Distributed traffic scanning through data stream security tagging

US 20060156401A1
Filed: 01/12/2005
Published: 07/13/2006
Est. Priority Date: 01/12/2005
Status: Active Grant

First Claim

Patent Images

1. A method for data security scanning in a network, comprising:

acquiring a security policy of a network for network traffic being transmitted from outside the network to a destination network device;

ascertaining, based on the security policy, mandatory security technologies required to be applied to the network traffic; and

determining, based on a security marker associated with the network traffic, mandatory security technologies that are not yet applied to the network traffic.

View all claims

7 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

Methods and systems for providing data security scanning in a network. A network device ascertains, based on a network'"'"'s security policy, security technologies that are should or must be applied to the network traffic. The network device applies the not yet applied security technologies, based on a determination that the not yet applied security technologies are available to the network device. Next, the network device tags the network traffic with a security marker indicating the not yet applied security technologies as applied to reflect the security technologies applied to the network traffic.

28 Citations

View as Search Results

84 Claims

1. A method for data security scanning in a network, comprising:
- acquiring a security policy of a network for network traffic being transmitted from outside the network to a destination network device;
  
  ascertaining, based on the security policy, mandatory security technologies required to be applied to the network traffic; and
  
  determining, based on a security marker associated with the network traffic, mandatory security technologies that are not yet applied to the network traffic.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8)
- - 2. The method of claim 1, further comprising:
    - applying, by a security device on the network, at least one mandatory security technology of the not yet applied mandatory security technologies, based on a determination that the at least one mandatory technology are available to the security device; and
      
      indicating with a security marker in the network traffic the at least one mandatory security technology applied to the network traffic.
  - 3. The method of claim 1, wherein acquiring comprises acquiring a security policy of a network by a perimeter security device on the perimeter of the network.
  - 4. The method of claim 1, wherein ascertaining further comprises:
    - verifying the integrity of the security policy.
  - 5. The method of claim 1, wherein ascertaining further comprises:
    - verifying the authenticity of the security policy.
  - 6. The method of claim 1, wherein determining comprises receiving a digitally signed security marker.
  - 7. The method of claim 6, wherein determining comprises:
    - verifying the integrity of the security marker.
  - 8. The method of claim 7, wherein determining comprises:
    - verifying the authenticity of the digital signature associated with the security marker.

9. A system for data security scanning in a network, comprising:
- means for acquiring a security policy of a network for network traffic being transmitted from outside the network to a destination network device;
  
  means for ascertaining, based on the security policy, mandatory security technologies required to be applied to the network traffic; and
  
  means for determining, based on a security marker associated with the network traffic, mandatory security technologies that are not yet applied to the network traffic.
- View Dependent Claims (10, 11, 12, 13, 14, 15, 16)
- - 10. The system of claim 9, further comprising:
    - means for applying, by a security device on the network, at least one mandatory security technology of the not yet applied mandatory security technologies, based on a determination that the at least one mandatory technology are available to the security device; and
      
      means for indicating with a security marker in the network traffic the at least one mandatory security technology applied to the network traffic.
  - 11. The system of claim 9, wherein the means for acquiring comprises means for acquiring a security policy of a network by a perimeter security device on the perimeter of the network.
  - 12. The system of claim 9, wherein the means for ascertaining further comprises:
    - means for verifying the integrity of the security policy.
  - 13. The system of claim 9, wherein the means for ascertaining further comprises:
    - means for verifying the authenticity of the security policy.
  - 14. The system of claim 9, wherein the means for determining comprises means for receiving a digitally signed security marker.
  - 15. The system of claim 14, wherein the means for determining comprises:
    - means for verifying the integrity of the security marker.
  - 16. The system of claim 15, wherein the means for determining comprises:
    - means for verifying the authenticity of the digital signature associated with the security marker.

17. A system for data security scanning in a network, comprising:
- a first network device for acquiring a security policy of a network for network traffic being transmitted from outside the network to a destination network device;
  
  a second network device for ascertaining, based on the security policy, mandatory security technologies required to be applied to the network traffic; and
  
  a third network device for determining, based on a security marker associated with the network traffic, mandatory security technologies that are not yet applied to the network traffic.
- View Dependent Claims (18, 19, 20, 21, 22, 23, 24)
- - 18. The system of claim 17, further comprising:
    - a security device for applying at least one mandatory security technology of the not yet applied mandatory security technologies, based on a determination that the at least one mandatory technology are available to the security device, wherein the security device indicates with a security marker in the network traffic the at least one mandatory security technology applied to the network traffic.
  - 19. The system of claim 17, wherein the first network device comprises a perimeter security device for acquiring a security policy of a network.
  - 20. The system of claim 17, wherein the second network device further comprises:
    - a processor for verifying the integrity of the security policy.
  - 21. The system of claim 17, wherein the means for ascertaining further comprises:
    - a processor for verifying the authenticity of the security policy.
  - 22. The system of claim 17, wherein the third network device comprises a processor for receiving a digitally signed security marker.
  - 23. The system of claim 22, wherein the third network device comprises:
    - a processor for verifying the integrity of the security marker.
  - 24. The system of claim 23, wherein the third network device comprises:
    - a processor for verifying the authenticity of the digital signature associated with the security marker.

