Policy based content filtering

US 9,762,540 B2
Filed: 07/04/2015
Issued: 09/12/2017
Est. Priority Date: 11/22/2005
Status: Active Grant

First Claim

Patent Images

1. A computer-implemented method for processing application-level content of network service protocols, the method comprising:

maintaining, by a firewall device, a plurality of configuration schemes, wherein each of the plurality of configuration schemes comprises a listing of a plurality of network service protocols, and wherein each of the plurality of configuration schemes defines, for each particular network service protocol in the plurality of network service protocols, a set of administrator-configurable content filtering process settings that indicates one or more particular content filtering processes to perform;

maintaining, by the firewall device, a security policy database including information defining a plurality of firewall security policies, wherein the information defining the plurality of firewall security policies includes, for each one of the plurality of firewall security policies, information identifying an associated one of the plurality of configuration schemes and an action to take with respect to a particular network session based on a plurality of (i) a set of one or more source Internet Protocol (IP) addresses, (ii) a set of one or more destination IP addresses and (iii) a network service protocol;

receiving an incoming network connection, at a networking subsystem of the firewall device, the incoming connection being characterized by a source Internet Protocol (IP) address, a destination IP address and a network service protocol;

determining, by the networking subsystem, the network service protocol of the incoming network connection;

determining, by the networking subsystem, whether to allow or deny the incoming network connection by identifying a matching firewall policy from among the plurality of firewall security policies based on the source IP address, the destination IP address and the network service protocol and applying packet-layer firewall rules associated with the matching firewall policy;

when the incoming network connection is allowed by the action to take of the matching firewall policy, then;

redirecting the incoming network connection, by the networking subsystem, to a proxy module of a plurality of proxy modules within the firewall device that is configured to support the network service protocol;

retrieving, by the proxy module, a content processing configuration scheme of the plurality of content processing configuration schemes identified by the matching firewall policy; and

processing, by the proxy module, application-level content spanning a plurality of packets of a packet stream associated with the incoming network connection by;

reconstructing the application-level content, including extracting and buffering content from the plurality of packets; and

filtering the application-level content based on those content filtering processes of the one or more particular content filtering processes specified by the content processing configuration scheme specified by the matching firewall policy that are applicable to the determined network service protocol.

View all claims

0 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

Methods and systems for processing application-level content of network service protocols are described. According to one embodiment, a network connection is received at a networking subsystem of a firewall. The connection is characterized by a source IP address, a destination IP address and a network service protocol. The network service protocol of the network connection is determined. A matching firewall policy is identified for the connection. When the connection is allowed, it is redirected to a proxy module that is configured to support the network service protocol. A content processing configuration scheme identified by the matching firewall policy is retrieved that includes multiple content processing configuration settings, specifying whether a particular type of content filtering is to be performed, for each of multiple network service protocols. Application-level content of a packet stream associated with the network connection is reconstructed and filtered based on the applicable content processing configuration settings.

41 Citations

16 Claims

1. A computer-implemented method for processing application-level content of network service protocols, the method comprising:
- maintaining, by a firewall device, a plurality of configuration schemes, wherein each of the plurality of configuration schemes comprises a listing of a plurality of network service protocols, and wherein each of the plurality of configuration schemes defines, for each particular network service protocol in the plurality of network service protocols, a set of administrator-configurable content filtering process settings that indicates one or more particular content filtering processes to perform;
  
  maintaining, by the firewall device, a security policy database including information defining a plurality of firewall security policies, wherein the information defining the plurality of firewall security policies includes, for each one of the plurality of firewall security policies, information identifying an associated one of the plurality of configuration schemes and an action to take with respect to a particular network session based on a plurality of (i) a set of one or more source Internet Protocol (IP) addresses, (ii) a set of one or more destination IP addresses and (iii) a network service protocol;
  
  receiving an incoming network connection, at a networking subsystem of the firewall device, the incoming connection being characterized by a source Internet Protocol (IP) address, a destination IP address and a network service protocol;
  
