Policy-based content filtering

US 8,656,479 B2
Filed: 06/18/2012
Issued: 02/18/2014
Est. Priority Date: 11/22/2005
Status: Active Grant

First Claim

Patent Images

1. A computer-implemented method for processing application-level content of network service protocols, the method comprising:

redirecting a first network connection associated with a first network service protocol, by a networking subsystem implemented within a kernel of an operating system of a firewall device, to a first proxy module of a plurality of proxy modules within the firewall device that is configured to support the first network service protocol, wherein at least two of the plurality of proxy modules are configured to support different network service protocols;

retrieving, by the first proxy module, one or more content processing configuration schemes associated with a matching firewall policy for the first network service protocol and the first network connection; and

processing, by the first proxy module, application-level content of a packet stream associated with the network connection by;

reassembling the application-level content from a plurality of packets of the packet stream; and

scanning the application-level content based on the retrieved one or more content processing configuration schemes.

View all claims

0 Assignments

Timeline View

Assignment View

1 Petition

Accused Products

Abstract

Methods and systems for processing application-level content of network service protocols are described. According to one embodiment, a network connection is redirected by a networking subsystem implemented within a kernel of an operating system of a firewall device to a proxy module within the firewall device that is configured to support a network service protocol associated with the network connection. The proxy module retrieves one or more content processing configuration schemes associated with a matching firewall policy for the network service protocol and the network connection. The content processing configuration schemes each include multiple content processing configuration settings for each of one or more network service protocols. Application-level content of a packet stream associated with the network connection is then processed by the proxy module reassembling the application-level content from multiple packets of the packet stream and scanning the application-level content based on the retrieved content processing configuration schemes.

15 Citations

View as Search Results

34 Claims

1. A computer-implemented method for processing application-level content of network service protocols, the method comprising:
- redirecting a first network connection associated with a first network service protocol, by a networking subsystem implemented within a kernel of an operating system of a firewall device, to a first proxy module of a plurality of proxy modules within the firewall device that is configured to support the first network service protocol, wherein at least two of the plurality of proxy modules are configured to support different network service protocols;
  
  retrieving, by the first proxy module, one or more content processing configuration schemes associated with a matching firewall policy for the first network service protocol and the first network connection; and
  
  processing, by the first proxy module, application-level content of a packet stream associated with the network connection by;
  
  reassembling the application-level content from a plurality of packets of the packet stream; and
  
  scanning the application-level content based on the retrieved one or more content processing configuration schemes.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13, 14, 15, 16)
- - 2. The method of claim 1, further comprising:
    - receiving the first network connection, at the networking subsystem;
      
      determining, by the networking subsystem, the first network service protocol; and
      
