Resource-free prioritizing in high availability external security systems
Abstract
A database access control system is augmented to provide additional functionality to enable an external security device (e.g., an EDSM) to fully and accurately assess a database query against one or more security policies even when the EDSM is overloaded. To this end, a pair of channels is established between the ISA and the ESM, wherein the channel pair includes a first channel that is expected to have a relatively low packet rate, and a second channel that is expected to have a relatively high packet rate. Packets representing initial session information (i.e., user information sent at the beginning of a user session) are directed to the first channel, whereas packets received following session establishment are directed to the second channel, because the latter are likely to be present during a potential overload scenario.
Claims (19)
1. A method operative in a database access control system wherein database requests directed from a client to a database server are intercepted by an agent and directed to an external security device for validation against a security policy, comprising:
- configuring first and second channels between the agent and the external security device;
- providing, via the first channel, session user information received from the client;
- providing, via the second channel, session requests received from the client after establishment of a session associated with the session user information; and
- prioritizing processing of packets received over the first channel in lieu of packets received over the second channel when the external security device is operating in an overloaded state.
Dependent claims: 2, 3, 4, 5, 6

7. Apparatus for use in a database access control system wherein database requests directed from a client to a database server are intercepted by an agent and directed to an external security device for validation against a security policy, comprising:
- a processor;
- computer memory holding computer program instructions executed by the processor, the computer program instructions comprising program code configured to:
  - establish first and second channels between the agent and the external security device;
  - provide, via the first channel, session user information received from the client;
  - provide, via the second channel, session requests received from the client after establishment of a session associated with the session user information; and
  - prioritize processing of packets received over the first channel in lieu of packets received over the second channel when the external security device is operating in an overloaded state.
Dependent claims: 8, 9, 10, 11, 12

13. A computer program product, comprising:
- a non-transitory computer readable medium; and
- computer program instructions held in the non-transitory computer readable medium in association with a database access control system wherein database requests directed by a client to a database server are intercepted by an agent and directed to an external security device for validation against a security policy, the computer program instructions executable by a processor and comprising program code configured to:
  - establish first and second channels between the agent and the external security device;
  - provide, via the first channel, session user information received from the client;
  - provide, via the second channel, session requests received from the client after establishment of a session associated with the session user information; and
  - prioritize processing of packets received over the first channel in lieu of packets received over the second channel when the external security device is operating in an overloaded state.
Dependent claims: 14, 15, 16, 17, 18

19. A database access control system operated in association with a database client application, and a database server, comprising:
- an agent executed in hardware and configured to intercept a database protocol packet stream as the database client application directs requests to the database server; and
- a security mechanism executed in hardware and configured to receive a database protocol packet that has been forwarded by the agent for validation;
- wherein for a configurable number of packets in the intercepted database protocol packet stream that include session user information associated with initiation of a new session, the agent marks each such database protocol packet and outputs the database protocol packet as marked;
- wherein following processing of the configurable number of packets in the database protocol stream, outputting from the agent one or more follow-on data packets in the database protocol stream;
- wherein the security mechanism prioritizes processing of any marked database protocol packet over a database protocol packet that is not so marked.
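The two-channel scheme described in the abstract and in claims 1 and 19, simulated end to end as an added example (this is illustrative code written for this page, not code from the patent or from any product). The agent marks the first N packets of each session (the "configurable number of packets" carrying session user information) for the low-rate first channel; everything after that goes on the high-rate second channel. The security device is modelled as a bounded queue that is "overloaded" when full: in that state a marked packet is admitted in place of the newest unmarked packet and serviced ahead of unmarked packets, which is the "in lieu of" prioritization the claims describe. The queue size, the one-packet-per-tick service rate, the per-session mark count, the toy policy and the packet stream are all constructed assumptions. Running the same burst with and without prioritization shows the failure mode the patent addresses: without it, a new session's user information is shed under overload and that session's later query cannot be assessed against the policy; with it, only follow-on requests are shed and every surviving query is decided with the user known.

```python
"""Two-channel prioritization under overload (added illustration, not the patent's code)."""
from collections import deque
from dataclasses import dataclass


@dataclass
class Packet:
    session: str
    kind: str          # "session_info" (channel 1) or "request" (channel 2)
    payload: str       # user name for session_info, SQL text for request
    marked: bool = False


class Agent:
    """Intercepts the client stream and marks each session's leading packets."""

    def __init__(self, marked_per_session=1):   # the "configurable number" (assumed: 1)
        self.marked_per_session = marked_per_session
        self.seen = {}

    def intercept(self, pkt):
        n = self.seen.get(pkt.session, 0)
        self.seen[pkt.session] = n + 1
        pkt.marked = n < self.marked_per_session
        return pkt


class SecurityDevice:
    """Bounded-queue validator; 'overloaded' means the queue is full (assumed model)."""

    def __init__(self, prioritize, queue_size=3):
        self.prioritize = prioritize
        self.queue = deque()
        self.queue_size = queue_size
        self.users = {}        # session -> user, learned only from channel-1 packets
        self.decisions = []    # (session, payload, verdict)
        self.shed = []         # packets dropped because of overload

    def overloaded(self):
        return len(self.queue) >= self.queue_size

    def receive(self, pkt):
        if not self.overloaded():
            self.queue.append(pkt)
            return
        # Overloaded: a marked packet displaces the newest unmarked packet
        # (channel 1 is processed in lieu of channel 2); otherwise the arrival is shed.
        if self.prioritize and pkt.marked:
            for i in range(len(self.queue) - 1, -1, -1):
                if not self.queue[i].marked:
                    self.shed.append(self.queue[i])
                    del self.queue[i]
                    self.queue.append(pkt)
                    return
        self.shed.append(pkt)

    def service_one(self):
        if not self.queue:
            return None
        idx = 0                                   # FIFO when not overloaded
        if self.prioritize and self.overloaded(): # marked packets first under overload
            idx = next((i for i, p in enumerate(self.queue) if p.marked), 0)
        pkt = self.queue[idx]
        del self.queue[idx]
        self.validate(pkt)
        return pkt

    def validate(self, pkt):
        if pkt.kind == "session_info":
            self.users[pkt.session] = pkt.payload
            verdict = "registered"
        elif pkt.session not in self.users:
            verdict = "indeterminate"   # policy needs the user; its channel-1 packet was lost
        else:
            # Toy policy (assumed): admin may run anything, other users only SELECT.
            user = self.users[pkt.session]
            ok = user == "admin" or pkt.payload.upper().startswith("SELECT")
            verdict = "allow" if ok else "deny"
        self.decisions.append((pkt.session, pkt.payload, verdict))


def constructed_stream():
    """Constructed per-tick arrivals: session A floods, session B starts mid-burst."""
    return [
        [Packet("A", "session_info", "analyst"), Packet("A", "request", "SELECT 1"),
         Packet("A", "request", "SELECT 2"), Packet("A", "request", "SELECT 3")],
        [Packet("A", "request", "SELECT 4"), Packet("B", "session_info", "admin"),
         Packet("B", "request", "DROP TABLE t")],
        [Packet("B", "request", "SELECT 5")],
        [], [], [],
    ]


def run(prioritize, queue_size=3, per_tick=1):
    agent, device = Agent(), SecurityDevice(prioritize, queue_size)
    for arrivals in constructed_stream():
        for pkt in arrivals:
            device.receive(agent.intercept(pkt))
        for _ in range(per_tick):
            device.service_one()
    while device.queue:            # drain whatever is left after the burst
        device.service_one()
    return device


def summarize(device):
    verdicts = [v for _, _, v in device.decisions]
    return {
        "indeterminate": verdicts.count("indeterminate"),
        "sessions_registered": sorted(device.users),
        "shed": [(p.session, p.kind) for p in device.shed],
    }


if __name__ == "__main__":
    for mode in (False, True):
        print("prioritize=%s -> %s" % (mode, summarize(run(mode))))
```

Both runs shed the same number of packets; what prioritization changes is which ones. In the FIFO run the shed list contains session B's `session_info` packet, so B's later `SELECT 5` is decided as `indeterminate`; in the prioritized run only `request` packets are shed and both sessions are registered before any of their queries reach the policy.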
Specification