Methods and systems for context-based application firewalls

US 9,407,606 B2
Filed: 10/02/2015
Issued: 08/02/2016
Est. Priority Date: 06/25/2010
Status: Active Grant

First Claim

Patent Images

1. A method comprising:

performing a context setup with an application level firewall running on a hardware computing device in response to initiation of a user session to access a remote resource, wherein the application level firewall provides application level or higher analysis of network traffic and utilizes context information shared between the application firewall and one or more web-based applications to be used during the user session to perform network and application security operations with the application firewall and at least one of the one or more web-based applications to make security evaluations;

receiving, with the application level firewall, a response to provide information from at least one web-based application to at least one client hardware computing device, wherein the response comprises at least metadata to be used to update the firewall context information;

updating the context information using the application level firewall based on the metadata; and

transmitting, with the application level firewall, the response to the client hardware computing device.

View all claims

1 Assignment

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

Context-based application firewall functionality. A user session is initiated with a client device. The user session allows access a remote resource on a server device coupled with the client device over a network. The connection between the client device and the remote resource is through an application firewall. An application firewall context setup is performed with the application firewall in response to the user session. The application firewall context comprises firewall context information to be used during the user session to perform network and application security operations with the application firewall. A response is created to provide information from the remote resource to the client device. The response includes metadata to be used to update the firewall context information. The firewall context information is updated with the application firewall based on the metadata. The response is transmitted to the client device.

129 Citations

26 Claims

1. A method comprising:
- performing a context setup with an application level firewall running on a hardware computing device in response to initiation of a user session to access a remote resource, wherein the application level firewall provides application level or higher analysis of network traffic and utilizes context information shared between the application firewall and one or more web-based applications to be used during the user session to perform network and application security operations with the application firewall and at least one of the one or more web-based applications to make security evaluations;
  
  receiving, with the application level firewall, a response to provide information from at least one web-based application to at least one client hardware computing device, wherein the response comprises at least metadata to be used to update the firewall context information;
  
  updating the context information using the application level firewall based on the metadata; and
  
  transmitting, with the application level firewall, the response to the client hardware computing device.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9)
- - 2. The method of claim 1, wherein the remote resource comprises a resource that is available in a multitenant environment.
  - 3. The method of claim 2 wherein the multitenant environment comprises a multitenant database environment that stores data for multiple client entities each identified by a tenant identifier (ID) having one or more users associated with the tenant ID, wherein users of each of multiple client entities can only access data identified by a tenant ID associated with the respective client entity, and wherein the multitenant database is a hosted database provided by an entity separate from the client entities, and provides on-demand database service to the client entities.
  - 4. The method of claim 1 wherein the firewall context information comprises one or more of:
    - translation information, field validation information and/or request/response validation information.
  - 5. The method of claim 1 wherein the firewall context information comprises one or more of:
    - traffic policy information, user information and/or organization information.
  - 6. The method of claim 1 wherein the firewall context information comprises one or more of:
    - session information and/or score information.
  - 7. The method of claim 1 wherein the application context information comprises one or more of:
    - translation information, field validation information and/or request/response validation information.
  - 8. The method of claim 1 wherein the application context information comprises one or more of:
    - traffic policy information, user information and/or organization information.
  - 9. The method of claim 1 wherein the application context information comprises one or more of:
    - session information and/or score information.

10. An article comprising a non-transitory computer-readable medium having stored thereon instructions that, when executed by one or more processors, cause the one or more processors to:
- perform a context setup with an application level firewall running on a hardware computing device in response to initiation of a user session to access a remote resource, wherein the application level firewall provides application level or higher analysis of network traffic and utilizes context information shared between the application firewall and one or more web-based applications to be used during the user session to perform network and application security operations with the application firewall and at least one of the one or more web-based applications to make security evaluations;
  
  receive, with the application level firewall, a response to provide information from at least one web-based application to at least one client hardware computing device, wherein the response comprises at least metadata to be used to update the firewall context information;
  
  update the context information using the application level firewall based on the metadata; and
  
