Policy-based content filtering

US 8,813,215 B2
Filed: 11/29/2013
Issued: 08/19/2014
Est. Priority Date: 11/22/2005
Status: Active Grant

First Claim

Patent Images

1. A computer-implemented method for processing application-level content of network service protocols, the method comprising:

defining, within a firewall device, one or more content processing configuration schemes, each of the one or more content processing configuration schemes including a plurality of content processing configuration settings for one or more network service protocols;

storing, by the firewall device, the one or more content processing configuration schemes;

associating, by the firewall device, one or more of the stored content processing configuration schemes with a firewall policy;

receiving an incoming network connection, at a networking subsystem of the firewall device the incoming connection being characterized by a source network address, a destination network address and a network service protocol;

determining, by the networking subsystem, whether to allow or deny the incoming connection by identifying a matching firewall policy based on the source network address, the destination network address and the network service protocol and applying packet-layer firewall rules associated with the matching firewall policy;

if the incoming connection is allowed, then;

redirecting the incoming network connection, by the networking subsystem, to a proxy module of one or more proxy modules within the firewall device that is configured to support the network service protocol;

retrieving, by the proxy module, one or more content processing configuration schemes associated with the matching firewall policy; and

processing, by the proxy module, application-level content of a packet stream associated with the incoming network connection byreconstructing the application-level content, including extracting and buffering content from a plurality of packets of the packet stream; and

scanning the application-level content based on the retrieved one or more content processing configuration schemes.

View all claims

0 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

Methods and systems are provided for processing application-level content of network service protocols. According to one embodiment, one or more content processing configuration schemes are defined within a firewall device. Each of the one or more content processing configuration schemes including multiple content processing configuration settings for one or more network service protocols. The one or more content processing configuration schemes are stored by the firewall device. One or more of the stored content processing configuration schemes are associated with a firewall policy by the firewall device.

Citations

16 Claims

1. A computer-implemented method for processing application-level content of network service protocols, the method comprising:
- defining, within a firewall device, one or more content processing configuration schemes, each of the one or more content processing configuration schemes including a plurality of content processing configuration settings for one or more network service protocols;
  
  storing, by the firewall device, the one or more content processing configuration schemes;
  
  associating, by the firewall device, one or more of the stored content processing configuration schemes with a firewall policy;
  
  receiving an incoming network connection, at a networking subsystem of the firewall device the incoming connection being characterized by a source network address, a destination network address and a network service protocol;
  
  determining, by the networking subsystem, whether to allow or deny the incoming connection by identifying a matching firewall policy based on the source network address, the destination network address and the network service protocol and applying packet-layer firewall rules associated with the matching firewall policy;
  
  if the incoming connection is allowed, then;
  
  redirecting the incoming network connection, by the networking subsystem, to a proxy module of one or more proxy modules within the firewall device that is configured to support the network service protocol;
  
  retrieving, by the proxy module, one or more content processing configuration schemes associated with the matching firewall policy; and
  
  processing, by the proxy module, application-level content of a packet stream associated with the incoming network connection byreconstructing the application-level content, including extracting and buffering content from a plurality of packets of the packet stream; and
  
  scanning the application-level content based on the retrieved one or more content processing configuration schemes.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8)
- - 2. The method of claim 1, wherein the network service protocol comprises at least one of a group consisting of HyperText Transfer Protocol (HTTP), File Transfer Protocol (FTP), Simple Mail Transfer Protocol (SMTP), Post Office Protocol 3 (POP3), Internet Message Access Protocol (IMAP) and Server Message Block/Common Internet File System (SMB/CIFS).
  - 3. The method of claim 1, further comprising authenticating a user associated with the incoming connection and rejecting the incoming connection if the authentication is unsuccessful.
  - 4. The method of claim 3, wherein the authenticated user is associated with one or more user groups.
  - 5. The method of claim 4, wherein the retrieved one or more content processing configuration schemes are assigned to the one or more user groups.
  - 6. The method of claim 5, wherein the retrieved one or more content processing configuration schemes are determined by an identity of the authenticated user.
  - 7. The method of claim 1, wherein the one or more content processing configuration schemes have different control levels over the different services.
  - 8. The method of claim 1, wherein the firewall policy, the one or more configuration schemes and other parameters are stored in a configuration database.

9. A computer system comprising:
- non-transitory storage device having tangibly embodied therein instructions representing a security application; and
  
  one or more processors coupled to the non-transitory storage device and operable to execute the security application to perform a method comprising;
  
  defining one or more content processing configuration schemes, each of the one or more content processing configuration schemes including a plurality of content processing configuration settings for one or more network service protocols;
  
  storing the one or more content processing configuration schemes;
  
  associating one or more of the stored content processing configuration schemes with a firewall policy;
  
  receiving an incoming network connection, at a networking subsystem of a firewall device, the incoming connection being characterized by a source network address, a destination network address and a network service protocol;
  
  determining, by the networking subsystem, whether to allow or deny the incoming by identifying a matching firewall policy based on the source network address, the destination network address and the network service protocol and applying packet-layer firewall rules associated with the matching firewall policy;
  
  if the incoming connection is allowed, then;
  
  redirecting the incoming network connection, by the networking subsystem, to a proxy module of one or more proxy modules within the firewall device that is configured to support the network service protocol;
  
  retrieving, by the proxy module, one or more content processing configuration schemes associated with the matching firewall policy; and
  
  processing, by the proxy module, application-level content of a packet stream associated with the incoming network connection byreconstructing the application-level content, including extracting and buffering content from a plurality of packets of the packet stream; and
  
  scanning the application-level content based on the retrieved one or more content processing configuration schemes.
- View Dependent Claims (10, 11, 12, 13, 14, 15, 16)
- - 10. The system of claim 9, wherein the network service protocol comprises at least one of a group consisting of HyperText Transfer Protocol (HTTP), File Transfer Protocol (FTP), Simple Mail Transfer Protocol (SMTP), Post Office Protocol 3 (POP3), Internet Message Access Protocol (IMAP) and Server Message Block/Common Internet File System (SMB/CIFS).
  - 11. The system of claim 9, wherein the method further comprises authenticating a user associated with the incoming connection and rejecting the incoming connection if the authentication is unsuccessful.
  - 12. The system of claim 11, wherein the authenticated user is associated with one or more user groups.
  - 13. The system of claim 12, wherein the retrieved one or more content processing configuration schemes are assigned to the one or more user groups.
  - 14. The system of claim 13, wherein the retrieved one or more content processing configuration schemes are determined by an identity of the authenticated user.
  - 15. The system of claim 9, wherein the one or more content processing configuration schemes have different control levels over the different services.
  - 16. The system of claim 9, wherein the firewall policy, the one or more configuration schemes and other parameters are stored in a configuration database.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Fortinet Inc.
Original Assignee
Fortinet Inc.
Inventors
Crawford, William J.
Primary Examiner(s)
Barron, Jr., Gilberto
Assistant Examiner(s)
Cribbs, Malcolm

Application Number

US14/093,133
Publication Number

US 20140090013A1
Time in Patent Office

263 Days
Field of Search

None
US Class Current

726/12
CPC Class Codes

H04L 63/02   for separating internal fro...

H04L 63/0236   Filtering by address, proto...

H04L 63/0245   Filtering by information in...

H04L 63/0281   Proxies

H04L 63/20   for managing network securi...

Policy-based content filtering

First Claim

0 Assignments

0 Petitions

Accused Products

Abstract

Citations

16 Claims

Specification

Solutions

Use Cases

Quick Links

Policy-based content filtering

First Claim

0 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

Citations

16 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links