Security System with Methodology Providing Verified Secured Individual End Points
Abstract
A security system with methodology providing verified secured individual end points is described. In one embodiment, for example, a method of the present invention is described for controlling access to a particular application, the method comprises steps of: defining firewall rules specifying filtering conditions for incoming network traffic, the firewall rules including an application attribute that allows individual rules to be associated with specific applications, the firewall rules also including extended attributes that allow specification of additional conditions that a given end point is required to meet; intercepting incoming network traffic destined for a particular application for which a particular application-specific firewall rule has been created; examining the extended attributes for the particular application-specific firewall rule, for determining what additional conditions the given end point must comply with in order to communicate with the particular application; if the given end point complies with the additional conditions, allowing the end point to communicate with the particular application; and otherwise blocking the end point to prevent communication with the particular application.
50 Claims
1. A method for controlling access to a particular application, the method comprising:
defining firewall rules specifying filtering conditions for incoming network traffic, said firewall rules including an application attribute that allows individual rules to be associated with specific applications, said firewall rules also including extended attributes that allow specification of additional conditions that a given end point is required to meet;
intercepting incoming network traffic destined for a particular application for which a particular application-specific firewall rule has been created;
examining the extended attributes for said particular application-specific firewall rule, for determining what additional conditions the given end point must comply with in order to communicate with the particular application;
if the given end point complies with said additional conditions, allowing the end point to communicate with the particular application; and
otherwise blocking the end point to prevent communication with the particular application.
Dependent claims: 2-12.
13. A method for protecting a software program potentially having vulnerabilities from exploitation by malicious network traffic, the method comprising:
creating a firewall that is able to monitor network traffic on a software program-specific basis, such that network traffic to a particular software program is monitored according to software program-specific rules that are specifically created for protecting that particular software program;
monitoring incoming network traffic and intercepting any incoming network traffic that is determined to be destined for the particular software program;
before allowing the network traffic to be received by the particular software program, determining whether the network traffic complies with the software program-specific rules that are applicable for protecting the particular software program;
if the network traffic is determined to comply, allowing the network traffic to reach the particular software program; and
otherwise blocking the network traffic at a point before the network traffic may invoke execution of program code of the particular software program.
Dependent claims: 14-24.
25. An improved firewall system for controlling access to a particular application, the system comprising:
a plurality of firewall rules specifying filtering conditions for incoming network traffic, including rules that include an application attribute that allows individual rules to be associated with specific applications, said firewall rules also including extended attributes that allow specification of additional conditions that a given end point is required to meet;
a module for intercepting incoming network traffic destined for a particular application for which a particular application-specific firewall rule has been created;
a module for examining the extended attributes for said particular application-specific firewall rule, for determining what additional conditions the given end point must comply with in order to communicate with the particular application; and
a module for allowing the end point to communicate with the particular application only if the given end point complies with said additional conditions.
Dependent claims: 26-34.
35. A firewall system providing application-specific protection against exploitation of vulnerabilities by malicious network traffic, the system comprising:
a plurality of firewall rules for configuring the firewall system to monitor network traffic on an application-specific basis, such that network traffic to a particular software program is monitored according to rules specifically created for protecting that particular software program;
a module for monitoring incoming network traffic and intercepting any incoming network traffic that is determined to be destined for the particular software program;
a module for determining whether the network traffic complies with the application-specific rules that are applicable for protecting the particular software program before allowing the network traffic to be received by the particular software program; and
a module for allowing the network traffic to reach the particular software program if the network traffic is determined to comply, and otherwise blocking any traffic that does not comply at a point before the network traffic may invoke execution of program code of the particular software program.
Dependent claims: 36-44.
45. A security system providing secured individual end points for end points that may connect to a server, the system comprising:
means for monitoring network traffic at the server on a per-application basis, such that network traffic to a particular software program is monitored according to rules specifically created for protecting that particular software program;
means, responsive to said means for monitoring, for negotiating security between the server and a particular end point attempting to communicate with the particular software program, for establishing that a given end point is a secured end point; and
means for rejecting any incoming network packets that are determined to be destined for the particular software program and which originate from an end point that has not successfully completed negotiation with the server.
Dependent claims: 46-50.
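The allow/block decision that the independent claims describe (an application-specific rule with extended end-point conditions, evaluated on an intercepted packet before the application sees it, with un-negotiated end points rejected), as an added example that is not the patent's own code; the rule fields, the port-to-application map and the end-point attributes are assumptions.

```python
from dataclasses import dataclass, field

@dataclass
class Rule:
    application: str     # "*" = generic rule; otherwise application-specific
    dst_port: int
    action: str          # "allow" or "block"
    extended: dict = field(default_factory=dict)  # extra conditions the end point must meet

@dataclass
class EndPoint:
    address: str
    negotiated: bool = False       # finished the server negotiation (claim 45)
    agent_version: int = 0         # numeric minimums are checked with >=
    antivirus_running: bool = False

# Constructed sample data: how the firewall resolves the destination application
# and the rules it loads are assumptions, not the patent's own format.
PORT_TO_APP = {443: "webserver", 5432: "database"}
RULES = [
    Rule("webserver", 443, "allow", {"negotiated": True, "agent_version": 3}),
    Rule("database", 5432, "allow", {"negotiated": True, "antivirus_running": True}),
    Rule("*", 22, "block"),
]

def failed_conditions(endpoint: EndPoint, conditions: dict) -> list:
    """Names of extended attributes the end point does not satisfy (empty = compliant)."""
    failed = []
    for name, required in conditions.items():
        actual = getattr(endpoint, name, None)
        if isinstance(required, bool) or not isinstance(required, int):
            ok = actual == required                          # exact match for flags
        else:
            ok = actual is not None and actual >= required   # numeric minimum
        if not ok:
            failed.append(name)
    return failed

def decide(dst_port: int, endpoint: EndPoint) -> tuple:
    """Run for an intercepted packet before the destination application receives it."""
    app = PORT_TO_APP.get(dst_port)
    for rule in RULES:
        if rule.dst_port != dst_port or rule.application not in ("*", app):
            continue
        if rule.action == "block":
            return "block", f"port {dst_port}: rule blocks"
        failed = failed_conditions(endpoint, rule.extended)
        if failed:
            return "block", f"{app}: end point fails {failed}"
        return "allow", f"{app}: end point meets extended conditions"
    return "block", "no matching rule (default deny)"
```

An end point that has not completed negotiation is blocked even when every other attribute passes, which is the behaviour claim 45 requires.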