Early policy evaluation of multiphase attributes in high-performance firewalls

US 9,306,955 B2
Filed: 06/29/2015
Issued: 04/05/2016
Est. Priority Date: 09/13/2012
Status: Active Grant

First Claim

Patent Images

1. A method comprising:

establishing a policy at a network device, the policy comprising a multiphase condition having a multiphase attribute of a multiphase transaction, wherein the multiphase attribute comprises an attribute that becomes known at one or more of a plurality of phases of the multiphase transaction, and the multiphase condition comprises a condition that is met at one or more of the plurality of phases;

establishing phase specific policies for each phase of the plurality of phases in which the multiphase attribute becomes known, wherein the phase specific policies include phase specific conditions which correspond to phases of the plurality of phases in which the multiphase attribute becomes known, wherein establishing the phase specific policies comprises ordering the phase specific conditions according to an order of the plurality of phases in which the multiphase attribute becomes known;

evaluating the multiphase transaction at the network device according to the phase specific policies until a policy decision of the policy is determined, the policy decision including a decision to either allow or deny traffic, andapplying the policy to the traffic.

View all claims

0 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

A policy is established comprising a condition having a multiphase attribute of a multiphase transaction. Phase specific policies are established for each phase in which the multiphase attribute may become known. The multiphase transaction is evaluated according to the phase specific policies at each phase of the multiphase transaction in which the multiphase attribute may become known until a policy decision of the policy is determined.

Citations

20 Claims

1. A method comprising:
- establishing a policy at a network device, the policy comprising a multiphase condition having a multiphase attribute of a multiphase transaction, wherein the multiphase attribute comprises an attribute that becomes known at one or more of a plurality of phases of the multiphase transaction, and the multiphase condition comprises a condition that is met at one or more of the plurality of phases;
  
  establishing phase specific policies for each phase of the plurality of phases in which the multiphase attribute becomes known, wherein the phase specific policies include phase specific conditions which correspond to phases of the plurality of phases in which the multiphase attribute becomes known, wherein establishing the phase specific policies comprises ordering the phase specific conditions according to an order of the plurality of phases in which the multiphase attribute becomes known;
  
  evaluating the multiphase transaction at the network device according to the phase specific policies until a policy decision of the policy is determined, the policy decision including a decision to either allow or deny traffic, andapplying the policy to the traffic.
- View Dependent Claims (2, 3, 4, 5, 6, 7)
- - 2. The method of claim 1, wherein establishing the phase specific policies comprises ordering the phase specific conditions and multiphase condition according to the phases of the transaction.
  - 3. The method of claim 2, wherein the policy further comprises a single phase condition having a single phase attribute, and wherein establishing the phase specific policies comprises including the single phase condition in each phase specific policy and ordering the phase specific conditions, the multiphase condition and the single phase condition according to an order of the plurality of phases in which the multiphase attribute becomes known and a phase in which the single phase attribute becomes known.
  - 4. The method of claim 1, wherein evaluating comprises constructing a data structure according to the phase specific policies, and determining the policy decision from the data structure.
  - 5. The method of claim 4, wherein constructing the data structure comprises constructing a decision tree.
  - 6. The method of claim 4, wherein constructing the data structure comprises constructing one of a binary decision diagram or a ternary decision diagram.
  - 7. The method of claim 1, wherein the phases of the multiphase transaction comprise messages sent according to a network communication protocol.

8. An apparatus comprising:
- a memory;
  
  a network interface unit configured to enable network communications; and
  
  a processor coupled to the memory and the network interface unit, wherein the processor is configured to;
  
  establish a policy comprising a multiphase condition having a multiphase attribute of a multiphase transaction, wherein the multiphase attribute comprises an attribute that becomes known at one or more of a plurality of phases of the multiphase transaction, and the multiphase condition comprises a condition that is met at one or more of the plurality of phases;
  
  establish phase specific policies for each phase of the plurality of phases in which the multiphase attribute becomes known, wherein the phase specific policies include phase specific conditions which correspond to phases of the plurality of phases in which the multiphase attribute becomes known, wherein the processor establishes the phase specific policies by ordering the phase specific conditions according to an order of the plurality of phases in which the multiphase attribute becomes known;
  
