Content filtering of remote file-system access protocols

US 8,347,373 B2
Filed: 05/08/2007
Issued: 01/01/2013
Est. Priority Date: 05/08/2007
Status: Active Grant

First Claim

Patent Images

1. A method comprisingreceiving at a network device, logically interposed between a client and a server, a remote file-system access protocol request from the client, the remote file-system access protocol request representing a request to make a partial file access to a file associated with a share of the server;

the network device issuing the remote file-system access protocol request to the server on behalf of the client;

the network device implementing a single shared holding buffer for the file during a particular remote file-system access protocol session, wherein the single shared holding buffer is used for both read and write accesses to the file and is used for accesses to the file by a plurality of processes running on the client by mapping different file IDs referring to the file to the single shared holding buffer;

the network device buffering into the single shared holding buffer data being read from or written to the file as a result of the remote file-system access protocol request; and

responsive to a predetermined event in relation to the remote file-system access protocol or the holding buffer, the network device determining the existence or non-existence of malicious, dangerous or unauthorized content contained within the holding buffer by performing content filtering on the holding buffer.

View all claims

1 Assignment

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

Methods and systems for content filtering of remote file-system access protocols are provided. According to one embodiment, a transparent proxy running within a network gateway logically interposed between a client and a server intercepts remote file-system access protocol requests/responses. Responsive to receipt of a remote file-system access protocol request from the client, the network gateway issues the remote file-system access protocol request to the server on behalf of the client. The network gateway buffers into a holding buffer associated with the network gateway data being read from or written to a file associated with a share of the server. Then, responsive to a predetermined event in relation to the remote file-system access protocol or the holding buffer, the network gateway determines the existence or non-existence of malicious, dangerous or unauthorized content contained within the holding buffer by performing content filtering on the holding buffer.

18 Citations

View as Search Results

52 Claims

1. A method comprisingreceiving at a network device, logically interposed between a client and a server, a remote file-system access protocol request from the client, the remote file-system access protocol request representing a request to make a partial file access to a file associated with a share of the server;
- the network device issuing the remote file-system access protocol request to the server on behalf of the client;
  
  the network device implementing a single shared holding buffer for the file during a particular remote file-system access protocol session, wherein the single shared holding buffer is used for both read and write accesses to the file and is used for accesses to the file by a plurality of processes running on the client by mapping different file IDs referring to the file to the single shared holding buffer;
  
  the network device buffering into the single shared holding buffer data being read from or written to the file as a result of the remote file-system access protocol request; and
  
  responsive to a predetermined event in relation to the remote file-system access protocol or the holding buffer, the network device determining the existence or non-existence of malicious, dangerous or unauthorized content contained within the holding buffer by performing content filtering on the holding buffer.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8)
- - 2. The method of claim 1, wherein the remote file-system access protocol comprises Server Message Block (SMB)/Common Internet File System (CIFS).
  - 3. The method of claim 1, wherein the single shared holding buffer is stored in a shared memory of the network device that is accessible by a plurality of processes running within the network device.
  - 4. The method of claim 1, wherein the single shared holding buffer is stored in allocated memory of the network device that is associated with a specific process running within the network device.
  - 5. The method of claim 1, further comprising the network device tracking usage and modification of the single shared holding buffer with a usage table.
  - 6. The method of claim 5, wherein the usage table contains information indicative of free and filled sections of the single shared holding buffer.
  - 7. The method of claim 6, wherein the predetermined event comprises determining the single shared holding buffer is full.
  - 8. The method of claim 1, wherein the predetermined event comprises determining the client is attempting to append data to the file.

9. A method comprising:
- creating (i) a plurality of holding buffers in which data collected from partial file accesses associated with a remote file-system access protocol is stored, (ii) a holding buffer context table, (iii) a file map table and (iv) a usage table corresponding to each holding buffer of the plurality of holding buffers within one or more computer-readable media, wherein each holding buffer corresponds to a single file, is used for both read and write accesses to the single file and is used for accesses to the single file by a plurality of remote processes by mapping different file IDs referring to the single file to the corresponding holding buffer;
  
  tracking within the holding buffer context table references to each of the plurality of holding buffers;
  
  mapping references to a common file to a common holding buffer of the plurality of holding buffers with the file map table;
  
  tracking modified and unmodified portions of the plurality of holding buffers using the usage table corresponding to each holding buffer;
  