      identifying, by the networking subsystem, the matching firewall policy.
  - 3. The method of claim 1, wherein the first network service protocol comprises at least one of a group consisting of HyperText Transfer Protocol (HTTP), File Transfer Protocol (FTP), Simple Mail Transfer Protocol (SMTP), Post Office Protocol 3 (POP3), Internet Message Access Protocol (IMAP) and Server Message Block/Common Internet File System (SMB/CIFS).
  - 4. The method of claim 2, wherein during the identifying, the matching firewall policy is selected from a plurality of predefined firewall policies based on a source network address associated with the first network connection, a destination network address associated with the first network connection and the first network service protocol.
  - 5. The method of claim 1, wherein during the retrieving, the one or more content processing configuration schemes are selected from a plurality of predefined content processing configuration schemes.
  - 6. The method of claim 1, further comprising authenticating a user associated with the first network connection and rejecting the first network connection if the authentication is unsuccessful.
  - 7. The method of claim 6, wherein the authenticated user is associated with one or more user groups.
  - 8. The method of claim 7, wherein the retrieved one or more content processing configuration schemes are assigned to the one or more user groups.
  - 9. The method of claim 6, wherein the retrieved one or more content processing configuration schemes are determined by an identity of the authenticated user.
  - 10. The method of claim 1, wherein the plurality of proxy modules are implemented within the kernel.
  - 11. The method of claim 1, wherein the plurality of proxy modules are implemented as applications executing in a user space provided by the operating system.
  - 12. The method of claim 1, wherein the plurality of proxy modules are selected from a plurality of proxy subsystems provided to handle multiple protocols and multiple instances of a proxy module.
  - 13. The method of claim 12, wherein the first network service protocol comprises HyperText Transport Protocol (HTTP) and said scanning the application-level content comprises performing a plurality of antivirus scanning, filename blocking, quarantining, banned word filtering, and Uniform Resource Locator (URL) blocking
  - 14. The method of claim 12, wherein a second network service protocol of the different network service protocols comprises File Transfer Protocol (FTP) and said scanning the application-level content of the packet stream associated with a second network connection comprises performing a plurality of antivirus scanning, filename blocking and quarantining.
  - 15. The method of claim 12, wherein a second network service protocol of the different network service protocols Simple Mail Transfer Protocol (SMTP), Post Office Protocol 3 (POP3) or Internet Message Access Protocol (IMAP) and said scanning the application-level content of the packet stream associated with a second network connection comprises performing a plurality of antivirus scanning, filename blocking, quarantining, banned word filtering and spam blocking.
  - 16. The method of claim 12, wherein a second network service protocol of the different network service protocols Server Message Block/Common Internet File System (SMB/CIFS) and said scanning the application-level content of the packet stream associated with a second network connection comprises performing a plurality of antivirus scanning, filename blocking and quarantining.

17. A firewall system for processing application-level content of network service protocols, the firewall system comprising:
- a non-transitory memory having stored therein a configuration database including a plurality of firewall policies and a plurality of content processing configuration schemes;
  
  a networking interface receiving a network connection;
  
  a plurality of proxy modules each supporting one or more network protocols of the plurality of network protocols, wherein at least two of the plurality of proxy modules are configured to support different network service protocols; and
  
  a networking subsystem (i) receiving the network connection from the networking interface, (ii) identifying a firewall policy of the plurality of firewall policies that is appropriate for the network connection and (iii) redirecting the network connection to a proxy module of the plurality of proxy modules based on a network protocol associated with the network connection; and
  
  wherein the proxy module processes application-level content of a packet stream associated with the network connection by;
  
  reassembling the application-level content from a plurality of packets of the packet stream; and
  
  scanning the application-level content based on one or more content processing configuration schemes of the plurality of content processing configuration schemes that have been associated with the firewall policy by an administrator of the firewall system.
- View Dependent Claims (18, 19, 20, 21, 22, 23, 24, 25)
- - 18. The firewall system of claim 17, wherein the networking interface comprises a physical network interface.
  - 19. The firewall system of claim 17, wherein the networking interface comprises a logical network interface.
  - 20. The firewall system of claim 17, wherein the proxy module retrieves the one or more content processing configuration schemes from the configuration database.
  - 21. The firewall system of claim 17, wherein the processing of application-level content by the proxy module comprises applying filters to the application-level content.
  - 22. The firewall system of claim 17, wherein the network service protocol comprises HyperText Transport Protocol (HTTP) and wherein the plurality of content processing configuration settings include content processing configuration settings for each of antivirus scanning, filename blocking, quarantining, banned word filtering, and Uniform Resource Locator (URL) blocking.
  - 23. The firewall system of claim 17, wherein the network service protocol comprises File Transfer Protocol (FTP) and wherein the plurality of content processing configuration settings include content processing configuration settings for each of antivirus scanning, filename blocking and quarantining.
  - 24. The firewall system of claim 17, wherein the network service protocol comprises Simple Mail Transfer Protocol (SMTP), Post Office Protocol 3 (POP3) or Internet Message Access Protocol (IMAP) and wherein the plurality of content processing configuration settings include content processing configuration settings for each of antivirus scanning, filename blocking, quarantining, banned word filtering and spam blocking.
  - 25. The firewall system of claim 17, wherein the network service protocol comprises Server Message Block/Common Internet File System (SMB/CIFS) and wherein the plurality of content processing configuration settings include content processing configuration settings for each of antivirus scanning, filename blocking and quarantining.

