Method of assisting an application to traverse a firewall

US 7,559,082 B2
Filed: 06/25/2003
Issued: 07/07/2009
Est. Priority Date: 06/25/2003
Status: Active Grant

First Claim

Patent Images

1. A computer-implemented method, comprising:

receiving, by an interception module communicating with a firewall via a first application programming interface, via a second application programming interface at least one policy established by a first user that permits at least one of an application and a service to connect to a network when the first user runs the at least one of the application and a service, wherein the at least one policy is stored among a plurality of policies in a policy cache of the interception module;

receiving, by the interception module a connect attempt, a listen attempt, or a combination thereof from the application or the service run by a second user;

extracting, by the interception module, user and application or service information from the connect attempt, the listen attempt, or the combination thereof;

determining, by the interception module, an identity of the second user and what application or what service is making the connect attempt, the listen attempt, or the combination thereof;

determining, by the interception module, whether the identity of the second user matches an identity of a user that established the at least one policy and whether the connect attempt, the listen attempt, or the combination thereof comply with the at least one policy; and

when the connect attempt, the listen attempt, or the combination thereof comply with the at least one policy and the identity of the second user matches the identity of the user that established the at least one policy, instructing, by the interception module, the firewall to automatically create a configuration to allow the connect attempt, the listen attempt, or the combination thereof, and storing the configuration in a filter cache of the interception module.

View all claims

2 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

A method for a firewall-aware application to communicate its expectations to a firewall without requiring the firewall to change its policy or compromise network security. An application API is provided for applications to inform a firewall or firewalls of the application'"'"'s needs, and a firewall API is provided that informs the firewall or firewalls of the application'"'"'s needs. An interception module watches for connect and listen attempts by applications and services to the network stack on the local computer. The interception module traps these attempts and determines what user is making the attempt, what application or service is making the attempt, and conducts a firewall policy look-up to determine whether the user and/or application or service are allowed to connect to the network. If so, the interception module may instruct the host and/or edge firewall to configure itself for the connection being requested.

26 Citations

View as Search Results

15 Claims

1. A computer-implemented method, comprising:
- receiving, by an interception module communicating with a firewall via a first application programming interface, via a second application programming interface at least one policy established by a first user that permits at least one of an application and a service to connect to a network when the first user runs the at least one of the application and a service, wherein the at least one policy is stored among a plurality of policies in a policy cache of the interception module;
  
  receiving, by the interception module a connect attempt, a listen attempt, or a combination thereof from the application or the service run by a second user;
  
  extracting, by the interception module, user and application or service information from the connect attempt, the listen attempt, or the combination thereof;
  
  determining, by the interception module, an identity of the second user and what application or what service is making the connect attempt, the listen attempt, or the combination thereof;
  
  determining, by the interception module, whether the identity of the second user matches an identity of a user that established the at least one policy and whether the connect attempt, the listen attempt, or the combination thereof comply with the at least one policy; and
  
  when the connect attempt, the listen attempt, or the combination thereof comply with the at least one policy and the identity of the second user matches the identity of the user that established the at least one policy, instructing, by the interception module, the firewall to automatically create a configuration to allow the connect attempt, the listen attempt, or the combination thereof, and storing the configuration in a filter cache of the interception module.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13)
- - 2. The method of claim 1, further comprising sending a notification to a user of a connect attempt, a listen attempt, or a combination thereof.
  - 3. The method of claim 2, wherein sending the notification comprises receiving a user input indicative of allowing a connection thereby creating at least one policy.
  - 4. The method of claim 1, wherein establishing the at least one policy further comprises receiving a policy from the application or service.
  - 5. The method of claim 4, wherein receiving the policy comprises receiving the policy via an application programming interface.
  - 6. The method of claim 4, wherein the policy received from the application or service comprises inbound or outbound restrictions using one or more of Internet Protocol addresses, information about a subnet, information about scope of the connection, or combinations thereof.
  - 7. The method of claim 4, wherein the policy received from the application or service comprises communication security level.
  - 8. The method of claim 7, wherein the communication security level comprises authentication.
  - 9. The method of claim 7, wherein the communication security level comprises encryption.
  - 10. The method of claim 1, wherein the firewall comprises a host firewall located on a computer comprising the application or the service.
  - 11. The method of claim 1 wherein the firewall comprises an edge firewall, and further comprising an agent to communicate information about the connection.
  - 12. The method of claim 1, wherein the firewall comprises an edge firewall, and further comprising an authenticated protocol to communicate information to the edge firewall about the connection.
  - 13. A computer-storage medium encoded with a computer program for performing the method recited in claim 11.

14. A computer system, comprising:
- a firewall; and
  
  an interception module communicating with the firewall via a first application programming interface, the interception module including a second application programming interface for establishing, by a first user, at least one policy that permits at least one of an application and a service to connect to a network when the first user runs the at least one of the application and a service, wherein the at least one policy is stored in a policy cache of the interception module, the interception module is configured and adapted to;
  
  intercept a request for a connect attempt, a listen attempt, or a combination thereof from the application or the service run by a second user;
  
  extract user and application or service information from the connect attempt, the listen attempt, or the combination thereof;
  
  identify the user and the application or the service from the user and application or service information;
  
  determine whether an identity of the second user matches an identity of a user that established the at least one policy and whether the connect attempt, the listen attempt, or the combination thereof comply with the at least one policy; and
  
  when the connect attempt, the listen attempt, or the combination thereof comply with the at least one policy and the identity of the second user matches the identity of the user that established the at least one policy, instructing the firewall to create a configuration to allow the connect attempt, the listen attempt, or the combination thereof, and storing the configuration in a filter cache of the interception module.
- View Dependent Claims (15)
- - 15. The computer system of claim 14 wherein the interception module comprises a firewall client for communicating information about the connect attempt, the listen attempt, or the combination thereof to an edge firewall.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Microsoft Technology Licensing LLC (Microsoft Corporation)
Original Assignee
Microsoft Corporation
Inventors
Morgan, Dennis, Burstein, Jonathan L., LeBlanc, David, Gavrilescu, Alexandru, Shelest, Art
Primary Examiner(s)
Barron, Jr.; Gilberto
Assistant Examiner(s)
SAN JUAN, MARTINJERIKO P

Application Number

US10/603,648
Publication Number

US 20050005165A1
Time in Patent Office

2,204 Days
Field of Search

None
US Class Current

726/14
CPC Class Codes

H04L 63/0218   Distributed architectures, ...

H04L 63/0227   Filtering policies mail mes...

H04L 63/029   Firewall traversal, e.g. tu...

Method of assisting an application to traverse a firewall

First Claim

2 Assignments

0 Petitions

Accused Products

Abstract

26 Citations

15 Claims

Specification

Solutions

Use Cases

Quick Links

Method of assisting an application to traverse a firewall

First Claim

2 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

26 Citations

15 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links