Method for providing authoritative application-based routing and an improved application firewall
First Claim
1. A method for providing an improved application firewall, the method comprising the steps of:
receiving, at one or more first computing devices, from a second computing device, a hash of an application requesting network access, along with associated information associated with the second computing device executing the application;
determining, at the one or more first computing devices, an application identifier for the application using the received hash and the received associated information;
communicating, at the one or more first computing devices, the application identifier to the second computing device and to a third computing device executing the firewall, to increase efficiency in the validation and lookup processes of the firewall by correlating multiple disparate flows originating from the second computing device to a single application executing thereon, identified by a given application identifier tagged to a given packet, wherein, for each packet having a given application identifier received at the firewall, the third computing device executing the firewall:
references a network information database with the received application identifier to limit a comparison, by a policy engine associated with the firewall, of the received packet to a reduced set of application network behavior information out of a plurality of application network behavior information stored on the network information database, wherein a set of application network behavior information collectively defines normal or abnormal traffic associated with a given application; and
signals termination of the received packet or further inspection of the received packet if the referenced one or more behavior information associated with the received application identifier match one or more abnormal flow patterns.
Abstract
A method for providing authoritative application-based routing and an improved application firewall, as well as a method for application classification, is described. The first embodiment, which provides a method for authoritative application-based routing, comprises tagging packets with an application identifier and pushing the tagged packets to the network so that the application identifier can be used in routing and priority decisions. In the second embodiment, a method for improving an application firewall comprises using the application identifier to minimize the amount of processing the firewall requires when analyzing packet information.
15 Claims (97 citations)
1. As set out under First Claim above. Claims 2 through 9 depend on claim 1.
10. An apparatus comprising:
a network interface;
a processor operatively coupled to the network interface; and
a memory having instructions stored thereon, wherein the instructions, when executed by the processor, cause the processor to:
reference, with a tag embedded within a packet received at the network interface, a network information database and limit a comparison, by a policy engine associated with the apparatus, of the received packet to a reduced set of application network behavior information out of a plurality of application network behavior information stored on the network information database, wherein a set of application network behavior information collectively defines normal or abnormal traffic associated with a given application; and
signal termination of the received packet or further inspection of the received packet if the referenced one or more behavior information associated with the received tag match one or more abnormal flow patterns;
wherein the received tag embedded within the packet is referenced to a plurality of tags, each of the plurality of tags being associated with an application executing on a given computing device having originated the packet, the application having been determined by a correlation of multiple disparate flows originating from the computing device using i) a hash of the application and ii) associated information associated with the computing device.
Claims 11 through 15 depend on claim 10.
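The exchange that claim 1 and claim 10 describe, as an added example that is not code from the patent: an endpoint hashes the application requesting network access, an identifier service maps the hash plus device information to an application identifier, the endpoint tags its packets with that identifier, and the firewall uses the tag to consult only that application's behavior profile before deciding whether to allow, terminate or further inspect the packet. The application names, hash inputs, host identifiers, behavior profiles and the "name@host" tag format are all constructed for this example; the patent does not specify them. The example also assumes the firewall trusts the tag as received, since the page does not describe how a tag is protected from a host that forges it.

```python
# Added example, not code from the patent: a toy simulation of the
# application-identifier firewall described in the abstract and claims.
# All hashes, application names, host identifiers and behavior profiles are
# constructed sample data; the "name@host" tag format is an assumption.
import hashlib
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# Identifier service ("first computing device"): registry of known application
# hashes. The byte strings stand in for real application binaries.
KNOWN_APP_HASHES = {
    hashlib.sha256(b"constructed ssh client binary").hexdigest(): "ssh-client",
    hashlib.sha256(b"constructed web browser binary").hexdigest(): "web-browser",
}

# Network information database: normal and abnormal flows per application,
# keyed by application name. Constructed sample profiles.
BEHAVIOR_DB = {
    "ssh-client": {"normal": {("tcp", 22)},
                   "abnormal": {("tcp", 4444), ("udp", 53)}},
    "web-browser": {"normal": {("tcp", 80), ("tcp", 443)},
                    "abnormal": {("tcp", 22), ("tcp", 4444)}},
}


def hash_application(binary: bytes) -> str:
    """Endpoint ("second computing device"): hash the application image."""
    return hashlib.sha256(binary).hexdigest()


def assign_app_id(app_hash: str, device_info: dict) -> Optional[str]:
    """Identifier service: map (hash, device info) to an application identifier.
    Scoping the identifier by host lets the firewall correlate every flow from
    one running application on one device to a single tag. Returns None when
    the hash is unknown."""
    name = KNOWN_APP_HASHES.get(app_hash)
    if name is None:
        return None
    return f"{name}@{device_info['host_id']}"


@dataclass
class Packet:
    app_id: Optional[str]   # tag embedded by the endpoint; None when untagged
    proto: str
    dst_port: int


def correlate_flows(packets: List[Packet]) -> Dict[Optional[str], list]:
    """Group flows by tag: packets from one application on one device share a
    tag, so disparate flows collapse to a single key."""
    grouped: Dict[Optional[str], list] = {}
    for p in packets:
        grouped.setdefault(p.app_id, []).append((p.proto, p.dst_port))
    return grouped


def policy_decision(pkt: Packet) -> Tuple[str, int]:
    """Firewall ("third computing device"): return (decision, profiles_compared).
    A valid tag narrows the policy engine's comparison to one profile; an
    untagged packet or an unknown tag falls back to full inspection against
    every profile. Assumption: the tag is trusted as received."""
    if pkt.app_id is None:
        return "inspect", len(BEHAVIOR_DB)
    profile = BEHAVIOR_DB.get(pkt.app_id.split("@", 1)[0])
    if profile is None:
        return "inspect", len(BEHAVIOR_DB)
    flow = (pkt.proto, pkt.dst_port)
    if flow in profile["abnormal"]:
        return "terminate", 1          # matches an abnormal flow pattern
    if flow in profile["normal"]:
        return "allow", 1
    return "inspect", 1                # neither known-normal nor known-abnormal


def handle_request(binary: bytes, device_info: dict,
                   proto: str, dst_port: int) -> Tuple[str, int]:
    """Whole exchange: hash, identifier assignment, tagging, firewall decision."""
    app_id = assign_app_id(hash_application(binary), device_info)
    return policy_decision(Packet(app_id, proto, dst_port))


if __name__ == "__main__":
    host = {"host_id": "host-a", "os": "linux"}
    print(handle_request(b"constructed ssh client binary", host, "tcp", 22))
    print(handle_request(b"constructed ssh client binary", host, "tcp", 4444))
    print(handle_request(b"constructed unknown binary", host, "tcp", 443))
```

The second element of each result is the number of profiles the policy engine had to consult: one when the tag resolves, the whole database when it does not, which is the lookup reduction the claims describe.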
Specification