  transmit, with the application level firewall, the response to the client hardware computing device.
- View Dependent Claims (11, 12, 13, 14, 15, 16, 17, 18, 19)
- - 11. The article of claim 10, wherein the remote resource comprises a resource that is available in a multitenant environment.
  - 12. The article of claim 11 wherein the multitenant environment comprises a multitenant database environment that stores data for multiple client entities each identified by a tenant identifier (ID) having one or more users associated with the tenant ID, wherein users of each of multiple client entities can only access data identified by a tenant ID associated with the respective client entity, and wherein the multitenant database is a hosted database provided by an entity separate from the client entities, and provides on-demand database service to the client entities.
  - 13. The article of claim 10 further comprising instructions that, when executed by the one or more processors, cause the one or more processors to perform an application context setup with the remote resource on the server device in response to the user session, the application context information to be used during the user session to perform network and application security operations with the remote resource.
  - 14. The article of claim 10 wherein the firewall context information comprises one or more of:
    - translation information, field validation information and/or request/response validation information.
  - 15. The article of claim 10 wherein the firewall context information comprises one or more of:
    - traffic policy information, user information and/or organization information.
  - 16. The article of claim 10 wherein the firewall context information comprises one or more of:
    - session information and/or score information.
  - 17. The article of claim 10 wherein the application context information comprises one or more of:
    - translation information, field validation information and/or request/response validation information.
  - 18. The article of claim 10 wherein the application context information comprises one or more of:
    - traffic policy information, user information and/or organization information.
  - 19. The article of claim 10 wherein the application context information comprises one or more of:
    - session information and/or score information.

20. A system comprising:
- one or more application level firewalls; and
  
  one or more server hardware computing systems communicatively coupled with the one or more remote user hardware computing systems and the one or more application level firewalls, the server systems to perform a context setup with an application level firewall running on a hardware computing device in response to initiation of a user session, wherein the application level firewall provides application level or higher analysis of network traffic and utilizes context information shared between the application firewall and one or more web-based applications to be used during the user session to perform network and application security operations with the application firewall and at least one of the one or more web-based applications to make security evaluations, to receive, with the application level firewall, a response to provide information from at least one web-based application to at least one client hardware computing device, wherein the response comprises at least metadata to be used to update the firewall context information, to update the context information using the application level firewall based on the metadata, and to transmit, with the application level firewall, the response to the client hardware computing device.
- View Dependent Claims (21, 22, 23, 24, 25, 26)
- - 21. The system of claim 20 wherein the firewall context information comprises one or more of:
    - translation information, field validation information and/or request/response validation information.
  - 22. The system of claim 20 wherein the firewall context information comprises one or more of:
    - traffic policy information, user information and/or organization information.
  - 23. The system of claim 20 wherein the firewall context information comprises one or more of:
    - session information and/or score information.
  - 24. The system of claim 20 wherein the application context information comprises one or more of:
    - translation information, field validation information and/or request/response validation information.
  - 25. The system of claim 20 wherein the application context information comprises one or more of:
    - traffic policy information, user information and/or organization information.
  - 26. The system of claim 25 wherein the application context information comprises one or more of:
    - session information and/or score information.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Salesforce.com, Inc.
Original Assignee
Salesforce.com, Inc.
Inventors
Gluck, Yoel
Primary Examiner(s)
Leung, Robert
Assistant Examiner(s)
NGUYEN, NGOC THACH D

Application Number

US14/874,225
Publication Number

US 20160028692A1
Time in Patent Office

305 Days
Field of Search
US Class Current

1/1
CPC Class Codes

H04L 63/0245   Filtering by information in...

H04L 63/0254   Stateful filtering

H04L 63/0263   Rule management

H04L 63/0428   wherein the data content is...

H04L 63/168   above the transport layer

Methods and systems for context-based application firewalls

First Claim

1 Assignment

0 Petitions

Accused Products

Abstract

129 Citations

26 Claims

Specification

Solutions

Use Cases

Quick Links

Methods and systems for context-based application firewalls

First Claim

1 Assignment

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

129 Citations

26 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links