Methods and systems for protecting a secured network
Abstract
Methods and systems for protecting a secured network are presented. For example, one or more packet security gateways may be associated with a security policy management server. At each packet security gateway, a dynamic security policy may be received from the security policy management server, packets associated with a network protected by the packet security gateway may be received, and at least one of multiple packet transformation functions specified by the dynamic security policy may be performed on the packets. Performing the at least one of multiple packet transformation functions specified by the dynamic security policy on the packets may include performing at least one packet transformation function other than forwarding or dropping the packets.
20 Claims
1. A method comprising:

provisioning a packet security gateway, of a plurality of packet security gateways that collectively provide an entire interface across a boundary of a network protected by the packet security gateway and one or more networks other than the network protected by the packet security gateway, with one or more packet filtering rules to be applied to all network traffic traversing the boundary, wherein each packet filtering rule comprises at least one packet matching criterion associated with malicious network traffic and a corresponding packet transformation function; and

configuring the packet security gateway to:

receive, via a communication interface of the packet security gateway that does not have a network-layer address, network traffic traversing the boundary via the packet security gateway, wherein the network traffic comprises received packets and is associated with each host of a plurality of hosts located in the network protected by the packet security gateway, and wherein the received packets comprise:

first packets traversing the boundary, via the packet security gateway, that originate from outside the network protected by the packet security gateway and are destined for the plurality of hosts; and

second packets traversing the boundary, via the packet security gateway, that originate from the plurality of hosts located in the network and are destined for devices in the one or more networks other than the network protected by the packet security gateway;

responsive to a determination by the packet security gateway that a portion of the received packets corresponds to at least one packet matching criterion specified by the one or more packet filtering rules, drop the portion of the received packets; and

modify a switching matrix of a local area network (LAN) switch associated with the packet security gateway such that the LAN switch is configured to drop the portion of the received packets responsive to the determination by the packet security gateway.

Dependent claims: 2, 3, 4, 5, 6, 7
8. A system comprising:

at least one processor; and

memory storing instructions that when executed by the at least one processor cause the system to:

provision a packet security gateway, of a plurality of packet security gateways that collectively provide an entire interface across a boundary of a network protected by the packet security gateway and one or more networks other than the network protected by the packet security gateway, with one or more packet filtering rules to be applied to all network traffic traversing the boundary, wherein each packet filtering rule comprises at least one packet matching criterion associated with malicious network traffic and a corresponding packet transformation function; and

configure the packet security gateway to:

receive, via a communication interface that does not have a network-layer address, network traffic traversing the boundary via the packet security gateway, wherein the network traffic comprises received packets and is associated with each host of a plurality of hosts located in the network protected by the packet security gateway, and wherein the received packets comprise:

first packets traversing the boundary, via the packet security gateway, that originate from outside the network protected by the packet security gateway and are destined for the plurality of hosts; and

second packets traversing the boundary, via the packet security gateway, that originate from the plurality of hosts located in the network and are destined for devices in the one or more networks other than the network protected by the packet security gateway;

responsive to a determination by the packet security gateway that a portion of the received packets corresponds to at least one packet matching criterion specified by the one or more packet filtering rules, drop the portion of the received packets; and

modify a switching matrix of a local area network (LAN) switch associated with the packet security gateway such that the LAN switch is configured to drop the portion of the received packets responsive to the determination by the packet security gateway.

Dependent claims: 9, 10, 11, 12, 13, 14
15. One or more non-transitory computer-readable media comprising instructions that, when executed by one or more processors, cause a computing system to:

provision a packet security gateway, of a plurality of packet security gateways that collectively provide an entire interface across a boundary of a network protected by the packet security gateway and one or more networks other than the network protected by the packet security gateway, with one or more packet filtering rules to be applied to all network traffic traversing the boundary, wherein each packet filtering rule comprises at least one packet matching criterion associated with malicious network traffic and a corresponding network protective action; and

configure the packet security gateway to:

receive, via a communication interface that does not have a network-layer address, network traffic traversing the boundary via the packet security gateway, wherein the network traffic comprises received packets and is associated with each host of a plurality of hosts located in the network protected by the packet security gateway, and wherein the received packets comprise:

first packets traversing the boundary, via the packet security gateway, that originate from outside the network protected by the packet security gateway and are destined for the plurality of hosts; and

second packets traversing the boundary, via the packet security gateway, that originate from the plurality of hosts located in the network and are destined for devices in the one or more networks other than the network protected by the packet security gateway;

responsive to a determination by the packet security gateway that a portion of the received packets corresponds to at least one packet matching criterion specified by the one or more packet filtering rules, drop the portion of the received packets; and

modify a switching matrix of a local area network (LAN) switch associated with the packet security gateway such that the LAN switch is configured to drop the portion of the received packets responsive to the determination by the packet security gateway.

Dependent claims: 16, 17, 18, 19, 20
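As an added illustration, not code from the patent or its assignee, the following Python model implements the arrangement the independent claims describe: a bump-in-the-wire packet security gateway provisioned with filtering rules (a matching criterion plus its transformation function), applied to packets crossing the boundary in both directions, which drops matching packets and pushes that decision into a LAN switch's switching matrix so the switch discards later packets of the same flow itself. The protected prefix, addresses, rules and sample traffic are constructed values, and the switching matrix is modelled simply as a set of (source, destination) flows the switch drops.

```python
from dataclasses import dataclass, field
from ipaddress import ip_address, ip_network
from typing import Callable, List, NamedTuple, Set, Tuple

PROTECTED = ip_network("10.0.0.0/8")  # constructed: the network behind the gateway
Packet = NamedTuple("Packet", [("src", str), ("dst", str), ("dport", int)])

@dataclass
class FilterRule:  # one matching criterion plus its corresponding transformation function
    criterion: Callable[[Packet], bool]
    transform: str  # "drop" in the claims; the abstract also allows other functions

@dataclass
class LanSwitch:  # switching matrix modelled as the set of (src, dst) flows it discards
    drop_matrix: Set[Tuple[str, str]] = field(default_factory=set)

class PacketSecurityGateway:
    """Bump-in-the-wire filter: its interface has no network-layer address of its own."""
    def __init__(self, rules: List[FilterRule], switch: LanSwitch):
        self.rules, self.switch = rules, switch

    def process(self, packets: List[Packet]) -> Tuple[List[Packet], List[Packet]]:
        forwarded, dropped = [], []
        for pkt in packets:
            key = (pkt.src, pkt.dst)
            if key in self.switch.drop_matrix:  # already discarded in the switch fabric
                dropped.append(pkt)
            elif any(r.transform == "drop" and r.criterion(pkt) for r in self.rules):
                dropped.append(pkt)
                self.switch.drop_matrix.add(key)  # modify the LAN switch's switching matrix
            else:
                forwarded.append(pkt)
        return forwarded, dropped

RULES = [  # constructed criteria: a known-bad external address in either direction,
    FilterRule(lambda p: "203.0.113.7" in (p.src, p.dst), "drop"),
    # and telnet originating from a protected host ("second packets" in the claims)
    FilterRule(lambda p: ip_address(p.src) in PROTECTED and p.dport == 23, "drop"),
]

def demo() -> Tuple[int, int, List[Tuple[str, str]]]:
    switch = LanSwitch()
    traffic = [  # constructed sample traffic crossing the boundary in both directions
        Packet("203.0.113.7", "10.1.1.5", 443),   # inbound from the bad address
        Packet("10.1.1.5", "198.51.100.9", 23),   # outbound telnet from a protected host
        Packet("10.1.1.6", "198.51.100.9", 443),  # benign outbound traffic
        Packet("203.0.113.7", "10.1.1.5", 53),    # same flow again: now dropped by the switch
    ]
    fwd, drop = PacketSecurityGateway(RULES, switch).process(traffic)
    return len(fwd), len(drop), sorted(switch.drop_matrix)
```

Running demo() shows one packet forwarded and three dropped, the last of them by the switch entry the gateway installed rather than by the gateway's own rule evaluation.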