Security state aware firewall
First Claim
1. A method comprising:
receiving a first and second packet, said first packet being from a first communication session and said second packet being from a second communication session;
classifying said first and second packet based on authentication of said first communication session and said second communication session, said first communication session being an unauthenticated session, said second communication session being an authenticated session;
applying a first policy to said first packet and a second policy to said second packet based on said classifying, said first policy comprising applying a low priority to said first packet, said second policy comprising applying a high priority to said second packet;
receiving a third packet, said third packet being from said first communication session, said first communication session having been changed to an authenticated session; and
applying said second policy to said third packet.
Abstract
A network firewall may apply policies to packets based on a security classification. Packets with an authenticated and established security connection may be handled at a high throughput, while packets with unauthenticated connections may be handled at a low throughput or even discarded. In some embodiments, three or more levels of security classification may be used to process packets at different speeds or priorities. In some embodiments, one device may classify and tag each packet, while another device within the network may process the packets according to the tags.
Claims (18 in total; the independent claims 1, 7 and 16 follow)
1. A method comprising: (recited in full under First Claim above)
Dependent claims: 2, 3, 4, 5, 6
7. A device comprising:
a first hardware connection that sends and receives packets;
a classifier that determines a security status for an incoming packet;
a policy applicator adapted to apply a policy to said incoming packet based on said security status; and
a policy implementor that allows said incoming packets with a first policy to pass at a first transmission rate and said incoming packets with a second policy to pass at a second transmission rate;
said device that:
receives a first and second packet, said first packet being from a first communication session and said second packet being from a second communication session;
classifies said first and second packet based on authentication of said first communication session and said second communication session, said first communication session being an unauthenticated session, said second communication session being an authenticated session;
applies a first policy to said first packet and a second policy to said second packet based on said classifying, said first policy comprising applying a low priority to said first packet, said second policy comprising applying a high priority to said second packet;
receives a third packet, said third packet being from said first communication session, said first communication session having been changed to an authenticated session; and
applies said second policy to said third packet.
Dependent claims: 8, 9, 10, 11, 12, 13, 14, 15
16. A method comprising:
receiving a first packet on a first connection;
determining that said first packet is associated with a first session, said first session not being a secure session;
transmitting said first packet at a low transmission rate on a second connection;
receiving a second packet on said first connection;
determining that said second packet is associated with a second session, said second session being a secure session;
transmitting said second packet at a high transmission rate on said second connection;
receiving a third packet on said first connection;
determining that said third packet is associated with said first session;
determining that said first session has changed to a secure session; and
transmitting said third packet at said high transmission rate on said second connection.
Dependent claims: 17, 18
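As an added illustration, not code from the patent or from any product, the following Python model walks through the sequence recited in claims 1, 7 and 16: a classifier tracks per-session authentication state and tags each packet with a policy, a separate policy implementor forwards tagged packets at a per-policy rate, and once a session becomes authenticated its later packets receive the high-priority policy. The rate and burst values, the packet sizes, the token-bucket enforcement and the external "session authenticated" signal are all constructed assumptions.

```python
from dataclasses import dataclass
from enum import Enum

class Policy(Enum):
    LOW_PRIORITY = "low"    # unauthenticated session: rate-limited, may be dropped
    HIGH_PRIORITY = "high"  # authenticated session: full rate

@dataclass(frozen=True)
class Packet:
    session_id: str  # constructed stand-in for the flow 5-tuple
    size: int        # bytes

class Classifier:
    """Keeps per-session security state and tags each packet with a policy."""
    def __init__(self):
        self.authenticated = {}  # session_id -> bool
    def session_authenticated(self, session_id):
        # Assumed external signal: this session's authentication has completed.
        self.authenticated[session_id] = True
    def classify(self, pkt):
        # A session not yet seen starts unauthenticated, i.e. low priority.
        return Policy.HIGH_PRIORITY if self.authenticated.setdefault(pkt.session_id, False) else Policy.LOW_PRIORITY

class PolicyImplementor:
    """Forwards tagged packets through one token bucket (in bytes) per policy."""
    def __init__(self, rate_bps, burst):
        self.rate, self.burst, self.tokens = rate_bps, burst, dict(burst)
        self.last = {p: 0.0 for p in burst}
    def forward(self, pkt, policy, now):
        # Refill for elapsed time (capped at burst), then pass only if tokens suffice.
        refill = (now - self.last[policy]) * self.rate[policy]
        self.tokens[policy] = min(self.burst[policy], self.tokens[policy] + refill)
        self.last[policy] = now
        if self.tokens[policy] < pkt.size:
            return False  # over this policy's budget: packet dropped
        self.tokens[policy] -= pkt.size
        return True

def run(events):
    # events: ("pkt", time_s, Packet) or ("auth", session_id); returns (policy, forwarded) per packet.
    clf = Classifier()
    impl = PolicyImplementor({Policy.LOW_PRIORITY: 1_000, Policy.HIGH_PRIORITY: 1_000_000}, {Policy.LOW_PRIORITY: 1_500, Policy.HIGH_PRIORITY: 15_000})
    results = []
    for ev in events:
        if ev[0] == "auth":
            clf.session_authenticated(ev[1])
        else:
            policy = clf.classify(ev[2])
            results.append((policy, impl.forward(ev[2], policy, ev[1])))
    return results
```

With a constructed trace in which session A starts unauthenticated and session B is already authenticated, A's first packet is forwarded at low priority, its second exceeds the low-priority budget and is dropped, and its third, sent after A authenticates, is forwarded at high priority.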
Specification