Auditing and policy control at SSH endpoints

US 10,091,239 B2
Filed: 01/24/2013
Issued: 10/02/2018
Est. Priority Date: 01/24/2012
Status: Active Grant

First Claim

Patent Images

1. A method comprising:

receiving, in a firewall from a policy server, policy information including instructions for interception of encrypted communications;

intercepting and decrypting, in the firewall at least a part of an encrypted communication, at a packets level, according to a first encrypted protocol in accordance with the policy information; and

sending at least a part of the decrypted communication from the firewall to an audit server using a network protocol,wherein the firewall is a device that performs stateful inspection of data packets, andwherein the audit server is not within the firewall.

View all claims

1 Assignment

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

SSH sessions and other protocol sessions (e.g., RDP) may be audited using an interceptor embedded within an SSH server or other protocol server. Operations performed over an SSH connection may be controlled, including controlling what files are transferred.

48 Citations

View as Search Results

17 Claims

1. A method comprising:
- receiving, in a firewall from a policy server, policy information including instructions for interception of encrypted communications;
  
  intercepting and decrypting, in the firewall at least a part of an encrypted communication, at a packets level, according to a first encrypted protocol in accordance with the policy information; and
  
  sending at least a part of the decrypted communication from the firewall to an audit server using a network protocol,wherein the firewall is a device that performs stateful inspection of data packets, andwherein the audit server is not within the firewall.
- View Dependent Claims (2, 3, 4, 5, 6)
- - 2. The method of claim 1, wherein the first encrypted protocol is the Secure Shell (SSH) protocol, the Virtual Network Computing (VNC) protocol, or the Remote Desktop Protocol (RDP) protocol.
  - 3. The method of claim 1, further comprising:
    - intercepting a sent packet belonging to the communication before it is encrypted by the firewall; and
      
      intercepting a received packet belonging to the communication after it has been decrypted by the firewall.
  - 4. The method of claim 1, further comprising:
    - making a policy decision about whether to allow a port forwarding request.
  - 5. The method of claim 1, further comprising:
    - deciding whether to allow an intercepted protocol operation based on a policy rule received from the policy server, where the protocol operation is selected from the group consisting of;
      
      opening a port forwarding channel, opening a session channel, transferring a file, opening a file, creating a file, modifying a file, reading a file, removing a file, renaming a file, advertising a device, opening a device, advertising a printer, and opening a printer.
  - 6. The method of claim 1, further comprising:
    - intercepting a request to transfer data using the first encrypted protocol and accepting or rejecting the request based on a response from a data loss prevention (DLP) system to a query about the data.

7. A firewall comprising:
- one or more processors; and
  
  at least one non-transitory memory comprising program code for causing, with the one or more processors, the firewall to;
  
  receive, from a policy server, policy information including instructions for interception of encrypted communications;
  
  intercept and decrypt at least a part of an encrypted communication, at a packets level, according to a first encrypted protocol in accordance with the policy information; and
  
  send at least a part of the decrypted communication to an audit server using a network protocol,wherein the firewall is a device that performs stateful inspection of data packets, andwherein the audit server is not within the firewall.
- View Dependent Claims (8, 9, 10)
- - 8. The firewall of claim 7, wherein the at least one memory further comprises program code for causing the firewall to:
    - intercept a sent packet belonging to the communication before it is encrypted by the firewall; and
      
      intercept a received packet belonging to the communication after it has been decrypted by the firewall.
  - 9. The firewall of claim 7, wherein the at least one memory further comprises program code for causing the firewall to:
    - decide whether to allow an intercepted operation defined in the first encrypted protocol based on policy received from the policy server.
  - 10. The firewall of claim 7, wherein the at least one memory further comprises program code for causing the firewall to:
    - block a request to transfer data using the first encrypted protocol in response to data loss prevention system (DLP) identifying the data as data whose transfer is not allowed.

11. A computer program product for a firewall stored on a non-transitory computer-readable medium comprising program code operable to cause the firewall to:
- receive, from a policy server, policy information including instructions for interception of encrypted communications;
  
  intercept and decrypt at least a part of an encrypted communication, at a packets level, according to a first encrypted protocol in accordance with the policy information; and
  
  send at least a part of the decrypted communication to an audit server using a network protocol,wherein the firewall is a device that performs stateful inspection of data packets, andwherein the audit server is not within the firewall.
- View Dependent Claims (12, 13, 14, 15, 16, 17)
- - 12. The computer program product of claim 11, wherein the first encrypted protocol is the Secure Shell (SSH) protocol.
  - 13. The computer program product of claim 11, wherein the first encrypted protocol is the Remote Desktop Protocol (RDP).
  - 14. The computer program product of claim 11, further comprising program code operable to cause the firewall to:
    - intercept a sent packet belonging to the communication before it is encrypted by the server; and
      
      intercept a received packet belonging to the communication after it has been decrypted by the server.
  - 15. The computer program product of claim 11, further comprising program code operable to cause the firewall to:
    - make a policy decision about whether to allow a request defined in the first encrypted protocol.
  - 16. The computer program code of claim 11, further comprising program code operable to cause the computer toact as a server for Secure Shell (SSH) connection, andsend information related to the Secure Shell connection to the audit server in plaintext.
  - 17. The computer program code of claim 11, further comprising program code operable to cause the computer toact as a client for Secure Shell (SSH) connection, andsend information related to the Secure Shell connection to the audit server in plaintext.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
SSH Communications Security Oyj
Original Assignee
SSH Communications Security Oyj
Inventors
Ylonen, Tatu J., Lavitt, Samuel Douglas
Primary Examiner(s)
Williams, Jeffery

Application Number

US13/749,005
Publication Number

US 20130191631A1
Time in Patent Office

2,077 Days
Field of Search

None
US Class Current
CPC Class Codes

H04L 63/0428   wherein the data content is...

H04L 63/1483   service impersonation, e.g....

H04L 63/16   Implementing security featu...

H04L 63/164   at the network layer

H04L 63/166   at the transport layer

Auditing and policy control at SSH endpoints

First Claim

1 Assignment

0 Petitions

Accused Products

Abstract

48 Citations

17 Claims

Specification

Solutions

Use Cases

Quick Links

Auditing and policy control at SSH endpoints

First Claim

1 Assignment

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

48 Citations

17 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links