SYSTEM AND METHOD FOR LIMITING DATA LEAKAGE IN AN APPLICATION FIREWALL
Abstract
System and methods for connection processing with limited data leakage. The system records state associated with a connection request in a connection state engine, records state associated with a connection acknowledgement in the connection state engine, stores data sent after the connection acknowledgement in a buffer and determines, without a proxy, whether to allow or deny a connection as a function of the data stored in the buffer.
22 Claims
1. A system for determining whether to allow a connection between a first computer and a second computer, comprising:
a receiver, operable to receive data into a buffer from one of the first computer or the second computer; and
a connection state engine, operable to:
record connection state information responsive to receipt of an acknowledgement by the second computer of a connection request from the first computer;
read the data from the buffer;
apply a security policy to the data; and
deny use of the connection between the first computer and the second computer without forwarding the data, based on the application of the security policy to the data.
Dependent claims: 2-8.
9. A method of determining whether to deny use of a connection between a first computer and a second computer, comprising:
receiving and storing in a buffer data received from one of the first computer or the second computer;
receiving a connection request acknowledgement from the second computer responsive to a connection request from the first computer;
recording connection state information associated with the connection request acknowledgement; and
determining whether to deny use of the connection responsive to the data stored in the buffer, without forwarding the data stored in the buffer.
Dependent claims: 10-15.
16. A machine readable medium, on which are stored instructions for applying a security policy to a connection between a first computer and a second computer, comprising instructions that when executed cause a machine to:
record connection state information responsive to receipt of an acknowledgement by the second computer of a connection request by the first computer;
read from a buffer data received from one of the first computer or the second computer;
apply the security policy to the data;
promote a message containing the data to a proxy, responsive to applying the security policy to the data; and
change the connection to a proxy connection via the proxy, responsive to the promoted message.
Dependent claims: 17-22.
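The abstract and claims 1, 9 and 16 describe one mechanism: the firewall records the connection request (SYN) and the second computer's acknowledgement (SYN-ACK) in a state table, lets the handshake complete without a proxy, holds the first application data in a buffer instead of forwarding it, and only then applies the security policy, which can deny the connection (the buffered data is discarded, so nothing leaks to the peer), allow it (the buffer is released), or promote it to a proxy. The following is an added illustration of that flow, not code from the patent or its assignee. Packet and Connection are constructed stand-ins for TCP segments and state-table entries, the port-80 and port-25 rules are hypothetical policies written for the example, and MAX_BUFFER is an assumed cap on how much data is held before an undecided connection is denied. The sample handshake and payloads in the helpers are constructed.

```python
import re
from dataclasses import dataclass, field
from enum import Enum

MAX_BUFFER = 4096  # assumption: deny if the policy is still undecided after this many bytes

class Verdict(Enum):
    PENDING = "pending"  # handshake state recorded, waiting for (more) data to inspect
    ALLOW = "allow"      # buffered data released, connection passes through
    DENY = "deny"        # connection dropped; the buffered data is never forwarded
    PROXY = "proxy"      # connection promoted to a proxy (claim 16)

@dataclass(frozen=True)
class Packet:  # constructed stand-in for a TCP segment as the firewall sees it
    src: str
    dst: str
    sport: int
    dport: int
    syn: bool = False
    ack: bool = False
    payload: bytes = b""

@dataclass
class Connection:
    client: str
    server: str
    dport: int
    synack_seen: bool = False
    buffer: list = field(default_factory=list)  # [(origin, bytes)] held, not yet forwarded
    verdict: Verdict = Verdict.PENDING

HTTP_REQUEST_LINE = re.compile(rb"^(GET|POST|HEAD|PUT|DELETE|OPTIONS) \S+ HTTP/1\.[01]\r\n")

def http_policy(origin, data):  # hypothetical port-80 rule: client speaks first, valid request line
    if origin != "client":
        return Verdict.DENY
    if b"\r\n" not in data and len(data) < MAX_BUFFER:
        return Verdict.PENDING  # request line incomplete: keep buffering
    if not HTTP_REQUEST_LINE.match(data):
        return Verdict.DENY
    if b"\r\nupgrade:" in data.lower():
        return Verdict.PROXY  # protocol upgrades are handed to a full proxy
    return Verdict.ALLOW

def smtp_policy(origin, data):  # hypothetical port-25 rule: the server's 220 banner comes first
    if origin == "server" and data.startswith(b"220 "):
        return Verdict.ALLOW
    return Verdict.DENY

POLICY = {80: http_policy, 25: smtp_policy}  # ports without a rule are denied

def conn_key(p):  # direction-independent key for both halves of a connection
    return frozenset({(p.src, p.sport), (p.dst, p.dport)})

class ConnectionStateEngine:
    def __init__(self, policy=POLICY):
        self.policy = policy
        self.table = {}      # connection key -> Connection
        self.forwarded = []  # data actually released toward the peer
        self.proxied = []    # data handed to the proxy instead

    def process(self, p):
        conn = self.table.get(conn_key(p))
        if conn is None:
            if p.syn and not p.ack:  # connection request from the first computer
                self.table[conn_key(p)] = Connection(p.src, p.dst, p.dport)
                return Verdict.PENDING
            return Verdict.DENY      # no recorded state: out-of-state segment is dropped
        if conn.verdict is Verdict.DENY:
            return Verdict.DENY
        if p.syn and p.ack and p.src == conn.server:
            conn.synack_seen = True  # record the second computer's acknowledgement
            return Verdict.PENDING
        if not p.payload:
            return conn.verdict      # bare ACK: nothing to inspect
        origin = "client" if p.src == conn.client else "server"
        if conn.verdict is not Verdict.PENDING:  # already decided: pass through or proxy
            (self.forwarded if conn.verdict is Verdict.ALLOW else self.proxied).append((origin, p.payload))
            return conn.verdict
        if not conn.synack_seen:
            return Verdict.DENY      # data before the handshake completed: drop the segment
        conn.buffer.append((origin, p.payload))
        check = self.policy.get(conn.dport, lambda o, d: Verdict.DENY)
        conn.verdict = check(origin, b"".join(d for _, d in conn.buffer))
        if conn.verdict is Verdict.PENDING and sum(len(d) for _, d in conn.buffer) >= MAX_BUFFER:
            conn.verdict = Verdict.DENY
        if conn.verdict is Verdict.ALLOW:
            self.forwarded.extend(conn.buffer)
        elif conn.verdict is Verdict.PROXY:
            self.proxied.extend(conn.buffer)  # promoted to the proxy, never sent directly
        if conn.verdict is not Verdict.PENDING:
            conn.buffer.clear()  # on DENY the data is discarded without being forwarded
        return conn.verdict

def handshake(client, server, sport, dport):  # constructed SYN, SYN-ACK, ACK
    return [Packet(client, server, sport, dport, syn=True),
            Packet(server, client, dport, sport, syn=True, ack=True),
            Packet(client, server, sport, dport, ack=True)]
```

The point of the buffer is visible in the deny path: a client that completes the handshake and then sends an SSH banner to port 80 gets a DENY, and the banner is dropped from the buffer rather than reaching the server. The policy also decides on data from either side (the SMTP rule expects the server to speak first), and a request line split across two segments stays PENDING until enough has been buffered to decide. A production engine would additionally have to track sequence numbers, retransmissions and TCP Fast Open payloads on the SYN, none of which this sketch models.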
Specification