Communication security system

US 20030131245A1
Filed: 01/06/2003
Published: 07/10/2003
Est. Priority Date: 01/04/2002
Status: Abandoned Application

First Claim

Patent Images

1. A method for enforcing a security policy at computers comprising:

accepting credentials from a first user at a first computer;

receiving data characterizing a policy for use of the first computer by the first user; and

mediating access between applications executed on the first computer and computing resources according to the received policy.

View all claims

1 Assignment

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

An approach for secure application-to-application communication over the Internet uses a combination of application message interception, centralized policy management, and generic secure data connectivity layer for applications. Intercepting messages at an application layer enables use of application-specific security policies prior to the messages for different applications merging at lower levels of a communication protocol stack, and enables securing of the application messages as early as possible in the path to a peer application. The centralized policy management enables enforcement of security policies on multiple computers, both within and outside and enterprise network and protects against circumvention of security features specified by the policies. Data is transported between applications executing on different computers using a generic connectivity layer, which enables communication through firewalls that limit to particular ports and protocols, for example, allowing only HTTP-based communication on standard IP ports. Optionally, the approach complements VPN solutions by passing application-specific control information to VPN endpoints to enable those endpoints to perform application-specific processing while maintaining confidentiality of the application messages themselves.

Citations

34 Claims

1. A method for enforcing a security policy at computers comprising:
- accepting credentials from a first user at a first computer;
  
  receiving data characterizing a policy for use of the first computer by the first user; and
  
  mediating access between applications executed on the first computer and computing resources according to the received policy.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13, 14, 15, 16, 17, 18, 19, 20, 21, 22, 23, 24, 25, 26, 27, 28, 29, 30, 31, 32)
- - 2. The method of claim 1 wherein the computing resources include resources hosted on remote computers.
  - 3. The method of claim 2 wherein mediating access to the computing resources includes mediating access to remote applications.
  - 4. The method of claim 2 wherein mediating access to the computing resources includes mediating access to a remote file system.
  - 5. The method of claim 1 wherein the computing resources include resources hosted locally on the first computer.
  - 6. The method of claim 5 wherein mediating access to the computing resources includes mediating access to a local file system.
  - 7. The method of claim 1 further comprising providing a security module on the first computer that receives data characterizing the policy.
  - 8. The method of claim 7 wherein mediating the access between the applications and the computing resources includes intercepting communication between the applications and the resources at the security module.
  - 9. The method of claim 8 further comprising preventing communication between the applications and the computing resources without mediation using the security module.
  - 10. The method of claim 8 wherein intercepting communication includes binding operating system services with procedures implemented by the security module.
  - 11. The method of claim 9 wherein binding operating system services includes binding input/output services.
  - 12. The method of claim 11 wherein binding input/output services includes binding Windows Winsock services with procedures implemented by the security module.
  - 13. The method of claim 1 further comprising authenticating the user based on the credentials.
  - 14. The method of claim 13 wherein authenticating the user includes applying biometric authentication techniques.
  - 15. The method of claim 13 further comprising providing the policy to the first computer according the authentication of the user
  - 16. The method of claim 1 further comprising maintaining a database for policy data remote from the first computer, and providing the policy includes retrieving the policy from said database.
  - 17. The method of claim 13 wherein receiving the policy includes verifying the authenticity of data representing the policy.
  - 18. The method of claim 17 wherein the received policy is cryptographically signed and verifying the authenticity of the data representing the policy includes verifying the cryptographic signature.
  - 19. The method of claim 1 wherein the received policy identifies an application to which it is applicable.
  - 20. The method of claim 1 wherein the received policy identifies a user activity to which it is applicable.
  - 21. The method of claim 1 wherein the received policy identifies computing resources to which it is applicable.
  - 22. The method of claim 1 wherein the received policy identifies allowable actions to be performed in the mediated access.
  - 23. The method of claim 1 wherein mediating access to the computing resources includes selectively encrypting communication between the applications and the computing resources.
  - 24. The method of claim 1 wherein mediating access to the computing resources includes limiting access to the computing resources according to the received policy.
  - 25. The method of claim 24 wherein limiting access to the computing resources includes prohibiting access to one or more of the computing resources.
  - 26. The method of claim 1 further comprising receiving multiple policies, each identifying specific applications and computing resources such that different policies are associated with different combinations of applications and computing resources.
  - 27. The method of claim 1 wherein mediating access to the computing resources includes accessing metadata associated with one of the computing resources, and restricting access to the resource according to the metadata.
  - 28. The method of claim 27 wherein the policy comprises the metadata.
  - 29. The method of claim 27 further comprising retrieving the metadata from a computer that is remote from the first computer.
  - 30. The method of claim 1 further comprising mediating access to computing resources local to the first computer by applications in communication with remote computing resources.
  - 31. The method of claim 30 wherein mediating access to local computing resources includes restricting access to local files of the first computer.
  - 32. The method of claim 1 further comprising accepting credentials from the first user at a second computer, receiving the policy for that user at the second computer, and mediating access between applications executed on the first computer and computing resources that are remote from the first computer.

33. Software stored on a computer-readable medium comprising instructions for causing a computer system to perform functions comprising:
- accepting credentials from a first user at a first computer;
  
  receiving data characterizing a policy for use of the first computer by the first user; and
  
  mediating access between applications executed on the first computer and computing resources according to the received policy.

34. A system for enforcing a security policy at computers comprising:
- means for accepting credentials from a first user at a first computer;
  
  means for receiving data characterizing a policy for use of the first computer by the first user; and
  
  means for mediating access between applications executed on the first computer and computing resources according to the received policy.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Lab 7 Networks, Inc.
Original Assignee
Lab 7 Networks, Inc.
Inventors
Linderman, Michael

Application Number

US10/337,180
Publication Number

US 20030131245A1
Time in Patent Office

Days
Field of Search
US Class Current

713/176
CPC Class Codes

H04L 63/0218   Distributed architectures, ...

H04L 63/0227   Filtering policies mail mes...

H04L 63/0272   Virtual private networks

H04L 63/0428   wherein the data content is...

H04L 63/0861   using biometrical features,...

H04L 63/102   Entity profiles

H04L 63/123   received data contents, e.g...

H04L 63/168   above the transport layer

H04L 63/20   for managing network securi...

Communication security system

First Claim

1 Assignment

0 Petitions

Accused Products

Abstract

Citations

34 Claims

Specification

Solutions

Use Cases

Quick Links

Communication security system

First Claim

1 Assignment

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

Citations

34 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links