25. A system for data security scanning in a network, comprising:
- a processor; and
  
  a memory, wherein the processor and the memory are configured to perform a method comprising;
  
  acquiring a security policy of a network for network traffic being transmitted from outside the network to a destination network device;
  
  ascertaining, based on the security policy, mandatory security technologies required to be applied to the network traffic; and
  
  determining, based on a security marker associated with the network traffic, mandatory security technologies that are not yet applied to the network traffic.
- View Dependent Claims (26, 27, 28, 29, 30, 31)
- - 26. The system of claim 25, wherein the processor and the memory are further configured to perform the method comprising:
    - applying at least one mandatory security technology of the not yet applied mandatory security technologies, based on a determination that the at least one mandatory technology are available to the processor; and
      
      indicating with a security marker in the network traffic the at least one mandatory security technology applied to the network traffic.
  - 27. The system of claim 25, wherein ascertaining further comprises:
    - verifying the integrity of the security policy.
  - 28. The system of claim 25, wherein ascertaining further comprises:
    - verifying the authenticity of the security policy.
  - 29. The system of claim 25, wherein determining comprises receiving a digitally signed security marker.
  - 30. The system of claim 29, wherein determining comprises:
    - verifying the integrity of the security marker.
  - 31. The method of claim 30, wherein determining comprises:
    - verifying the authenticity of the digital signature associated with the security marker.

32. A computer-readable medium containing instructions for performing a method for data security scanning in a network, the method comprising:
- acquiring a security policy of a network for network traffic being transmitted from outside the network to a destination network device;
  
  ascertaining, based on the security policy, mandatory security technologies required to be applied to the network traffic; and
  
  determining, based on a security marker associated with the network traffic, mandatory security technologies that are not yet applied to the network traffic.
- View Dependent Claims (33, 34, 35, 36, 37, 38, 39)
- - 33. The computer-readable medium of claim 32, wherein the method further comprises:
    - applying, by a security device on the network, at least one mandatory security technology of the not yet applied mandatory security technologies, based on a determination that the at least one mandatory technology are available to the security device; and
      
      indicating with a security marker in the network traffic the at least one mandatory security technology applied to the network traffic.
  - 34. The computer-readable medium of claim 32, wherein acquiring comprises acquiring a security policy of a network by a perimeter security device on the perimeter of the network.
  - 35. The computer-readable medium of claim 32, wherein ascertaining further comprises:
    - verifying the integrity of the security policy.
  - 36. The computer-readable medium of claim 32, wherein ascertaining further comprises:
    - verifying the authenticity of the security policy.
  - 37. The computer-readable medium of claim 32, wherein determining comprises receiving a digitally signed security marker.
  - 38. The computer-readable medium of claim 37, wherein determining comprises:
    - verifying the integrity of the security marker.
  - 39. The computer-readable medium of claim 38, wherein determining comprises:
    - verifying the authenticity of the digital signature associated with the security marker.

40. A method for data security scanning in a network, comprising:
- acquiring a security policy of a network for network traffic being transmitted from outside the network to a destination network device;
  
  ascertaining, based on the security policy, mandatory security technologies required to be applied to the network traffic;
  
  determining, based on a security marker associated with the network traffic, mandatory security technologies that are not yet applied to the network traffic; and
  
  determining whether the mandatory security technologies that have not been applied to the network traffic are available to the destination network device.
- View Dependent Claims (41, 42)
- - 41. The method of claim 40, further comprising:
    - applying, by the destination network device, the mandatory security technologies that have not been applied to the network traffic, based on a determination that the mandatory security technologies that have not been applied to the network traffic are available to the destination network device.
  - 42. The method of claim 40, further comprising:
    - rejecting the network traffic by the destination network device, based on a determination that the mandatory security technologies that have not been applied to the network traffic are not available to the destination network device.

