Computerized system and method for policy-based content filtering

US 7,966,654 B2
Filed: 11/22/2005
Issued: 06/21/2011
Est. Priority Date: 11/22/2005
Status: Active Grant

First Claim

Patent Images

1. A computer-implemented method for processing application-level content of network service protocols, the method comprising:

receiving an incoming network connection, at a networking subsystem of a firewall device, the incoming connection being characterized by a source network address, a destination network address and a network service protocol;

determining, by the networking subsystem, the network service protocol of the incoming network connection;

determining, by the networking subsystem, whether to allow or deny the incoming connection by identifying a matching firewall policy based on the source network address, the destination network address and the network service protocol and applying packet-layer firewall rules associated with the matching firewall policy;

if the incoming connection is allowed, then;

redirecting the incoming network connection, by the networking subsystem, to a proxy module of one or more proxy modules within the firewall device that is configured to support the network service protocol;

retrieving, by the proxy module, one or more content processing configuration schemes associated with the matching firewall policy, the one or more content processing configuration schemes each including a plurality of content processing configuration settings for each of one or more network service protocols; and

processing, by the proxy module, application-level content of a packet stream associated with the incoming network connection byreconstructing the application-level content, including extracting and buffering content from a plurality of packets of the packet stream; and

scanning the application-level content based on the retrieved one or more content processing configuration schemes.

View all claims

1 Assignment

Timeline View

Assignment View

1 Petition

Accused Products

Abstract

Firewalls and other filtering gateways have become common security devices for improving computer network security. As more features and functionality are added to these devices they become quite complex to configure. By associating configuration schemes with firewall policies, configuration can be simplified without compromising flexibility. Administrators have more options to filter different traffic streams based on their type and sources. They also have increased flexibility to be able to filter traffic on a per user basis, through authentication mechanisms tied to various filtering options.

52 Citations

View as Search Results

30 Claims

1. A computer-implemented method for processing application-level content of network service protocols, the method comprising:
- receiving an incoming network connection, at a networking subsystem of a firewall device, the incoming connection being characterized by a source network address, a destination network address and a network service protocol;
  
  determining, by the networking subsystem, the network service protocol of the incoming network connection;
  
  determining, by the networking subsystem, whether to allow or deny the incoming connection by identifying a matching firewall policy based on the source network address, the destination network address and the network service protocol and applying packet-layer firewall rules associated with the matching firewall policy;
  
  if the incoming connection is allowed, then;
  
  redirecting the incoming network connection, by the networking subsystem, to a proxy module of one or more proxy modules within the firewall device that is configured to support the network service protocol;
  
  retrieving, by the proxy module, one or more content processing configuration schemes associated with the matching firewall policy, the one or more content processing configuration schemes each including a plurality of content processing configuration settings for each of one or more network service protocols; and
  
  processing, by the proxy module, application-level content of a packet stream associated with the incoming network connection byreconstructing the application-level content, including extracting and buffering content from a plurality of packets of the packet stream; and
  
  scanning the application-level content based on the retrieved one or more content processing configuration schemes.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 22, 23, 24, 25, 26)
- - 2. The method of claim 1, wherein the network service protocol comprises at least one of a group consisting of HyperText Transfer Protocol (HTTP), File Transfer Protocol (FTP), Simple Mail Transfer Protocol (SMTP), Post Office Protocol 3 (POP3), Internet Message Access Protocol (IMAP) and Server Message Block/Common Internet File System (SMB/CIFS).
  - 3. The method of claim 1, wherein during the identifying, the matching firewall policy is selected from a plurality of predefined firewall policies.
  - 4. The method of claim 3, wherein if the plurality of predefined firewall policies does not contain the matching firewall policy, a default firewall policy is identified as the matching firewall policy.
  - 5. The method of claim 1, wherein during the retrieving, the one or more content processing configuration schemes are selected from a plurality of predefined content processing configuration schemes.
  - 6. The method of claim 1, further comprising authenticating a user associated with the incoming connection and rejecting the incoming connection if the authentication is unsuccessful.
  - 7. The method of claim 6, wherein the authenticated user is associated with one or more user groups.
  - 8. The method of claim 7, wherein the retrieved one or more content processing configuration schemes are assigned to the one or more user groups.
  - 9. The method of claim 6, wherein the retrieved one or more content processing configuration schemes are determined by an identity of the authenticated user.
  - 22. The method of claim 1, further comprising:
    - receiving, by the networking subsystem, a second incoming network connection associated with a second network service protocol that is different from the network service protocol;
      
