Methods and systems for protecting a secured network

DC CAFC

US 10,091,246 B2
Filed: 01/24/2017
Issued: 10/02/2018
Est. Priority Date: 10/22/2012
Status: Active Grant

- Alert
- Pin

First Claim

Patent Images

1. A method comprising:

receiving, by at least one network security device located at a boundary of a network protected by the at least one network security device, a plurality of rule sets;

receiving a plurality of packets via a communication interface of the at least one network security device;

executing, at a first time and on a packet by packet basis, a first rule set specifying a first set of network addresses for which packets should be forwarded;

executing, at a second time and on a packet by packet basis, a second rule set specifying a second set of network addresses for which packets should be forwarded; and

executing, at a third time and on a packet by packet basis, a third rule set specifying a third set of network addresses for which packets should be forwarded, the second time being after the first time, the third time being after the second time, the second set of network addresses including more network addresses than the first set of network addresses, and the third set of network addresses including more network addresses than the second set of network addresses.

View all claims

2 Assignments

Timeline View

Assignment View

Litigations

1 Petition

Accused Products

Abstract

Methods and systems for protecting a secured network are presented. For example, one or more packet security gateways may be associated with a security policy management server. At each packet security gateway, a dynamic security policy may be received from the security policy management server, packets associated with a network protected by the packet security gateway may be received, and at least one of multiple packet transformation functions specified by the dynamic security policy may be performed on the packets. Performing the at least one of multiple packet transformation functions specified by the dynamic security policy on the packets may include performing at least one packet transformation function other than forwarding or dropping the packets.

194 Citations

20 Claims

1. A method comprising:
- receiving, by at least one network security device located at a boundary of a network protected by the at least one network security device, a plurality of rule sets;
  
  receiving a plurality of packets via a communication interface of the at least one network security device;
  
  executing, at a first time and on a packet by packet basis, a first rule set specifying a first set of network addresses for which packets should be forwarded;
  
  executing, at a second time and on a packet by packet basis, a second rule set specifying a second set of network addresses for which packets should be forwarded; and
  
  executing, at a third time and on a packet by packet basis, a third rule set specifying a third set of network addresses for which packets should be forwarded, the second time being after the first time, the third time being after the second time, the second set of network addresses including more network addresses than the first set of network addresses, and the third set of network addresses including more network addresses than the second set of network addresses.
- View Dependent Claims (2, 3, 4, 5, 6, 7)
- - 2. The method of claim 1, wherein the plurality of rule sets comprise at least one rule configured to identify spoofed source addresses, the method further comprising:
    - dropping, responsive to a determination by the at least one network security device that at least a portion of the plurality of packets comprise a spoofed source address based on criteria specified by the at least one rule, the at least a portion of the plurality of packets.
  - 3. The method of claim 1,wherein the plurality of packets are received via a first communication interface without a network layer address, andwherein the plurality of rule sets are received via a second communication interface of the at least one network security device having a network layer address.
  - 4. The method of claim 1, further comprising:
    - encapsulating, by the at least one network security device and responsive to a determination by the at least one network security device that at least a portion of the packets correspond to monitoring criteria specified by one or more of the plurality of rule sets, each packet of the at least a portion of the packets, with a header specifying a network address different from a destination network address specified by the packet.
  - 5. The method of claim 1, further comprising:
    - performing, on a packet by packet basis, at least one of multiple packet transformation functions specified by the plurality of rule sets on a plurality of packets associated with the network protected by the at least one network security device, wherein the at least one network security device is configured to perform the at least one of the multiple packet transformation functions specified by the plurality of rule sets on the plurality of packets by performing at least one packet transformation function other than forwarding or dropping the packets.
  - 6. The method of claim 1, wherein the plurality of rule sets comprises at least one rule specifying a parameter, the method further comprising:
    - routing, by the at least one network security device, at least one packet that matches the parameter to a network address different from a destination network address specified by the at least one packet,wherein the network address different from the destination network address specified by the at least one packet corresponds to a network device configured to copy information contained in the at least one packet and forward the at least one packet to the destination network address specified by the at least one packet.
  - 7. The method of claim 1, further comprising:
    - responsive to a determination by the at least one network security device that a portion of packets received from or destined for a host located in the network protected by the at least one network security device corresponds to criteria specified by the plurality of rule sets, dropping the portion of the packets.

8. A network security device comprising:
- at least one processor; and
  
  a memory storing instructions that when executed by the at least one processor cause the network security device to;
  
  receive, at the network security device, a plurality of rule sets;
  
  receive a plurality of packets via a communication interface of the network security device;
  
  execute, at a first time and on a packet by packet basis, a first rule set specifying a first set of network addresses for which packets should be forwarded;
  
  execute, at a second time and on a packet by packet basis, a second rule set specifying a second set of network addresses for which packets should be forwarded; and
  
