Methods and systems for context-based application firewalls

US 9,160,710 B2
Filed: 12/30/2010
Issued: 10/13/2015
Est. Priority Date: 06/25/2010
Status: Active Grant

First Claim

Patent Images

1. A method comprising:

initiating a user session with a client device in a multitenant environment that stores data for multiple client entities each identified by a tenant identifier (ID) having one or more users associated with the tenant ID, wherein users of each of multiple client entities can only access data identified by a tenant ID associated with the respective client entity, and wherein the multitenant environment is provided by an entity separate from the client entities, and provides on-demand service to the client entities where resource identifiers are treated differently for different tenants, and wherein the multitenant environment can be modified on a per-tenant basis, the user session to access a remote resource on a server device coupled with the client device over a network, wherein the connection between the client device and the remote resource is through an application firewall, wherein the application firewall provides application level or higher analysis of network traffic;

performing an application firewall context setup with the firewall in response to the user session, wherein the application firewall context comprises firewall context information to be used during the user session to perform network and application security operations with the application firewall, wherein the context is shared between the application firewall and one or more web-based applications to be used by both the application firewall and the one or more web-based applications to make security evaluations and wherein the application firewall and the one or more web-based applications reside on different network layers and wherein the context information is sent between peer systems within the multitenant environment;

creating a response to provide information from the remote resource to the client device, wherein the response further comprises metadata to be used to update the firewall context information;

updating the firewall context information using the application firewall based on the metadata; and

transmitting the response to the client device.

View all claims

1 Assignment

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

Context-based application firewall functionality. A user session is initiated with a client device. The user session allows access a remote resource on a server device coupled with the client device over a network. The connection between the client device and the remote resource is through an application firewall. An application firewall context setup is performed with the application firewall in response to the user session. The application firewall context comprises firewall context information to be used during the user session to perform network and application security operations with the application firewall. A response is created to provide information from the remote resource to the client device. The response includes metadata to be used to update the firewall context information. The firewall context information is updated with the application firewall based on the metadata. The response is transmitted to the client device.

Citations

29 Claims

1. A method comprising:
- initiating a user session with a client device in a multitenant environment that stores data for multiple client entities each identified by a tenant identifier (ID) having one or more users associated with the tenant ID, wherein users of each of multiple client entities can only access data identified by a tenant ID associated with the respective client entity, and wherein the multitenant environment is provided by an entity separate from the client entities, and provides on-demand service to the client entities where resource identifiers are treated differently for different tenants, and wherein the multitenant environment can be modified on a per-tenant basis, the user session to access a remote resource on a server device coupled with the client device over a network, wherein the connection between the client device and the remote resource is through an application firewall, wherein the application firewall provides application level or higher analysis of network traffic;
  
  performing an application firewall context setup with the firewall in response to the user session, wherein the application firewall context comprises firewall context information to be used during the user session to perform network and application security operations with the application firewall, wherein the context is shared between the application firewall and one or more web-based applications to be used by both the application firewall and the one or more web-based applications to make security evaluations and wherein the application firewall and the one or more web-based applications reside on different network layers and wherein the context information is sent between peer systems within the multitenant environment;
  
  creating a response to provide information from the remote resource to the client device, wherein the response further comprises metadata to be used to update the firewall context information;
  
  updating the firewall context information using the application firewall based on the metadata; and
  
  transmitting the response to the client device.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10, 11)
- - 2. The method of claim 1 further comprising:
    - processing a reply from the client device with the firewall based on the firewall context information;
      
      transmitting the reply from the firewall to the remote resource; and
      
      processing the reply with the remote resource based on the application context information.
  - 3. The method of claim 1 wherein the multitenant environment comprises a multitenant database environment.
  - 4. The method of claim 1 further comprising performing an application context setup with the remote resource on the server device in response to the user session, the application context information to be used during the user session to perform network and application security operations with the remote resource.
  - 5. The method of claim 1 further comprising:
    - transmitting at least the response from the firewall to the client device;
      
      presenting the response to a user of the client device;
      
      receiving user-generated input from the user of the client device; and
      
      sending the reply from the client device to the firewall based on the user generated input.
  - 6. The method of claim 1 wherein the firewall context information comprises one or more of:
    - translation information, field validation information and/or request/response validation information.
  - 7. The method of claim 1 wherein the firewall context information comprises one or more of:
    - traffic policy information, user information and/or organization information.
  - 8. The method of claim 1 wherein the firewall context information comprises one or more of:
    - session information and/or score information.
  - 9. The method of claim 1 wherein the application context information comprises one or more of:
    - translation information, field validation information and/or request/response validation information.
  - 10. The method of claim 1 wherein the application context information comprises one or more of:
    - traffic policy information, user information and/or organization information.
  - 11. The method of claim 1 wherein the application context information comprises one or more of:
    - session information and/or score information.

12. An article comprising a non-transitory computer-readable medium having stored thereon instructions that, when executed by one or more processors, cause the one or more processors to:
- initiate a user session with a client device in a multitenant environment that stores data for multiple client entities each identified by a tenant identifier (ID) having one or more users associated with the tenant ID, wherein users of each of multiple client entities can only access data identified by a tenant ID associated with the respective client entity, and wherein the multitenant environment is provided by an entity separate from the client entities, and provides on-demand service to the client entities where resource identifiers are treated differently for different tenants, and wherein the multitenant environment can be modified on a per-tenant basis, the user session to access a remote resource on a server device coupled with the client device over a network, wherein the connection between the client device and the remote resource is through an application firewall, wherein the application firewall provides application level or higher analysis of network traffic;
  