  determining, by the networking subsystem, the network service protocol of the incoming network connection;
  
  determining, by the networking subsystem, whether to allow or deny the incoming network connection by identifying a matching firewall policy from among the plurality of firewall security policies based on the source IP address, the destination IP address and the network service protocol and applying packet-layer firewall rules associated with the matching firewall policy;
  
  when the incoming network connection is allowed by the action to take of the matching firewall policy, then;
  
  redirecting the incoming network connection, by the networking subsystem, to a proxy module of a plurality of proxy modules within the firewall device that is configured to support the network service protocol;
  
  retrieving, by the proxy module, a content processing configuration scheme of the plurality of content processing configuration schemes identified by the matching firewall policy; and
  
  processing, by the proxy module, application-level content spanning a plurality of packets of a packet stream associated with the incoming network connection by;
  
  reconstructing the application-level content, including extracting and buffering content from the plurality of packets; and
  
  filtering the application-level content based on those content filtering processes of the one or more particular content filtering processes specified by the content processing configuration scheme specified by the matching firewall policy that are applicable to the determined network service protocol.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8)
- - 2. The method of claim 1, wherein the network service protocol comprises HyperText Transfer Protocol (HTTP), File Transfer Protocol (FTP), Simple Mail Transfer Protocol (SMTP), Post Office Protocol 3 (POP3), Internet Message Access Protocol (IMAP) or Server Message Block/Common Internet File System (SMB/CIFS).
  - 3. The method of claim 1, further comprising receiving from a network administrator, by the firewall device, via a graphical user interface, selections indicative of one or more content filtering process settings of the set of administrator-configurable content filtering process settings for each of a plurality of network service protocols.
  - 4. The method of claim 1, wherein the determined network service protocol comprises HyperText Transport Protocol (HTTP) and said filtering the application-level content comprises applying to the application-level content a plurality of antivirus scanning, filename blocking, quarantining, banned word filtering and Uniform Resource Locator (URL) blocking.
  - 5. The method of claim 1, wherein the determined network service protocol comprises File Transfer Protocol (FTP) and said filtering the application-level content of comprises applying to the application-level content a plurality of antivirus scanning, filename blocking and quarantining.
  - 6. The method of claim 1, wherein the determined network service protocol comprises Simple Mail Transfer Protocol (SMTP), Post Office Protocol 3 (POP3) or Internet Message Access Protocol (IMAP) and said filtering the application-level content comprises applying to the application-level content a plurality of antivirus scanning, filename blocking, quarantining, banned word filtering and spam blocking.
  - 7. The method of claim 1, wherein the determined network service protocol comprises Server Message Block/Common Internet File System (SMB/CIFS) and said filtering the application-level content comprises applying to the application-level content a plurality of antivirus scanning, filename blocking and quarantining.
  - 8. The method of claim 7, wherein said filename blocking comprises blocking transmission of specific file types.

9. A non-transitory computer-readable storage medium embodying instructions, which when executed by a firewall device, cause the firewall device to perform a method for processing application-level content, the method comprising:
- maintaining a plurality of configuration schemes, wherein each of the plurality of configuration schemes comprises a listing of a plurality of network service protocols, and wherein each of the plurality of configuration schemes defines, for each particular network service protocol in the plurality of network service protocols, a set of administrator-configurable content filtering process settings that indicates one or more particular content filtering processes to perform;
  
  maintaining a security policy database including information defining a plurality of firewall security policies, wherein the information defining the plurality of firewall security policies includes, for each one of the plurality of firewall security policies, information identifying an associated one of the plurality of configuration schemes and an action to take with respect to a particular network session based on a plurality of (i) a set of one or more source Internet Protocol (IP) addresses, (ii) a set of one or more destination IP addresses and (iii) a network service protocol;
  
  receiving an incoming network connection, at a networking subsystem of the firewall device, the incoming network connection being characterized by a source Internet Protocol (IP) address, a destination IP address and a network service protocol;
  
  determining, by the networking subsystem, the network service protocol of the incoming network connection;
  
