Network application security policy enforcement
First Claim
1. A method performed by at least one computer processor executing computer program instructions stored on at least one non-transitory computer-readable medium, the method comprising:
(A) at a source local security agent on a source computer system comprising at least one first microprocessor, transmitting the state of an application executing on the source computer system and a first state of a network to a policy management engine;
(B) at the policy management engine, receiving the state of the application executing on the source computer system and the first state of the network;
(C) at the policy management engine, transmitting a first set of network application security policies to the source local security agent;
(D) at the source local security agent, receiving the first set of network application security policies;
(E) at the source local security agent, intercepting an outgoing network connection request from the application executing on the source computer system;
(F) at the source local security agent, determining whether at least one of the first set of network application security policies covers the outgoing connection request;
(G) at a destination local security agent on a destination computer system comprising at least one second microprocessor, transmitting the state of an application executing on the destination computer system and a second state of the network to the policy management engine;
(H) at the policy management engine, receiving the state of the application executing on the destination computer system and the second state of the network;
(I) at the policy management engine, transmitting a second set of network application security policies to the destination local security agent;
(J) at the destination local security agent, receiving the second set of network application security policies;
(K) at the destination local security agent, intercepting an incoming network connection request from the application executing on the destination computer system;
(L) at the destination local security agent, determining whether at least one of the second set of network application security policies covers the incoming connection request;
(M) at a reconciliation engine, determining whether a third set of network application security policies covers the outgoing connection request and the incoming connection request, wherein the third set of network application security policies is a superset of the first set of network application security policies and the second set of network application security policies; and
(N) if the reconciliation engine determines that the third set of network application security policies does not cover the outgoing connection request and the incoming connection request, then instructing the source local security agent to terminate a first connection created in response to the outgoing connection request and instructing the destination local security agent to terminate a second connection created in response to the incoming connection request.
3 Assignments
0 Petitions
Abstract
A system validates the establishment and/or continuation of a connection between two applications over a network using a three-stage process: (1) a local security agent on the same source system as the source application validates the connection against a set of policies stored locally on the source system; (2) a local security agent on the same destination system as the destination application validates the connection against a set of policies stored locally on the destination system; and (3) a reconciliation engine, after receiving connection and application state information from both the source and destination local security agents, validates the connection against a master set of policies. The connection is allowed or blocked depending on the outcome of the three-stage validation. This system protects against policy violations that are not detected by traditional systems without requiring alterations to the source and destination applications or the network traffic between them.
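The three-stage validation described in the abstract, and the "temporarily block, then allow on instruction" behaviour of the claims listed below, as an added simulation that is not part of the patent or any product implementing it. Hosts, application names, ports and the rule by which the policy management engine filters the master set down to a per-host local set are all constructed assumptions. The scenario deliberately exercises the case the abstract is about: each agent's locally cached set is a subset of the master set and can go stale, so a stale local allow is caught and terminated by the reconciliation engine, and a fresh master rule that the agents have not yet received is blocked locally and then released.

```python
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class ConnRequest:
    """One connection attempt as observed at both endpoints (constructed representation)."""
    src_host: str
    src_app: str
    dst_host: str
    dst_app: str
    dst_port: int


@dataclass(frozen=True)
class Policy:
    """Allow rule: which application on which host may reach which application and port."""
    src_host: str
    src_app: str
    dst_host: str
    dst_app: str
    dst_port: Optional[int] = None   # None matches any destination port

    def covers(self, req: ConnRequest) -> bool:
        return (self.src_host == req.src_host and self.src_app == req.src_app
                and self.dst_host == req.dst_host and self.dst_app == req.dst_app
                and self.dst_port in (None, req.dst_port))


def covered(policies, req: ConnRequest) -> bool:
    """Steps (F), (L), (M): a set covers a request if at least one policy matches it."""
    return any(p.covers(req) for p in policies)


class PolicyManagementEngine:
    def __init__(self, master):
        self.master = set(master)   # the master set; every local set is a subset of it

    def policies_for(self, host, apps, reachable):
        """Steps (A)-(D) and (G)-(J): from an agent's reported application state (running
        apps) and network state (reachable peers), return the subset of the master set that
        has an endpoint on that host. This filtering rule is an assumption of the example."""
        return frozenset(
            p for p in self.master
            if (p.src_host == host and p.src_app in apps and p.dst_host in reachable)
            or (p.dst_host == host and p.dst_app in apps and p.src_host in reachable)
        )


class ReconciliationEngine:
    def __init__(self, engine: PolicyManagementEngine):
        self.engine = engine   # reads the live master set, a superset of every local set

    def reconcile(self, outgoing: ConnRequest, incoming: ConnRequest) -> bool:
        """Step (M): both the outgoing and the incoming request must be covered by the master set."""
        return covered(self.engine.master, outgoing) and covered(self.engine.master, incoming)


class LocalSecurityAgent:
    def __init__(self, host, apps, reachable, engine: PolicyManagementEngine):
        self.host = host
        self.policies = engine.policies_for(host, apps, reachable)   # cached local set
        self.state = {}   # request -> "allowed" | "blocked" | "terminated"

    def intercept(self, req: ConnRequest) -> str:
        """Steps (E)-(F) or (K)-(L): local check. A covered request gets a connection at once
        (still subject to reconciliation); an uncovered one is blocked temporarily rather
        than rejected outright (claims 25-28, step (N))."""
        self.state[req] = "allowed" if covered(self.policies, req) else "blocked"
        return self.state[req]

    def apply_verdict(self, req: ConnRequest, allow: bool) -> str:
        """Step (N) of claim 1 (terminate) or step (O) of claims 25-28 (allow)."""
        self.state[req] = "allowed" if allow else "terminated"
        return self.state[req]


def validate(src_agent, dst_agent, recon, req):
    """Run the three stages for one request.
    Returns (source local verdict, destination local verdict, final state at both ends)."""
    src_local = src_agent.intercept(req)   # stage 1: source-side local policies
    dst_local = dst_agent.intercept(req)   # stage 2: destination-side local policies
    allow = recon.reconcile(req, req)      # stage 3: master set covers both views
    final = src_agent.apply_verdict(req, allow)
    dst_agent.apply_verdict(req, allow)
    return src_local, dst_local, final


def demo():
    """Constructed scenario: two hosts, and a master set that changes after both agents
    have cached their local sets."""
    p_db = Policy("host-a", "web", "host-b", "db", 5432)
    p_cache = Policy("host-a", "web", "host-b", "cache", 6379)
    engine = PolicyManagementEngine([p_db, p_cache])
    recon = ReconciliationEngine(engine)
    src = LocalSecurityAgent("host-a", {"web"}, {"host-b"}, engine)
    dst = LocalSecurityAgent("host-b", {"db", "cache", "api"}, {"host-a"}, engine)

    results = {}
    # 1. Covered everywhere: allowed locally at both ends and confirmed by reconciliation.
    results["db"] = validate(src, dst, recon, ConnRequest("host-a", "web", "host-b", "db", 5432))
    # 2. Master set revoked a rule the agents still cache: both stale local checks pass,
    #    reconciliation fails, and both ends are instructed to terminate.
    engine.master.discard(p_cache)
    results["cache"] = validate(src, dst, recon, ConnRequest("host-a", "web", "host-b", "cache", 6379))
    # 3. Master set gained a rule the agents do not have yet: blocked locally at both ends,
    #    then allowed once the reconciliation engine confirms coverage.
    engine.master.add(Policy("host-a", "web", "host-b", "api", 8443))
    results["api"] = validate(src, dst, recon, ConnRequest("host-a", "web", "host-b", "api", 8443))
    return results


if __name__ == "__main__":
    for name, (s, d, final) in demo().items():
        print(f"{name}: source={s} destination={d} final={final}")
```

The detection value of stage 3 is visible in the second case: a host-level firewall or agent that trusts only its own cached rules would keep the revoked connection open, while the reconciliation engine, holding the superset, tears it down at both ends.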
52 Citations
28 Claims
1. A method performed by at least one computer processor executing computer program instructions stored on at least one non-transitory computer-readable medium, the method comprising:
(A) at a source local security agent on a source computer system comprising at least one first microprocessor, transmitting the state of an application executing on the source computer system and a first state of a network to a policy management engine;
(B) at the policy management engine, receiving the state of the application executing on the source computer system and the first state of the network;
(C) at the policy management engine, transmitting a first set of network application security policies to the source local security agent;
(D) at the source local security agent, receiving the first set of network application security policies;
(E) at the source local security agent, intercepting an outgoing network connection request from the application executing on the source computer system;
(F) at the source local security agent, determining whether at least one of the first set of network application security policies covers the outgoing connection request;
(G) at a destination local security agent on a destination computer system comprising at least one second microprocessor, transmitting the state of an application executing on the destination computer system and a second state of the network to the policy management engine;
(H) at the policy management engine, receiving the state of the application executing on the destination computer system and the second state of the network;
(I) at the policy management engine, transmitting a second set of network application security policies to the destination local security agent;
(J) at the destination local security agent, receiving the second set of network application security policies;
(K) at the destination local security agent, intercepting an incoming network connection request from the application executing on the destination computer system;
(L) at the destination local security agent, determining whether at least one of the second set of network application security policies covers the incoming connection request;
(M) at a reconciliation engine, determining whether a third set of network application security policies covers the outgoing connection request and the incoming connection request, wherein the third set of network application security policies is a superset of the first set of network application security policies and the second set of network application security policies; and
(N) if the reconciliation engine determines that the third set of network application security policies does not cover the outgoing connection request and the incoming connection request, then instructing the source local security agent to terminate a first connection created in response to the outgoing connection request and instructing the destination local security agent to terminate a second connection created in response to the incoming connection request.
Dependent claims: 2, 3, 4, 5, 6, 7, 8, 9, 10, 11

12. A system comprising at least one non-transitory computer readable medium having computer program instructions stored thereon, wherein the computer program instructions are executable by at least one computer processor to perform a method, the method comprising:
(A) at a source local security agent on a source computer system comprising at least one first microprocessor, transmitting the state of an application executing on the source computer system and a first state of a network to a policy management engine;
(B) at the policy management engine, receiving the state of the application executing on the source computer system and the first state of the network;
(C) at the policy management engine, transmitting a first set of network application security policies to the source local security agent;
(D) at the source local security agent, receiving the first set of network application security policies;
(E) at the source local security agent, intercepting an outgoing network connection request from the application executing on the source computer system;
(F) at the source local security agent, determining whether at least one of the first set of network application security policies covers the outgoing connection request;
(G) at a destination local security agent on a destination computer system comprising at least one second microprocessor, transmitting the state of an application executing on the destination computer system and a second state of the network to the policy management engine;
(H) at the policy management engine, receiving the state of the application executing on the destination computer system and the second state of the network;
(I) at the policy management engine, transmitting a second set of network application security policies to the destination local security agent;
(J) at the destination local security agent, receiving the second set of network application security policies;
(K) at the destination local security agent, intercepting an incoming network connection request from the application executing on the destination computer system;
(L) at the destination local security agent, determining whether at least one of the second set of network application security policies covers the incoming connection request;
(M) at a reconciliation engine, determining whether a third set of network application security policies covers the outgoing connection request and the incoming connection request, wherein the third set of network application security policies is a superset of the first set of network application security policies and the second set of network application security policies; and
(N) if the reconciliation engine determines that the third set of network application security policies does not cover the outgoing connection request and the incoming connection request, then instructing the source local security agent to terminate a first connection created in response to the outgoing connection request and instructing the destination local security agent to terminate a second connection created in response to the incoming connection request.
Dependent claims: 13, 14, 15, 16, 17, 18, 19, 20, 21, 22, 23, 24

25. A method performed by at least one computer processor executing computer program instructions stored on at least one non-transitory computer-readable medium, the method comprising:
(A) at a source local security agent on a source computer system comprising at least one first microprocessor, transmitting the state of an application executing on the source computer system and a first state of a network to a policy management engine;
(B) at the policy management engine, receiving the state of the application executing on the source computer system and the first state of the network;
(C) at the policy management engine, transmitting a first set of network application security policies to the source local security agent;
(D) at the source local security agent, receiving the first set of network application security policies;
(E) at the source local security agent, intercepting an outgoing network connection request from the application executing on the source computer system;
(F) at the source local security agent, determining whether at least one of the first set of network application security policies covers the outgoing connection request;
(G) at a destination local security agent on a destination computer system comprising at least one second microprocessor, transmitting the state of an application executing on the destination computer system and a second state of the network to the policy management engine;
(H) at the policy management engine, receiving the state of the application executing on the destination computer system and the second state of the network;
(I) at the policy management engine, transmitting a second set of network application security policies to the destination local security agent;
(J) at the destination local security agent, receiving the second set of network application security policies;
(K) at the destination local security agent, intercepting an incoming network connection request from the application executing on the destination computer system;
(L) at the destination local security agent, determining whether at least one of the second set of network application security policies covers the incoming connection request;
(M) at a reconciliation engine, determining whether a third set of network application security policies covers the outgoing connection request and the incoming connection request, wherein the third set of network application security policies is a superset of the first set of network application security policies and the second set of network application security policies;
(N) at the source local security agent, in response to determining that the first set of policies does not cover the outgoing connection request, temporarily blocking the outgoing connection request; and
(O) at the source local security agent, in response to receiving an instruction from the reconciliation engine to allow the outgoing connection request, allowing a connection in response to the outgoing connection request.

26. A system comprising at least one non-transitory computer readable medium having computer program instructions stored thereon, wherein the computer program instructions are executable by at least one computer processor to perform a method, the method comprising:
(A) at a source local security agent on a source computer system comprising at least one first microprocessor, transmitting the state of an application executing on the source computer system and a first state of a network to a policy management engine;
(B) at the policy management engine, receiving the state of the application executing on the source computer system and the first state of the network;
(C) at the policy management engine, transmitting a first set of network application security policies to the source local security agent;
(D) at the source local security agent, receiving the first set of network application security policies;
(E) at the source local security agent, intercepting an outgoing network connection request from the application executing on the source computer system;
(F) at the source local security agent, determining whether at least one of the first set of network application security policies covers the outgoing connection request;
(G) at a destination local security agent on a destination computer system comprising at least one second microprocessor, transmitting the state of an application executing on the destination computer system and a second state of the network to the policy management engine;
(H) at the policy management engine, receiving the state of the application executing on the destination computer system and the second state of the network;
(I) at the policy management engine, transmitting a second set of network application security policies to the destination local security agent;
(J) at the destination local security agent, receiving the second set of network application security policies;
(K) at the destination local security agent, intercepting an incoming network connection request from the application executing on the destination computer system;
(L) at the destination local security agent, determining whether at least one of the second set of network application security policies covers the incoming connection request;
(M) at a reconciliation engine, determining whether a third set of network application security policies covers the outgoing connection request and the incoming connection request, wherein the third set of network application security policies is a superset of the first set of network application security policies and the second set of network application security policies;
(N) at the source local security agent, in response to determining that the first set of policies does not cover the outgoing connection request, temporarily blocking the outgoing connection request; and
(O) at the source local security agent, in response to receiving an instruction from the reconciliation engine to allow the outgoing connection request, allowing a connection in response to the outgoing connection request.

27. A method performed by at least one computer processor executing computer program instructions stored on at least one non-transitory computer-readable medium, the method comprising:
(A) at a source local security agent on a source computer system comprising at least one first microprocessor, transmitting the state of an application executing on the source computer system and a first state of a network to a policy management engine;
(B) at the policy management engine, receiving the state of the application executing on the source computer system and the first state of the network;
(C) at the policy management engine, transmitting a first set of network application security policies to the source local security agent;
(D) at the source local security agent, receiving the first set of network application security policies;
(E) at the source local security agent, intercepting an outgoing network connection request from the application executing on the source computer system;
(F) at the source local security agent, determining whether at least one of the first set of network application security policies covers the outgoing connection request;
(G) at a destination local security agent on a destination computer system comprising at least one second microprocessor, transmitting the state of an application executing on the destination computer system and a second state of the network to the policy management engine;
(H) at the policy management engine, receiving the state of the application executing on the destination computer system and the second state of the network;
(I) at the policy management engine, transmitting a second set of network application security policies to the destination local security agent;
(J) at the destination local security agent, receiving the second set of network application security policies;
(K) at the destination local security agent, intercepting an incoming network connection request from the application executing on the destination computer system;
(L) at the destination local security agent, determining whether at least one of the second set of network application security policies covers the incoming connection request;
(M) at a reconciliation engine, determining whether a third set of network application security policies covers the outgoing connection request and the incoming connection request, wherein the third set of network application security policies is a superset of the first set of network application security policies and the second set of network application security policies;
(N) at the destination local security agent, in response to determining that the second set of policies does not cover the incoming connection request, temporarily blocking the incoming connection request; and
(O) at the destination local security agent, in response to receiving an instruction from the reconciliation engine to allow the incoming connection request, allowing a connection in response to the incoming connection request.

28. A system comprising at least one non-transitory computer readable medium having computer program instructions stored thereon, wherein the computer program instructions are executable by at least one computer processor to perform a method, the method comprising:
(A) at a source local security agent on a source computer system comprising at least one first microprocessor, transmitting the state of an application executing on the source computer system and a first state of a network to a policy management engine;
(B) at the policy management engine, receiving the state of the application executing on the source computer system and the first state of the network;
(C) at the policy management engine, transmitting a first set of network application security policies to the source local security agent;
(D) at the source local security agent, receiving the first set of network application security policies;
(E) at the source local security agent, intercepting an outgoing network connection request from the application executing on the source computer system;
(F) at the source local security agent, determining whether at least one of the first set of network application security policies covers the outgoing connection request;
(G) at a destination local security agent on a destination computer system comprising at least one second microprocessor, transmitting the state of an application executing on the destination computer system and a second state of the network to the policy management engine;
(H) at the policy management engine, receiving the state of the application executing on the destination computer system and the second state of the network;
(I) at the policy management engine, transmitting a second set of network application security policies to the destination local security agent;
(J) at the destination local security agent, receiving the second set of network application security policies;
(K) at the destination local security agent, intercepting an incoming network connection request from the application executing on the destination computer system;
(L) at the destination local security agent, determining whether at least one of the second set of network application security policies covers the incoming connection request;
(M) at a reconciliation engine, determining whether a third set of network application security policies covers the outgoing connection request and the incoming connection request, wherein the third set of network application security policies is a superset of the first set of network application security policies and the second set of network application security policies;
(N) at the destination local security agent, in response to determining that the second set of policies does not cover the incoming connection request, temporarily blocking the incoming connection request; and
(O) at the destination local security agent, in response to receiving an instruction from the reconciliation engine to allow the incoming connection request, allowing a connection in response to the incoming connection request.

Specification