Early policy evaluation of multiphase attributes in high-performance firewalls

US 9,100,366 B2
Filed: 09/13/2012
Issued: 08/04/2015
Est. Priority Date: 09/13/2012
Status: Active Grant

First Claim

Patent Images

1. A method comprising:

establishing a policy at a proxy device, the policy comprising a multiphase condition having a multiphase attribute of a multiphase transaction, wherein the multiphase attribute comprises an attribute that becomes known at one or more of a plurality of phases of the multiphase transaction, and the multiphase condition comprises a condition that is met at one or more of the plurality of phases;

establishing phase specific policies for each phase of the plurality of phases in which the multiphase attribute becomes known;

evaluating the multiphase transaction at the proxy device according to the phase specific policies at each phase of the plurality of phases until a policy decision of the policy is determined;

wherein establishing phase specific policies comprises establishing phase specific conditions each evaluating a phase of the transaction in which the multiphase attribute becomes known, andwherein establishing the policy comprises establishing the policy including a condition having a single phase attribute, and wherein establishing the phase specific policies comprises including the single-phase condition in each phase specific policy and ordering the phase specific conditions, the multiphase condition, and the single-phase condition according to an order of the phases in which the single phase attribute and the multiphase attribute become known.

View all claims

1 Assignment

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

A policy is established comprising a condition having a multiphase attribute of a multiphase transaction. Phase specific policies are established for each phase in which the multiphase attribute may become known. The multiphase transaction is evaluated according to the phase specific policies at each phase of the multiphase transaction in which the multiphase attribute may become known until a policy decision of the policy is determined.

Citations

14 Claims

1. A method comprising:
- establishing a policy at a proxy device, the policy comprising a multiphase condition having a multiphase attribute of a multiphase transaction, wherein the multiphase attribute comprises an attribute that becomes known at one or more of a plurality of phases of the multiphase transaction, and the multiphase condition comprises a condition that is met at one or more of the plurality of phases;
  
  establishing phase specific policies for each phase of the plurality of phases in which the multiphase attribute becomes known;
  
  evaluating the multiphase transaction at the proxy device according to the phase specific policies at each phase of the plurality of phases until a policy decision of the policy is determined;
  
  wherein establishing phase specific policies comprises establishing phase specific conditions each evaluating a phase of the transaction in which the multiphase attribute becomes known, andwherein establishing the policy comprises establishing the policy including a condition having a single phase attribute, and wherein establishing the phase specific policies comprises including the single-phase condition in each phase specific policy and ordering the phase specific conditions, the multiphase condition, and the single-phase condition according to an order of the phases in which the single phase attribute and the multiphase attribute become known.
- View Dependent Claims (2, 3, 4, 5, 6, 7)
- - 2. The method of claim 1, wherein establishing phase specific policies comprises ordering the phase specific conditions and multiphase condition according to the phases of the transaction.
  - 3. The method of claim 1, wherein:
    - establishing the policy further comprises establishing the policy including a plurality of conditions, wherein each of the plurality of conditions evaluates a multiphase attribute of the transaction; and
      
      establishing phase specific policies comprises establishing phase specific conditions of each of the plurality of conditions for the phases in which the multiphase attributes may become known.
  - 4. The method of claim 1, wherein evaluating comprises constructing a data structure according to the phase specific policies, and determining the policy decision from the data structure.
  - 5. The method of claim 4, wherein constructing a data structure comprises constructing a decision tree.
  - 6. The method of claim 4, wherein constructing the data structure comprises constructing one of a binary decision diagram or a ternary decision diagram.
  - 7. The method of claim 1, wherein the phases of the multiphase transaction comprise messages sent according to a network communication protocol.

8. An apparatus comprising:
- a memory;
  
  a network interface; and
  
  a processor coupled to the memory and the network interface, wherein the processor is configured to;
  
  establish a policy, the policy comprising a multiphase condition having a multiphase attribute of a multiphase transaction, wherein the multiphase attribute comprises an attribute that becomes known at one or more of a plurality of phases of the multiphase transaction, and the multiphase condition comprises a condition that is met at one or more of the plurality of phases;
  
  establish phase specific policies for each phase of the plurality of phases in which the multiphase attribute becomes known;
  
  evaluate the multiphase transaction according to the phase specific policies at each phase of the plurality of phases until a policy decision of the policy is determined; and
  
  establish phase specific conditions each evaluating a phase of the transaction in which the multiphase attribute becomes known;
  
  wherein the processor is configured to establish the policy byestablishing the policy including a condition having a single phase attribute, and wherein establishing the phase specific policies comprises including the single-phase condition in each phase specific policy and ordering the phase specific conditions, the multiphase condition, and the single-phase condition according to an order of the phases in which the single phase attribute and the multiphase attribute become known.
- View Dependent Claims (9, 10, 11)
- - 9. The apparatus of claim 8, wherein the processor is further configured to construct a data structure according to the phase specific policies, and determine the policy decision from the data structure.
  - 10. The apparatus of claim 9, wherein the processor is further configured to construct a decision tree.
  - 11. The apparatus of claim 8, wherein the network interface is configured to receive multiphase transactions according to a network communication protocol.

12. A non-transitory computer readable tangible storage media encoded with instructions that, when executed by a processor, cause the processor to:
- establish a policy, the policy comprising a condition having a multiphase attribute of a multiphase transaction, wherein the multiphase attribute comprises an attribute that becomes known at one or more of a plurality of phases of the multiphase transaction, and the multiphase condition comprises a condition that is met at one or more of the plurality of phases;
  
  establish phase specific policies for each phase in which the multiphase attribute becomes known;
  
  evaluate the multiphase transaction according to the phase specific policies at each phase of the plurality of phases own until a policy decision of the policy is determined; and
  
  establish phase specific conditions each evaluating a phase of the transaction in which the multiphase attribute becomes known,wherein the instructions that cause the processor to establish the policy comprise instructions that cause the processor toestablish the policy including a condition having a single phase attribute, and wherein establish the phase specific policies comprises including the single-phase condition in each phase specific policy and order the phase specific conditions, the multiphase condition, and the single-phase condition according to an order of the phases in which the single phase attribute and the multiphase attribute become known.
- View Dependent Claims (13, 14)
- - 13. The computer readable tangible storage media of claim 12, wherein the instructions further cause the processor to construct a data structure according to the phase specific policies, and determine the policy decision from the data structure.
  - 14. The computer readable tangible storage media of claim 13, wherein the instructions further cause the processor to construct a decision tree.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Cisco Technology, Inc. (Cisco Systems, Inc.)
Original Assignee
Cisco Technology, Inc. (Cisco Systems, Inc.)
Inventors
Luo, Haiyan, Shankar, Hari, Odnert, Daryl, Koduri, Niranjan
Primary Examiner(s)
Shiferaw, Eleni
Assistant Examiner(s)
GIDDINS, NELSON S

Application Number

US13/613,829
Publication Number

US 20140075497A1
Time in Patent Office

1,055 Days
Field of Search

726/1, 726/11, 726/13
US Class Current

1/1
CPC Class Codes

G06F 21/552   involving long-term monitor...

G06F 21/6218   to a system of files or obj...

H04L 63/0227   Filtering policies mail mes...

H04L 63/0281   Proxies

H04L 63/105   Multiple levels of security

Early policy evaluation of multiphase attributes in high-performance firewalls

First Claim

1 Assignment

0 Petitions

Accused Products

Abstract

Citations

14 Claims

Specification

Solutions

Use Cases

Quick Links

Early policy evaluation of multiphase attributes in high-performance firewalls

First Claim

1 Assignment

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

Citations

14 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links