Distributed firewall implementation and control

US 8,079,073 B2
Filed: 05/05/2006
Issued: 12/13/2011
Est. Priority Date: 05/05/2006
Status: Expired due to Fees

First Claim

Patent Images

1. A method of providing firewall services in a local area network having a plurality of devices comprising:

determining firewall service capabilities published by each of a first device and a second device in the local area network, the first device and the second device each coupled to a downstream side of a router in the local area network, the router configured to receive traffic destined for the first device and the second device;

determining that the firewall service capabilities published by the second device do not meet a firewall service requirement for the second device in the local area network;

determining that the firewall service capabilities published by the first device meet a firewall service requirement for the first device in the local area network and meet the firewall service requirement for the second device in the local area network;

configuring, by a controller, the router in the local area network to direct traffic destined for the second device to the first device over a first logical connection when the traffic destined for the second device is received by the router from an external network and to direct traffic destined for the second device to the second device over a second logical connection when the traffic destined for the second device is received by the router from the first device in the local area network; and

implementing, by the controller, a distributed firewall system including the first device and the second device in the local area network by configuring the first device to provide firewall service for itself to meet the firewall service requirement for the first device and to provide firewall service for the second device to meet the firewall service requirement for the second device according to the firewall service capabilities published by the first device, wherein the first device is configured to;

filter traffic directed to the first device by the router over the first logical connection according to the firewall service requirement for the first device when the traffic is destined for the first device,filter traffic directed to the first device by the router over the first logical connection according to the firewall service requirement for the second device when the traffic is destined for the second device,re-address the filtered traffic filtered according to the firewall service requirement for the second device to the second device, andtransmit the traffic re-addressed to the second device to the router for delivery to the second device over the second logical connection.

View all claims

2 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

One or more devices on a network may be configured to provide firewall services for other devices on the network. Each of the firewall service suppliers may publish its capability with respect to firewall services and the service receivers may publish their requirements for firewall services. A manager function may broker the requests and offers to match services and requirements. A default firewall service may be provided to devices not publishing their requirements. Network topologies may be re-configured to first route traffic addressed to a device to its corresponding firewall service provider.

98 Citations

View as Search Results

20 Claims

1. A method of providing firewall services in a local area network having a plurality of devices comprising:
- determining firewall service capabilities published by each of a first device and a second device in the local area network, the first device and the second device each coupled to a downstream side of a router in the local area network, the router configured to receive traffic destined for the first device and the second device;
  
  determining that the firewall service capabilities published by the second device do not meet a firewall service requirement for the second device in the local area network;
  
  determining that the firewall service capabilities published by the first device meet a firewall service requirement for the first device in the local area network and meet the firewall service requirement for the second device in the local area network;
  
  configuring, by a controller, the router in the local area network to direct traffic destined for the second device to the first device over a first logical connection when the traffic destined for the second device is received by the router from an external network and to direct traffic destined for the second device to the second device over a second logical connection when the traffic destined for the second device is received by the router from the first device in the local area network; and
  
  implementing, by the controller, a distributed firewall system including the first device and the second device in the local area network by configuring the first device to provide firewall service for itself to meet the firewall service requirement for the first device and to provide firewall service for the second device to meet the firewall service requirement for the second device according to the firewall service capabilities published by the first device, wherein the first device is configured to;
  
  filter traffic directed to the first device by the router over the first logical connection according to the firewall service requirement for the first device when the traffic is destined for the first device,filter traffic directed to the first device by the router over the first logical connection according to the firewall service requirement for the second device when the traffic is destined for the second device,re-address the filtered traffic filtered according to the firewall service requirement for the second device to the second device, andtransmit the traffic re-addressed to the second device to the router for delivery to the second device over the second logical connection.
- View Dependent Claims (2, 3, 4, 5, 6, 7)
- - 2. The method of claim 1, further comprising monitoring the local area network for information published by the plurality of devices.
  - 3. The method of claim 1, further comprising monitoring the local area network for a request for firewall services published by the second device.
  - 4. The method of claim 3, wherein the firewall service requirement for the second device in the local network is more restrictive than the request for firewall services published by the second device.
  - 5. The method of claim 1, further comprising selecting a default firewall service for a device in the local area network when no published information is available from the device.
  - 6. The method of claim 1, wherein an upstream device in the local area network sets open access for its firewall service when a downstream device in the local area network has firewall service capabilities that meet a minimum firewall service requirement for the local area network.
  - 7. The method of claim 1, further comprising:
    - receiving firewall service capabilities published by the first device and the second using a peer-to-peer protocol; and
      
      publishing a firewall service requirement for the local area network to the plurality of devices using the peer-to-peer protocol.

