Methods and systems for protecting a secured network
Abstract
Methods and systems for protecting a secured network are presented. For example, one or more packet security gateways may be associated with a security policy management server. At each packet security gateway, a dynamic security policy may be received from the security policy management server, packets associated with a network protected by the packet security gateway may be received, and at least one of multiple packet transformation functions specified by the dynamic security policy may be performed on the packets.
196 Citations
20 Claims
1. A method comprising:
receiving, by a server and from a first computing device, a first security update comprising a first set of network addresses;
updating, by the server, one or more rules stored in a memory of the server to include the first set of network addresses;
receiving, by the server and from a second computing device, a second security update comprising a second set of network addresses;
determining, by the server, that the second set of network addresses includes at least a portion of network addresses included in the first set of network addresses;
responsive to determining that the second set of network addresses includes the at least a portion of network addresses included in the first set of network addresses:
identifying, by the server, the at least a portion of network addresses included in the first set of network addresses;
identifying, by the server, at least one of the one or more rules stored in the memory of the server that specifies a range of network addresses comprising the at least a portion of network addresses included in the first set of network addresses; and
updating, by the server, the at least one of the one or more rules to include one or more other network addresses included in the second set of network addresses;
transmitting, by the server and to at least one packet security gateway, at least one of the one or more updated rules;
causing executing, by the packet security gateway and on a packet by packet basis, one or more rules in time-shifted phases, wherein the executing comprises:
executing, by the at least one packet security gateway, a first rule during a first period of time based on a first subset of network addresses;
executing, by the at least one packet security gateway, a second rule during a second period of time based on a second subset of network addresses; and
executing, by the at least one packet security gateway, a third rule during a third period of time based on a third subset of network addresses,
wherein the first period of time is followed by the second period of time, and the second period of time is followed by the third period of time, and
wherein the first subset of network addresses is smaller than the second subset of network addresses, and the second subset of network addresses is smaller than the third subset of network addresses.
Dependent claims 2 to 8 are not reproduced here.

9. One or more non-transitory computer-readable media having instructions stored thereon, that when executed by one or more computers, cause the one or more computers to:
receive a first security update comprising a first set of network addresses;
update at least one of one or more rules based on at least a portion of the first set of network addresses;
receive a second security update comprising a second set of network addresses;
determine that the second set of network addresses includes at least a portion of network addresses included in the first set of network addresses;
responsive to determining that the second set of network addresses includes the at least a portion of network addresses included in the first set of network addresses:
identify the at least a portion of network addresses included in the first set of network addresses;
identify at least one of the one or more rules that specifies a range of network addresses comprising the at least a portion of network addresses included in the first set of network addresses; and
update the at least one of the one or more rules to include one or more other network addresses included in the second set of network addresses;
transmit the at least one of the one or more updated rules; and
cause executing, on a packet by packet basis, one or more rules in time-shifted phases, wherein the executing comprises:
executing a first rule during a first period of time based on a first subset of network addresses;
executing a second rule during a second period of time based on a second subset of network addresses; and
executing a third rule during a third period of time based on a third subset of network addresses,
wherein the first period of time is followed by the second period of time, and the second period of time is followed by the third period of time, and
wherein the first subset of network addresses is smaller than the second subset of network addresses, and the second subset of network addresses is smaller than the third subset of network addresses.
Dependent claims 10 to 14 are not reproduced here.

15. A system comprising:
a server comprising: one or more processors; and memory storing instructions that, when executed by the one or more processors of the server, cause the server to:
receive a first security update comprising a first set of network addresses;
update one or more rules stored in the memory of the server to include the first set of network addresses;
receive a second security update comprising a second set of network addresses;
determine that the second set of network addresses includes at least a portion of network addresses included in the first set of network addresses; and
responsive to determining that the second set of network addresses includes the at least a portion of network addresses included in the first set of network addresses:
identify, by the server, the at least a portion of network addresses included in the first set of network addresses;
identify at least one of the one or more rules stored in the memory of the server that specifies a range of network addresses comprising the at least a portion of network addresses included in the first set of network addresses; and
update the at least one of the one or more rules to include one or more other network addresses included in the second set of network addresses; and
a gateway comprising: one or more processors; and memory storing instructions that, when executed by the one or more processors of the gateway, cause the gateway to:
receive, from the server, one or more updated rules;
receive a plurality of packets associated with a network protected by the gateway;
filter, on a packet by packet basis, the plurality of packets based on a rule set comprising at least the one or more updated rules; and
execute, on a packet by packet basis, one or more rules in time-shifted phases, wherein the executing comprises:
executing a first rule during a first period of time based on a first subset of network addresses;
executing a second rule during a second period of time based on a second subset of network addresses; and
executing a third rule during a third period of time based on a third subset of network addresses,
wherein the first period of time is followed by the second period of time, and the second period of time is followed by the third period of time, and
wherein the first subset of network addresses is smaller than the second subset of network addresses, and the second subset of network addresses is smaller than the third subset of network addresses.
Dependent claims 16 to 20 are not reproduced here.
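As an added illustration of the rule merging and phased execution the independent claims describe (example code written here, not the patent's or the assignee's implementation): a server folds a second, overlapping address set into the rule whose range covers the overlap, and a gateway applies that rule in three time-shifted phases over growing subsets. The quarter/half/all phase sizes, the time boundaries and the 203.0.113.0/24 sample addresses are assumptions.

```python
import ipaddress
from dataclasses import dataclass

def to_nets(addrs):
    # Single addresses as /32 blocks so they can be collapsed into CIDR ranges
    return [ipaddress.ip_network(str(a)) for a in addrs]

@dataclass
class Rule:
    networks: list  # the "range of network addresses" the rule specifies, as collapsed CIDR blocks

    def covers(self, addr):
        return any(addr in n for n in self.networks)
    def addresses(self):
        return sorted(h for n in self.networks for h in n)

class PolicyServer:
    """Keeps rules in memory and folds an overlapping security update into the rule it overlaps."""
    def __init__(self):
        self.rules = []

    def receive_update(self, addrs):
        addrs = [ipaddress.ip_address(a) for a in addrs]
        for rule in self.rules:
            if any(rule.covers(a) for a in addrs):
                # This set shares a portion with the range the rule specifies:
                # extend that rule with the other addresses of the set
                others = to_nets(a for a in addrs if not rule.covers(a))
                rule.networks = list(ipaddress.collapse_addresses(rule.networks + others))
                return rule
        rule = Rule(list(ipaddress.collapse_addresses(to_nets(addrs))))  # no overlap: new rule
        self.rules.append(rule)
        return rule

def phase_schedule(rule, t1, t2):
    """Three time-shifted phases starting at 0, t1 and t2, each based on a larger
    subset of the rule's addresses (about a quarter, a half, then all; assumes >= 3 addresses)."""
    addrs = rule.addresses()
    n = len(addrs)
    subsets = [set(addrs[:max(1, n // 4)]), set(addrs[:max(2, n // 2)]), set(addrs)]
    return list(zip((0, t1, t2), subsets))

def gateway_filter(schedule, packets):
    """Packet-by-packet: drop a packet whose source is in the subset active at its time."""
    dropped = []
    for t, src in packets:
        active = [subset for start, subset in schedule if t >= start][-1]
        if ipaddress.ip_address(src) in active:
            dropped.append((t, src))
    return dropped
```

With a first update of 203.0.113.8 to .11 and a second of .10 to .15, the single stored rule becomes 203.0.113.8/29, and a gateway given phases at times 0, 100 and 200 drops packets from 2, then 4, then all 8 of those addresses.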