  perform an application firewall context setup with the firewall in response to the user session, wherein the application firewall context comprises firewall context information to be used during the user session to perform network and application security operations with the application firewall, wherein the context is shared between the application firewall and one or more web-based applications to be used by both the application firewall and the one or more web-based applications to make security evaluations and wherein the application firewall and the one or more web-based applications reside on different network layers and wherein the context information is sent between peer systems within the multitenant environment;
  
  create a response to provide information from the remote resource to the client device, wherein the response further comprises metadata to be used to update the firewall context information;
  
  update the firewall context information using the application firewall based on the metadata; and
  
  transmit the response to the client device.
- View Dependent Claims (13, 14, 15, 16, 17, 18, 19, 20, 21, 22)
- - 13. The article of claim 12 further comprising instructions that, when executed by the one or more processors, cause the one or more processors to:
    - process a reply from the client device with the firewall based on the firewall context information;
      
      transmit the reply from the firewall to the remote resource; and
      
      process the reply with the remote resource based on the application context information.
  - 14. The article of claim 12 wherein the multitenant environment comprises a multitenant database environment.
  - 15. The article of claim 12 further comprising instructions that, when executed by the one or more processors, cause the one or more processors to perform an application context setup with the remote resource on the server device in response to the user session, the application context information to be used during the user session to perform network and application security operations with the remote resource.
  - 16. The article of claim 12 further comprising instructions that, when executed by the one or more processors, cause the one or more processors to:
    - transmit at least the response from the firewall to the client device;
      
      present the response to a user of the client device;
      
      receive user-generated input from the user of the client device; and
      
      send the reply from the client device to the firewall based on the user generated input.
  - 17. The article of claim 12 wherein the firewall context information comprises one or more of:
    - translation information, field validation information and/or request/response validation information.
  - 18. The article of claim 12 wherein the firewall context information comprises one or more of:
    - traffic policy information, user information and/or organization information.
  - 19. The article of claim 12 wherein the firewall context information comprises one or more of:
    - session information and/or score information.
  - 20. The article of claim 12 wherein the application context information comprises one or more of:
    - translation information, field validation information and/or request/response validation information.
  - 21. The article of claim 12 wherein the application context information comprises one or more of:
    - traffic policy information, user information and/or organization information.
  - 22. The article of claim 12 wherein the application context information comprises one or more of:
    - session information and/or score information.

23. A system comprising:
- one or more user systems;
  
  one or more firewalls; and
  
  one or more server systems communicatively coupled with the one or more user systems and the one or more firewalls, the server system to provide a multitenant environment where resource identifiers are treated differently for different tenants, and wherein the multitenant environment can be modified on a per-tenant basis, wherein the multitenant environment includes data for multiple client entities, each identified by a tenant identifier (ID) having one or more users associated with the tenant ID, users of each of multiple client identities can only access data identified by a tenant ID associated with the respective client entity, and the multitenant environment is at least a hosted database provided by an entity separate from the client entities, and provides on-demand database service to the client entities, the server system and the one or more firewalls further to initiate a user session with a selected user system of the one or more user systems, the user session to access a resource on the server system,wherein the connection between the user system and the server system is through a selected firewall from the one or more firewalls, to perform a firewall context setup with the selected firewall in response to the user session, wherein the context is shared between the selected firewall and one or more web-based applications to be used by both the selected firewall and the one or more web-based applications to make security evaluations and wherein the selected firewall and the one or more web-based applications reside on different network layers and wherein the selected firewall provides application level or higher analysis of network traffic and wherein the context information is sent between peer systems within the multitenant environment,wherein the firewall context comprises firewall context information to be used during the user session to perform network and application security operations with the selected firewall, to create a response with the server system, the response to provide information from the server system to the selected user system,wherein the response further comprises metadata to be used to update the firewall context information, to transmit the response with the metadata from the server system to the selected firewall, to update the firewall context information with the selected firewall based on the metadata, to process a reply from the selected user system with the selected firewall based on the firewall context information, to transmit the reply from the selected firewall to the server system, and to process the reply with the server system based on the application context information.
- View Dependent Claims (24, 25, 26, 27, 28, 29)
- - 24. The system of claim 23 wherein the firewall context information comprises one or more of:
    - translation information, field validation information and/or request/response validation information.
  - 25. The system of claim 23 wherein the firewall context information comprises one or more of:
    - traffic policy information, user information and/or organization information.
  - 26. The system of claim 23 wherein the firewall context information comprises one or more of:
    - session information and/or score information.
  - 27. The system of claim 23 wherein the application context information comprises one or more of:
    - translation information, field validation information and/or request/response validation information.
  - 28. The system of claim 23 wherein the application context information comprises one or more of:
    - traffic policy information, user information and/or organization information.
  - 29. The system of claim 23 wherein the application context information comprises one or more of:
    - session information and/or score information.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Salesforce.com, Inc.
Original Assignee
Salesforce.com, Inc.
Inventors
Gluck, Yoel
Primary Examiner(s)
Kim, Jung
Assistant Examiner(s)
NGUYEN, NGOC THACH D

Application Number

US12/982,725
Publication Number

US 20110321150A1
Time in Patent Office

1,748 Days
Field of Search

726/11, 726/12, 726/13
US Class Current

1/1
CPC Class Codes

H04L 63/0245   Filtering by information in...

H04L 63/0254   Stateful filtering

H04L 63/0263   Rule management

H04L 63/0428   wherein the data content is...

H04L 63/168   above the transport layer

Methods and systems for context-based application firewalls

First Claim

1 Assignment

0 Petitions

Accused Products

Abstract

Citations

29 Claims

Specification

Solutions

Use Cases

Quick Links

Methods and systems for context-based application firewalls

First Claim

1 Assignment

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

Citations

29 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links