System and method for limiting data leakage in an application firewall

US 9,762,539 B2
Filed: 10/26/2015
Issued: 09/12/2017
Est. Priority Date: 06/15/2011
Status: Active Grant

First Claim

Patent Images

1. A firewall system for determining whether to allow a connection between a first computer and a second computer, comprising:

a receiver, operable configured to receive data from one of the first computer or the second computer and transfer the data into a buffer; and

a connection state engine, operable configured to;

record connection state information responsive to receipt of an acknowledgement by the second computer of a connection request from the first computer, wherein the connection state information comprises portions of packets received and sent during creation of the connection;

establish the connection between the first computer and the second computer via the firewall system;

read the data from the buffer;

apply a security policy to the data;

promote a message containing the data to a proxy, responsive to applying the security policy to the data and determining that additional review of the data is required;

change the connection from a direct connection via the firewall to a proxy connection via the proxy, responsive to the promoted message; and

determine whether to deny use of the connection responsive to the data in the buffer without forwarding the data.

View all claims

9 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

System and methods for connection processing with limited data leakage. The system records state associated with a connection request in a connection state engine, records state associated with a connection acknowledgement in the connection state engine, stores data sent after the connection acknowledgement in a buffer and determines, without a proxy, whether to allow or deny a connection as a function of the data stored in the buffer.

Citations

20 Claims

1. A firewall system for determining whether to allow a connection between a first computer and a second computer, comprising:
- a receiver, operable configured to receive data from one of the first computer or the second computer and transfer the data into a buffer; and
  
  a connection state engine, operable configured to;
  
  record connection state information responsive to receipt of an acknowledgement by the second computer of a connection request from the first computer, wherein the connection state information comprises portions of packets received and sent during creation of the connection;
  
  establish the connection between the first computer and the second computer via the firewall system;
  
  read the data from the buffer;
  
  apply a security policy to the data;
  
  promote a message containing the data to a proxy, responsive to applying the security policy to the data and determining that additional review of the data is required;
  
  change the connection from a direct connection via the firewall to a proxy connection via the proxy, responsive to the promoted message; and
  
  determine whether to deny use of the connection responsive to the data in the buffer without forwarding the data.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8)
- - 2. The system of claim 1, wherein the connection state engine is further operable configured to:
    - identify and control access to applications.
  - 3. The system of claim 1, wherein the security policy is based on named sockets.
  - 4. The system of claim 1, wherein the security policy denies use of the connection responsive to the connection request being for a hypertext transport protocol message.
  - 5. The system of claim 1, wherein the security policy comprises a hierarchical set of rules.
  - 6. The system of claim 1, wherein the buffer is sized to receive and buffer data associated with the connection request.
  - 7. The system of claim 1, wherein the connection state engine is further operable configured to:
    - record initial state information associated with the connection request prior to receiving the acknowledgement from the second computer.
  - 8. The system of claim 7, wherein the connection state engine is further operable configured to:
    - record option parameters associated with the connection request prior to receiving the acknowledgement from the second computer.

9. A method of determining whether to deny use of a connection between a first computer and a second computer, comprising:
- receiving a connection request acknowledgement from the second computer responsive to a connection request from the first computer;
  
  recording connection state information associated with the connection request acknowledgement, wherein the connection state information comprises portions of packets received and sent during creation of the connection;
  
  establishing the connection between the first computer and the second computer via a firewall;
  
  receiving data from one of the first computer or the second computer;
  
  transferring the data into a buffer of the firewall;
  
  applying a security policy to the data;
  
  promoting a message containing the data to a proxy, responsive to applying the security policy to the data and determining that additional review of the data is required;
  
  changing the connection from a direct connection via the firewall to a proxy connection via the proxy, responsive to the promoted message; and
  
  determining whether to deny use of the connection responsive to the data stored in the buffer, without forwarding the data stored in the buffer.
- View Dependent Claims (10, 11, 12, 13)
- - 10. The method of claim 9, further comprising:
    - sizing the buffer for buffering data associated with the connection request.
  - 11. The method of claim 9, further comprising:
    - recording initial state information associated with the connection request prior to receiving the connection request acknowledgement from the second computer.
  - 12. The method of claim 9, further comprising:
    - recording option parameters associated with the connection request prior to receiving the acknowledgement from the second computer.
  - 13. The method of claim 9, wherein the security policy comprises a set of hierarchical rules based on a reputation of a sender of the data.

14. A non-transitory machine readable medium, on which are stored instructions for applying a security policy to a connection between a first computer and a second computer, comprising instructions that when executed cause a machine to:
- record connection state information responsive to receipt of an acknowledgement by the second computer of a connection request by the first computer, wherein the connection state information comprises portions of packets received and sent during creation of the connection;
  
  establish the connection between the first computer and the second computer via a firewall;
  
  receive data from one of the first computer or the second computer and transfer the data into a buffer of the firewall;
  
  read the data from the buffer data;
  
  apply the security policy to the data; and
  
  promote a message containing the data to a proxy, responsive to applying the security policy to the data and determining that additional review of the data is required;
  
  change the connection from a direct connection via the firewall to a proxy connection via the proxy, responsive to the promoted message; and
  
  determine whether to deny use of the connection responsive to the data in the buffer without forwarding the data in the buffer.
- View Dependent Claims (15, 16, 17, 18, 19, 20)
- - 15. The machine readable medium of claim 14, wherein the security policy comprises a set of hierarchical rules based on reputation information associated with a sender of the data.
  - 16. The machine readable medium of claim 15, wherein the instruction further comprise instructions that when executed cause the machine to dynamically assign the reputation information to the sender of the data.
  - 17. The machine readable medium of claim 14, wherein the instructions further comprise instructions that when executed cause the machine to:
    - identify and control access to applications.
  - 18. The machine readable medium of claim 14, wherein the instructions further comprise instructions that when executed cause the machine to:
    - record initial state information associated with the connection request.
  - 19. The machine readable medium of claim 14, wherein the instructions further comprise instructions that when executed cause the machine to:
    - record option parameters associated with the connection request.
  - 20. The machine readable medium of claim 14, wherein the instructions that when executed cause the machine to promote the message containing the data to a proxy, responsive to applying the security policy to the data and determining that additional review of the data is required comprise instructions that when executed cause the machine to:
    - record state associated with the acknowledgement; and
      
      establish socket connections to the first and second computer as a function of the recorded state.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
McAfee, LLC
Original Assignee
McAfee, Inc. (McAfee, LLC)
Inventors
Meyer, Paul, Diehl, David, Minear, Spencer
Primary Examiner(s)
Tolentino, Roderick

Application Number

US14/923,084
Publication Number

US 20160043995A1
Time in Patent Office

687 Days
Field of Search

726 28- 30
US Class Current
CPC Class Codes

H04L 63/0227 Filtering policies mail mes...

H04L 63/20 for managing network securi...

System and method for limiting data leakage in an application firewall

First Claim

9 Assignments

0 Petitions

Accused Products

Abstract

Citations

20 Claims

Specification

Solutions

Use Cases

Quick Links

System and method for limiting data leakage in an application firewall

First Claim

9 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

Citations

20 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links