add layer call.
  - 15. The method of claim 13, wherein the first layer process is an existing process, further comprising:
    - issuing, by the first layer process, a delete layer call.

16. A method of communicating between a firewall process and a callout process in an operating system, comprising the steps of:
- selecting a firewall process and a callout process of a kernel mode of the operating system;
  
  issuing, by the firewall process of the kernel mode, a classify call having a plurality of parameters comprising a protocol packet, at least one layer parameter, a packet context, and a matching filter identification, wherein the matching filter is identified from a set of filters installed by a firewall process of a user mode of the operating system, and wherein the packet context includes at least one entry including a layer identification field identifying the firewall process and the at least one layer parameter, and a value including the at least one layer parameter;
  
  receiving, by the callout process, the classify call;
  
  performing, by the callout process, a programmed function on the protocol packet; and
  
  issuing, by the callout process, an action identified from the plurality of parameters in the classify call.
- View Dependent Claims (17, 18, 19, 20, 21, 22)
- - 17. The method of claim 16, wherein the callout process is a parental control module maintaining a cache of acceptable resource location, further comprising:
    - examining the packet to identify a resource location and comparing the resource location to the acceptable locations.
  - 18. The method of claim 17, wherein the action issued by the callout process is block and the protocol packet is prevented from network traversal.
  - 19. The method of claim 17, wherein the action issued by the callout process is permit and the protocol packet is permitted to further traverse the network.
  - 20. The method of claim 16, wherein the callout process is a logging module, further comprising storing in a memory the protocol packet.
  - 21. The method of claim 16, wherein the callout process is a security module, further comprising:
    - determining, by the security module, that the protocol packet is required to conform to a security protocol;
      
      verifying that the protocol packet conforms to the security protocol.
  - 22. The method of claim 21, wherein the security protocol is an IPSec security protocol.

23. A computer-readable medium encoded with computer-readable instructions for facilitating a firewall framework implemented within a computer system for providing multi-layering filtering of a packet, comprising:
- a set of layer processors, wherein each layer processor in the set is associated with a respective layer within a protocol stack, each layer processor being capable of processing layer parameters for the packet being processed by the layer processor and each layer processor being further capable of forming a requesting layer that receives a packet context from a previous layer processor, issues a classification request that includes the layer parameters, the packet and the packet context, and modifies the packet context by adding the layer parameters; and
  
  a first firewall engine of an operating system kernel mode including;
  
  a layer interface for receiving the classification request from the requesting layer and for returning an action to the requesting layer,a set of installed filters, anda lookup component for identifying at least one matching filter from the set of installed filters and identifying from the matching filter the action to be returned by the layer interface; and
  
  a second firewall engine of an operating system user mode including;
  
  a filter module for replicating filtering of the packet by the first firewall engine for at least one layer processor of the operating system user mode and installing a new filter to the set of installed filters.
- View Dependent Claims (24, 25, 26, 27)
- - 24. The computer-readable medium of claim 23, wherein the lookup component further uses the packet context for identifying the at least one matching filter.
  - 25. The computer-readable medium of claim 24, wherein the firewall engine further comprises:
    - a callout interface for sending the first layer parameters, the packet context, and the packet to a callout, wherein the callout analyzes the packet and returns the action to the firewall engine.
  - 26. The computer-readable medium of claim 24, wherein the requesting layer passes the packet context to a next layer.
  - 27. The computer-readable medium of claim 23, further comprising:
    - a policy provider for establishing the new filter.

28. A computer-readable medium encoded with computer-readable instructions for communicating between a first layer process and a firewall process in an operating system, comprising the steps of:
- selecting a first layer process and a firewall process of a kernel mode of the operating system, wherein communication between the first layer process and the firewall process of the kernel mode is replicated by communication between a first layer process and a firewall process of a user mode of the operating system;
  
  issuing, by the first layer process, a classify call having a plurality of parameters comprising a protocol packet, at least one layer parameter, and a packet context received from a second layer process;
  
  receiving, by the firewall process of the kernel mode, the classify call;
  
  identifying, by the firewall process of the kernel mode, at least one matching filter from a set of installed filters, wherein filters are installed to the set of installed filters by the firewall process of the user mode, wherein the firewall process of the kernel mode uses the at least one layer parameter and the packet context to identify the at least one matching filter, and wherein the packet context includes at least one entry including a layer identification field identifying the first layer process and the at least one layer parameter, and a value including the at least one layer parameter; and
  
  issuing, by the firewall process of the kernel mode, an action identified from the at least one matching filter using the at least one layer parameter.
- View Dependent Claims (29, 30)
- - 29. The computer-readable medium of claim 28, wherein the first layer process is a new process, further comprising:
    - issuing, by the first layer process, an add layer call.
  - 30. The computer-readable medium of claim 28, wherein the first layer process is an existing process, further comprising:
    - issuing, by the first layer process, a delete layer call.

