
Network application security policy enforcement

  • US 10,154,067 B2
  • Filed: 01/30/2018
  • Issued: 12/11/2018
  • Est. Priority Date: 02/10/2017
  • Status: Active Grant
First Claim

1. A method performed by at least one computer processor executing computer program instructions stored on at least one non-transitory computer-readable medium, the method comprising:

    (A) at a source local security agent on a source computer system comprising at least one first microprocessor, transmitting the state of an application executing on the source computer system and a first state of a network to a policy management engine;

    (B) at the policy management engine, receiving the state of the application executing on the source computer system and the first state of the network;

    (C) at the policy management engine, transmitting a first set of network application security policies to the source local security agent;

    (D) at the source local security agent, receiving the first set of network application security policies;

    (E) at the source local security agent, intercepting an outgoing network connection request from the application executing on the source computer system;

    (F) at the source local security agent, determining whether at least one of the first set of network application security policies covers the outgoing connection request;

    (G) at a destination local security agent on a destination computer system comprising at least one second microprocessor, transmitting the state of an application executing on the destination computer system and a second state of the network to the policy management engine;

    (H) at the policy management engine, receiving the state of the application executing on the destination computer system and the second state of the network;

    (I) at the policy management engine, transmitting a second set of network application security policies to the destination local security agent;

    (J) at the destination local security agent, receiving the second set of network application security policies;

    (K) at the destination local security agent, intercepting an incoming network connection request from the application executing on the destination computer system;

    (L) at the destination local security agent, determining whether at least one of the second set of network application security policies covers the incoming connection request;

    (M) at a reconciliation engine, determining whether a third set of network application security policies covers the outgoing connection request and the incoming connection request, wherein the third set of network application security policies is a superset of the first set of network application security policies and the second set of network application security policies; and

    (N) if the reconciliation engine determines that the third set of network application security policies does not cover the outgoing connection request and the incoming connection request, then instructing the source local security agent to terminate a first connection created in response to the outgoing connection request and instructing the destination local security agent to terminate a second connection created in response to the incoming connection request.
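Steps (A) through (N) describe one procedure: each endpoint's local agent reports its application and network state, receives the policy subset relevant to it, runs a local check on the connection it can see, and a reconciliation engine then checks the full policy set against both halves of the connection and tears down both ends if no policy covers the pair. The point of the reconciliation step is that neither agent sees the whole connection: the source agent knows which local process opened the socket but not what is listening on the far side, and the destination agent knows the opposite. The following Python simulation is an added example, not code from the patent or from any product built on it; the class names, the policy fields (source application, destination application, destination port), the default-deny interpretation of "covers", and the host, application and port values are all assumptions made for illustration.

```python
"""Added example: simulation of the two-sided policy check in claim 1.
Not the patent's code; all names, fields and sample values are assumptions."""
from __future__ import annotations
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class Flow:
    src_host: str
    src_port: int
    dst_host: str
    dst_port: int


@dataclass(frozen=True)
class ConnectionRequest:
    """One agent's partial view: the source agent knows src_app only,
    the destination agent knows dst_app only (None = not visible here)."""
    flow: Flow
    src_app: Optional[str] = None
    dst_app: Optional[str] = None


@dataclass(frozen=True)
class Policy:
    """Permit rule; None matches anything. Connections covered by no rule
    are treated as not permitted (default deny, an assumption here)."""
    src_app: Optional[str]
    dst_app: Optional[str]
    dst_port: Optional[int]

    def covers(self, req: ConnectionRequest) -> bool:
        checks = [(self.src_app, req.src_app),
                  (self.dst_app, req.dst_app),
                  (self.dst_port, req.flow.dst_port)]
        # A field this side cannot see (have is None) cannot refute the rule,
        # so a local check is optimistic; reconciliation is authoritative.
        return all(want is None or have is None or want == have
                   for want, have in checks)


class PolicyManagementEngine:
    """Holds the full (third) set; steps B-C / H-I hand each agent the
    subset that mentions an application it reported."""
    def __init__(self, policies: list[Policy]):
        self.policies = list(policies)
        self.state: dict[str, tuple[frozenset[str], dict]] = {}

    def receive_state(self, host: str, apps: set[str], network: dict) -> list[Policy]:
        self.state[host] = (frozenset(apps), dict(network))
        return [p for p in self.policies
                if p.src_app in apps or p.dst_app in apps
                or p.src_app is None or p.dst_app is None]


class LocalSecurityAgent:
    def __init__(self, host: str, apps: set[str], engine: PolicyManagementEngine):
        self.host, self.apps, self.engine = host, set(apps), engine
        self.policies: list[Policy] = []
        self.open: dict[Flow, ConnectionRequest] = {}

    def sync(self, network: dict) -> None:
        # Steps A/D (source) or G/J (destination): report state, get policies.
        self.policies = self.engine.receive_state(self.host, self.apps, network)

    def intercept(self, req: ConnectionRequest) -> bool:
        # Steps E-F / K-L: record the connection and run the local check.
        self.open[req.flow] = req
        return any(p.covers(req) for p in self.policies)

    def terminate(self, flow: Flow) -> bool:
        return self.open.pop(flow, None) is not None


class ReconciliationEngine:
    """Steps M-N: join the two partial views, check the full set, and
    tear down both ends when nothing covers the combined connection."""
    def __init__(self, engine: PolicyManagementEngine):
        self.engine = engine

    def reconcile(self, src: LocalSecurityAgent, out: ConnectionRequest,
                  dst: LocalSecurityAgent, inc: ConnectionRequest) -> str:
        merged = ConnectionRequest(out.flow, out.src_app, inc.dst_app)
        if out.flow == inc.flow and any(p.covers(merged) for p in self.engine.policies):
            return "allowed"
        src.terminate(out.flow)
        dst.terminate(inc.flow)
        return "terminated"


def run_scenario() -> dict[str, tuple[bool, bool, str]]:
    """Constructed sample: two permit rules that both use port 5432."""
    engine = PolicyManagementEngine([Policy("web", "db", 5432),
                                     Policy("batch", "reports", 5432)])
    recon = ReconciliationEngine(engine)
    web01 = LocalSecurityAgent("web01", {"web"}, engine)
    db01 = LocalSecurityAgent("db01", {"db", "sshd"}, engine)
    db02 = LocalSecurityAgent("db02", {"reports"}, engine)
    for agent in (web01, db01, db02):
        agent.sync({"segment": "app"})
    results: dict[str, tuple[bool, bool, str]] = {}

    def attempt(name, src, dst, src_app, dst_app, port):
        flow = Flow(src.host, 40000 + len(results), dst.host, port)
        out = ConnectionRequest(flow, src_app=src_app)   # source's view
        inc = ConnectionRequest(flow, dst_app=dst_app)   # destination's view
        local_src, local_dst = src.intercept(out), dst.intercept(inc)
        results[name] = (local_src, local_dst, recon.reconcile(src, out, dst, inc))

    attempt("web->db", web01, db01, "web", "db", 5432)            # all agree
    attempt("web->sshd", web01, db01, "web", "sshd", 22)          # fails locally
    attempt("web->reports", web01, db02, "web", "reports", 5432)  # only global fails
    return results


if __name__ == "__main__":
    for name, outcome in run_scenario().items():
        print(name, outcome)
```

The third scenario is the one the reconciliation step exists for: the source agent sees a permitted application opening a permitted port, the destination agent sees a permitted application receiving on that port, so both local checks pass, yet no single policy permits that source application to reach that destination application. Only the engine holding the superset and both partial views can detect that, and step (N) then terminates both ends rather than one. Note that in this model the application state is self-reported by each agent; the claim does not say how that report is authenticated, so a practitioner deploying something like this would want the agent-to-engine channel and the agent's identity attested separately.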
