Securing internal services in a distributed environment

US 10,425,504 B1
Filed: 03/05/2018
Issued: 09/24/2019
Est. Priority Date: 01/29/2016
Status: Active Grant

First Claim

Patent Images

1. A computer-implemented method comprising:

intercepting a service packet comprising a service call from a source appliance at a server;

determining that the service call is for an internal service provided by the source appliance;

determining that the service packet comprises client information with one or more client process properties;

demultiplexing the service packet;

determining that one or more rule attributes associated with the internal service match the one or more client process properties;

removing the client information from the service packet; and

forwarding the service call to the server.

View all claims

4 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

Disclosed herein are methods, systems, and processes to secure internal services in a distributed computing environment. A service packet that includes a service call from a source appliance is intercepted at a server. A determination is made that the service call is for an internal service provided by the source appliance and includes client information with client process properties. The service packet is demultiplexed. A determination is made that rule attributes associated with the internal service match the client process properties. The client information is removed from the service packet and the service call is forwarded to the server.

Citations

20 Claims

1. A computer-implemented method comprising:
- intercepting a service packet comprising a service call from a source appliance at a server;
  
  determining that the service call is for an internal service provided by the source appliance;
  
  determining that the service packet comprises client information with one or more client process properties;
  
  demultiplexing the service packet;
  
  determining that one or more rule attributes associated with the internal service match the one or more client process properties;
  
  removing the client information from the service packet; and
  
  forwarding the service call to the server.
- View Dependent Claims (2, 3, 4, 5, 6, 7)
- - 2. The computer-implemented method of claim 1, whereinthe client information is retrieved from source kernel memory of the source appliance.
  - 3. The computer-implemented method of claim 2, whereinthe one or more client process properties comprise a user context, a user group context, a client program name, a parent process name, or a terminal type.
  - 4. The computer-implemented method of claim 1, whereindetermining that the service packet comprises the client information with the one or more client process properties comprises determining whether at least one rule of one or more rules for the internal service is defined or specified in a rule set.
  - 5. The computer-implemented method of claim 4, whereineach rule of the one or more rules comprises the one or more rule attributes, andeach rule attribute of the one or more rule attributes corresponds to a client process property of the one or more client process properties.
  - 6. The computer-implemented method of claim 1, whereinthe service call comprises an identifier, andthe identifier identifies the internal service.
  - 7. The computer-implemented method of claim 4, whereinthe internal service is protected if the rule set comprises at least one rule of the one or more rules for an identifier specified in the service call, andthe internal service is unprotected if the rule set does not comprise at least one rule of the one or more rules for the identifier specified in the service call.

8. A non-transitory computer readable storage medium storing program instructions executable to:
- intercept a service packet comprising a service call from a source appliance at a server;
  
  determine that the service call is for an internal service provided by the source appliance;
  
  determine that the service packet comprises client information with one or more client process properties;
  
  demultiplex the service packet;
  
  determine that one or more rule attributes associated with the internal service match the one or more client process properties;
  
  remove the client information from the service packet; and
  
  forward the service call to the server.
- View Dependent Claims (9, 10, 11, 12, 13, 14)
- - 9. The non-transitory computer readable storage medium of claim 8, wherein the client information is retrieved from source kernel memory of the source appliance.
  - 10. The non-transitory computer readable storage medium of claim 8, whereinthe one or more client process properties comprise a user context, a user group context, a client program name, a parent process name, or a terminal type.
  - 11. The non-transitory computer readable storage medium of claim 8, whereindetermining that the service packet comprises the client information with the one or more client process properties comprises determining whether at least one rule of one or more rules for the internal service is defined or specified in a rule set.
  - 12. The non-transitory computer readable storage medium of claim 11, whereineach rule of the one or more rules comprises the one or more rule attributes, andeach rule attribute of the one or more rule attributes corresponds to a client process property of the one or more client process properties.
  - 13. The non-transitory computer readable storage medium of claim 8, whereinthe service call comprises an identifier, andthe identifier identifies the internal service.
  - 14. The non-transitory computer readable storage medium of claim 11, whereinthe internal service is protected if the rule set comprises at least one rule of the one or more rules for an identifier specified in the service call, andthe internal service is unprotected if the rule set does not comprise at least one rule of the one or more rules for the identifier specified in the service call.

15. A system comprising:
- one or more processors; and
  
  a memory coupled to the one or more processors, wherein the memory stores program instructions executable by the one or more processors to;
  
  intercept a service packet comprising a service call from a source appliance at a server;
  
  determine that the service call is for an internal service provided by the source appliance;
  
  determine that the service packet comprises client information with one or more client process properties;
  
  demultiplex the service packet;
  
  determine that one or more rule attributes associated with the internal service match the one or more client process properties;
  
  remove the client information from the service packet; and
  
  forward the service call to the server.
- View Dependent Claims (16, 17, 18, 19, 20)
- - 16. The system of claim 15, whereinthe client information is retrieved from source kernel memory of the source appliance, andthe one or more client process properties comprise a user context, a user group context, a client program name, a parent process name, or a terminal type.
  - 17. The system of claim 15, whereindetermining that the service packet comprises the client information with the one or more client process properties comprises determining whether at least one rule of one or more rules for the internal service is defined or specified in a rule set.
  - 18. The system of claim 17, whereineach rule of the one or more rules comprises the one or more rule attributes, andeach rule attribute of the one or more rule attributes corresponds to a client process property of the one or more client process properties.
  - 19. The system of claim 15, whereinthe service call comprises an identifier, andthe identifier identifies the internal service.
  - 20. The system of claim 17, whereinthe internal service is protected if the rule set comprises at least one rule of the one or more rules for an identifier specified in the service call, andthe internal service is unprotected if the rule set does not comprise at least one rule of the one or more rules for the identifier specified in the service call.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Veritas Technologies, LLC (Whitehouse Group Ltd.)
Original Assignee
Veritas Technologies, LLC (Whitehouse Group Ltd.)
Inventors
Goel, Vikas
Primary Examiner(s)
Gilles, Jude Jean

Application Number

US15/911,519
Time in Patent Office

568 Days
Field of Search

709203, 709219, 709224, 709218, 709227
US Class Current
CPC Class Codes

G06F 21/54   by adding security routines...

G06F 21/629   to features or functions of...

H04L 63/0227   Filtering policies mail mes...

H04L 67/01   Protocols

H04L 67/60   Scheduling or organising th...

Securing internal services in a distributed environment

First Claim

4 Assignments

0 Petitions

Accused Products

Abstract

Citations

20 Claims

Specification

Solutions

Use Cases

Quick Links

Securing internal services in a distributed environment

First Claim

4 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

Citations

20 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links