  evaluate the multiphase transaction according to the phase specific policies until a policy decision of the policy is determined, the policy decision including a decision to either allow or deny traffic, andapply the policy to the traffic.
- View Dependent Claims (9, 10, 11, 12, 13, 14)
- - 9. The apparatus of claim 8, wherein the processor is further configured to establish the phase specific policies by ordering the phase specific conditions and multiphase condition according to the phases of the transaction.
  - 10. The apparatus of claim 9, wherein the policy further comprises a single phase condition having a single phase attribute, and the processor is further configured to establish the phase specific policies by including the single phase condition in each phase specific policy and order the phase specific conditions, the multiphase condition and the single phase condition according to an order of the plurality of phases in which the multiphase attribute becomes known and a phase in which the single phase attribute becomes known.
  - 11. The apparatus of claim 8, wherein the processor is further configured to evaluate the multiphase transaction by constructing a data structure according to the phase specific policies, and determining the policy decision from the data structure.
  - 12. The apparatus of claim 11, wherein the processor is configured to construct the data structure by constructing a decision tree.
  - 13. The apparatus of claim 11, wherein the processor is configured to construct the data structure by constructing one of a binary decision diagram or a ternary decision diagram.
  - 14. The apparatus of claim 8, wherein the phases of the multiphase transaction comprise messages sent according to a network communication protocol.

15. A non-transitory computer readable tangible storage media encoded with instructions that, when executed by a processor, cause the processor to:
- establish a policy comprising a multiphase condition having a multiphase attribute of a multiphase transaction, wherein the multiphase attribute comprises an attribute that becomes known at one or more of a plurality of phases of the multiphase transaction, and the multiphase condition comprises a condition that is met at one or more of the plurality of phases;
  
  establish phase specific policies for each phase of the plurality of phases in which the multiphase attribute becomes known, wherein the phase specific policies include phase specific conditions which correspond to phases of the plurality of phases in which the multiphase attribute becomes known, and wherein the instructions cause the processor to establish the phase specific policies by ordering the phase specific conditions according to an order of the plurality of phases in which the multiphase attribute becomes known;
  
  evaluate the multiphase transaction according to the phase specific policies until a policy decision of the policy is determined, the policy decision including a decision to either allow or deny traffic, andapply the policy to the traffic.
- View Dependent Claims (16, 17, 18, 19, 20)
- - 16. The computer readable storage media of claim 15, wherein the instructions cause the processor to establish the phase specific policies by ordering the phase specific conditions and multiphase condition according to the phases of the transaction.
  - 17. The computer readable storage media of claim 16, wherein the policy further comprises a single phase condition having a single phase attribute, and wherein the instructions cause the processor to establish the phase specific policies by including the single phase condition in each phase specific policy and ordering the phase specific conditions, the multiphase condition and the single phase condition according to an order of the plurality of phases in which the multiphase attribute becomes known and a phase in which the single phase attribute becomes known.
  - 18. The computer readable storage media of claim 15, wherein the instructions cause the processor to evaluate the multiphase transaction by constructing a data structure according to the phase specific policies, and determining the policy decision from the data structure.
  - 19. The computer readable storage media of claim 18, wherein the instructions cause the processor to construct the data structure by constructing one of a decision tree, a binary decision diagram or a ternary decision diagram.
  - 20. The computer readable storage media of claim 15, wherein the phases of the multiphase transaction comprise messages sent according to a network communication protocol.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Cisco Technology, Inc. (Cisco Systems, Inc.)
Original Assignee
Cisco Technology, Inc. (Cisco Systems, Inc.)
Inventors
Luo, Haiyan, Shankar, Hari, Odnert, Daryl, Koduri, Niranjan
Primary Examiner(s)
Shiferaw, Eleni
Assistant Examiner(s)
GIDDINS, NELSON S

Application Number

US14/753,743
Publication Number

US 20150304340A1
Time in Patent Office

281 Days
Field of Search
US Class Current

1/1
CPC Class Codes

G06F 21/552   involving long-term monitor...

G06F 21/6218   to a system of files or obj...

H04L 63/0227   Filtering policies mail mes...

H04L 63/0281   Proxies

H04L 63/105   Multiple levels of security

Early policy evaluation of multiphase attributes in high-performance firewalls

First Claim

0 Assignments

0 Petitions

Accused Products

Abstract

Citations

20 Claims

Specification

Solutions

Use Cases

Quick Links

Early policy evaluation of multiphase attributes in high-performance firewalls

First Claim

0 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

Citations

20 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links