Computerized system and method for advanced network content processing

US 9,253,155 B2
Filed: 12/29/2014
Issued: 02/02/2016
Est. Priority Date: 01/13/2006
Status: Active Grant

First Claim

Patent Images

1. A computer-implemented method comprising:

receiving a plurality of packets at a first interface of a firewall device;

identifying, by the firewall device, a first transmission protocol according to which network content distributed among a first subset of packets of the plurality of packets is formatted;

redirecting, by the firewall device, the first subset of packets to a first proxy module executing on the firewall device based on the identified first transmission protocol;

extracting the network content from the first subset of packets and buffering at least a portion of the network content by the first proxy module;

processing, by the first proxy module, the buffered portion of the network content in accordance with at least one content processing rule selected from a plurality of content processing rules based on the identified first transmission protocol, wherein the plurality of content processing rules includes one or more content filtering rules;

identifying, by the firewall device, a second transmission protocol, distinct from the first transmission protocol, according to which network content distributed among a second subset of packets of the plurality of packets is formatted; and

redirecting, by the firewall device, the second subset of packets to a second proxy module executing on the firewall device based on the identified second transmission protocol.

View all claims

0 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

A computerized system and method for processing network content in accordance with at least one content processing rule is provided. According to one embodiment, the network content is received at a first interface. A transmission protocol according to which the received network content is formatted is identified and used to intercept at least a portion of the received network content. The intercepted portion of the network content is redirected to a proxy, which buffers the redirected portion of network content. The buffered network content is scanned in accordance with a scanning criterion and processed in accordance with the at least one content processing rule based on the result of the scanning. The processed portion of network content may be forwarded using a second interface.

53 Citations

View as Search Results

19 Claims

1. A computer-implemented method comprising:
- receiving a plurality of packets at a first interface of a firewall device;
  
  identifying, by the firewall device, a first transmission protocol according to which network content distributed among a first subset of packets of the plurality of packets is formatted;
  
  redirecting, by the firewall device, the first subset of packets to a first proxy module executing on the firewall device based on the identified first transmission protocol;
  
  extracting the network content from the first subset of packets and buffering at least a portion of the network content by the first proxy module;
  
  processing, by the first proxy module, the buffered portion of the network content in accordance with at least one content processing rule selected from a plurality of content processing rules based on the identified first transmission protocol, wherein the plurality of content processing rules includes one or more content filtering rules;
  
  identifying, by the firewall device, a second transmission protocol, distinct from the first transmission protocol, according to which network content distributed among a second subset of packets of the plurality of packets is formatted; and
  
  redirecting, by the firewall device, the second subset of packets to a second proxy module executing on the firewall device based on the identified second transmission protocol.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9)
- - 2. The computer-implemented method of claim 1, wherein said processing the buffered portion of the network content comprises filtering the buffered portion of the network content.
  - 3. The computer-implemented method of claim 1, further comprising selecting, by the first proxy module, an additional content processing rule from the plurality of content processing rules based on traffic selectors associated with the network content.
  - 4. The computer-implemented method of claim 1, further comprising forwarding the processed portion of the network content to a destination through a second interface of the firewall device.
  - 5. The computer-implemented method of claim 4, wherein at least one of the first and second interfaces are networking interfaces selected from a group consisting of a Virtual Local Area Network (VLAN) interface, a Point-to-Point Protocol over Ethernet (PPPoE) interface and an Internet Protocol Security (IPsec) tunnel interface.
  - 6. The computer-implemented method of claim 1, wherein the first transmission protocol comprises an (IM) protocol type, a peer-to-peer protocol type, an e-mail protocol type, a web browsing protocol type, a file sharing protocol type or a network news protocol type.
  - 7. The computer-implemented method of claim 6, wherein the second transmission protocol is Simple Mail Transfer Protocol (SMTP), Post Office Protocol (POP), Internet Message Access Protocol (IMAP), Hypertext Transfer Protocol (HTTP), File Transfer Protocol (FTP) or telnet protocol.
  - 8. The computer-implemented method of claim 1, wherein said processing the buffered portion of the network content comprises performing anti-malware scanning of the buffered portion of the network content.
  - 9. The computer-implemented method of claim 1, wherein said processing the buffered portion of the network content comprises one or more of filtering banned words, blocking specific Uniform Resource Locators (URLs) and blocking transmission of specific file types.

