System and method for redirected firewall discovery in a network environment

US 8,713,668 B2
Filed: 10/17/2011
Issued: 04/29/2014
Est. Priority Date: 10/17/2011
Status: Active Grant

First Claim

Patent Images

1. A computer-readable non-transitory medium comprising one or more instructions that when executed on a processor configure the processor to perform one or more operations for redirected firewall discovery, the one or more operations comprising:

intercepting, at a first firewall in a network environment, a network flow from a source node;

when the first firewall does not have metadata associated with the network flow in a metadata cache of the first firewall or the first firewall is unable to retrieve the metadata associated with the network flow, sending a discovery redirect from a host manager to cause a firewall cache at the source node to include a second firewall;

receiving the metadata associated with the network flow at the second firewall; and

correlating, at the second firewall, the metadata with the network flow to apply a network policy at the second firewall to the network flow.

View all claims

10 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

A method is provided in one example embodiment that includes receiving metadata from a host over a metadata channel. The metadata may be correlated with a network flow and a network policy may be applied to the connection. In other embodiments, a network flow may be received from a host without metadata associated with the flow, and a discovery redirect may be sent to the host. Metadata may then be received and correlated with the flow to identify a network policy action to apply to the flow.

346 Citations

21 Claims

1. A computer-readable non-transitory medium comprising one or more instructions that when executed on a processor configure the processor to perform one or more operations for redirected firewall discovery, the one or more operations comprising:
- intercepting, at a first firewall in a network environment, a network flow from a source node;
  
  when the first firewall does not have metadata associated with the network flow in a metadata cache of the first firewall or the first firewall is unable to retrieve the metadata associated with the network flow, sending a discovery redirect from a host manager to cause a firewall cache at the source node to include a second firewall;
  
  receiving the metadata associated with the network flow at the second firewall; and
  
  correlating, at the second firewall, the metadata with the network flow to apply a network policy at the second firewall to the network flow.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10)
- - 2. The computer-readable non-transitory medium of claim 1, wherein the discovery redirect is an Internet Control Message Protocol packet.
  - 3. The computer-readable non-transitory medium of claim 1, wherein the discovery redirect is an Internet Control Message Protocol Destination Unreachable packet.
  - 4. The computer-readable non-transitory medium of claim 1, wherein the discovery redirect is an Internet Control Message Protocol Destination Unreachable packet for administratively prohibited communications.
  - 5. The computer-readable non-transitory medium of claim 1, wherein the discovery redirect comprises a hash-based message authentication code.
  - 6. The computer-readable non-transitory medium of claim 1, wherein the discovery redirect comprises a hash-based message authentication code with a shared secret.
  - 7. The computer-readable non-transitory medium of claim 1, wherein the discovery redirect comprises a private key encryption of a hash of the discovery redirect.
  - 8. The computer-readable non-transitory medium of claim 1, wherein the metadata is received on a metadata channel.
  - 9. The computer-readable non-transitory medium of claim 1, wherein the metadata is received using a Datagram Transport Layer Security protocol.
  - 10. The computer-readable non-transitory medium of claim 1, further comprising caching a first packet in the network flow.

11. A computer-readable non-transitory medium comprising one or more instructions that when executed on a processor configure the processor to perform one or more operations, the one or more operations, comprising:
- intercepting a network flow from a source node to a destination node at a firewall agent of the source node;
  
  holding a first packet of the network flow at the firewall agent of the source node;
  
  identifying, in a firewall cache by the firewall agent, a firewall for managing a route to the destination node;
  
  opening a metadata connection with the firewall;
  
  sending metadata associated with the network flow from the firewall agent to the firewall over the metadata connection while holding the first packet of the network flow; and
  
  releasing the network flow by sending the first packet of the network flow from the firewall agent to the firewall.
- View Dependent Claims (12, 13, 14, 15, 16, 17, 18, 19, 20, 21)
- - 12. The computer-readable non-transitory medium of claim 11, wherein the network flow uses a Transmission Control Protocol and intercepting the network flow comprises detecting a SYN packet from the source node.
  - 13. The computer-readable non-transitory medium of claim 11, wherein the network flow uses an unreliable protocol and intercepting the network flow comprises caching a first packet of the flow until the metadata is sent.
  - 14. The computer-readable non-transitory medium of claim 11, wherein the metadata is sent using a Datagram Transport Layer Security protocol.
  - 15. The computer-readable non-transitory medium of claim 11, wherein the operations further comprise:
    - receiving a discovery redirect from a second firewall; and
      
      sending the metadata to the second firewall over a metadata channel.
  - 16. The computer-readable non-transitory medium of claim 11, wherein the operations further comprise:
    - receiving a discovery redirect from a second firewall;
      
      updating a firewall cache to identify the second firewall for managing the route to the destination; and
      
      sending the metadata to the second firewall over a metadata channel.
  - 17. The computer-readable non-transitory medium of claim 11, wherein the operations further comprise:
    - receiving a discovery redirect from a second firewall; and
      
      sending the metadata to the second firewall using a Datagram Transport Layer Security protocol.
  - 18. The computer-readable non-transitory medium of claim 11, wherein the operations further comprise:
    - receiving a discovery redirect from a second firewall;
      
      authenticating the discovery redirect with a message authentication code; and
      
      sending the metadata to the second firewall over a metadata channel.
  - 19. The computer-readable non-transitory medium of claim 11, wherein the operations further comprise:
    - receiving a discovery redirect from a second firewall;
      
      authenticating the discovery redirect with a public key decryption of a hash of the discovery redirect; and
      
      sending the metadata to the second firewall over a metadata channel.
  - 20. The computer-readable non-transitory medium of claim 11, wherein the operations further comprise:
    - caching a first packet in the network flow;
      
      receiving a discovery redirect from a second firewall;
      
      sending the metadata to the second firewall over a metadata channel; and
      
      sending the first packet to the second firewall.
  - 21. The computer-readable non-transitory medium of claim 11, wherein the operations further comprise:
    - receiving a discovery redirect from a second firewall;
      
      updating a firewall cache to identify the second firewall for managing the route to the destination; and
      
      sending the metadata to the second firewall over a metadata channel; and
      
      wherein updating the firewall cache comprises adding a new entry for the destination node with a mask length incrementally modified over a prior entry for the destination node.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
McAfee, LLC
Original Assignee
McAfee, Inc. (McAfee, LLC)
Inventors
Cooper, Geoffrey, Green, Michael W., Guzik, John Richard
Primary Examiner(s)
LE, CHAU D

Application Number

US13/275,249
Publication Number

US 20130097658A1
Time in Patent Office

925 Days
Field of Search

726 11- 14
US Class Current

726/14
CPC Class Codes

G06F 2221/2101   Auditing as a secondary aspect

H04L 43/10   Active monitoring, e.g. hea...

H04L 63/0209   Architectural arrangements,...

H04L 63/0227   Filtering policies mail mes...

H04L 63/0442   wherein the sending and rec...

System and method for redirected firewall discovery in a network environment

First Claim

10 Assignments

0 Petitions

Accused Products

Abstract

346 Citations

21 Claims

Specification

Solutions

Use Cases

Quick Links

System and method for redirected firewall discovery in a network environment

First Claim

10 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

346 Citations

21 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links