Policy-based content filtering

US 10,084,750 B2
Filed: 08/07/2017
Issued: 09/25/2018
Est. Priority Date: 11/22/2005
Status: Active Grant

First Claim

Patent Images

1. A computer-implemented method for processing application-level content of network service protocols, the method comprising:

receiving a network connection, by a networking subsystem of a firewall device, wherein the connection is characterized by a source Internet Protocol (IP) address, a destination IP address and a network service protocol;

determining, by the networking subsystem, whether to allow or deny the network connection by identifying a matching firewall policy from among a plurality of firewall security policies based on the source IP address, the destination IP address and the network service protocol and applying packet-layer firewall rules associated with the matching firewall policy;

when the network connection is allowed by the matching firewall policy, then;

redirecting the network connection, by the networking subsystem, to a proxy module of a plurality of proxy modules running within the firewall device that is configured to support the network service protocol;

retrieving, by the proxy module, a content processing configuration scheme of a plurality of content processing configuration schemes identified by the matching firewall policy, wherein each of the plurality of configuration schemes comprises a listing of a plurality of network service protocols, and wherein each of the plurality of configuration schemes defines, for each particular network service protocol of the plurality of network service protocols, a set of administrator-configurable content filtering process settings that indicates one or more particular content filtering processes to perform for the particular network service protocol; and

filtering application-level content associated with the network connection based on those content filtering processes of the one or more particular content filtering processes specified by the content processing configuration scheme specified by the matching firewall policy.

View all claims

0 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

Methods and systems for processing application-level content of network service protocols are described. According to one embodiment, a firewall maintains multiple configuration schemes, each defining a set of administrator-configurable content filtering process settings. The firewall also maintains a security policy database including multiple firewall security policies. At least one of the firewall security policies includes an associated configuration scheme and an action to take with respect to a particular network session based on a set of source Internet Protocol (IP) addresses, a set of destination IP addresses and/or a network service protocol. Policy-based content filtering of network sessions is performed by: (i) identifying a firewall security policy matching traffic associated with the network session; (ii) identifying content filtering processes to be performed on the traffic based on the configuration scheme associated with the matching firewall security policy; and (iii) applying the identified content filtering processes to the traffic.

47 Citations

16 Claims

1. A computer-implemented method for processing application-level content of network service protocols, the method comprising:
- receiving a network connection, by a networking subsystem of a firewall device, wherein the connection is characterized by a source Internet Protocol (IP) address, a destination IP address and a network service protocol;
  
  determining, by the networking subsystem, whether to allow or deny the network connection by identifying a matching firewall policy from among a plurality of firewall security policies based on the source IP address, the destination IP address and the network service protocol and applying packet-layer firewall rules associated with the matching firewall policy;
  
  when the network connection is allowed by the matching firewall policy, then;
  
  redirecting the network connection, by the networking subsystem, to a proxy module of a plurality of proxy modules running within the firewall device that is configured to support the network service protocol;
  
  retrieving, by the proxy module, a content processing configuration scheme of a plurality of content processing configuration schemes identified by the matching firewall policy, wherein each of the plurality of configuration schemes comprises a listing of a plurality of network service protocols, and wherein each of the plurality of configuration schemes defines, for each particular network service protocol of the plurality of network service protocols, a set of administrator-configurable content filtering process settings that indicates one or more particular content filtering processes to perform for the particular network service protocol; and
  
  filtering application-level content associated with the network connection based on those content filtering processes of the one or more particular content filtering processes specified by the content processing configuration scheme specified by the matching firewall policy.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8)
- - 2. The method of claim 1, wherein the network service protocol comprises HyperText Transfer Protocol (HTTP), File Transfer Protocol (FTP), Simple Mail Transfer Protocol (SMTP), Post Office Protocol 3 (POP3), Internet Message Access Protocol (IMAP) or Server Message Block/Common Internet File System (SMB/CIFS).
  - 3. The method of claim 1, further comprising receiving from a network administrator, by the firewall device, via a graphical user interface, selections indicative of one or more content filtering process settings of the set of administrator-configurable content filtering process settings for each of a plurality of network service protocols.
  - 4. The method of claim 1, wherein the determined network service protocol comprises HyperText Transport Protocol (HTTP) and said filtering the application-level content comprises applying to the application-level content a plurality of antivirus scanning, filename blocking, quarantining, banned word filtering and Uniform Resource Locator (URL) blocking.
  - 5. The method of claim 1, wherein the determined network service protocol comprises File Transfer Protocol (FTP) and said filtering the application-level content of comprises applying to the application-level content a plurality of antivirus scanning, filename blocking and quarantining.
  - 6. The method of claim 1, wherein the determined network service protocol comprises Simple Mail Transfer Protocol (SMTP), Post Office Protocol 3 (POP3) or Internet Message Access Protocol (IMAP) and said filtering the application-level content comprises applying to the application-level content a plurality of antivirus scanning, filename blocking, quarantining, banned word filtering and spam blocking.
  - 7. The method of claim 1, wherein the determined network service protocol comprises Server Message Block/Common Internet File System (SMB/CIFS) and said filtering the application-level content comprises applying to the application-level content a plurality of antivirus scanning, filename blocking and quarantining.
  - 8. The method of claim 7, wherein said filename blocking comprises blocking transmission of specific file types.

