Secure labeling of network flows
Abstract
An enterprise security system is improved by instrumenting endpoints to explicitly label network flows with cryptographically secure labels that identify an application or other source of each network flow. Cryptographic techniques may be used, for example, to protect the encoded information in the label from interception by third parties or to support cryptographic authentication of a source of each label. A label may provide health, status, or other heartbeat information for the endpoint, and may be used to identify compromised endpoints, to make routing decisions for network traffic (e.g., allowing, blocking, rerouting, etc.), to more generally evaluate the health of an endpoint that is sourcing network traffic, or for any other useful purpose.
20 Claims
1. A computer program product for managing network flows at an endpoint in a network, the computer program product comprising computer executable code embodied in a nontransitory computer readable medium that, when executing on one or more computing devices, performs operations comprising:
providing a first key to the endpoint;
receiving a data structure from a source on the endpoint, the data structure including a payload and a header;
generating, at the endpoint, a label for the data structure, the label including information about the source of the data structure on the endpoint;
using the first key provided to the endpoint, adding a cryptographic signature for the label to the header of the data structure;
transmitting the data structure from the endpoint to a remote location through a network device for the network;
at the network device, verifying an authenticity of the cryptographic signature using a corresponding second key; and
based on the information about the source of the data structure and the authenticity of the label, applying a routing rule at the network device to conditionally route the data structure to the remote location accessible from the endpoint through the network.
Dependent claims: 2, 3, 4, 5, 6 (not shown).

7. A method for managing network flows at an endpoint in a network, the method comprising:
providing a first key to the endpoint;
receiving a data structure from a source on the endpoint, the data structure including at least a header;
generating, at the endpoint, a label for the data structure, the label including information about the source of the data structure on the endpoint;
using the first key provided to the endpoint, adding a cryptographic signature for the label to the header of the data structure;
transmitting the data structure from the endpoint to a remote location through a network device for the network;
at the network device, verifying an authenticity of the cryptographic signature using a corresponding second key; and
based on the information about the source of the data structure and the authenticity of the label, applying a routing rule at the network device to conditionally route the data structure to the remote location accessible from the endpoint through the network.
Dependent claims: 8, 9, 10, 11 (not shown).

12. A system comprising:
an endpoint including a first memory, a first processor, and a network interface configured to couple the endpoint in a communicating relationship with a data network, the first processor configured to execute instructions stored in the first memory to perform operations of receiving a first key to the endpoint, receiving a data structure from a source on the endpoint, the data structure including at least a header, generating a label for the data structure, the label including information about the source of the data structure on the endpoint, using the first key provided to the endpoint, adding a cryptographic signature for the label to the header of the data structure, and transmitting the data structure from the endpoint to a remote location through a network device for the data network; and
the network device of the data network, the network device including a second memory and a second processor, the second processor configured to execute instructions stored in the second memory to perform operations of verifying an authenticity of the cryptographic signature using a corresponding second key, and, based on the information about the source of the data structure and the authenticity of the label, applying a routing rule at the network device to conditionally route the data structure to the remote location accessible from the endpoint through the data network.
Dependent claims: 13, 14, 15 (not shown).

16. A method for managing network flows at a network device, the method comprising:
providing a first key to an endpoint;
receiving, at the network device, a data structure from a source on the endpoint, the data structure including a label including information about the source of the data structure on the endpoint, and the label having a cryptographic signature added using the first key provided to the endpoint;
processing the data structure on the network device to extract the label having the cryptographic signature;
verifying an authenticity of the cryptographic signature using a corresponding second key; and
based on information about the source of the data structure and the authenticity of the cryptographic signature of the label, applying a routing rule at the network device to conditionally route the data structure to a remote location accessible from the endpoint through the network.
Dependent claims: 17, 18, 19, 20 (not shown).
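The endpoint-side labeling and network-device-side verification described in the abstract and claims, as an added illustrative example that is not code from the patent or its assignee. It assumes an HMAC-SHA256 label signature, so the network device's "second key" is the same shared secret as the endpoint's "first key" (the claims equally cover an asymmetric key pair), and it uses a constructed routing policy keyed on the authenticated source application.

```python
import hmac
import hashlib
import json

# Constructed for this example: the "first key" issued to the endpoint. With an HMAC the
# network device's "corresponding second key" is the same shared secret (an assumption).
FIRST_KEY = b"example-shared-secret-not-for-production"
SECOND_KEY = FIRST_KEY

def make_label(source_app, endpoint_id, health):
    """Endpoint side: describe the process sourcing the flow plus heartbeat/health info."""
    return {"app": source_app, "endpoint": endpoint_id, "health": health}

def sign_label(label, key):
    """Sign canonical JSON of the label so both sides hash exactly the same bytes."""
    canonical = json.dumps(label, sort_keys=True, separators=(",", ":")).encode()
    return hmac.new(key, canonical, hashlib.sha256).hexdigest()

def build_packet(payload, label, key):
    """Endpoint side: attach the label and its signature to the header; payload untouched."""
    return {"header": {"label": label, "sig": sign_label(label, key)}, "payload": payload}

def verify_label(packet, key):
    """Network device side: recompute the signature and compare in constant time."""
    header = packet.get("header", {})
    label, sig = header.get("label"), header.get("sig", "")
    if not isinstance(label, dict):
        return False
    return hmac.compare_digest(sign_label(label, key), sig)

# Constructed sample policy: routing rule keyed on the authenticated source application.
RULES = {"corp-mail": "allow", "browser": "reroute:web-proxy"}

def route(packet, key):
    """Conditionally route: an unverifiable or unknown label never reaches the allow path."""
    if not verify_label(packet, key):
        return "drop:bad-signature"
    label = packet["header"]["label"]
    if label.get("health") != "ok":
        return "drop:unhealthy-endpoint"
    return RULES.get(label.get("app"), "drop:unknown-source")

if __name__ == "__main__":
    pkt = build_packet(b"GET / HTTP/1.1", make_label("corp-mail", "ep-42", "ok"), FIRST_KEY)
    print(route(pkt, SECOND_KEY))                 # allow
    pkt["header"]["label"]["app"] = "browser"     # label altered in transit: signature no longer matches
    print(route(pkt, SECOND_KEY))                 # drop:bad-signature
```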
Specification