Multi-layer based method for implementing network firewalls

US 7,260,840 B2
Filed: 06/06/2003
Issued: 08/21/2007
Est. Priority Date: 06/06/2003
Status: Active Grant

First Claim

Patent Images

1. A method for implementing a firewall policy at a requesting stage, the requesting stage being a first stage from a plurality of stages in a firewall framework, the firewall framework further including a firewall engine having a plurality of installed filters, comprising:

receiving, by the requesting stage, a packet from a second stage from the plurality of stages;

identifying, by the requesting stage, a set of parameters associated with the packet;

issuing a classify call including the set of parameters associated with the packet;

receiving, in response to the classify call, an action according to the firewall policy designated by at least one of the plurality of the installed filters; and

if the action is an instruction to allow the packet to continue network traversal, processing the packet according to a protocol implemented by the requesting stage and sending the packet to a third stage from the plurality of stages.

View all claims

3 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

A method is provided for implementing a firewall in a firewall architecture. The firewall architecture includes a plurality of network layers and a first firewall engine. The layers send packets and packet information to the first firewall engine, maintain and pass packet context to subsequent layers, and process the packets. The first firewall engine compares the packet information to one or more installed filters and returns an action to the layers indicating how to treat the packet.

151 Citations

28 Claims

1. A method for implementing a firewall policy at a requesting stage, the requesting stage being a first stage from a plurality of stages in a firewall framework, the firewall framework further including a firewall engine having a plurality of installed filters, comprising:
- receiving, by the requesting stage, a packet from a second stage from the plurality of stages;
  
  identifying, by the requesting stage, a set of parameters associated with the packet;
  
  issuing a classify call including the set of parameters associated with the packet;
  
  receiving, in response to the classify call, an action according to the firewall policy designated by at least one of the plurality of the installed filters; and
  
  if the action is an instruction to allow the packet to continue network traversal, processing the packet according to a protocol implemented by the requesting stage and sending the packet to a third stage from the plurality of stages.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9)
- - 2. The method of claim 1, wherein the action is the instruction to allow the packet to continue network traversal, further comprising:
    - processing the packet according to a layer protocol; and
      
      sending the packet to the third stage from the plurality of stages.
  - 3. The method of claim 1, wherein the packet is an outbound packet destined for a network device and wherein the set of parameters include information to be added to the packet according to a protocol implemented by the requesting stage.
  - 4. The method of claim 1, wherein the packet is an inbound packet received from a network device and wherein the set of parameters include information that the requesting stage parses from the inbound packet according to a protocol implemented by the requesting stage.
  - 5. The method of claim 1, wherein the plurality of stages execute within a kernel mode of an operating system.
  - 6. The method of claim 1 wherein the plurality of stages execute within a user mode of an operating system.
  - 7. The method of claim 1 further comprising:
    - receiving a packet context data structure from the second stage, the packet context including second stage data associated with the packet; and
      
      modifying the packet context data structure by adding the set of parameters.
  - 8. The method of claim 7 wherein parameters of the set of parameters includes identification of the requesting stage, the parameter type, and a value.
  - 9. The method of claim 7, wherein the requesting stage sends the modified packet context data structure to a next stage in the plurality of stages.

10. A method for implementing a firewall policy in a firewall engine comprising a set of installed filters, the installed filters each comprising a set of filter conditions and an associated action, comprising:
- receiving from a requesting layer a set of packet parameters including first packet information associated with the requesting layer and second packet information associated with a packet context data structure;
  
  identifying a set of matching filters, each filter in the set of matching filters having filter conditions corresponding the packet parameters;
  
  identifying the associated action from at least one of the matching filters; and
  
  if the associated action is an instruction to allow the packet to continue network traversal or an instruction to disallow the packet to continue network traversal, returning the associated action to the requesting layer.
- View Dependent Claims (11, 12, 13, 14, 15)
- - 11. The method of claim 10, wherein each filter in the set of matching filters has a priority and the associated action from a highest priority filter is a non-terminating action, further comprising:
    - identify the associated action from one or more lower priority filters in the set of matching filters until a terminating action is reached.
  - 12. The method of claim 10, wherein a filter from the set of matching filter identifies a callout module, further comprising:
    - sending the packet parameters and an identification of the filter from the set of matching filters to the callout module.
  - 13. The method of claim 12, wherein the callout modifies the packet context.
  - 14. The method of claim 10, wherein the firewall engine executes in a user mode of an operating system.
  - 15. The method of claim 10, wherein the firewall engine executes in a kernelmode of an operating system.

