Methods and systems for protecting a secured network

US 10,567,437 B2
Filed: 08/24/2018
Issued: 02/18/2020
Est. Priority Date: 10/22/2012
Status: Active Grant

- Alert
- Pin

Associated Cases

Associated Defendants

First Claim

Patent Images

1. A method comprising:

provisioning a packet security gateway, of a plurality of packet security gateways that collectively provide an entire interface across a boundary of a network protected by the packet security gateway and one or more networks other than the network protected by the packet security gateway, with one or more packet filtering rules to be applied to all network traffic traversing the boundary, wherein each packet filtering rule comprises at least one packet matching criterion associated with malicious network traffic and a corresponding packet transformation function; and

configuring the packet security gateway to;

receive, via a communication interface of the packet security gateway that does not have a network-layer address, network traffic traversing the boundary via the packet security gateway, wherein the network traffic comprises received packets and is associated with each host of a plurality of hosts located in the network protected by the packet security gateway, and wherein the received packets comprise;

first packets traversing the boundary, via the packet security gateway, that originate from outside the network protected by the packet security gateway and are destined for the plurality of hosts; and

second packets traversing the boundary, via the packet security gateway, that originate from the plurality of hosts located in the network and are destined for devices in the one or more networks other than the network protected by the packet security gateway;

responsive to a determination by the packet security gateway that a portion of the received packets corresponds to at least one packet matching criterion specified by the one or more packet filtering rules, drop the portion of the received packets; and

modify a switching matrix of a local area network (LAN) switch associated with the packet security gateway such that the LAN switch is configured to drop the portion of the received packets responsive to the determination by the packet security gateway.

View all claims

2 Assignments

Timeline View

Assignment View

Litigations

1 Petition

Accused Products

Abstract

Methods and systems for protecting a secured network are presented. For example, one or more packet security gateways may be associated with a security policy management server. At each packet security gateway, a dynamic security policy may be received from the security policy management server, packets associated with a network protected by the packet security gateway may be received, and at least one of multiple packet transformation functions specified by the dynamic security policy may be performed on the packets. Performing the at least one of multiple packet transformation functions specified by the dynamic security policy on the packets may include performing at least one packet transformation function other than forwarding or dropping the packets.

275 Citations

20 Claims

1. A method comprising:
- provisioning a packet security gateway, of a plurality of packet security gateways that collectively provide an entire interface across a boundary of a network protected by the packet security gateway and one or more networks other than the network protected by the packet security gateway, with one or more packet filtering rules to be applied to all network traffic traversing the boundary, wherein each packet filtering rule comprises at least one packet matching criterion associated with malicious network traffic and a corresponding packet transformation function; and
  
  configuring the packet security gateway to;
  
  receive, via a communication interface of the packet security gateway that does not have a network-layer address, network traffic traversing the boundary via the packet security gateway, wherein the network traffic comprises received packets and is associated with each host of a plurality of hosts located in the network protected by the packet security gateway, and wherein the received packets comprise;
  
  first packets traversing the boundary, via the packet security gateway, that originate from outside the network protected by the packet security gateway and are destined for the plurality of hosts; and
  
  second packets traversing the boundary, via the packet security gateway, that originate from the plurality of hosts located in the network and are destined for devices in the one or more networks other than the network protected by the packet security gateway;
  
  responsive to a determination by the packet security gateway that a portion of the received packets corresponds to at least one packet matching criterion specified by the one or more packet filtering rules, drop the portion of the received packets; and
  
  modify a switching matrix of a local area network (LAN) switch associated with the packet security gateway such that the LAN switch is configured to drop the portion of the received packets responsive to the determination by the packet security gateway.
- View Dependent Claims (2, 3, 4, 5, 6, 7)
- - 2. The method of claim 1, wherein:
    - the provisioning comprises provisioning the packet security gateway with at least one packet filtering rule configured to identify spoofed source addresses; and
      
      the configuring comprises configuring the packet security gateway to, responsive to a determination by the packet security gateway that at least a portion of the received packets comprises a source address corresponding to packet matching criterion specified by the at least one packet filtering rule, drop the at least a portion of the received packets.
  - 3. The method of claim 1, wherein:
    - the provisioning comprises provisioning the packet security gateway with at least one packet filtering rule configured to identify malicious network traffic based on information received from a subscription service; and
      