  execute, at a third time and on a packet by packet basis, a third rule set specifying a third set of network addresses for which packets should be forwarded, the second time being after the first time, the third time being after the second time, the second set of network addresses including more network addresses than the first set of network addresses, and the third set of network addresses including more network addresses than the second set of network addresses.
- View Dependent Claims (9, 10, 11, 12, 13, 14)
- - 9. The network security device of claim 8, wherein the plurality of rule sets comprise at least one rule configured to identify spoofed source addresses,wherein the instructions, when executed by the at least one processor, cause the network security device to drop, responsive to a determination by the network security device that at least a portion of the plurality of packets comprise a spoofed source address based on criteria specified by at least one rule, the at least a portion of the plurality of packets.
  - 10. The network security device of claim 8,wherein the plurality of packets are received via a first communication interface without a network layer address, andwherein the plurality of rule sets are received via a second communication interface of the network security device having a network layer address.
  - 11. The network security device of claim 8, wherein the instructions, when executed by the at least one processor, cause the network security device to:
    - encapsulate, by the network security device and responsive to a determination by the network security device that at least a portion of the packets correspond to monitoring criteria specified by one or more of the plurality of rule sets, each packet of the at least a portion of the packets, with a header specifying a network address different from a destination network address specified by the packet.
  - 12. The network security device of claim 8, wherein the instructions, when executed by the at least one processor, cause the network security device to:
    - perform, on a packet by packet basis, at least one of multiple packet transformation functions specified by the plurality of rule sets on the plurality of packets associated with a network protected by the network security device, wherein the network security device is configured to perform the at least one of the multiple packet transformation functions specified by the plurality of rule sets on the plurality of packets by performing at least one packet transformation function other than forwarding or dropping packets.
  - 13. The network security device of claim 8, wherein the plurality of rule sets comprises at least one rule specifying a parameter, andwherein the instructions, when executed by the at least one processor, cause the network security device to:
    - route, by the network security device, at least one packet that matches the parameter to a network address different from a destination network address specified by the at least one packet,wherein the network address different from the destination network address specified by the at least one packet corresponds to a network device configured to copy information contained in the at least one packet and forward the at least one packet to the destination network address specified by the at least one packet.
  - 14. The network security device of claim 8, wherein the instructions, when executed by the at least one processor, cause the network security device to:
    - responsive to a determination by the network security device that a portion of packets received from or destined for a host located in a network protected by the network security device corresponds to criteria specified by the plurality of rule sets, drop the portion of the packets.

15. One or more non-transitory computer-readable media comprising instructions that when executed by a computing system cause the computing system to:
- receive, at the computing system located at a boundary of a network protected by the computing system, a plurality of rule sets;
  
  receive a plurality of packets via a communication interface of the computing system;
  
  execute, at a first time and on a packet by packet basis, a first rule set specifying a first set of network addresses for which packets should be forwarded;
  
  execute, at a second time and on a packet by packet basis, a second rule set specifying a second set of network addresses for which packets should be forwarded; and
  
  execute, at a third time and on a packet by packet basis, a third rule set specifying a third set of network addresses for which packets should be forwarded, the second time being after the first time, the third time being after the second time, the second set of network addresses including more network addresses than the first set of network addresses, and the third set of network addresses including more network addresses than the second set of network addresses.
- View Dependent Claims (16, 17, 18, 19, 20)
- - 16. The one or more non-transitory computer-readable media of claim 15,wherein the plurality of rule sets comprise at least one rule configured to identify spoofed source addresses, andwherein the instructions, when executed by the computing system, cause the computing system to drop, responsive to a determination by the computing system that at least a portion of the plurality of packets comprise a spoofed source address based on criteria specified by at least one rule, the at least a portion of the plurality of packets.
  - 17. The one or more non-transitory computer-readable media of claim 15,wherein the plurality of packets are received via a first communication interface of the computing system without a network layer address, andwherein the plurality of rule sets are received via a second communication interface of the computing system having a network layer address.
  - 18. The one or more non-transitory computer-readable media of claim 15, wherein the instructions, when executed by the computing system, cause the computing system to:
    - encapsulate, by the computing system and responsive to a determination by the computing system that at least a portion of the plurality of packets correspond to monitoring criteria specified by one or more of the plurality of rule sets, each packet of the at least a portion of the packets, with a header specifying a network address different from a destination network address specified by the packet.
  - 19. The one or more non-transitory computer-readable media of claim 15, wherein the instructions, when executed by the computing system, cause the computing system to:
    - perform, on a packet by packet basis, at least one of multiple packet transformation functions specified by the plurality of rule sets on the plurality of packets associated with the network protected by the computing system, wherein the computing system is configured to perform the at least one of the multiple packet transformation functions specified by the plurality of rule sets on the plurality of packets by performing at least one packet transformation function other than forwarding or dropping the packets.
  - 20. The one or more non-transitory computer-readable media of claim 15, wherein the plurality of rule sets comprises at least one rule specifying a parameter, andwherein the instructions, when executed by the computing system, cause the computing system to:
    - route, by the computing system, at least one packet that matches the parameter to a network address different from a destination network address specified by the at least one packet,wherein the network address different from the destination network address specified by the at least one packet corresponds to a network device configured to copy information contained in the at least one packet and forward the at least one packet to the destination network address specified by the at least one packet.

Specification

Resources

Litigation Campaign Assessment

Litigation Data

Current Assignee
Centripetal Networks, Inc.
Original Assignee
Centripetal Networks, Inc.
Inventors
Rogers, Steven, Moore, Sean
Primary Examiner(s)
Chang, Kenneth W

Application Number

US15/413,834
Publication Number

US 20170359382A1
Time in Patent Office

616 Days
Field of Search
US Class Current
CPC Class Codes

H04L 63/0209   Architectural arrangements,...

H04L 63/0218   Distributed architectures, ...

H04L 63/0236   Filtering by address, proto...

H04L 63/0263   Rule management

H04L 63/20   for managing network securi...

H04L 67/02   based on web technology, e....

Methods and systems for protecting a secured network

First Claim

2 Assignments

Litigations

1 Petition

Accused Products

Abstract

194 Citations

20 Claims

Specification

Solutions

Use Cases

Quick Links

Methods and systems for protecting a secured network

First Claim

2 Assignments

Subscription Required

Subscription Required

Litigations

1 Petition

Subscription Required

Accused Products

Subscription Required

Abstract

194 Citations

20 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links