8. A local area network having a plurality of devices adapted for configurable firewall protection comprising:
- a first device coupled to a downstream side of a router, the first device having firewall service capabilities that meet a firewall service requirement for the first device in the local area network;
  
  a second device coupled to the downstream side of the router, the second device having firewall service capabilities that do not meet a firewall service requirement for the second device in the local area network; and
  
  a controller for implementing a distributed firewall system including the first device and the second device in the local area network when the firewall service capabilities of the first device meet the firewall service requirement for the first device in the local area network and meet the firewall service requirement for the second device in the local area network by;
  
  configuring the router in the local area network to direct traffic destined for the second device to the first device over a first logical connection when the traffic destined for the second device is received by the router from an external network and to direct traffic destined for the second device to the second device over a second logical connection when the traffic destined for the second device is received by the router from the first device in the local area network, andconfiguring the first device to provide firewall service for itself to meet the firewall service requirement for the first device and to provide firewall service for the second device to meet the firewall service requirement for the second device according to the firewall service capabilities of the first device, wherein the first device is configured to;
  
  filter traffic directed to the first device by the router over the first logical connection according to the firewall service requirement for the first device when the traffic is destined for the first device,filter traffic directed to the first device by the router over the first logical connection according to the firewall service requirement for the second device when the traffic is destined for the second device,re-address the traffic filtered according the firewall service requirement for the second device to the second device, andtransmit the traffic re-addressed to the second device to the router for delivery to the second device over the second logical connection.
- View Dependent Claims (9, 10, 11, 12, 13, 14, 15, 16, 17, 18, 19)
- - 9. The local area network of claim 8, wherein the second device publishes a request for firewall services.
  - 10. The local area network of claim 8, wherein the controller configures the router to direct incoming traffic addressed to a smart phone to a personal computer when the firewall service capabilities of the smart phone do not meet a firewall service requirement for the local area network.
  - 11. The local area network of claim 8, wherein the first device shares out a network connection to the second device.
  - 12. The local area network of claim 8, wherein the first device publishes the firewall service capabilities of the first device.
  - 13. The local area network of claim 12, wherein the second device receives the published firewall service capabilities of the first device and directs a request for firewall services to the first device.
  - 14. The local area network of claim 8, wherein the controller monitors the local area network for firewall service capabilities and a firewall service requirements for each of the plurality of devices adapted for configurable firewall protection.
  - 15. The local area network of claim 14, wherein the controller is incorporated in one of the first device and the router.
  - 16. The local area network of claim 14, wherein the controller has a communication function for publishing a firewall service requirement for the local area network to each of the plurality of devices.
  - 17. The local area network of claim 16, wherein the first device supplies the second device with a more restrictive firewall service than a firewall service requested by the second device when the firewall service requirement published by the controller is more restrictive than the firewall service requested by the second device.
  - 18. The local area network of claim 14, wherein the controller assigns a default firewall service to a third device in the local area network that does not publish firewall service capabilities.
  - 19. The local area network of claim 8, wherein the firewall service capabilities of the first device and the firewall service capabilities of the second device are published using a peer-to-peer network discovery protocol.

20. A computer storage medium that does not consist of a signal, the computer storage medium storing computer-executable instructions that, when executed, cause a computing device to perform a method of providing firewall services in a local area network, the method comprising:
- determining firewall service capabilities published by each of a first device and a second device in the local area network, the first device and the second device each coupled to a downstream side of a router in the local area network, the router configured to receive traffic destined for the first device and the second device;
  
  determining that the firewall service capabilities published by the second device do not meet a firewall service requirement for the second device in the local area network;
  
  determining that the firewall service capabilities published by the first device meet a firewall service requirement for the first device in the local area network and meet the firewall service requirement for the second device in the local area network;
  
  configuring the router in the local area network to direct traffic destined for the second device to the first device over a first logical connection when the traffic destined for the second device is received by the router from an external network and to direct traffic destined for the second device to the second device over a second logical connection when the traffic destined for the second device is received by the router from the first device in the local area network; and
  
  implementing a distributed firewall system including the first device and the second device in the local area network by configuring the first device to provide firewall service for itself to meet the firewall service requirement for the first device and to provide firewall service for the second device to meet the firewall service requirement for the second device according to the firewall service capabilities published by the first device, wherein the first device is configured to;
  
  filter traffic directed to the first device by the router over the first logical connection according to the firewall service requirement for the first device when the traffic is destined for the first device,filter traffic directed to the first device by the router over the first logical connection according to the firewall service requirement for the second device when the traffic is destined for the second device,re-address the traffic filtered according to the firewall service requirement for the second device to the second device, andtransmit the traffic re-addressed to the second device to the router for delivery to the second device over the second logical connection.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Microsoft Technology Licensing LLC (Microsoft Corporation)
Original Assignee
Microsoft Corporation
Inventors
Roberts, David A.
Primary Examiner(s)
HENNING, MATTHEW T

Application Number

US11/429,476
Publication Number

US 20070261111A1
Time in Patent Office

2,048 Days
Field of Search

None
US Class Current

726/11
CPC Class Codes

H04L 63/0218 Distributed architectures, ...

H04L 63/1441 Countermeasures against mal...

Distributed firewall implementation and control

First Claim

2 Assignments

0 Petitions

Accused Products

Abstract

98 Citations

20 Claims

Specification

Solutions

Use Cases

Quick Links

Distributed firewall implementation and control

First Claim

2 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

98 Citations

20 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links