Methods and systems for protecting a secured network

US 10,142,372 B2
Filed: 01/24/2017
Issued: 11/27/2018
Est. Priority Date: 04/16/2014
Status: Active Grant

First Claim

Patent Images

1. A method comprising:

receiving, by a server and from a first computing device, a first security update comprising a first set of network addresses;

updating, by the server, one or more rules stored in a memory of the server to include the first set of network addresses;

receiving, by the server and from a second computing device, a second security update comprising a second set of network addresses;

determining, by the server, that the second set of network addresses includes at least a portion of network addresses included in the first set of network addresses;

responsive to determining that the second set of network addresses includes the at least a portion of network addresses included in the first set of network addresses;

identifying, by the server, the at least a portion of network addresses included in the first set of network addresses;

identifying, by the server, at least one of the one or more rules stored in the memory of the server that specifies a range of network addresses comprising the at least a portion of network addresses included in the first set of network addresses; and

updating, by the server, the at least one of the one or more rules to include one or more other network addresses included in the second set of network addresses;

transmitting, by the server and to at least one packet security gateway, at least one of the one or more updated rules;

causing executing, by the packet security gateway and on a packet by packet basis, one or more rules in time-shifted phases, wherein the executing comprises;

executing, by the at least one packet security gateway, a first rule during a first period of time based on a first subset of network addresses;

executing, by the at least one packet security gateway, a second rule during a second period of time based on a second subset of network addresses; and

executing, by the at least one packet security gateway, a third rule during a third period of time based on a third subset of network addresses,wherein the first period of time is followed by the second period of time, and the second period of time is followed by the third period of time, andwherein the first subset of network addresses is smaller than the second subset of network addresses, and the second subset of network addresses is smaller than the third subset of network addresses.

View all claims

2 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

Methods and systems for protecting a secured network are presented. For example, one or more packet security gateways may be associated with a security policy management server. At each packet security gateway, a dynamic security policy may be received from the security policy management server, packets associated with a network protected by the packet security gateway may be received, and at least one of multiple packet transformation functions specified by the dynamic security policy may be performed on the packets.

196 Citations

20 Claims

1. A method comprising:
- receiving, by a server and from a first computing device, a first security update comprising a first set of network addresses;
  
  updating, by the server, one or more rules stored in a memory of the server to include the first set of network addresses;
  
  receiving, by the server and from a second computing device, a second security update comprising a second set of network addresses;
  
  determining, by the server, that the second set of network addresses includes at least a portion of network addresses included in the first set of network addresses;
  
  responsive to determining that the second set of network addresses includes the at least a portion of network addresses included in the first set of network addresses;
  
  identifying, by the server, the at least a portion of network addresses included in the first set of network addresses;
  
  identifying, by the server, at least one of the one or more rules stored in the memory of the server that specifies a range of network addresses comprising the at least a portion of network addresses included in the first set of network addresses; and
  
  updating, by the server, the at least one of the one or more rules to include one or more other network addresses included in the second set of network addresses;
  
  transmitting, by the server and to at least one packet security gateway, at least one of the one or more updated rules;
  
  causing executing, by the packet security gateway and on a packet by packet basis, one or more rules in time-shifted phases, wherein the executing comprises;
  
  executing, by the at least one packet security gateway, a first rule during a first period of time based on a first subset of network addresses;
  
  executing, by the at least one packet security gateway, a second rule during a second period of time based on a second subset of network addresses; and
  
  executing, by the at least one packet security gateway, a third rule during a third period of time based on a third subset of network addresses,wherein the first period of time is followed by the second period of time, and the second period of time is followed by the third period of time, andwherein the first subset of network addresses is smaller than the second subset of network addresses, and the second subset of network addresses is smaller than the third subset of network addresses.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8)
- - 2. The method of claim 1, further comprising:
    - identifying at least two rules, of the one or more rules stored in the memory of the server, that each specify a range of network addresses comprising the at least a portion of network addresses; and
      