43. A system for data security scanning in a network, comprising:
- means for acquiring a security policy of a network for network traffic being transmitted from outside the network to a destination network device;
  
  means for ascertaining, based on the security policy, mandatory security technologies required to be applied to the network traffic;
  
  means for determining, based on a security marker associated with the network traffic, mandatory security technologies that are not yet applied to the network traffic; and
  
  means for determining whether the mandatory security technologies that have not been applied to the network traffic are available to the destination network device.
- View Dependent Claims (44, 45)
- - 44. The system of claim 43, further comprising:
    - means for applying, by the destination network device, the mandatory security technologies that have not been applied to the network traffic, based on a determination that the mandatory security technologies that have not been applied to the network traffic are available to the destination network device.
  - 45. The system of claim 43, further comprising:
    - means for rejecting the network traffic by the destination network device, based on a determination that the mandatory security technologies that have not been applied to the network traffic are not available to the destination network device.

46. A method for data security scanning in a network, comprising:
- receiving a request from a destination network device for network traffic from outside a network;
  
  acquiring a security policy of the network for network traffic being transmitted from outside the network to the destination network device;
  
  ascertaining, based on the security policy, mandatory security technologies that are required to be applied to the network traffic; and
  
  sending a query to at least one network device located on an intended path of the network traffic to the destination network device, the query soliciting an assistance offer from the at least one network device for assistance in applying the mandatory security technologies.
- View Dependent Claims (47, 48, 49, 50, 51, 52, 53, 54, 55)
- - 47. The method of claim 46, further comprising:
    - transmitting the network traffic, without applying security technologies, along the intended path of the network traffic to the destination device, based on a determination from the assistance offer that at least one network device has volunteered to apply the mandatory security technologies.
  - 48. The method of claim 46, further comprising:
    - transmitting the network traffic, without applying security technologies, along the intended path of the network traffic to the destination device, based on a determination that the destination network device is configured to reject unsecured network traffic, wherein the unsecured network traffic is network traffic that has not been scanned with the mandatory security technologies.
  - 49. The method of claim 46, wherein sending comprises sending the query based on a determination of the size of the network traffic.
  - 50. The method of claim 46, wherein receiving comprises receiving by a perimeter security device on the perimeter of the network.
  - 51. The method of claim 46, wherein ascertaining further comprises:
    - verifying the integrity of the security policy.
  - 52. The method of claim 46, wherein ascertaining further comprises:
    - verifying the authenticity of the security policy.
  - 53. The method of claim 47, wherein the at least one network device digitally signs the assistance offer.
  - 54. The method of claim 53, wherein transmitting further comprises:
    - verifying the integrity of the assistance offer.
  - 55. The method of claim 54, wherein transmitting further comprises:
    - verifying the authenticity of one or more digital signatures associated with the assistance offer.

56. A system for data security scanning in a network, comprising:
- means for receiving a request from a destination network device for network traffic from outside a network;
  
  means for acquiring a security policy of the network for network traffic being transmitted from outside the network to the destination network device;
  
  means for ascertaining, based on the security policy, mandatory security technologies that are required to be applied to the network traffic; and
  
  means for sending a query to at least one network device located on an intended path of the network traffic to the destination network device, the query soliciting an assistance offer from the at least one network device for assistance in applying the mandatory security technologies.
- View Dependent Claims (57, 58, 59, 60, 61, 62, 63, 64, 65)
- - 57. The system of claim 56, further comprising:
    - means for transmitting the network traffic, without applying security technologies, along the intended path of the network traffic to the destination device, based on a determination from the assistance offer that at least one network device has volunteered to apply the mandatory security technologies.
  - 58. The system of claim 56, further comprising:
    - means for transmitting the network traffic, without applying security technologies, along the intended path of the network traffic to the destination device, based on a determination that the destination network device is configured to reject unsecured network traffic, wherein the unsecured network traffic is network traffic that has not been scanned with the mandatory security technologies.
  - 59. The system of claim 56, wherein the means for sending comprises means for sending the query based on a determination of the size of the network traffic.
  - 60. The system of claim 56, wherein the means for receiving comprises means for receiving by a perimeter security device on the perimeter of the network.
  - 61. The system of claim 56, wherein the means for ascertaining further comprises:
    - means for verifying the integrity of the security policy.
  - 62. The system of claim 56, wherein the means for ascertaining further comprises:
    - means for verifying the authenticity of the security policy.
  - 63. The system of claim 57, wherein the at least one network device digitally signs the assistance offer.
  - 64. The system of claim 63, wherein the means for transmitting further comprises:
    - means for verifying the integrity of the assistance offer.
  - 65. The system of claim 64, wherein the means for transmitting further comprises:
    - means for verifying the authenticity of one or more digital signatures associated with the assistance offer.

