Security System with Methodology Providing Verified Secured Individual End Points

US 20050273850A1
Filed: 03/29/2005
Published: 12/08/2005
Est. Priority Date: 06/07/2004
Status: Active Grant

First Claim

Patent Images

1. A method for controlling access to a particular application, the method comprising:

defining firewall rules specifying filtering conditions for incoming network traffic, said firewall rules including an application attribute that allows individual rules to be associated with specific applications, said firewall rules also including extended attributes that allow specification of additional conditions that a given end point is required to meet;

intercepting incoming network traffic destined for a particular application for which a particular application-specific firewall rule has been created;

examining the extended attributes for said particular application-specific firewall rule, for determining what additional conditions the given end point must comply with in order to communicate with the particular application;

if the given end point complies with said additional conditions, allowing the end point to communicate with the particular application; and

otherwise blocking the end point to prevent communication with the particular application.

View all claims

1 Assignment

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

A security system with methodology providing verified secured individual end points is described. In one embodiment, for example, a method of the present invention is described for controlling access to a particular application, the method comprises steps of: defining firewall rules specifying filtering conditions for incoming network traffic, the firewall rules including an application attribute that allows individual rules to be associated with specific applications, the firewall rules also including extended attributes that allow specification of additional conditions that a given end point is required to meet; intercepting incoming network traffic destined for a particular application for which a particular application-specific firewall rule has been created; examining the extended attributes for the particular application-specific firewall rule, for determining what additional conditions the given end point must comply with in order to communicate with the particular application; if the given end point complies with the additional conditions, allowing the end point to communicate with the particular application; and otherwise blocking the end point to prevent communication with the particular application.

Citations

50 Claims

1. A method for controlling access to a particular application, the method comprising:
- defining firewall rules specifying filtering conditions for incoming network traffic, said firewall rules including an application attribute that allows individual rules to be associated with specific applications, said firewall rules also including extended attributes that allow specification of additional conditions that a given end point is required to meet;
  
  intercepting incoming network traffic destined for a particular application for which a particular application-specific firewall rule has been created;
  
  examining the extended attributes for said particular application-specific firewall rule, for determining what additional conditions the given end point must comply with in order to communicate with the particular application;
  
  if the given end point complies with said additional conditions, allowing the end point to communicate with the particular application; and
  
  otherwise blocking the end point to prevent communication with the particular application.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12)
- - 2. The method of claim 1, wherein said additional conditions includes a condition requiring the given end point to authenticate itself.
  - 3. The method of claim 1, wherein said additional conditions includes a condition requiring the given end point to encrypt its communication with the particular application.
  - 4. The method of claim 1, wherein said additional conditions includes a condition requiring the given end point to first verify compliance with an end point security policy.
  - 5. The method of claim 4, wherein said condition requiring the given end point to verify compliance with an end point security policy includes:
    - requiring the given end point to first register with a security policy management server, which provides an appropriate security policy that is enforced at the given end point.
  - 6. The method of claim 5, wherein said condition requiring the given end point to verify compliance with a security policy includes:
    - receiving a communication from the security policy management server indicating that the given end point complies with the appropriate security policy.
  - 7. The method of claim 1, wherein each firewall rule specifies a source, a destination, and a protocol.
  - 8. The method of claim 7, wherein each firewall rule specifies an action of Allow or Reject, wherein each action is associated with extended attributes specifying additional conditions that are applied in order to fulfill the firewall rule.
  - 9. The method of claim 1, wherein malicious network traffic destined for the particular application is blocked before ever reaching the particular application.
  - 10. The method of claim 1, wherein vulnerabilities of applications are blocked from exploitation by blocking malicious network traffic at a point before the network traffic has an opportunity to invoke code of applications.
  - 11. A computer-readable medium having processor-executable instructions for performing the method of claim 1.
  - 12. A downloadable set of processor-executable instructions for performing the method of claim 1.