      combining the at least two of the one or more rules into a rule that specifies a range of network addresses that includes network addresses specified by each of the at least two rules and the one or more other network addresses included in the second set of network addresses.
  - 3. The method of claim 1, wherein the one or more rules stored in the memory of the server include a rule specifying a set of network addresses for which associated packets should be dropped and a rule specifying that all packets associated with network addresses outside the set of network addresses should be forwarded.
  - 4. The method of claim 1, wherein the one or more rules stored in the memory of the server include at least one rule specifying a set of network addresses for which associated packets should be forwarded and a rule specifying that all packets associated with network addresses outside the set of network addresses should be dropped.
  - 5. The method of claim 1, wherein the one or more rules stored in the memory of the server includes at least one rule specifying a set of network addresses and an additional parameter.
  - 6. The method of claim 5, wherein the additional parameter comprises at least one Session Initiation Protocol (SIP) Uniform Resource Identifier (URI).
  - 7. The method of claim 5, further comprising:
    - causing routing, by the packet security gateway and on a packet-by-packet basis, packets that fall within the specified set of network addresses and that match the additional parameter to a monitoring device network address different from a packet specified destination network address.
  - 8. The method of claim 1,wherein the first subset of network addresses correspond to mission critical network devices,wherein the second subset of network addresses correspond to trusted network devices, andwherein the third subset of network addresses correspond to all network devices that would be allowed under ordinary circumstances.

9. One or more non-transitory computer-readable media having instructions stored thereon, that when executed by one or more computers, cause the one or more computers to:
- receive a first security update comprising a first set of network addresses;
  
  update at least one of one or more rules based on at least a portion of the first set of network addresses;
  
  receive a second security update comprising a second set of network addresses;
  
  determine that the second set of network addresses includes at least a portion of network addresses included in the first set of network addresses;
  
  responsive to determining that the second set of network addresses includes the at least a portion of network addresses included in the first set of network addresses;
  
  identify the at least a portion of network addresses included in the first set of network addresses;
  
  identify at least one of the one or more rules that specifies a ramie of network addresses comprising the at least a portion of network addresses included in the first set of network addresses; and
  
  update the at least one of the one or more rules to include one or more other network addresses included in the second set of network addresses;
  
  transmit the at least one of the one or more updated rules; and
  
  cause executing, on a packet by packet basis, one or more rules in time-shifted phases, wherein the executing comprises;
  
  executing a first rule during a first period of time based on a first subset of network addresses;
  
  executing a second rule during a second period of time based on a second subset of network addresses; and
  
  executing a third rule during a third period of time based on a third subset of network addresses,wherein the first period of time is followed by the second period of time, and the second period of time is followed by the third period of time, andwherein the first subset of network addresses is smaller than the second subset of network addresses, and the second subset of network addresses is smaller than the third subset of network addresses.
- View Dependent Claims (10, 11, 12, 13, 14)
- - 10. The one or more non-transitory computer-readable media of claim 9, having instructions stored thereon, that when executed by one or more computers, further cause the one or more computers to:
    - identify at least two rules, of the one or more rules, that each specify a range of network addresses comprising the at least a portion of network addresses; and
      
      combine the at least two of the one or more rules into a rule that specifies a range of network addresses that includes network addresses specified by each of the at least two rules and the one or more other network addresses included in the second set of network addresses.
  - 11. The one or more non-transitory computer-readable media of claim 9, having instructions stored thereon, that when executed by the one or more computers, further cause the one or more computers to:
    - remove duplicate network addresses from the at least one of one or more rules.
  - 12. The one or more non-transitory computer-readable media method of claim 9,wherein the first subset of network addresses correspond to mission critical network devices,wherein the second subset of network addresses correspond to trusted network devices, andwherein the third subset of network addresses correspond to all network devices that would be allowed under ordinary circumstances.
  - 13. The one or more non-transitory computer-readable media of claim 9, having instructions stored thereon. that when executed by the one or more computers, further cause the one or more computers to:
    - cause routing, on a packet-by-packet basis, packets associated with the first subset of network addresses to a first forwarding queue; and
      
      cause routing, on a packet-by-packet basis, packets associated with the second subset of network addresses to a second forwarding queue, wherein the first forwarding queue has a different queueing policy than the second forwarding queue.
  - 14. The one or more non-transitory computer-readable media of claim 13, wherein the first forwarding queue has a higher forwarding rate than the second forwarding queue.