10. A firewall device comprising:
- a first physical interface operable to receive a plurality of packets formatted in accordance with a plurality of transmission protocols;
  
  a first proxy module and a second proxy module, each executing on the firewall device and coupled in communication with the first physical interface; and
  
  a networking subsystem, coupled in communication with the first proxy module and the second proxy module, operable to;
  
  identify a first transmission protocol of the plurality of transmission protocols according to which network content distributed among a first subset of packets of the plurality of packets is formatted,redirect the first subset of packets to the first proxy module based on the identified first transmission protocol;
  
  identify a second transmission protocol, distinct from the first transmission protocol, according to which network content distributed among a second subset of packets of the plurality of packets is formatted;
  
  redirect the second subset of packets to the second proxy module based on the identified second transmission protocol;
  
  wherein the first proxy module is configured to extract the network content from the first subset of packets, buffer at least a portion of the network content, and process the buffered portion of the network content in accordance with the at least one content processing rule selected from a plurality of content processing rules including one or more content filtering rules based on the identified transmission protocol.
- View Dependent Claims (11, 12, 13, 14, 15, 16, 17)
- - 11. The firewall device of claim 10, wherein the first proxy module is operable to scan the buffered portion of the network content in accordance with at least one scanning criterion.
  - 12. The firewall device of claim 10, wherein the first proxy module further comprises:
    - a first proxy buffering engine operable to buffer the portion of the network content;
      
      at least one scanning engine operable to process the buffered portion of the network content in accordance with the at least one content processing rule; and
      
      a proxy forwarding engine operable to forward the processed portion of the network content to a second physical interface of the firewall device.
  - 13. The firewall device of claim 10, further comprising a rule server operable to provide the at least one content processing rule to the proxy module via a network.
  - 14. The firewall device of claim 10, further comprising a second physical interface operable to forward the processed portion of the network content to a destination.
  - 15. The firewall device of claim 10, wherein the first transmission protocol comprises an (IM) protocol type, a peer-to-peer protocol type, an e-mail protocol type, a web browsing protocol type, or a file sharing protocol type.
  - 16. The firewall device of claim 15, wherein the second transmission protocol comprises Simple Mail Transfer Protocol (SMTP), Post Office Protocol (POP), Internet Message Access Protocol (IMAP), Hypertext Transfer Protocol (HTTP), File Transfer Protocol (FTP) or telnet protocol.
  - 17. The firewall device of claim 10, wherein the first proxy module is operable to filter the buffered portion of the network content.

18. A non-transitory computer-readable storage medium embodying one or more sequences of instructions, which when executed by one or more processors of a firewall device, causes the one or more processors to perform a method comprising:
- receiving a plurality of packets at a first interface of a firewall device;
  
  identifying a first transmission protocol according to which network content distributed among a first subset of packets of the plurality of packets is formatted;
  
  redirecting the first subset of packets to a first proxy module executing on the firewall device based on the identified first transmission protocol;
  
  extracting the network content from the first subset of packets and buffering at least a portion of the network content by the first proxy module;
  
  processing, by the first proxy module, the buffered portion of the network content in accordance with at least one content processing rule selected from a plurality of content processing rules based on the identified first transmission protocol, wherein the plurality of content processing rules includes one or more content filtering rules;
  
  identifying a second transmission protocol, distinct from the first transmission protocol, according to which network content distributed among a second subset of packets of the plurality of packets is formatted; and
  
  redirecting the second subset of packets to a second proxy module executing on the firewall device based on the identified second transmission protocol.
- View Dependent Claims (19)
- - 19. The non-transitory computer-readable storage medium of claim 18, wherein at least said identifying a first transmission protocol and said redirecting the first subset of packets to a first proxy module are performed within a kernel of an operating system of the firewall device.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Fortinet Inc.
Original Assignee
Fortinet Inc.
Inventors
Krywaniuk, Andrew
Primary Examiner(s)
Mehedi, Morshed

Application Number

US14/584,396
Publication Number

US 20150113630A1
Time in Patent Office

400 Days
Field of Search

726/11
US Class Current

1/1
CPC Class Codes

H04L 51/00   User-to-user messaging in p...

H04L 63/02   for separating internal fro...

H04L 63/0245   Filtering by information in...

H04L 63/0254   Stateful filtering

H04L 63/0263   Rule management

H04L 63/0272   Virtual private networks

H04L 63/0281   Proxies

H04L 63/1441   Countermeasures against mal...

H04L 63/145   the attack involving the pr...

H04L 63/20   for managing network securi...

Computerized system and method for advanced network content processing

First Claim

0 Assignments

0 Petitions

Accused Products

Abstract

53 Citations

19 Claims

Specification

Solutions

Use Cases

Quick Links

Computerized system and method for advanced network content processing

First Claim

0 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

53 Citations

19 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links