26. A non-transitory computer-readable storage medium tangibly embodying instructions, which when executed by a firewall system, cause the firewall system to perform a method for processing application-level content, the method comprising:
- redirecting a network connection associated with a network service protocol, by a networking subsystem implemented within a kernel of an operating system of a firewall device, to a proxy module of a plurality of proxy modules within the firewall device that is configured to support the network service protocol, wherein at least two of the plurality of proxy modules are configured to support different network service protocols;
  
  retrieving, by the proxy module, one or more content processing configuration schemes associated with a matching firewall policy for the network service protocol and the network connection; and
  
  processing, by the proxy module, application-level content of a packet stream associated with the network connection by;
  
  reassembling the application-level content from a plurality of packets of the packet stream; and
  
  scanning the application-level content based on the retrieved one or more content processing configuration schemes.
- View Dependent Claims (27, 28, 29, 30, 31, 32, 33, 34)
- - 27. The computer-readable storage medium of claim 26, wherein the method further comprises:
    - receiving, by the networking subsystem, the network connection;
      
      determining, by the networking subsystem, the network service protocol; and
      
      identifying, by the networking subsystem, the matching firewall policy.
  - 28. The computer-readable storage medium of claim 26, wherein the network service protocol comprises at least one of a group consisting of HyperText Transfer Protocol (HTTP), File Transfer Protocol (FTP), Simple Mail Transfer Protocol (SMTP), Post Office Protocol 3 (POP3), Internet Message Access Protocol (IMAP) and Server Message Block/Common Internet File System (SMB/CIFS).
  - 29. The computer-readable storage medium of claim 27, wherein during the identifying, the matching firewall policy is selected from a plurality of predefined firewall policies.
  - 30. The computer-readable storage medium of claim 26, wherein during the retrieving, the one or more content processing configuration schemes are selected from a plurality of predefined content processing configuration schemes.
  - 31. The computer-readable storage medium of claim 26, wherein the method further comprises authenticating a user associated with the network connection and rejecting the network connection if the authentication is unsuccessful.
  - 32. The computer-readable storage medium of claim 31, wherein the authenticated user is associated with one or more user groups.
  - 33. The computer-readable storage medium of claim 32, wherein the retrieved one or more content processing configuration schemes are assigned to the one or more user groups.
  - 34. The computer-readable storage medium of claim 31, wherein the retrieved one or more content processing configuration schemes are determined by an identity of the authenticated user.

Specification

Resources

Litigation Campaign Assessment

Litigation Data

Current Assignee
Fortinet Inc.
Original Assignee
Fortinet Inc.
Inventors
Crawford, William J.
Primary Examiner(s)
Barron, Jr., Gilberto
Assistant Examiner(s)
Cribbs, Malcolm

Application Number

US13/526,510
Publication Number

US 20120254978A1
Time in Patent Office

610 Days
Field of Search

None
US Class Current

726/12
CPC Class Codes

H04L 63/02   for separating internal fro...

H04L 63/0236   Filtering by address, proto...

H04L 63/0245   Filtering by information in...

H04L 63/0281   Proxies

H04L 63/20   for managing network securi...

Policy-based content filtering

First Claim

0 Assignments

1 Petition

Accused Products

Abstract

15 Citations

34 Claims

Specification

Solutions

Use Cases

Quick Links

Policy-based content filtering

First Claim

0 Assignments

Subscription Required

Subscription Required

1 Petition

Subscription Required

Accused Products

Subscription Required

Abstract

15 Citations

34 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links