Policy-based content filtering
First Claim
1. A computer-implemented method for processing application-level content of network service protocols, the method comprising:
receiving a network connection, by a networking subsystem of a firewall device, wherein the connection is characterized by a source Internet Protocol (IP) address, a destination IP address and a network service protocol;
determining, by the networking subsystem, whether to allow or deny the network connection by identifying a matching firewall policy from among a plurality of firewall security policies based on the source IP address, the destination IP address and the network service protocol and applying packet-layer firewall rules associated with the matching firewall policy;
when the network connection is allowed by the matching firewall policy, then;
redirecting the network connection, by the networking subsystem, to a proxy module of a plurality of proxy modules running within the firewall device that is configured to support the network service protocol;
retrieving, by the proxy module, a content processing configuration scheme of a plurality of content processing configuration schemes identified by the matching firewall policy, wherein each of the plurality of configuration schemes comprises a listing of a plurality of network service protocols, and wherein each of the plurality of configuration schemes defines, for each particular network service protocol of the plurality of network service protocols, a set of administrator-configurable content filtering process settings that indicates one or more particular content filtering processes to perform for the particular network service protocol; and
filtering application-level content associated with the network connection based on those content filtering processes of the one or more particular content filtering processes specified by the content processing configuration scheme specified by the matching firewall policy.
Abstract
Methods and systems for processing application-level content of network service protocols are described. According to one embodiment, a firewall maintains multiple configuration schemes, each defining a set of administrator-configurable content filtering process settings. The firewall also maintains a security policy database including multiple firewall security policies. At least one of the firewall security policies includes an associated configuration scheme and an action to take with respect to a particular network session based on a set of source Internet Protocol (IP) addresses, a set of destination IP addresses and/or a network service protocol. Policy-based content filtering of network sessions is performed by: (i) identifying a firewall security policy matching traffic associated with the network session; (ii) identifying content filtering processes to be performed on the traffic based on the configuration scheme associated with the matching firewall security policy; and (iii) applying the identified content filtering processes to the traffic.
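As an added illustration of the flow described in the abstract and claim 1 (this is example code written for this page, not code from the patent or from any product implementing it), the following Python sketch uses constructed policies, configuration schemes and stand-in filtering processes: the packet-layer match on source IP, destination IP and protocol selects a policy, and only for an allowed policy does the scheme's per-protocol entry decide which content filtering processes the proxy runs.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Optional
# Constructed stand-ins for content filtering processes: each inspects the
# application-level payload and returns True when the content may pass.
PROCESSES = {
    "antivirus": lambda data: b"MALWARE-MARKER" not in data,  # made-up signature
    "url-filter": lambda data: b"Host: blocked.example" not in data,
    "spam": lambda data: b"Subject: BUY NOW" not in data,
}

SCHEMES = {  # configuration schemes (constructed): per protocol, which processes run
    "strict": {"http": ["url-filter", "antivirus"], "smtp": ["spam", "antivirus"]},
    "av-only": {"http": ["antivirus"], "smtp": ["antivirus"]},
}

@dataclass
class Policy:
    src: str                      # source CIDR
    dst: str                      # destination CIDR
    protocol: str                 # "http", "smtp", ... or "any"
    action: str                   # "allow" or "deny"
    scheme: Optional[str] = None  # scheme applied to allowed traffic, if any

POLICIES = [  # security policy database (constructed); ordered, first match wins
    Policy("10.0.0.0/8", "0.0.0.0/0", "http", "allow", "av-only"),
    Policy("192.168.1.0/24", "0.0.0.0/0", "any", "allow", "strict"),
    Policy("0.0.0.0/0", "0.0.0.0/0", "any", "deny"),
]

def match_policy(src_ip: str, dst_ip: str, protocol: str) -> Optional[Policy]:
    """Packet-layer step: select the policy by source IP, destination IP, protocol."""
    for p in POLICIES:
        if (ip_address(src_ip) in ip_network(p.src) and p.protocol in (protocol, "any")
                and ip_address(dst_ip) in ip_network(p.dst)):
            return p
    return None

def handle_connection(src_ip: str, dst_ip: str, protocol: str, payload: bytes) -> str:
    """Return 'allow' or 'deny:<reason>'. Content filtering runs only for connections
    the policy allows, and only the processes its scheme lists for this protocol."""
    policy = match_policy(src_ip, dst_ip, protocol)
    if policy is None or policy.action != "allow":
        return "deny:policy"
    if policy.scheme is None:
        return "allow"  # allowed at packet layer, no content processing configured
    for name in SCHEMES[policy.scheme].get(protocol, []):  # the proxy module's step
        if not PROCESSES[name](payload):
            return f"deny:{name}"
    return "allow"
```

A protocol absent from a scheme (ftp under "strict" here) receives no content processing at all, so a scheme needs an entry for every protocol the firewall proxies.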
47 Citations
16 Claims
1. (Independent claim; its full text appears above under First Claim.) Dependent claims: 2, 3, 4, 5, 6, 7, 8.
9. A non-transitory computer-readable storage medium embodying instructions, which when executed by a firewall device, cause the firewall device to perform a method for processing application-level content, the method comprising:
receiving a network connection, by a networking subsystem of a firewall device, wherein the connection is characterized by a source Internet Protocol (IP) address, a destination IP address and a network service protocol;
determining, by the networking subsystem, whether to allow or deny the network connection by identifying a matching firewall policy from among a plurality of firewall security policies based on the source IP address, the destination IP address and the network service protocol and applying packet-layer firewall rules associated with the matching firewall policy;
when the network connection is allowed by the matching firewall policy, then;
redirecting the network connection, by the networking subsystem, to a proxy module of a plurality of proxy modules running within the firewall device that is configured to support the network service protocol;
retrieving, by the proxy module, a content processing configuration scheme of a plurality of content processing configuration schemes identified by the matching firewall policy, wherein each of the plurality of configuration schemes comprises a listing of a plurality of network service protocols, and wherein each of the plurality of configuration schemes defines, for each particular network service protocol of the plurality of network service protocols, a set of administrator-configurable content filtering process settings that indicates one or more particular content filtering processes to perform for the particular network service protocol; and
filtering application-level content associated with the network connection based on those content filtering processes of the one or more particular content filtering processes specified by the content processing configuration scheme specified by the matching firewall policy.
Dependent claims: 10, 11, 12, 13, 14, 15, 16.
Specification