16. A method for permitting network communication between an initiating network device and a responding network device, the responding network device including a firewall for preventing unsolicited network communications, comprising:
- receiving, by the responding network device, an inbound packet from the initiating network device;
  
  determining whether the inbound packet is an authentication request;
  
  if the inbound packet is the authentication request;
  
  conducting a key negotiation between the initiating network device and the responding network device according to the key negotiation protocol;
  
  if the key negotiation is successful;
  
  creating a firewall filter that permits inbound packets sent from the initiating network device that conform to the key negotiation protocol; and
  
  if the inbound packet is not the authentication request;
  
  determining whether the initiating network device has been previously authenticated; and
  
  if the initiating network device has been previously authenticated, permitting the inbound packet.
- View Dependent Claims (17, 18, 19)
- - 17. The method of claim 16, wherein the firewall filter permits inbound packets conforming to a security settings between the initiating network device and the responding network device.
  - 18. The method of claim 16, wherein the firewall filter permits inbound packets designating address information of the responding network device.
  - 19. The method of claim 16 wherein the key negotiation is an IKE negotiation.

20. A computer-readable medium for executing computer-readable instructions for implementing a firewall policy at a requesting stage, the requesting stage being a first stage from a plurality of stages in a firewall framework, the firewall framework further including a firewall engine having a plurality of installed filters, comprising:
- receiving, by the requesting stage, a packet from a second stage from the plurality of stages;
  
  identifying, by the requesting stage, a set of parameters associated with the packet;
  
  issuing a classify call including the set of parameters associated with the packet;
  
  receiving, in response to the classify call, an action according to the firewall policy designated by at least one of the plurality of the installed filters; and
  
  if the action is an instruction to allow the packet to continue network traversal, processing the packet according to a protocol implemented by the requesting stage and sending the packet to a third stage from the plurality of stages.
- View Dependent Claims (21, 22)
- - 21. The computer-readable medium of claim 20, wherein the action is the instruction to allow the packet to continue network traversal, further comprising:
    - processing the packet according to a layer protocol; and
      
      sending the packet to the third stage from the plurality of stages.
  - 22. The computer-readable medium of claim 20 further comprising:
    - receiving a packet context data structure from the second stage, the packet context including second stage data associated with the packet; and
      
      modifying the packet context data structure by adding the set of parameters.

23. A computer-readable medium for executing computer-readable instructions for implementing a firewall policy in a firewall engine comprising a set of installed filters, the installed filters each comprising a set of filter conditions and an associated action, comprising:
- receiving from a requesting layer a set of packet parameters including first packet information associated with the requesting layer and second packet information associated with a packet context data structure;
  
  identifying a set of matching filters, each filter in the set of matching filters having filter conditions corresponding the packet parameters;
  
  identifying the associated action from at least one of the matching filters; and
  
  if the associated action is an instruction to allow the packet to continue network traversal or an instruction to disallow the packet to continue network traversal, returning the associated action to the requesting layer.
- View Dependent Claims (24, 25)
- - 24. The computer-readable medium of claim 23, wherein each filter in the set of matching filters has a priority and the associated action from a highest priority filter is a non-terminating action, further comprising:
    - identify the associated action from one or more lower priority filters in the set of matching filters until a terminating action is reached.
  - 25. The computer-readable medium of claim 23, wherein a filter from the set of matching filter identifies a callout module, further comprising:
    - sending the packet parameters and an identification of the filter from the set of matching filters to the callout module.

26. A computer-readable medium for executing computer-readable instructions for permitting network communication between an initiating network device and a responding network device, the responding network device including a firewall for preventing unsolicited network communications, comprising:
- receiving, by the responding network device, an inbound packet from the initiating network device;
  
  determining whether the inbound packet is an authentication request;
  
  if the inbound packet is the authentication request;
  
  conducting a key negotiation between the initiating network device and the responding network device according to the key negotiation protocol;
  
  if the key negotiation is successful;
  
  creating a firewall filter that permits inbound packets sent from the initiating network device that conform to the key negotiation protocol; and
  
  if the inbound packet is not the authentication request;
  
  determining whether the initiating network device has been previously authenticated; and
  
  if the initiating network device has been previously authenticated, permitting the inbound packet.
- View Dependent Claims (27, 28)
- - 27. The computer-readable medium of claim 26, wherein the firewall filter permits inbound packets conforming to security settings between the initiating network device and the responding network device.
  - 28. The computer-readable medium of claim 26, wherein the firewall filter permits inbound packets designating address information of the responding network device.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Microsoft Technology Licensing LLC (Microsoft Corporation)
Original Assignee
Microsoft Corporation
Inventors
Swander, Brian D., Pall, Gurdeep Singh, Rao, Nagampalli S. S. Narasimha
Primary Examiner(s)
Zand; Kambiz
Assistant Examiner(s)
Ho; Thomas

Application Number

US10/456,770
Publication Number

US 20050022011A1
Time in Patent Office

1,537 Days
Field of Search

726 11- 14, 726/26, 709/232, 709/238, 709/332, 705/54
US Class Current

726/13
CPC Class Codes

H04L 63/0227   Filtering policies mail mes...

H04L 63/0236   Filtering by address, proto...

H04L 63/0823   using certificates cryptogr...

Multi-layer based method for implementing network firewalls

First Claim

3 Assignments

0 Petitions

Accused Products

Abstract

151 Citations

28 Claims

Specification

Solutions

Use Cases

Quick Links

Multi-layer based method for implementing network firewalls

First Claim

3 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

151 Citations

28 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links