  determining, by the networking subsystem, whether to allow or deny the incoming network connection by identifying a matching firewall policy from among the plurality of firewall security policies based on the source IP address, the destination IP address and the network service protocol and applying packet-layer firewall rules associated with the matching firewall policy;
  
  when the incoming network connection is allowed by the action to take of the matching firewall policy, then;
  
  redirecting the incoming network connection, by the networking subsystem, to a proxy module of a plurality of proxy modules within the firewall device that is configured to support the network service protocol;
  
  retrieving, by the proxy module, a content processing configuration scheme of the plurality of content processing configuration schemes identified by the matching firewall policy; and
  
  processing, by the proxy module, application-level content spanning a plurality of packets of a packet stream associated with the incoming network connection by;
  
  reconstructing the application-level content, including extracting and buffering content from the plurality of packets; and
  
  filtering the application-level content based on those content filtering processes of the one or more particular content filtering processes specified by the content processing configuration scheme specified by the matching firewall policy that are applicable to the determined network service protocol.
- View Dependent Claims (10, 11, 12, 13, 14, 15, 16)
- - 10. The non-transitory computer-readable storage medium of claim 9, wherein the network service protocol comprises HyperText Transfer Protocol (HTTP), File Transfer Protocol (FTP), Simple Mail Transfer Protocol (SMTP), Post Office Protocol 3 (POP3), Internet Message Access Protocol (IMAP) or Server Message Block/Common Internet File System (SMB/CIFS).
  - 11. The non-transitory computer-readable storage medium of claim 9, wherein the method further comprises receiving from a network administrator, by the firewall device, via a graphical user interface, selections indicative of one or more content filtering process settings of the set of administrator-configurable content filtering process settings for each of a plurality of network service protocols.
  - 12. The non-transitory computer-readable storage medium of claim 9, wherein the determined network service protocol comprises HyperText Transport Protocol (HTTP) and said filtering the application-level content comprises applying to the application-level content a plurality of antivirus scanning, filename blocking, quarantining, banned word filtering and Uniform Resource Locator (URL) blocking.
  - 13. The non-transitory computer-readable storage medium of claim 9, wherein the determined network service protocol comprises File Transfer Protocol (FTP) and said filtering the application-level content of comprises applying to the application-level content a plurality of antivirus scanning, filename blocking and quarantining.
  - 14. The non-transitory computer-readable storage medium of claim 9, wherein the determined network service protocol comprises Simple Mail Transfer Protocol (SMTP), Post Office Protocol 3 (POP3) or Internet Message Access Protocol (IMAP) and said filtering the application-level content comprises applying to the application-level content a plurality of antivirus scanning, filename blocking, quarantining, banned word filtering and spam blocking.
  - 15. The non-transitory computer-readable storage medium of claim 9, wherein the determined network service protocol comprises Server Message Block/Common Internet File System (SMB/CIFS) and said filtering the application-level content comprises applying to the application-level content a plurality of antivirus scanning, filename blocking and quarantining.
  - 16. The non-transitory computer-readable storage medium of claim 15, wherein said filename blocking comprises blocking transmission of specific file types.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Fortinet Inc.
Original Assignee
Fortinet Inc.
Inventors
Crawford, William J.
Primary Examiner(s)
Lagor, Alexander
Assistant Examiner(s)
BECHTEL, KEVIN M

Application Number

US14/791,422
Publication Number

US 20150312220A1
Time in Patent Office

801 Days
Field of Search
US Class Current
CPC Class Codes

H04L 63/02   for separating internal fro...

H04L 63/0236   Filtering by address, proto...

H04L 63/0245   Filtering by information in...

H04L 63/0281   Proxies

H04L 63/20   for managing network securi...

Policy based content filtering

First Claim

0 Assignments

0 Petitions

Accused Products

Abstract

41 Citations

16 Claims

Specification

Solutions

Use Cases

Quick Links

Policy based content filtering

First Claim

0 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

41 Citations

16 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links