System and method for host-initiated firewall discovery in a network environment

US 8,800,024 B2
Filed: 10/17/2011
Issued: 08/05/2014
Est. Priority Date: 10/17/2011
Status: Active Grant

First Claim

Patent Images

1. A method, comprising:

intercepting, on a source node, a network flow to a destination node having a network address;

determining a discovery action associated with the network address in a firewall cache;

sending, from the source node, a discovery query to identify a firewall to be used in a route for sending the network flow to the destination node, wherein the discovery query is based on the discovery action associated with the network address in the firewall cache;

receiving, at the source node, a discovery result from the firewall, the discovery result including a firewall address and a firewall port of the firewall;

authenticating the discovery result;

updating the discovery action in the firewall cache with the firewall address and the firewall port when the discovery result is authenticated;

sending metadata associated with the network flow to the firewall; and

releasing the network flow from the source node.

View all claims

10 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

A method is provided in one example embodiment that includes intercepting a network flow to a destination node having a network address and sending a discovery query based on a discovery action associated with the network address in a firewall cache. A discovery result may be received and metadata associated with the flow may be sent to a firewall before releasing the network flow. In other embodiments, a discovery query may be received from a source node and a discovery result sent to the source node, wherein the discovery result identifies a firewall for managing a route to a destination node. Metadata may be received from the source node over a metadata channel. A network flow from the source node to the destination node may be intercepted, and the metadata may be correlated with the network flow to apply a network policy to the network flow.

342 Citations

24 Claims

1. A method, comprising:
- intercepting, on a source node, a network flow to a destination node having a network address;
  
  determining a discovery action associated with the network address in a firewall cache;
  
  sending, from the source node, a discovery query to identify a firewall to be used in a route for sending the network flow to the destination node, wherein the discovery query is based on the discovery action associated with the network address in the firewall cache;
  
  receiving, at the source node, a discovery result from the firewall, the discovery result including a firewall address and a firewall port of the firewall;
  
  authenticating the discovery result;
  
  updating the discovery action in the firewall cache with the firewall address and the firewall port when the discovery result is authenticated;
  
  sending metadata associated with the network flow to the firewall; and
  
  releasing the network flow from the source node.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12)
- - 2. The method of claim 1, wherein the discovery query is sent in an Internet Control Message Protocol packet.
  - 3. The method of claim 1, wherein the discovery query is sent in an Internet Control Message Protocol echo message.
  - 4. The method of claim 1, wherein the discovery query is sent in a User Datagram Protocol.
  - 5. The method of claim 1, wherein the metadata is sent using a Datagram Transport Layer Security protocol.
  - 6. The method of claim 1, wherein the discovery query comprises a message authentication code.
  - 7. The method of claim 1, wherein the discovery query comprises a hash-based message authentication code.
  - 8. The method of claim 1, further comprising authenticating the discovery result with a message authentication code.
  - 9. The method of claim 1, wherein the discovery query comprises a hash-based message authentication code with a shared secret.
  - 10. The method of claim 1, wherein the discovery query comprises a public key encryption of a hash of the discovery query.
  - 11. The method of claim 1, further comprising authenticating the discovery result with a public key decryption of a hash of the discovery result.
  - 12. The method of claim 1, further comprising correlating the metadata with the network flow to apply a network policy to the network flow.

13. At least one non-transitory computer readable medium having instructions stored thereon for discovering a firewall, the instructions when executed by at least one processor cause the processor to:
- intercept, on a source node, a network flow to a destination node having a network address;
  
  determine a discovery action associated with the network address in a firewall cache;
  
  send, from the source node, a discovery query to identify a firewall to be used in a route to send the network flow to the destination node, wherein the discovery query is based on the discovery action associated with the network address in the firewall cache;
  
  receive, at the source node, a discovery result from the firewall, the discovery result including a firewall address and a firewall port of the firewall;
  
  authenticate the discovery result;
  
  update the discovery action in the firewall cache with the firewall address and the firewall port when the discovery result is authenticated;
  
  send metadata associated with the network flow to the firewall; and
  
  release the network flow from the source node.
- View Dependent Claims (14, 15, 16, 17, 18, 19, 20, 21, 22, 23, 24)
- - 14. The at least one non-transitory computer readable medium of claim 13, wherein the discovery query is sent in an Internet Control Message Protocol packet.
  - 15. The at least one non-transitory computer readable medium of claim 13, wherein the discovery query is sent in an Internet Control Message Protocol echo message.
  - 16. The at least one non-transitory computer readable medium of claim 13, wherein the discovery query is sent in a User Datagram Protocol.
  - 17. The at least one non-transitory computer readable medium of claim 13, wherein the metadata is sent using a Datagram Transport Layer Security protocol.
  - 18. The at least one non-transitory computer readable medium of claim 13, wherein the discovery query comprises a message authentication code.
  - 19. The at least one non-transitory computer readable medium of claim 13, wherein the discovery query comprises a hash-based message authentication code.
  - 20. The at least one non-transitory computer readable medium of claim 13, wherein the instructions, when executed by the at least one processor, further cause the processor to authenticate the discovery result with a message authentication code.
  - 21. The at least one non-transitory computer readable medium of claim 13, wherein the discovery query comprises a hash-based message authentication code with a shared secret.
  - 22. The at least one non-transitory computer readable medium of claim 13, wherein the discovery query comprises a public key encryption of a hash of the discovery query.
  - 23. The at least one non-transitory computer readable medium of claim 13, wherein the instructions, when executed by the at least one processor, further cause the processor to authenticate the discovery result with a public key decryption of a hash of the discovery result.
  - 24. The at least one non-transitory computer readable medium of claim 13, wherein the instructions, when executed by the at least one processor, further cause the processor to correlate the metadata with the network flow to apply a network policy to the network flow.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
McAfee, LLC
Original Assignee
McAfee, Inc. (McAfee, LLC)
Inventors
Cooper, Geoffrey, Green, Michael W., Guzik, John Richard
Primary Examiner(s)
LE, CHAU D

Application Number

US13/275,196
Publication Number

US 20130097692A1
Time in Patent Office

1,023 Days
Field of Search

726 11- 14
US Class Current

726/14
CPC Class Codes

G06F 21/00   Security arrangements for p...

G06F 21/30   Authentication, i.e. establ...

H04L 61/2514   between local and global IP...

H04L 63/0254   Stateful filtering

H04L 63/029   Firewall traversal, e.g. tu...

H04L 63/10   for controlling access to d...

H04L 67/51   Discovery or management the...

System and method for host-initiated firewall discovery in a network environment

First Claim

10 Assignments

0 Petitions

Accused Products

Abstract

342 Citations

24 Claims

Specification

Solutions

Use Cases

Quick Links

System and method for host-initiated firewall discovery in a network environment

First Claim

10 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

342 Citations

24 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links