Method of assisting an application to traverse a firewall
First Claim
1. A computer-implemented method, comprising:
receiving, by an interception module communicating with a firewall via a first application programming interface, via a second application programming interface at least one policy established by a first user that permits at least one of an application and a service to connect to a network when the first user runs the at least one of the application and a service, wherein the at least one policy is stored among a plurality of policies in a policy cache of the interception module;
receiving, by the interception module, a connect attempt, a listen attempt, or a combination thereof from the application or the service run by a second user;
extracting, by the interception module, user and application or service information from the connect attempt, the listen attempt, or the combination thereof;
determining, by the interception module, an identity of the second user and what application or what service is making the connect attempt, the listen attempt, or the combination thereof;
determining, by the interception module, whether the identity of the second user matches an identity of a user that established the at least one policy and whether the connect attempt, the listen attempt, or the combination thereof comply with the at least one policy; and
when the connect attempt, the listen attempt, or the combination thereof comply with the at least one policy and the identity of the second user matches the identity of the user that established the at least one policy, instructing, by the interception module, the firewall to automatically create a configuration to allow the connect attempt, the listen attempt, or the combination thereof, and storing the configuration in a filter cache of the interception module.
Abstract
A method for a firewall-aware application to communicate its expectations to a firewall without requiring the firewall to change its policy or compromise network security. An application API is provided for applications to inform a firewall or firewalls of the application's needs, and a firewall API is provided that informs the firewall or firewalls of the application's needs. An interception module watches for connect and listen attempts by applications and services to the network stack on the local computer. The interception module traps these attempts and determines what user is making the attempt, what application or service is making the attempt, and conducts a firewall policy look-up to determine whether the user and/or application or service are allowed to connect to the network. If so, the interception module may instruct the host and/or edge firewall to configure itself for the connection being requested.
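The decision path that claim 1 and the abstract describe (policy cache, interception of a connect or listen attempt, user-identity match against the policy's owner, policy compliance check, rule creation, filter cache) can be modelled end to end. The following is an added example written for this page; it is not code from the patent or from any product implementing it. The class and field names, the port-based policy shape and the in-memory list standing in for the firewall-side API are all assumptions made for illustration; a real interception module would have to derive the user and the binary from the intercepted call's process context rather than trust fields handed to it.

```python
"""Model of an interception module sitting between applications and a host firewall.

Added example, not the patent's own code. Names and the port-based policy
shape are assumptions; the firewall is simulated by a list of pushed rules.
"""
from __future__ import annotations

from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class Policy:
    owner: str          # user who established the policy (the claim's "first user")
    app: str            # application or service the policy covers
    kinds: frozenset    # subset of {"connect", "listen"}
    ports: frozenset    # ports the attempt may use (assumed policy shape)


@dataclass(frozen=True)
class Attempt:
    user: str           # user actually running the application (the "second user")
    app: str
    kind: str           # "connect" or "listen"
    port: int


@dataclass(frozen=True)
class FilterRule:
    """Configuration the interception module asks the firewall to create."""
    user: str
    app: str
    kind: str
    port: int
    action: str = "allow"


class InterceptionModule:
    def __init__(self) -> None:
        self.policy_cache: list[Policy] = []            # policies received over the policy API
        self.filter_cache: dict[tuple, FilterRule] = {}  # attempt key -> rule already pushed
        self.firewall: list[FilterRule] = []            # stands in for the firewall-side API

    def add_policy(self, policy: Policy) -> None:
        """Second API in the claim: a user registers a policy for an app they run."""
        self.policy_cache.append(policy)

    def intercept(self, attempt: Attempt) -> tuple[str, Optional[FilterRule]]:
        """Trap one connect/listen attempt and decide what to tell the firewall."""
        key = (attempt.user, attempt.app, attempt.kind, attempt.port)
        if key in self.filter_cache:
            # Configuration was already created for this exact attempt: reuse it.
            return "allow-cached", self.filter_cache[key]
        for policy in self.policy_cache:
            if policy.app != attempt.app:
                continue
            if policy.owner != attempt.user:
                # Identity check from the claim: a policy only applies when the
                # user who established it is the one running the application.
                continue
            if attempt.kind not in policy.kinds or attempt.port not in policy.ports:
                continue  # right user, but the attempt does not comply with the policy
            rule = FilterRule(attempt.user, attempt.app, attempt.kind, attempt.port)
            self.firewall.append(rule)       # "instruct the firewall to create a configuration"
            self.filter_cache[key] = rule    # "store the configuration in a filter cache"
            return "allow", rule
        # No matching policy: create nothing and leave the firewall's own policy in force.
        return "deny", None


def demo() -> list[str]:
    """Constructed scenario: one policy, five attempts covering each branch."""
    im = InterceptionModule()
    im.add_policy(Policy("alice", "backup-agent", frozenset({"connect"}), frozenset({443})))
    attempts = [
        Attempt("alice", "backup-agent", "connect", 443),   # owner runs her own app: allow
        Attempt("alice", "backup-agent", "connect", 443),   # repeat: served from filter cache
        Attempt("bob", "backup-agent", "connect", 443),     # same app, other user: deny
        Attempt("alice", "backup-agent", "listen", 443),    # owner, but listen not permitted
        Attempt("alice", "backup-agent", "connect", 8080),  # owner, but port not in policy
    ]
    return [im.intercept(a)[0] for a in attempts]


if __name__ == "__main__":
    print(demo())
```

The third attempt is the case the identity check in the claim exists for: the same binary run by a different user gets no rule even though a policy for that binary is cached, so one user's registration does not open the host for everyone. The only rule ever pushed to the simulated firewall is the one from the first attempt; the second attempt is answered from the filter cache without touching the firewall again.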
15 Claims
1. (Independent claim; text as given under First Claim above.) Dependent claims: 2 through 13.
14. A computer system, comprising:
a firewall; and
an interception module communicating with the firewall via a first application programming interface, the interception module including a second application programming interface for establishing, by a first user, at least one policy that permits at least one of an application and a service to connect to a network when the first user runs the at least one of the application and a service, wherein the at least one policy is stored in a policy cache of the interception module, the interception module being configured and adapted to:
intercept a request for a connect attempt, a listen attempt, or a combination thereof from the application or the service run by a second user;
extract user and application or service information from the connect attempt, the listen attempt, or the combination thereof;
identify the user and the application or the service from the user and application or service information;
determine whether an identity of the second user matches an identity of a user that established the at least one policy and whether the connect attempt, the listen attempt, or the combination thereof comply with the at least one policy; and
when the connect attempt, the listen attempt, or the combination thereof comply with the at least one policy and the identity of the second user matches the identity of the user that established the at least one policy, instruct the firewall to create a configuration to allow the connect attempt, the listen attempt, or the combination thereof, and store the configuration in a filter cache of the interception module.
Dependent claim: 15.
Specification