9. A non-transitory computer-readable storage medium embodying instructions, which when executed by a firewall device, cause the firewall device to perform a method for processing application-level content, the method comprising:
- receiving a network connection, by a networking subsystem of a firewall device, wherein the connection is characterized by a source Internet Protocol (IP) address, a destination IP address and a network service protocol;
  
  determining, by the networking subsystem, whether to allow or deny the network connection by identifying a matching firewall policy from among a plurality of firewall security policies based on the source IP address, the destination IP address and the network service protocol and applying packet-layer firewall rules associated with the matching firewall policy;
  
  when the network connection is allowed by the matching firewall policy, then;
  
  redirecting the network connection, by the networking subsystem, to a proxy module of a plurality of proxy modules running within the firewall device that is configured to support the network service protocol;
  
  retrieving, by the proxy module, a content processing configuration scheme of a plurality of content processing configuration schemes identified by the matching firewall policy, wherein each of the plurality of configuration schemes comprises a listing of a plurality of network service protocols, and wherein each of the plurality of configuration schemes defines, for each particular network service protocol of the plurality of network service protocols, a set of administrator-configurable content filtering process settings that indicates one or more particular content filtering processes to perform for the particular network service protocol; and
  
  filtering application-level content associated with the network connection based on those content filtering processes of the one or more particular content filtering processes specified by the content processing configuration scheme specified by the matching firewall policy.
- View Dependent Claims (10, 11, 12, 13, 14, 15, 16)
- - 10. The non-transitory computer-readable storage medium of claim 9, wherein the network service protocol comprises HyperText Transfer Protocol (HTTP), File Transfer Protocol (FTP), Simple Mail Transfer Protocol (SMTP), Post Office Protocol 3 (POP3), Internet Message Access Protocol (IMAP) or Server Message Block/Common Internet File System (SMB/CIFS).
  - 11. The non-transitory computer-readable storage medium of claim 9, wherein the method further comprises receiving from a network administrator, by the firewall device, via a graphical user interface, selections indicative of one or more content filtering process settings of the set of administrator-configurable content filtering process settings for each of a plurality of network service protocols.
  - 12. The non-transitory computer-readable storage medium of claim 9, wherein the determined network service protocol comprises HyperText Transport Protocol (HTTP) and said filtering the application-level content comprises applying to the application-level content a plurality of antivirus scanning, filename blocking, quarantining, banned word filtering and Uniform Resource Locator (URL) blocking.
  - 13. The non-transitory computer-readable storage medium of claim 9, wherein the determined network service protocol comprises File Transfer Protocol (FTP) and said filtering the application-level content of comprises applying to the application-level content a plurality of antivirus scanning, filename blocking and quarantining.
  - 14. The non-transitory computer-readable storage medium of claim 9, wherein the determined network service protocol comprises Simple Mail Transfer Protocol (SMTP), Post Office Protocol 3 (POP3) or Internet Message Access Protocol (IMAP) and said filtering the application-level content comprises applying to the application-level content a plurality of antivirus scanning, filename blocking, quarantining, banned word filtering and spam blocking.
  - 15. The non-transitory computer-readable storage medium of claim 9, wherein the determined network service protocol comprises Server Message Block/Common Internet File System (SMB/CIFS) and said filtering the application-level content comprises applying to the application-level content a plurality of antivirus scanning, filename blocking and quarantining.
  - 16. The non-transitory computer-readable storage medium of claim 15, wherein said filename blocking comprising blocking transmission of specific file types.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Fortinet Inc.
Original Assignee
Fortinet Inc.
Inventors
Crawford, William J.
Primary Examiner(s)
Bechtel, Kevin

Application Number

US15/670,254
Publication Number

US 20170339107A1
Time in Patent Office

414 Days
Field of Search
US Class Current
CPC Class Codes

H04L 63/02   for separating internal fro...

H04L 63/0236   Filtering by address, proto...

H04L 63/0245   Filtering by information in...

H04L 63/0281   Proxies

H04L 63/20   for managing network securi...

Policy-based content filtering

First Claim

0 Assignments

0 Petitions

Accused Products

Abstract

47 Citations

16 Claims

Specification

Solutions

Use Cases

Quick Links

Policy-based content filtering

First Claim

0 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

47 Citations

16 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links