13. A method for protecting a software program potentially having vulnerabilities from exploitation by malicious network traffic, the method comprising:
- creating a firewall that is able to monitor network traffic on a software program-specific basis, such that network traffic to a particular software program is monitored according to software program-specific rules that are specifically created for protecting that particular software program;
  
  monitoring incoming network traffic and intercepting any incoming network traffic that is determined to be destined for the particular software program;
  
  before allowing the network traffic to be received by the particular software program, determining whether the network traffic complies with the software program-specific rules that are applicable for protecting the particular software program;
  
  if the network traffic is determined to comply, allowing the network traffic to reach the particular software program; and
  
  otherwise blocking the network traffic at a point before the network traffic may invoke execution of program code of the particular software program.
- View Dependent Claims (14, 15, 16, 17, 18, 19, 20, 21, 22, 23, 24)
- - 14. The method of claim 13, wherein said vulnerabilities include susceptibility to a buffer overflow attack.
  - 15. The method of claim 13, wherein the software program-specific rules identify the particular software program based on the particular software program'"'"'s name.
  - 16. The method of claim 13, wherein the software program-specific rules include a rule that network traffic destined for the particular software program is only permitted from an end point that has first authenticated itself.
  - 17. The method of claim 13, wherein the software program-specific rules include a rule that network traffic destined for the particular software program is only permitted from an end point that has first verified that it complies with an end point security policy.
  - 18. The method of claim 17, wherein the software program-specific rules include a requirement that the end point first register with a security policy management server, which provides an appropriate security policy that is enforced at the end point.
  - 19. The method of claim 18, wherein the software program-specific rules include a requirement of separate verification from the security policy management server indicating that the end point complies with the appropriate security policy.
  - 20. The method of claim 13, wherein the software program-specific rules include a rule that network traffic destined for the particular software program is only permitted from an end point that will encrypt network traffic sent to the particular software program.
  - 21. The method of claim 13, wherein each software program-specific rule specifies a source, a destination, and a protocol, in addition to indicating a specific software program.
  - 22. The method of claim 21, wherein each software program-specific rule specifies an action of Allow or Reject, and wherein each action is associated with extended attributes specifying additional conditions that are applied in order to fulfill the rule.
  - 23. A computer-readable medium having processor-executable instructions for performing the method of claim 13.
  - 24. A downloadable set of processor-executable instructions for performing the method of claim 13.

25. An improved firewall system for controlling access to a particular application, the system comprising:
- a plurality of firewall rules specifying filtering conditions for incoming network traffic, including rules that include an application attribute that allows individual rules to be associated with specific applications, said firewall rules also including extended attributes that allow specification of additional conditions that a given end point is required to meet;
  
  a module for intercepting incoming network traffic destined for a particular application for which a particular application-specific firewall rule has been created;
  
  a module for examining the extended attributes for said particular application-specific firewall rule, for determining what additional conditions the given end point must comply with in order to communicate with the particular application; and
  
  a module for allowing the end point to communicate with the particular application only if the given end point complies with said additional conditions.
- View Dependent Claims (26, 27, 28, 29, 30, 31, 32, 33, 34)
- - 26. The system of claim 25, wherein said additional conditions includes a condition requiring the given end point to authenticate itself.
  - 27. The system of claim 25, wherein said additional conditions includes a condition requiring the given end point to encrypt its communication with the particular application.
  - 28. The system of claim 25, wherein said additional conditions includes a condition requiring the given end point to first verify compliance with an end point security policy.
  - 29. The system of claim 28, wherein said condition requiring the given end point to verify compliance with an end point security policy includes:
    - a module for requiring the given end point to first register with a security policy management server, which provides an appropriate security policy that is enforced at the given end point.
  - 30. The system of claim 29, wherein said condition requiring the given end point to verify compliance with a security policy includes a requirement that independent verification from the security policy management server must first be received indicating that the given end point complies with the appropriate security policy.
  - 31. The system of claim 25, wherein each firewall rule specifies a source, a destination, and a protocol.
  - 32. The system of claim 31, wherein each firewall rule specifies an action of Allow or Reject, wherein each action is associated with extended attributes specifying additional conditions that are applied in order to fulfill the firewall rule.
  - 33. The system of claim 25, wherein malicious network traffic bound for the particular application is blocked before ever reaching the particular application.
  - 34. The system of claim 25, wherein vulnerabilities of applications are blocked from exploitation, by blocking malicious network traffic at a point before the network traffic has an opportunity to invoke code of applications.

