Credentials enforcement using a firewall

US 10,425,387 B2
Filed: 04/04/2018
Issued: 09/24/2019
Est. Priority Date: 07/31/2015
Status: Active Grant

First Claim

Patent Images

1. A system for credentials enforcement using a firewall, comprising:

a processor of a network device configured to;

store a plurality of user credentials at the network device;

monitor network traffic at the network device to determine whether there is a match with one or more of the plurality of user credentials for external site authentication, wherein the determining of whether there is a match is based on a bloom filter, wherein the bloom filter is generated based at least in part on the plurality of user credentials, wherein the monitoring of the network traffic at the network device to determine whether there is a match with one or more of the plurality of user credentials for external site authentication comprises to;

determine whether a first hash of a first portion and a second portion of a first user credential of the plurality of user credentials included in the network traffic corresponds to a second hash of a third portion and a fourth portion of a second user credential of the bloom filter, the first portion and the second portion being non-overlapping and non-adjacent portions of the first user credential, the third portion and the fourth portion being non-overlapping and non-adjacent portions of the second user credential; and

in response to a determination that the first hash corresponds to the second hash, determine that there is a match; and

perform an action in response to a determination that the match is determined; and

a memory coupled to the processor and configured to provide the processor with instructions.

View all claims

0 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

Techniques for credentials enforcement using a firewall are disclosed. In some embodiments, a system, process, and/or computer program product for enforcement using a firewall includes storing a plurality of user credentials at a network device; monitoring network traffic at the network device to determine if there is a match with one or more of the plurality of user credentials; and performing an action if the match is determined.

23 Citations

View as Search Results

20 Claims

1. A system for credentials enforcement using a firewall, comprising:
- a processor of a network device configured to;
  
  store a plurality of user credentials at the network device;
  
  monitor network traffic at the network device to determine whether there is a match with one or more of the plurality of user credentials for external site authentication, wherein the determining of whether there is a match is based on a bloom filter, wherein the bloom filter is generated based at least in part on the plurality of user credentials, wherein the monitoring of the network traffic at the network device to determine whether there is a match with one or more of the plurality of user credentials for external site authentication comprises to;
  
  determine whether a first hash of a first portion and a second portion of a first user credential of the plurality of user credentials included in the network traffic corresponds to a second hash of a third portion and a fourth portion of a second user credential of the bloom filter, the first portion and the second portion being non-overlapping and non-adjacent portions of the first user credential, the third portion and the fourth portion being non-overlapping and non-adjacent portions of the second user credential; and
  
  in response to a determination that the first hash corresponds to the second hash, determine that there is a match; and
  
  perform an action in response to a determination that the match is determined; and
  
  a memory coupled to the processor and configured to provide the processor with instructions.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13, 14, 15, 16, 17, 18)
- - 2. The system recited in claim 1, wherein one or more of the plurality of user credentials includes a password.
  - 3. The system recited in claim 1, wherein one or more of the plurality of user credentials includes a username and a password.
  - 4. The system recited in claim 1, wherein the plurality of user credentials is stored in a cache on the network device.
  - 5. The system recited in claim 1, wherein the processor is further configured to:
    - receive the plurality of user credentials from an agent executed on an authentication server; and
      
      store the plurality of user credentials in a cache on the network device.
  - 6. The system recited in claim 1, wherein the processor is further configured to:
    - monitor network communications between a client and an external site; and
      
      determine if the client sends a request that includes user credentials for authentication at the external site.
  - 7. The system recited in claim 1, wherein the processor is further configured to:
    - monitor network communications between a client and an external site;
      
      determine if the client sends a request that includes user credentials for authentication at the external site; and
      
      perform an action in response to determining that the client sent the request that includes user credentials for authentication at the external site that match one or more of the plurality of user credentials stored at the network device.
  - 8. The system recited in claim 1, wherein the processor is further configured to:
    - monitor encrypted network communications between a client and an external site, wherein the encrypted network communications are encrypted using a first protocol; and
      
      determine if the client sends a request that includes user credentials for authentication at the external site.
  - 9. The system recited in claim 1, wherein the processor is further configured to:
    - monitor encrypted network communications between a client and an external site, wherein the encrypted network communications are encrypted using a first protocol;
      