      determining, by the networking subsystem, whether to allow or deny the second incoming connection based on the matching firewall policy and applying packet-layer firewall rules associated with the matching firewall policy;
      
      if the second incoming connection is allowed, then;
      
      redirecting the second incoming network connection to a second proxy module of one or more proxy modules within the firewall device that is configured to support the second network service protocol;
      
      retrieving, by the second proxy module, the one or more content processing configuration schemes associated with the matching firewall policy; and
      
      processing, by the second proxy module, application-level content of a packet stream associated with the second incoming network connection byreconstructing the application-level content of the packet stream associated with the second incoming network connection, including extracting and buffering content from a plurality of packets of the packet stream; and
      
      scanning the application-level content of the packet stream associated with the second incoming network connection based on the retrieved one or more content processing configuration schemes; and
      
      wherein the plurality of content processing configuration settings for the network service protocol are different from the plurality of content processing configuration settings for the second network service protocol.
  - 23. The method of claim 22, wherein the network service protocol comprises HyperText Transport Protocol (HTTP) and said scanning the application-level content comprises performing a plurality of antivirus scanning, filename blocking, quarantining, banned word filtering, and Uniform Resource Locator (URL) blocking
  - 24. The method of claim 23, wherein the second network service protocol comprises File Transfer Protocol (FTP) and said scanning the application-level content of the packet stream associated with the second incoming network connection comprises performing a plurality of antivirus scanning, filename blocking and quarantining.
  - 25. The method of claim 23, wherein the second network service protocol comprises Simple Mail Transfer Protocol (SMTP), Post Office Protocol 3 (POP3) or Internet Message Access Protocol (IMAP) and said scanning the application-level content of the packet stream associated with the second incoming network connection comprises performing a plurality of antivirus scanning, filename blocking, quarantining, banned word filtering and spam blocking.
  - 26. The method of claim 23, wherein the second network service protocol comprises Server Message Block/Common Internet File System (SMB/CIFS) and said scanning the application-level content of the packet stream associated with the second incoming network connection comprises performing a plurality of antivirus scanning, filename blocking and quarantining.

10. A firewall system for processing application-level content of network service protocols, the firewall system comprising:
- a non-transitory memory having stored therein a configuration database including a plurality of firewall policies and a plurality of content processing configuration schemes, each content processing configuration scheme of the plurality of content processing configuration schemes including a plurality of content processing configuration settings for each of a plurality of network protocols;
  
  a networking interface operable to receive a network connection;
  
  one or more proxy modules each operable to support one or more network protocols of the plurality of network protocols; and
  
  a networking subsystem operable to (i) receive the network connection from the networking interface, (ii) apply packet-layer firewall rules associated with a firewall policy of the plurality of firewall policies that is appropriate for the network connection and (ii) redirect the network connection to a proxy module of the one or more proxy modules based on a network protocol associated with the network connection if the network connection is allowed by the packet-layer firewall rules; and
  
  wherein the proxy module processes application-level content of a packet stream associated with the network connection byreconstructing the application-level content, including extracting and buffering content from a plurality of packets of the packet stream; and
  
  scanning the application-level content based on one or more content processing configuration schemes of the plurality of content processing configuration schemes that have been associated with the firewall policy by an administrator of the firewall system.
- View Dependent Claims (11, 12, 27, 28, 29, 30)
- - 11. The firewall system of claim 10, wherein the proxy module retrieves the one or more content processing configuration schemes from the configuration database.
  - 12. The firewall system of claim 10, wherein the processing of application-level content by the proxy module comprises applying filters to the application-level content.
  - 27. The firewall system of claim 10, wherein the network service protocol comprises HyperText Transport Protocol (HTTP) and wherein the plurality of content processing configuration settings include content processing configuration settings for each of antivirus scanning, filename blocking, quarantining, banned word filtering, and Uniform Resource Locator (URL) blocking.
  - 28. The firewall system of claim 10, wherein the network service protocol comprises File Transfer Protocol (FTP) and wherein the plurality of content processing configuration settings include content processing configuration settings for each of antivirus scanning, filename blocking and quarantining.
  - 29. The firewall system of claim 10, wherein the network service protocol comprises Simple Mail Transfer Protocol (SMTP), Post Office Protocol 3 (POP3) or Internet Message Access Protocol (IMAP) and wherein the plurality of content processing configuration settings include content processing configuration settings for each of antivirus scanning, filename blocking, quarantining, banned word filtering and spam blocking
  - 30. The firewall system of claim 10, wherein the network service protocol comprises Server Message Block/Common Internet File System (SMB/CIFS) and wherein the plurality of content processing configuration settings include content processing configuration settings for each of antivirus scanning, filename blocking and quarantining.