  responsive to a predetermined event in relation to a holding buffer of the plurality of holding buffers, determining the existence or non-existence of malicious, dangerous or unauthorized content contained within the holding buffer by performing content filtering on the holding buffer.
- View Dependent Claims (10, 11, 12, 13, 14, 15, 16, 17, 18, 19, 20, 21, 22)
- - 10. The method of claim 9, wherein the one or more computer-readable media comprise non-persistent storage, such as random access memory.
  - 11. The method of claim 9, wherein the one or more computer-readable media comprise persistent storage, such as a hard-disk, flash disk or other non-volatile storage.
  - 12. The method of claim 10, wherein the non-persistent storage comprises shared memory that is accessible by a plurality of processes running within the network device.
  - 13. The method of claim 9, wherein elements of the file map table contain file identifiers.
  - 14. The method of claim 13, wherein the file identifiers consists of a number, a character string or sequence of binary digits.
  - 15. The method of claim 9, wherein elements of the file map table contain a reference to one or more of the plurality of holding buffers.
  - 16. The method of claim 9, wherein elements of the holding buffer context table contain a reference to one or more of the plurality of holding buffers.
  - 17. The method of claim 9, wherein elements of the holding buffer context table contain a reference count for each holding buffer of the plurality of holding buffers.
  - 18. The method of claim 9, wherein elements of the usage tables consist of one or more bits, bytes, numbers or strings.
  - 19. The method of claim 18, wherein each element of the usage tables corresponds to one or more bits or bytes of the corresponding holding buffer of the plurality of holding buffers.
  - 20. The method of claim 18, wherein the entries of the usage tables are indicative of a modified or unmodified state of corresponding portions of the corresponding holding buffers.
  - 21. The method of claim 9, wherein the predetermined event comprises determining the holding buffer is fully modified.
  - 22. The method of claim 9, wherein the predetermined event comprises an attempt to append data to the holding buffer.

23. A method comprisingreceiving at a network device, logically interposed between a client and a server, a remote file-system access protocol request from the client, the remote file-system access protocol request representing a random or sequential access to a portion of data of a file associated with a share of the server;
- the network device issuing the remote file-system access protocol request to the server on behalf of the client;
  
  the network device implementing a holding buffer for the file during a particular remote file-system access protocol session, wherein the holding buffer is used for both read and write accesses to the file and is shared by a plurality of processes running on the client and accessing the file by mapping different file IDs referring to the file to the holding buffer;
  
  the network device buffering into the holding buffer the portion of data being read from or written to the file responsive to the remote file-system access protocol request; and
  
  responsive to a predetermined event in relation to the remote file-system access protocol or the holding buffer, the network device determining the existence or non-existence of malicious, dangerous or unauthorized content contained within the holding buffer by performing content filtering on the holding buffer.
- View Dependent Claims (24, 25, 26, 27, 28, 29, 30)
- - 24. The method of claim 23, wherein the remote file-system access protocol comprises Server Message Block (SMB)/Common Internet File System (CIFS).
  - 25. The method of claim 23, wherein the holding buffer is stored in a shared memory of the network device that is accessible by a plurality of processes running within the network device.
  - 26. The method of claim 23, wherein the holding buffer is stored in allocated memory of the network device that is associated with a specific process running within the network device.
  - 27. The method of claim 23, further comprising the network device tracking usage and modification of the holding buffer with a usage table.
  - 28. The method of claim 27, wherein the usage table contains information indicative of free and filled sections of the holding buffer.
  - 29. The method of claim 28, wherein the predetermined event comprises determining the holding buffer is full.
  - 30. The method of claim 23, wherein the predetermined event comprises determining the client is attempting to append data to the file.

31. A non-transitory computer-readable storage medium embodying a set of instructions, which when executed by one or more processors of a network device logically interposed between a client and a server, cause the one or more processors to perform a method comprising:
- receiving a remote file-system access protocol request from the client, the remote file-system access protocol request representing a request to make a partial file access to a file associated with a share of the server;
  
  issuing the remote file-system access protocol request to the server on behalf of the client;
  
  implementing a single shared holding buffer for the file during a particular remote file-system access protocol session, wherein the single shared holding buffer is used for both read and write accesses to the file and is used for accesses to the file by a plurality of processes running on the client by mapping different file IDs referring to the file to the single shared holding buffer;
  
  buffering into the single shared holding buffer data being read from or written to the file as a result of the remote file-system access protocol request; and
  
  responsive to a predetermined event in relation to the remote file-system access protocol or the holding buffer, determining the existence or non-existence of malicious, dangerous or unauthorized content contained within the holding buffer by performing content filtering on the holding buffer.
- View Dependent Claims (32, 33, 34, 35, 36, 37, 38)
- - 32. The computer-readable storage medium of claim 31, wherein the remote file-system access protocol comprises Server Message Block (SMB)/Common Internet File System (CIFS).
  - 33. The computer-readable storage medium of claim 31, wherein the single shared holding buffer is stored in a shared memory of the network device that is accessible by a plurality of processes running within the network device.
  - 34. The computer-readable storage medium of claim 31, wherein the single shared holding buffer is stored in allocated memory of the network device that is associated with a specific process running within the network device.
  - 35. The computer-readable storage medium of claim 31, wherein the method further comprises tracking usage and modification of the single shared holding buffer with a usage table.
  - 36. The computer-readable storage medium of claim 35, wherein the usage table contains information indicative of free and filled sections of the single shared holding buffer.
  - 37. The computer-readable storage medium of claim 36, wherein the predetermined event comprises determining the single shared holding buffer is full.
  - 38. The computer-readable storage medium of claim 31, wherein the predetermined event comprises determining the client is attempting to append data to the file.