      determine if the client sends a request that includes user credentials for authentication at the external site; and
      
      perform an action in response to determining that the client sent the request that includes user credentials for authentication at the external site that match one or more of the plurality of user credentials stored at the network device.
  - 10. The system recited in claim 1, wherein the processor is further configured to:
    - monitor encrypted network communications between a client and an external site, wherein the encrypted network communications are encrypted using a first protocol;
      
      decrypt the monitored encrypted network communications between the client and the external site to determine if the client sends a request that includes user credentials for authentication at the external site; and
      
      perform an action in response to determining that the client sent the request that includes user credentials for authentication at the external site that match one or more of the plurality of user credentials stored at the network device.
  - 11. The system recited in claim 1, wherein the processor is further configured to:
    - intercept a request to establish an encrypted session from a client to an external site; and
      
      send a request to establish the encrypted session on behalf of the client to the external site.
  - 12. The system recited in claim 1, wherein the network device includes a firewall device, and wherein the processor is further configured to:
    - intercept a request to establish an encrypted session from a client to an external site;
      
      send a request to establish the encrypted session on behalf of the client to the external site; and
      
      send an encrypted session response to the client on behalf of the external site using a session key associated with the firewall device.
  - 13. The system recited in claim 1, wherein the network device includes a firewall device, and wherein the processor is further configured to:
    - intercept a request to establish an encrypted session from a client to an external site;
      
      send a request to establish the encrypted session on behalf of the client to the external site;
      
      send an encrypted session response to the client on behalf of the external site using a session key associated with the firewall device; and
      
      decrypt encrypted session traffic between the client and the external site to monitor for a request from the client to create a tunnel using a first protocol with the external site.
  - 14. The system recited in claim 1, wherein the network device includes a firewall device, and wherein the processor is further configured to:
    - intercept a request to establish an encrypted session from a client to an external site;
      
      send a request to establish the encrypted session on behalf of the client to the external site;
      
      send an encrypted session response to the client on behalf of the external site using a session key associated with the firewall device;
      
      decrypt encrypted session traffic between the client and the external site to monitor for a request from the client to create a tunnel using a first protocol with the external site;
      
      allow the request to create the tunnel; and
      
      monitor decrypted session traffic between the client and the external site over the tunnel based on a firewall policy for credentials enforcement used in the external site authentication.
  - 15. The system recited in claim 1, wherein the network device includes a firewall device, and wherein the processor is further configured to:
    - intercept a request to establish an encrypted session from a client to an external site;
      
      send a request to establish the encrypted session on behalf of the client to the external site;
      
      send an encrypted session response to the client on behalf of the external site using a session key associated with the firewall device;
      
      decrypt encrypted session traffic between the client and the external site to monitor for a request from the client to create a tunnel using a first protocol with the external site;
      
      allow the request to create the tunnel;
      
      monitor decrypted session traffic between the client and the external site over the tunnel based on one or more firewall policies; and
      
      block the session traffic if a violation of a firewall policy is determined, wherein the firewall policy includes a policy for credentials enforcement used in the external site authentication.
  - 16. The system recited in claim 1, wherein the network device includes a firewall device, and wherein the processor is further configured to:
    - intercept a request to establish an encrypted session from a client to an external site;
      
      send a request to establish the encrypted session on behalf of the client to the external site;
      
      send an encrypted session response to the client on behalf of the external site using a session key associated with the firewall device;
      
      decrypt encrypted session traffic between the client and the external site to monitor for a request from the client to create a tunnel using a first protocol with the external site;
      
      allow the request to create the tunnel;
      
      monitor decrypted session traffic between the client and the external site over the tunnel based on one or more firewall policies; and
      
      generate an alert if a violation of a firewall policy is determined, wherein the firewall policy includes a policy for credentials enforcement used in the external site authentication.
  - 17. The system recited in claim 1, wherein the network device includes a firewall device, and wherein the processor is further configured to:
    - intercept a request to establish an encrypted session from a client to an external site;
      
      send a request to establish the encrypted session on behalf of the client to the external site;
      
      send an encrypted session response to the client on behalf of the external site using a session key associated with the firewall device;
      
      decrypt encrypted session traffic between the client and the external site to monitor for a request from the client to create a tunnel using a first protocol with the external site;
      