66. A system for data security scanning in a network, comprising:
- a processor; and
  
  a memory, wherein the processor and the memory are configured to perform a method comprising;
  
  receiving a request from a destination network device for network traffic from outside a network;
  
  acquiring a security policy of the network for network traffic being transmitted from outside the network to the destination network device;
  
  ascertaining, based on the security policy, mandatory security technologies that are required to be applied to the network traffic; and
  
  sending a query to at least one network device located on an intended path of the network traffic to the destination network device, the query soliciting an assistance offer from the at least one network device for assistance in applying the mandatory security technologies.
- View Dependent Claims (67, 68, 69, 70, 71, 72, 73, 74)
- - 67. The system of claim 66, wherein the processor and the memory are further configured to perform the method comprising:
    - transmitting the network traffic, without applying security technologies, along the intended path of the network traffic to the destination device, based on a determination from the assistance offer that at least one network device has volunteered to apply the mandatory security technologies.
  - 68. The system of claim 66, wherein the processor and the memory are further configured to perform the method comprising:
    - transmitting the network traffic, without applying security technologies, along the intended path of the network traffic to the destination device, based on a determination that the destination network device is configured to reject unsecured network traffic, wherein the unsecured network traffic is network traffic that has not been scanned with the mandatory security technologies.
  - 69. The system of claim 66, wherein sending comprises sending the query based on a determination of the size of the network traffic.
  - 70. The system of claim 66, wherein ascertaining further comprises:
    - verifying the integrity of the security policy.
  - 71. The system of claim 66, wherein ascertaining further comprises:
    - verifying the authenticity of the security policy.
  - 72. The system of claim 67, wherein the at least one network device digitally signs the assistance offer.
  - 73. The system of claim 72, wherein transmitting further comprises:
    - verifying the integrity of the assistance offer.
  - 74. The system of claim 73, wherein transmitting further comprises:
    - verifying the authenticity of one or more digital signatures associated with the assistance offer.

75. A computer-readable medium containing instructions for performing a method for data security scanning in a network, the method comprising:
- receiving a request from a destination network device for network traffic from outside a network;
  
  acquiring a security policy of the network for network traffic being transmitted from outside the network to the destination network device;
  
  ascertaining, based on the security policy, mandatory security technologies that are required to be applied to the network traffic; and
  
  sending a query to at least one network device located on an intended path of the network traffic to the destination network device, the query soliciting an assistance offer from the at least one network device for assistance in applying the mandatory security technologies.
- View Dependent Claims (76, 77, 78, 79, 80, 81, 82, 83, 84)
- - 76. The computer-readable medium of claim 75, wherein the method further comprises:
    - transmitting the network traffic, without applying security technologies, along the intended path of the network traffic to the destination device, based on a determination from the assistance offer that at least one network device has volunteered to apply the mandatory security technologies.
  - 77. The computer-readable medium of claim 75, wherein the method further comprises:
    - transmitting the network traffic, without applying security technologies, along the intended path of the network traffic to the destination device, based on a determination that the destination network device is configured to reject unsecured network traffic, wherein the unsecured network traffic is network traffic that has not been scanned with the mandatory security technologies.
  - 78. The computer-readable medium of claim 75, wherein sending comprises sending the query based on a determination of the size of the network traffic.
  - 79. The computer-readable medium of claim 75, wherein receiving comprises receiving by a perimeter security device on the perimeter of the network.
  - 80. The computer-readable medium of claim 75, wherein ascertaining further comprises:
    - verifying the integrity of the security policy.
  - 81. The computer-readable medium of claim 75, wherein ascertaining further comprises:
    - verifying the authenticity of the security policy.
  - 82. The computer-readable medium of claim 76, wherein the at least one network device digitally signs the assistance offer.
  - 83. The computer-readable medium of claim 82, wherein transmitting further comprises:
    - verifying the integrity of the assistance offer.
  - 84. The computer-readable medium of claim 83, wherein transmitting further comprises:
    - verifying the authenticity of one or more digital signatures associated with the assistance offer.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Gen Digital Inc.
Original Assignee
Symantec Limited (Gen Digital Inc.)
Inventors
Gauvin, William J., Lin, David T., Newstadt, Keith G.

Granted Patent

US 7,620,974 B2
Time in Patent Office

Days
Field of Search
US Class Current

726/22
CPC Class Codes

H04L 63/126 the source of the received ...

H04L 63/1408 by monitoring network traff...

Distributed traffic scanning through data stream security tagging

First Claim

7 Assignments

0 Petitions

Accused Products

Abstract

28 Citations

84 Claims

Specification

Solutions

Use Cases

Quick Links

Distributed traffic scanning through data stream security tagging

First Claim

7 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

28 Citations

84 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links