Security state aware firewall

US 8,060,927 B2
Filed: 10/31/2007
Issued: 11/15/2011
Est. Priority Date: 10/31/2007
Status: Active Grant

First Claim

Patent Images

1. A method comprising:

receiving a first and second packet, said first packet being from a first communication session and said second packet being from a second communication session;

classifying said first and second packet based on authentication of said first communication session and said second communication session, said first communication session being an unauthenticated session, said second communication session being an authenticated session;

applying a first policy to said first packet and a second policy to said second packet based on said classifying, said first policy comprising applying a low priority to said first packet, said second policy comprising applying a high priority to said second packet;

receiving a third packet, said third packet being from said first communication session, said first communication session having been changed to an authenticated session; and

applying said second policy to said third packet.

View all claims

2 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

A network firewall may apply policies to packets based on a security classification. Packets with an authenticated and established security connection may be handled at a high throughput while packets with unauthenticated connections may be handed at a low throughput or even discarded. In some embodiments, three or more levels of security classifications may be used to process packets at different speeds or priorities. In some embodiments, one device may classify and tag each packet, while another device within the network may process the packets according to the tags.

33 Citations

View as Search Results

18 Claims

1. A method comprising:
- receiving a first and second packet, said first packet being from a first communication session and said second packet being from a second communication session;
  
  classifying said first and second packet based on authentication of said first communication session and said second communication session, said first communication session being an unauthenticated session, said second communication session being an authenticated session;
  
  applying a first policy to said first packet and a second policy to said second packet based on said classifying, said first policy comprising applying a low priority to said first packet, said second policy comprising applying a high priority to said second packet;
  
  receiving a third packet, said third packet being from said first communication session, said first communication session having been changed to an authenticated session; and
  
  applying said second policy to said third packet.
- View Dependent Claims (2, 3, 4, 5, 6)
- - 2. The method of claim 1 further comprising:
    - receiving a fourth packet, said fourth packet being from a third communication session, said third communication session being an authentication session having a higher level of authentication than said second communication session; and
      
      applying a third policy to said fourth packet.
  - 3. The method of claim 1, said authenticated session comprising a Layer 3 security service.
  - 4. The method of claim 3, said Layer 3 security service comprises IPsec.
  - 5. The method of claim 1, said first policy comprising tagging said first packet with a first tag, said first tag being adapted to be read by a first device and apply said first policy.
  - 6. The method of claim 1, said first policy comprising transmitting said first packet at a first transmission rate, said second policy comprising transmitting said second packet at a second transmission rate.

7. A device comprising:
- a first hardware connection that sends and receives packets;
  
  a classifier that determines a security status for an incoming packet;
  
  a policy applicator that applies adapted to apply a policy to said incoming packet based on said security status; and
  
  a policy implementor that allows said incoming packets with a first policy to pass at a first transmission rate and said incoming packets with a second policy to pass at a second transmission rate;
  
  said device that;
  
  receives a first and second packet, said first packet being from a first communication session and said second packet being from a second communication session;
  
  classifies said first and second packet based on authentication of said first communication session and said second communication session, said first communication session being an unauthenticated session, said second communication session being an authenticated session;
  
  applies a first policy to said first packet and a second policy to said second packet based on said classifying, said first policy comprising applying a low priority to said first packet, said second policy comprising applying a high priority to said second packet;
  
  receives a third packet, said third packet being from said first communication session, said first communication session having been changed to an authenticated session; and
  
  applies said second policy to said third packet.
- View Dependent Claims (8, 9, 10, 11, 12, 13, 14, 15)
- - 8. The device of claim 7 further comprising a second connection adapted to send and receive packets.
  - 9. The device of claim 7, said first transmission rate being a zero transmission rate.
  - 10. The device of claim 7, said classifier being further adapted to determine a security status by evaluating the contents of said incoming packet.
  - 11. The device of claim 10, said security status comprising not authenticated and authenticated.
  - 12. The device of claim 11, said security status further comprising a first degree of authentication and a second degree of authentication.
  - 13. The device of claim 12, said first degree of authentication comprising a Layer 3 security mechanism, and said second degree of authentication comprising a transmitting device network address.
  - 14. The device of claim 7 further comprising a firewall adapted to block a plurality of ports.
  - 15. The device of claim 7, said policy implementor further adapted to tag said incoming packet, said tag being selected based on said security status and adapted to be detected by a downstream device.

16. A method comprising:
- receiving a first packet on a first connection;
  
  determining that said first packet is associated with a first session, said first session not being a secure session;
  
  transmitting said first packet at a low transmission rate on a second connection;
  
  receiving a second packet on said first connection;
  
  determining that said second packet is associated with a second session, said second session being a secure session;
  
  transmitting said second packet at a high transmission rate on said second connection;
  
  receiving a third packet on said first connection;
  
  determining that said third packet is associated with said first session;
  
  determining that said first session has changed to a secure session; and
  
  transmitting said third packet at said high transmission rate on said second connection.
- View Dependent Claims (17, 18)
- - 17. The method of claim 16, said secure session being a session with Layer 3 security.
  - 18. The method of claim 17, said Layer 3 security comprising IPsec.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Microsoft Technology Licensing LLC (Microsoft Corporation)
Original Assignee
Microsoft Corporation
Inventors
Walker, Lee, Engdahl, Christopher J., Swander, Brian
Primary Examiner(s)
Dinh; Minh
Assistant Examiner(s)
PERUNGAVOOR, VENKATANARAY

Application Number

US11/981,427
Publication Number

US 20090113517A1
Time in Patent Office

1,476 Days
Field of Search

None
US Class Current

726/13
CPC Class Codes

H04L 47/2433   Allocation of priorities to...

H04L 47/2441   relying on flow classificat...

H04L 63/0254   Stateful filtering

H04L 63/0272   Virtual private networks

H04L 63/08   for authentication of entit...

Security state aware firewall

First Claim

2 Assignments

0 Petitions

Accused Products

Abstract

33 Citations

18 Claims

Specification

Solutions

Use Cases

Quick Links

Security state aware firewall

First Claim

2 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

33 Citations

18 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links