13. A non-transitory computer-readable storage medium tangibly embodying instructions, which when executed by a firewall system, cause the firewall system to perform a method for processing application-level content, the method comprising:
- determining, by a networking subsystem of the firewall system, the network service protocol of the incoming network connection, the incoming connection being characterized by a source network address, a destination network address and a network service protocol;
  
  determining, by the networking subsystem, whether to allow or deny the incoming connection by identifying a matching firewall policy based on the source network address, the destination network address and the network service protocol and applying packet-layer firewall rules associated with the matching firewall policy;
  
  if the incoming connection is allowed, then;
  
  redirecting the incoming network connection, by the networking subsystem, to a proxy module of one or more proxy modules of the firewall system that is configured to support the network service protocol;
  
  retrieving, by the proxy module, one or more content processing configuration schemes associated with the matching firewall policy, the one or more content processing configuration schemes each including a plurality of content processing configuration settings for each of one or more network service protocols; and
  
  processing, by the proxy module, application-level content of a packet stream associated with the incoming network connection byreconstructing the application-level content, including extracting and buffering content from a plurality of packets of the packet stream; and
  
  scanning the application-level content based on the retrieved one or more content processing configuration schemes.
- View Dependent Claims (14, 15, 16, 17, 18, 19, 20, 21)
- - 14. The computer-readable storage medium of claim 13, wherein the network service protocol comprises at least one of a group consisting of HyperText Transfer Protocol (HTTP), File Transfer Protocol (FTP), Simple Mail Transfer Protocol (SMTP), Post Office Protocol 3 (POP3), Internet Message Access Protocol (IMAP) and Server Message Block/Common Internet File System (SMB/CIFS).
  - 15. The computer-readable storage medium of claim 13, wherein during the identifying, the matching firewall policy is selected from a plurality of predefined firewall policies.
  - 16. The computer-readable storage medium of claim 15, wherein if the plurality of predefined firewall policies does not contain the matching firewall policy, a default firewall policy is identified as the matching firewall policy.
  - 17. The computer-readable storage medium of claim 13, wherein during the retrieving, the one or more content processing configuration schemes are selected from a plurality of predefined content processing configuration schemes.
  - 18. The computer-readable storage medium of claim 13, wherein the method further comprises authenticating a user associated with the incoming connection and rejecting the incoming connection if the authentication is unsuccessful.
  - 19. The computer-readable storage medium of claim 18, wherein the authenticated user is associated with one or more user groups.
  - 20. The computer-readable storage medium of claim 19, wherein the retrieved one or more content processing configuration schemes are assigned to the one or more user groups.
  - 21. The computer-readable storage medium of claim 18, wherein the retrieved one or more content processing configuration schemes are determined by an identity of the authenticated user.

Specification

Resources

Litigation Campaign Assessment

Litigation Data

Current Assignee
Fortinet Inc.
Original Assignee
Fortinet Inc.
Inventors
Crawford, William J.
Primary Examiner(s)
Lanier; Benjamin E
Assistant Examiner(s)
ARMOUCHE, HADI S

Application Number

US11/283,891
Publication Number

US 20070118893A1
Time in Patent Office

2,037 Days
Field of Search

726/11, 726/1, 726/12
US Class Current

726/11
CPC Class Codes

H04L 63/02   for separating internal fro...

H04L 63/0236   Filtering by address, proto...

H04L 63/0245   Filtering by information in...

H04L 63/0281   Proxies

H04L 63/20   for managing network securi...

Computerized system and method for policy-based content filtering

First Claim

1 Assignment

1 Petition

Accused Products

Abstract

52 Citations

30 Claims

Specification

Solutions

Use Cases

Quick Links

Computerized system and method for policy-based content filtering

First Claim

1 Assignment

Subscription Required

Subscription Required

1 Petition

Subscription Required

Accused Products

Subscription Required

Abstract

52 Citations

30 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links