      allow the request to create the tunnel;
      
      monitor decrypted session traffic between the client and the external site over the tunnel based on one or more firewall policies; and
      
      block the client from accessing the external site if a violation of a firewall policy is determined, wherein the firewall policy includes a policy for credentials enforcement used in the external site authentication.
  - 18. The system recited in claim 1, wherein the network device includes a firewall device, and wherein the processor is further configured to:
    - intercept a request to establish an encrypted session from a client to an external site;
      
      send a request to establish the encrypted session on behalf of the client to the external site;
      
      send an encrypted session response to the client on behalf of the external site using a session key associated with the firewall device;
      
      decrypt encrypted session traffic between the client and the external site to monitor for a request from the client to create a tunnel using a first protocol with the external site;
      
      allow the request to create the tunnel;
      
      monitor decrypted session traffic between the client and the external site over the tunnel based on one or more firewall policies; and
      
      send a message to the client if a violation of a firewall policy is determined, wherein the firewall policy includes a policy for credentials enforcement used in the external site authentication.

19. A method for credentials enforcement using a firewall, comprising:
- storing a plurality of user credentials at a network device;
  
  monitoring network traffic at the network device to determine whether there is a match with one or more of the plurality of user credentials, wherein the determining of whether there is a match is based on a bloom filter, wherein the bloom filter is generated based at least in part on the plurality of user credentials, wherein the monitoring of the network traffic at the network device to determine whether there is a match with one or more of the plurality of user credentials for external site authentication comprises;
  
  determining whether a first hash of a first portion and a second portion of a first user credential of the plurality of user credentials included in the network traffic corresponds to a second hash of a third portion and a fourth portion of a second user credential of the bloom filter, the first portion and the second portion being non-overlapping and non-adjacent portions of the first user credential, the third portion and the fourth portion being non-overlapping and non-adjacent portions of the second user credential; and
  
  in response to a determination that the first hash corresponds to the second hash, determining that there is a match; and
  
  performing an action in response to a determination that the match is determined.

20. A computer program product for credentials enforcement using a firewall, the computer program product being embodied in a tangible non-transitory computer readable storage medium and comprising computer instructions for:
- storing a plurality of user credentials at a network device;
  
  monitoring network traffic at the network device to determine whether there is a match with one or more of the plurality of user credentials, wherein the determining of whether there is a match is based on a bloom filter, wherein the bloom filter is generated based at least in part on the plurality of user credentials, wherein the monitoring of the network traffic at the network device to determine whether there is a match with one or more of the plurality of user credentials for external site authentication comprises;
  
  determining whether a first hash of a first portion and a second portion of a first user credential of the plurality of user credentials included in the network traffic corresponds to a second hash of a third portion and a fourth portion of a second user credential of the bloom filter, the first portion and the second portion being non-overlapping and non-adjacent portions of the first user credential, the third portion and the fourth portion being non-overlapping and non-adjacent portions of the second user credential; and
  
  in response to a determination that the first hash corresponds to the second hash, determining that there is a match; and
  
  performing an action in response to a determination that the match is determined.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Palo Alto Networks Incorporated
Original Assignee
Palo Alto Networks Incorporated
Inventors
Ashley, Robert Earle, Lam, Ho Yu, Jin, Xuanyu, Deng, Suiqiang, Ettema, Taylor, Tesh, Robert
Primary Examiner(s)
Brown, Christopher J

Application Number

US15/945,129
Publication Number

US 20180309721A1
Time in Patent Office

538 Days
Field of Search

713168
US Class Current
CPC Class Codes

G06F 21/31   User authentication

G06F 21/554   involving event detection a...

H04L 63/029   Firewall traversal, e.g. tu...

H04L 63/0428   wherein the data content is...

H04L 63/0464   using hop-by-hop encryption...

H04L 63/06   for supporting key manageme...

H04L 63/083   using passwords cryptograph...

H04L 63/168   above the transport layer

H04L 63/20   for managing network securi...

Credentials enforcement using a firewall

First Claim

0 Assignments

0 Petitions

Accused Products

Abstract

23 Citations

20 Claims

Specification

Solutions

Use Cases

Quick Links

Credentials enforcement using a firewall

First Claim

0 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

23 Citations

20 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links