      the configuring comprises configuring the packet security gateway to, responsive to a determination by the packet security gateway that at least a portion of the received packets comprises data corresponding to packet matching criterion specified by the at least one packet filtering rule and included in the information received from the subscription service, drop the at least a portion of the received packets.
  - 4. The method of claim 1, wherein:
    - the provisioning comprises provisioning the packet security gateway with the one or more packet filtering rules via a communication interface of the packet security gateway having a network-layer address.
  - 5. The method of claim 1, comprising configuring the packet security gateway to, responsive to a determination by the packet security gateway that at least a portion of the received packets corresponds to packet matching criterion specified by the one or more packet filtering rules, encapsulate each packet of the at least a portion of the received packets with a header specifying a network address different from a destination network address specified by the packet.
  - 6. The method of claim 1, comprising configuring the packet security gateway to, responsive to a determination by the packet security gateway that at least a portion of the received packets correspond to packet matching criterion specified by the one or more packet filtering rules, route each packet of the at least a portion of the packets toward its destination network-layer address via a layer-2 virtual local area network (VLAN) such that the packet is routed differently than if it had been routed based on its destination network-layer address.
  - 7. The method of claim 1, comprising:
    - receiving, by the packet security gateway, a policy information update; and
      
      at least one of create or alter, based on the policy information update received by the packet security gateway, at least one a-packet matching criterion associated with malicious network traffic and a packet transformation function of one or more packet filtering rules.

8. A system comprising:
- at least one processor; and
  
  memory storing instructions that when executed by the at least one processor cause the system to;
  
  provision a packet security gateway, of a plurality of packet security gateways that collectively provide an entire interface across a boundary of a network protected by the packet security gateway and one or more networks other than the network protected by the packet security gateway, with one or more packet filtering rules to be applied to all network traffic traversing the boundary, wherein each packet filtering rule comprises at least one packet matching criterion associated with malicious network traffic and a corresponding packet transformation function; and
  
  configure the packet security gateway to;
  
  receive, via a communication interface that does not have a network-layer address, network traffic traversing the boundary via the packet security gateway, wherein the network traffic comprises received packets and is associated with each host of a plurality of hosts located in the network protected by the packet security gateway, and wherein the received packets comprise;
  
  first packets traversing the boundary, via the packet security gateway, that originate from outside the network protected by the packet security gateway and are destined for the plurality of hosts; and
  
  second packets traversing the boundary, via the packet security gateway, that originate from the plurality of hosts located in the network and are destined for devices in the one or more networks other than the network protected by the packet security gateway;
  
  responsive to a determination by the packet security gateway that a portion of the received packets corresponds to at least one packet matching criterion specified by the one or more packet filtering rules, drop the portion of the received packets; and
  
  modify a switching matrix of a local area network (LAN) switch associated with the packet security gateway such that the LAN switch is configured to drop the portion of the received packets responsive to the determination by the packet security gateway.
- View Dependent Claims (9, 10, 11, 12, 13, 14)
- - 9. The system of claim 8, wherein the instructions, when executed by the at least one processor, cause the system to:
    - provision the packet security gateway with at least one packet filtering rule configured to identify spoofed source addresses; and
      
      configure the packet security gateway to, responsive to a determination by the packet security gateway that at least a portion of the received packets comprises a source address corresponding to packet matching criterion specified by the at least one packet filtering rule, drop the at least a portion of the received packets.
  - 10. The system of claim 8, wherein the instructions, when executed by the at least one processor, cause the system to:
    - provision the packet security gateway with at least one packet filtering rule configured to identify malicious network traffic based on information received from a subscription service; and
      
      configure the packet security gateway to, responsive to a determination by the packet security gateway that at least a portion of the received packets comprises data corresponding to packet matching criterion specified by the at least one packet filtering rule and included in the information received from the subscription service, drop the at least a portion of the received packets.
  - 11. The system of claim 8, wherein the instructions, when executed by the at least one processor, cause the system to:
    - provision the packet security gateway with the one or more packet filtering rules via a communication interface of the packet security gateway having a network-layer address.
  - 12. The system of claim 8, wherein the instructions, when executed by the at least one processor, cause the system to configure the packet security gateway to, responsive to a determination by the packet security gateway that at least a portion of the received packets corresponds to packet matching criterion specified by the one or more packet filtering rules, encapsulate each packet of the at least a portion of the packets with a header specifying a network address different from a destination network address specified by the packet.
  - 13. The system of claim 8, wherein the instructions, when executed by the at least one processor, cause the system to configure the packet security gateway to, responsive to a determination by the packet security gateway that at least a portion of the received packets corresponds to packet matching criterion specified by the one or more packet filtering rules, route each packet of the at least a portion of the received packets toward its destination network-layer address via a layer-2 virtual local area network (VLAN) such that the packet is routed differently than if it had been routed based on its destination network-layer address.
  - 14. The system of claim 8, wherein the instructions, when executed by the at least one processor, cause the system to configure the packet security gateway to:
    - receiving, by the packet security gateway, a policy information update; and
      
      at least one of create or alter, based on the policy information update received by the packet security gateway, at least one packet matching criterion associated with malicious network traffic and a packet transformation function of one or more packet filtering rules.