35. A firewall system providing application-specific protection against exploitation of vulnerabilities by malicious network traffic, the system comprising:
- a plurality of firewall rules for configuring the firewall system to monitor network traffic on an application-specific basis, such that network traffic to a particular software program is monitored according to rules specifically created for protecting that particular software program;
  
  a module for monitoring incoming network traffic and intercepting any incoming network traffic that is determined to be destined for the particular software program;
  
  a module for determining whether the network traffic complies with the application-specific rules that are applicable for protecting the particular software program before allowing the network traffic to be received by the particular software program; and
  
  a module for allowing the network traffic to reach the particular software program if the network traffic is determined to comply, and otherwise blocking any traffic that does not comply at a point before the network traffic may invoke execution of program code of the particular software program.
- View Dependent Claims (36, 37, 38, 39, 40, 41, 42, 43, 44)
- - 36. The system of claim 35, wherein said vulnerabilities include susceptibility to a buffer overflow attack.
  - 37. The system of claim 35, wherein said rules identify the particular software program based on the particular software program'"'"'s name.
  - 38. The system of claim 35, wherein said rules include a rule that network traffic destined for the particular software program is only permitted from an end point that has first authenticated itself.
  - 39. The system of claim 35, wherein said rules include a rule that network traffic destined for the particular software program is only permitted from an end point that has first verified that it complies with an end point security policy.
  - 40. The system of claim 39, wherein said rule requiring the end point to verify compliance with an end point security policy requires the end point to first register with a security policy management server, which provides an appropriate security policy that is enforced at the given end point.
  - 41. The system of claim 40, wherein the application-specific rules require independent verification from the security policy management server indicating that the end point complies with the appropriate security policy.
  - 42. The system of claim 35, wherein said rules include a rule that network traffic destined for the particular software program is only permitted from an end point that will encrypt network traffic sent to the particular software program.
  - 43. The system of claim 35, wherein each application-specific rule specifies a source, a destination, and a protocol, in addition to indicating a specific software program.
  - 44. The system of claim 43, wherein each application-specific rule specifies an action of Allow or Reject, wherein each action is associated with extended attributes specifying additional conditions that are applied in order to fulfill the rule.

45. A security system providing secured individual end points for end points that may connect to a server, the system comprising:
- means for monitoring network traffic at the server on a per-application basis, such that network traffic to a particular software program is monitored according to rules specifically created for protecting that particular software program;
  
  means, responsive to said means for monitoring, for negotiating security between the server and a particular end point attempting to communicate with the particular software program, for establishing that a given end point is a secured end point; and
  
  means for rejecting any incoming network packets that are determined to be destined for the particular software program and which originate from an end point that has not successfully completed negotiation with the server.
- View Dependent Claims (46, 47, 48, 49, 50)
- - 46. The system of claim 45, wherein the network packets that are rejected are blocked at a point before they may trigger execution of program code of the particular software program.
  - 47. The system of claim 45, wherein said secured end point is one that is authenticated.
  - 48. The system of claim 45, wherein said secured end point is one that is verified to have a desired security policy in place.
  - 49. The system of claim 48, further comprising:
    - an arbitration server that each end point must separately negotiate with, in order to obtain an appropriate security policy.
  - 50. The system of claim 45, wherein said secured end point is one that agrees to encrypt network packets sent to the particular software program.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Check Point Software Technologies Incorporated (Check Point Software Technologies Limited)
Original Assignee
Check Point Software Technologies Incorporated (Check Point Software Technologies Limited)
Inventors
Freund, Gregor P.

Granted Patent

US 8,136,149 B2
Time in Patent Office

Days
Field of Search
US Class Current

726/14
CPC Class Codes

H04L 63/0227   Filtering policies mail mes...

H04L 63/0428   wherein the data content is...

H04L 63/0823   using certificates cryptogr...

H04L 63/166   at the transport layer

H04L 63/20   for managing network securi...

Security System with Methodology Providing Verified Secured Individual End Points

First Claim

1 Assignment

0 Petitions

Accused Products

Abstract

Citations

50 Claims

Specification

Solutions

Use Cases

Quick Links

Security System with Methodology Providing Verified Secured Individual End Points

First Claim

1 Assignment

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

Citations

50 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links