39. A network device comprising:
- one or more non-transitory storage devices having embodied therein one or more routines; and
  
  one or more processors coupled to the non-transitory storage device and operable to execute the one or more routines to perform a method comprising;
  
  creating (i) a plurality of holding buffers in which data collected from partial file accesses associated with a remote file-system access protocol is stored, (ii) a holding buffer context table, (iii) a file map table and (iv) a usage table corresponding to each holding buffer of the plurality of holding buffers within the one or more non-transitory storage devices, wherein each holding buffer corresponds to a single file, is used for both read and write accesses to the single file and is used for accesses to the single file by a plurality of remote processes by mapping different file IDs referring to the single file to the corresponding holding buffer;
  
  tracking within the holding buffer context table references to each of the plurality of holding buffers;
  
  mapping references to a common file to a common holding buffer of the plurality of holding buffers with the file map table;
  
  tracking modified and unmodified portions of the plurality of holding buffers using the usage table corresponding to each holding buffer;
  
  responsive to a predetermined event in relation to a holding buffer of the plurality of holding buffers, determining the existence or non-existence of malicious, dangerous or unauthorized content contained within the holding buffer by performing content filtering on the holding buffer.
- View Dependent Claims (40, 41, 42, 43, 44, 45, 46, 47, 48, 49, 50, 51, 52)
- - 40. The network device of claim 39, wherein the one or more non-transitory storage devices comprise non-persistent storage, such as random access memory.
  - 41. The network device of claim 39, wherein the one or more non-transitory storage devices comprise persistent storage, such as a hard-disk, flash disk or other non-volatile storage.
  - 42. The network device of claim 40, wherein the non-persistent storage comprises shared memory that is accessible by a plurality of processes running within the network device.
  - 43. The network device of claim 39, wherein elements of the file map table contain file identifiers.
  - 44. The network device of claim 43, wherein the file identifiers consists of a number, a character string or sequence of binary digits.
  - 45. The network device of claim 39, wherein elements of the file map table contain a reference to one or more of the plurality of holding buffers.
  - 46. The network device of claim 39, wherein elements of the holding buffer context table contain a reference to one or more of the plurality of holding buffers.
  - 47. The network device of claim 39, wherein elements of the holding buffer context table contain a reference count for each holding buffer of the plurality of holding buffers.
  - 48. The network device of claim 39, wherein elements of the usage tables consist of one or more bits, bytes, numbers or strings.
  - 49. The network device of claim 48, wherein each element of the usage tables corresponds to one or more bits or bytes of the corresponding holding buffer of the plurality of holding buffers.
  - 50. The network device of claim 48, wherein the entries of the usage tables are indicative of a modified or unmodified state of corresponding portions of the corresponding holding buffers.
  - 51. The network device of claim 39, wherein the predetermined event comprises determining the holding buffer is fully modified.
  - 52. The network device of claim 39, wherein the predetermined event comprises an attempt to append data to the holding buffer.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Fortinet Inc.
Original Assignee
Fortinet Inc.
Inventors
Crawford, William Jeffrey
Primary Examiner(s)
Hoffman, Brandon
Assistant Examiner(s)
Ambaye, Samuel

Application Number

US11/746,046
Publication Number

US 20080282337A1
Time in Patent Office

2,065 Days
Field of Search

726/12, 726/24
US Class Current

726/12
CPC Class Codes

G06F 11/00   Error detection; Error corr...

G06F 16/00   Information retrieval; Data...

G06F 21/00   Security arrangements for p...

G06F 21/56   Computer malware detection ...

G06F 21/6218   to a system of files or obj...

H04L 49/90   Buffering arrangements

H04L 63/0245   Filtering by information in...

H04L 63/0281   Proxies

H04L 63/145   the attack involving the pr...

H04L 65/102   Gateways arrangements for c...

H04L 67/06   specially adapted for file ...

H04L 67/289   Intermediate processing fun...

H04L 67/56   Provisioning of proxy servi...

H04L 9/40   Network security protocols

Content filtering of remote file-system access protocols

First Claim

1 Assignment

0 Petitions

Accused Products

Abstract

18 Citations

52 Claims

Specification

Use Cases

Quick Links

Others

Content filtering of remote file-system access protocols

First Claim

1 Assignment

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

18 Citations

52 Claims

Specification

Subscription Required

Use Cases

Quick Links

Others