31. A computer-readable medium encoded with computer-executable instructions for communicating between a firewall process and a callout process in an operating system, comprising the steps of:
- selecting a firewall process and a callout process of a kernel mode of the operating system;
  
  issuing, by the firewall process of the kernel mode, a classify call having a plurality of parameters comprising a protocol packet, at least one layer parameter, a packet context, and a matching filter identification, wherein the matching filter is identified from a set of filters installed by a firewall process of a user mode of the operating system, and wherein the packet context includes at least one entry including a layer identification field identifying the firewall process and the at least one layer parameter, and a value including the at least one layer parameter;
  
  receiving, by the callout process, the classify call;
  
  performing, by the callout process, a programmed function on the protocol packet; and
  
  issuing, by the callout process, an action identified from the plurality of parameters in the classify call.
- View Dependent Claims (32, 33)
- - 32. The computer-readable medium of claim 31, wherein the callout process is a logging module, further comprising storing in a memory the protocol packet.
  - 33. The computer-readable medium of claim 31, wherein the callout process is an security module, further comprising:
    - determining, by the security module, that the protocol packet is required to conform to a security protocol;
      
      verifying that the protocol packet conforms to the security protocol.

34. A functional interface implemented as at least one layer interface and/or at least one callout interface for allowing a requesting layer to obtain a policy for a packet, either directly from a firewall engine or from a callout through the firewall engine, the requesting layer being one of a plurality of layers within a protocol stack, comprising a classify method, comprising:
- the packet received by the requesting layer;
  
  a set of parameters associated with the packet, the set of parameters including data processed by the requesting layer;
  
  a packet context received by the requesting layer from another layer of the plurality of layers, wherein the packet context includes at least one entry including a layer identification field identifying the another layer and at least one parameter from the set of parameters, and a value including at least one parameter from the set of parameters; and
  
  an action to be returned to the requesting layer identifying a first policy to be applied to the packet, wherein the action is returned by the firewall engine comprising a firewall engine of a kernel mode of an operating system and/or a firewall engine of a user mode of the operating system, and wherein the policy is identified from a set of filters installed by the firewall process of the user mode.
- View Dependent Claims (35, 36, 37, 38)
- - 35. The functional interface of claim 34, further comprising:
    - an add layer method for allowing a new layer to be added to the plurality of layers.
  - 36. The functional interface of claim 34, further comprising:
    - a delete layer method for removing an existing layer from the plurality of layers.
  - 37. The functional interface of claim 34, further comprising:
    - a policy context defining a second policy to be applied to the packet.
  - 38. The functional interface of claim 37, wherein the first policy is a firewall policy and the second policy is a non-firewall policy.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Microsoft Technology Licensing LLC (Microsoft Corporation)
Original Assignee
Microsoft Corporation
Inventors
Swander, Brian D., Mayfield, Paul G.
Primary Examiner(s)
Barron, Jr.; Gilberto
Assistant Examiner(s)
ALMEIDA, DEVIN E

Application Number

US10/456,766
Publication Number

US 20050022010A1
Time in Patent Office

2,118 Days
Field of Search

713/152, 726/11
US Class Current

726/11
CPC Class Codes

H04L 63/0218   Distributed architectures, ...

H04L 63/0227   Filtering policies mail mes...

H04L 63/0236   Filtering by address, proto...

H04L 63/0254   Stateful filtering

H04L 63/164   at the network layer

Multi-layered firewall architecture

First Claim

2 Assignments

0 Petitions

Accused Products

Abstract

67 Citations

38 Claims

Specification

Solutions

Use Cases

Quick Links

Multi-layered firewall architecture

First Claim

2 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

67 Citations

38 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links