15. A system comprising:
- a server comprising;
  
  one or more processors; and
  
  memory storing instructions that, when executed by the one or more processors of the server, cause the server to;
  
  receive a first security update comprising a first set of network addresses;
  
  update one or more rules stored in the memory of the server to include the first set of network addresses;
  
  receive a second security update comprising a second set of network addresses;
  
  determine that the second set of network addresses includes at least a portion of network addresses included in the first set of network addresses; and
  
  responsive to determining that the second set of network addresses includes the at least a portion of network addresses included in the first set of network addresses;
  
  identify, by the server, the at least a portion of network addresses included in the first set of network addresses;
  
  identify at least one of the one or more rules stored in the memory of the server that specifies a range of network addresses comprising the at least a portion of network addresses included in the first set of network addresses; and
  
  update the at least one of the one or more rules to include one or more other network addresses included in the second set of network addresses; and
  
  a gateway comprising;
  
  one or more processors; and
  
  memory storing instructions that, when executed by the one or more processors of the gateway, cause the gateway to;
  
  receive, from the server, one or more updated rules;
  
  receive a plurality of packets associated with a network protected by the gateway;
  
  filter, on a packet by packet basis, the plurality of packets based on a rule set comprising at least the one or more updated rules; and
  
  execute, on a packet by packet basis, one or more rules in time-shifted phases, wherein the executing comprises;
  
  executing a first rule during a first period of time based on a first subset of network addresses;
  
  executing a second rule during a second period of time based on a second subset of network addresses; and
  
  executing a third rule during a third period of time based on a third subset of network addresses,wherein the first period of time is followed by the second period of time, and the second period of time is followed by the third period of time, andwherein the first subset of network addresses is smaller than the second subset of network addresses, and the second subset of network addresses is smaller than the third subset of network addresses.
- View Dependent Claims (16, 17, 18, 19, 20)
- - 16. The system of claim 15, wherein the instructions, when executed by the one or more processors of the server, cause the server to:
    - remove duplicate network addresses from the at least one of the one or more rules.
  - 17. The system of claim 15,wherein the first subset of network addresses correspond to mission critical network devices,wherein the second subset of network addresses correspond to trusted network devices, andwherein the third subset of network addresses correspond to all network devices that would be allowed under ordinary circumstances.
  - 18. The system of claim 15, further comprising instructions, when executed by the one or more processors of the server, cause the server to:
    - identify at least two rules, of the one or more rules stored in the memory of the server, that each specify a range of network addresses comprising the at least a portion of network addresses; and
      
      combine the at least two of the one or more rules into a rule that specifies a range of network addresses that includes network addresses specified by each of the at least two rules and the one or more other network addresses included in the second set of network addresses.
  - 19. The system of claim 15, further comprising instructions, when executed by the one or more processors of the gateway, cause the gateway to:
    - cause routing, on a packet-by-packet basis, packets associated with the first subset of network addresses to a first forwarding queue; and
      
      cause routing, on a packet-by-packet basis, packets associated with the second subset of network addresses to a second forwarding queue, wherein the first forwarding queue has a different queueing policy than the second forwarding queue.
  - 20. The system of claim 19, wherein the first forwarding queue has a higher forwarding rate than the second forwarding queue.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Centripetal Networks, Inc.
Original Assignee
Centripetal Networks, Inc.
Inventors
Rogers, Steven, Moore, Sean, Ahn, David K., Geremia, Peter P.
Primary Examiner(s)
Okeke, Izunna
Assistant Examiner(s)
Huang, Cheng-Feng

Application Number

US15/414,117
Publication Number

US 20170359383A1
Time in Patent Office

672 Days
Field of Search
US Class Current
CPC Class Codes

H04L 63/0209   Architectural arrangements,...

H04L 63/0218   Distributed architectures, ...

H04L 63/0236   Filtering by address, proto...

H04L 63/0263   Rule management

H04L 63/029   Firewall traversal, e.g. tu...

H04L 63/06   for supporting key manageme...

H04L 63/1425   Traffic logging, e.g. anoma...

H04L 63/168   above the transport layer

H04L 63/20   for managing network securi...

H04L 65/1069   Session establishment or de...

H04L 67/02   based on web technology, e....

Methods and systems for protecting a secured network

First Claim

2 Assignments

0 Petitions

Accused Products

Abstract

196 Citations

20 Claims

Specification

Solutions

Use Cases

Quick Links

Methods and systems for protecting a secured network

First Claim

2 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

196 Citations

20 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links