System and method for limiting data leakage in an application firewall
First Claim
1. A firewall system for determining whether to allow a connection between a first computer and a second computer, comprising:
a receiver, operable configured to receive data from one of the first computer or the second computer and transfer the data into a buffer; and
a connection state engine, operable configured to:
record connection state information responsive to receipt of an acknowledgement by the second computer of a connection request from the first computer, wherein the connection state information comprises portions of packets received and sent during creation of the connection;
establish the connection between the first computer and the second computer via the firewall system;
read the data from the buffer;
apply a security policy to the data;
promote a message containing the data to a proxy, responsive to applying the security policy to the data and determining that additional review of the data is required;
change the connection from a direct connection via the firewall to a proxy connection via the proxy, responsive to the promoted message; and
determine whether to deny use of the connection responsive to the data in the buffer without forwarding the data.
Abstract
System and methods for connection processing with limited data leakage. The system records state associated with a connection request in a connection state engine, records state associated with a connection acknowledgement in the connection state engine, stores data sent after the connection acknowledgement in a buffer and determines, without a proxy, whether to allow or deny a connection as a function of the data stored in the buffer.
20 Claims
1. A firewall system for determining whether to allow a connection between a first computer and a second computer (independent claim; full text as given under First Claim above). Dependent claims: 2, 3, 4, 5, 6, 7, 8.

9. A method of determining whether to deny use of a connection between a first computer and a second computer, comprising:
receiving a connection request acknowledgement from the second computer responsive to a connection request from the first computer;
recording connection state information associated with the connection request acknowledgement, wherein the connection state information comprises portions of packets received and sent during creation of the connection;
establishing the connection between the first computer and the second computer via a firewall;
receiving data from one of the first computer or the second computer;
transferring the data into a buffer of the firewall;
applying a security policy to the data;
promoting a message containing the data to a proxy, responsive to applying the security policy to the data and determining that additional review of the data is required;
changing the connection from a direct connection via the firewall to a proxy connection via the proxy, responsive to the promoted message; and
determining whether to deny use of the connection responsive to the data stored in the buffer, without forwarding the data stored in the buffer.
Dependent claims: 10, 11, 12, 13.

14. A non-transitory machine readable medium, on which are stored instructions for applying a security policy to a connection between a first computer and a second computer, comprising instructions that when executed cause a machine to:
record connection state information responsive to receipt of an acknowledgement by the second computer of a connection request by the first computer, wherein the connection state information comprises portions of packets received and sent during creation of the connection;
establish the connection between the first computer and the second computer via a firewall;
receive data from one of the first computer or the second computer and transfer the data into a buffer of the firewall;
read the data from the buffer;
apply the security policy to the data;
promote a message containing the data to a proxy, responsive to applying the security policy to the data and determining that additional review of the data is required;
change the connection from a direct connection via the firewall to a proxy connection via the proxy, responsive to the promoted message; and
determine whether to deny use of the connection responsive to the data in the buffer without forwarding the data in the buffer.
Dependent claims: 15, 16, 17, 18, 19, 20.
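The flow the abstract and claims describe (record handshake state, hold the first application data in a buffer, apply a policy, then allow the direct connection, deny it without forwarding a byte, or promote the buffered message to a proxy) as an added illustrative model in Python; this is not code from the patent or its assignee. The HTTP-based policy rules, the wait for a complete request line, and the connection table keyed by client/server endpoint are assumptions made for the illustration.

```python
from dataclasses import dataclass, field
from enum import Enum

class Verdict(Enum):
    ALLOW = "allow"      # forward the buffer, continue as a direct connection
    DENY = "deny"        # close; buffered bytes are never forwarded to the peer
    PROMOTE = "promote"  # hand the buffered data to a proxy for additional review

@dataclass
class Conn:
    handshake: list = field(default_factory=list)  # recorded SYN / SYN-ACK portions
    buffer: bytearray = field(default_factory=bytearray)
    mode: str = "buffering"  # buffering | direct | proxy | denied
    forwarded: bytes = b""   # what the peer actually received through the firewall
    proxied: bytes = b""     # message promoted to the proxy

def policy(data: bytes) -> Verdict:
    # Constructed sample policy (hypothetical rules, not from the patent): traffic that
    # is not HTTP is denied, POSTs are promoted for body review, other HTTP is allowed.
    line = data.split(b"\r\n", 1)[0]
    if not line.endswith((b" HTTP/1.0", b" HTTP/1.1")):
        return Verdict.DENY
    return Verdict.PROMOTE if line.startswith(b"POST ") else Verdict.ALLOW

class ConnectionStateEngine:
    def __init__(self):
        self.table = {}  # (client, server) -> Conn; endpoint-pair key is an assumption
    def on_syn(self, client, server, seq):
        self.table[(client, server)] = Conn(handshake=[("SYN", client, seq)])
    def on_syn_ack(self, client, server, seq, ack):
        # Server acknowledged the request: state recorded, connection exists, no data forwarded
        self.table[(client, server)].handshake.append(("SYN-ACK", server, seq, ack))
    def on_data(self, client, server, payload: bytes) -> Conn:
        conn = self.table[(client, server)]
        if conn.mode == "buffering":
            conn.buffer += payload
            if b"\r\n" not in conn.buffer:  # hold until a full request line is present
                return conn
            verdict = policy(bytes(conn.buffer))
            conn.mode = {Verdict.ALLOW: "direct", Verdict.PROMOTE: "proxy",
                         Verdict.DENY: "denied"}[verdict]
            if verdict is Verdict.ALLOW:
                conn.forwarded = bytes(conn.buffer)
            elif verdict is Verdict.PROMOTE:
                conn.proxied = bytes(conn.buffer)
        elif conn.mode == "direct":
            conn.forwarded += payload  # passthrough once the direct connection is allowed
        elif conn.mode == "proxy":
            conn.proxied += payload  # proxy continues to review this connection
        return conn
```

On a deny the connection's `forwarded` field stays empty, which is the property the title refers to: the policy decision is made on buffered data that the far end never sees.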