15. One or more non-transitory computer-readable media comprising instructions that, when executed by one or more processors, cause a computing system to:
- provision a packet security gateway, of a plurality of packet security gateways that collectively provide an entire interface across a boundary of a network protected by the packet security gateway and one or more networks other than the network protected by the packet security gateway, with one or more packet filtering rules to be applied to all network traffic traversing the boundary, wherein each packet filtering rule comprises at least one packet matching criterion associated with malicious network traffic and a corresponding network protective action; and
  
  configure the packet security gateway to;
  
  receive, via a communication interface that does not have a network-layer address, network traffic traversing the boundary via the packet security gateway, wherein the network traffic comprises received packets and is associated with each host of a plurality of hosts located in the network protected by the packet security gateway, and wherein the received packets comprise;
  
  first packets traversing the boundary, via the packet security gateway, that originate from outside the network protected by the packet security gateway and are destined for the plurality of hosts; and
  
  second packets traversing the boundary, via the packet security gateway, that originate from the plurality of hosts located in the network and are destined for devices in the one or more networks other than the network protected by the packet security gateway;
  
  responsive to a determination by the packet security gateway that a portion of the received packets corresponds to at least one packet matching criterion specified by the one or more packet filtering rules, drop the portion of the received packets; and
  
  modify a switching matrix of a local area network (LAN) switch associated with the packet security gateway such that the LAN switch is configured to drop the portion of the received packets responsive to the determination by the packet security gateway.
- View Dependent Claims (16, 17, 18, 19, 20)
- - 16. The one or more non-transitory computer-readable media of claim 15, wherein the instructions, when executed by the one or more processors, cause the computing system to:
    - provision the packet security gateway with at least one packet filtering rule configured to identify spoofed source addresses; and
      
      configure the packet security gateway to, responsive to a determination by the packet security gateway that at least a portion of the received packets comprises a source address corresponding to packet matching criterion specified by the at least one packet filtering rule, drop the at least a portion of the received packets.
  - 17. The one or more non-transitory computer-readable media of claim 15, wherein the instructions, when executed by the one or more processors, cause the computing system to:
    - provision the packet security gateway with at least one packet filtering rule configured to identify malicious network traffic based on information received from a subscription service; and
      
      configure the packet security gateway to, responsive to a determination by the packet security gateway that at least a portion of the received packets comprises data corresponding to packet matching criterion specified by the at least one packet filtering rule and included in the information received from the subscription service, drop the at least a portion of the received packets.
  - 18. The one or more non-transitory computer-readable media of claim 15, wherein the instructions, when executed by the one or more processors, cause the computing system to:
    - provision the packet security gateway with the one or more packet filtering rules via a communication interface of the packet security gateway having a network-layer address.
  - 19. The one or more non-transitory computer-readable media of claim 15, wherein the instructions, when executed by the one or more processors, cause the computing system to configure the packet security gateway to, responsive to a determination by the packet security gateway that at least a portion of the received packets corresponds to packet matching criterion specified by the one or more packet filtering rules, encapsulate each packet of the at least a portion of the packets with a header specifying a network address different from a destination network address specified by the packet.
  - 20. The one or more non-transitory computer-readable media of claim 15, wherein the instructions, when executed by the one or more processors, cause the computing system to configure the packet security gateway to, responsive to a determination by the packet security gateway that at least a portion of the received packets correspond to packet matching criterion specified by the one or more packet filtering rules, route each packet of the at least a portion of the received packets toward its destination network-layer address via a layer-2 virtual local area network (VLAN) such that the packet is routed differently than if it had been routed based on its destination network-layer address.

Specification

Resources

Litigation Campaign Assessment

Litigation Data

Current Assignee
Centripetal Networks, Inc.
Original Assignee
Centripetal Networks, Inc.
Inventors
Rogers, Steven, Moore, Sean
Primary Examiner(s)
Chang, Kenneth W

Application Number

US16/111,524
Publication Number

US 20190230128A1
Time in Patent Office

543 Days
Field of Search
US Class Current
CPC Class Codes

H04L 63/0209   Architectural arrangements,...

H04L 63/0218   Distributed architectures, ...

H04L 63/0236   Filtering by address, proto...

H04L 63/0263   Rule management

H04L 63/20   for managing network securi...

H04L 67/02   based on web technology, e....

Methods and systems for protecting a secured network

First Claim

2 Assignments

Litigations

1 Petition

Accused Products

Abstract

275 Citations

20 Claims

Specification

Use Cases

Quick Links

Others

Methods and systems for protecting a secured network

First Claim

2 Assignments

Subscription Required

Subscription Required

Litigations

1 Petition

Subscription Required

Accused Products

Subscription Required

Abstract

275 Citations

20 Claims

Specification

Subscription Required

Use Cases

Quick Links

Others