Network security policy enforcement using application session information and object attributes

US 20060236370A1
Filed: 05/24/2006
Published: 10/19/2006
Est. Priority Date: 02/26/2004
Status: Active Grant

First Claim

Patent Images

1. A method for providing security on a networked environment having a directory service that maintains a directory of objects, and having at least one computer network through which a packet may traverse, the method comprising:

receiving a packet traversing on the computer network, said packet transmitted as part of an application session established between a client application and a server application;

generating session information from said packet, said session information including a client network address, a server network address;

associating said packet with an object from the directory using said session information, said object having at least one object attribute; and

enforcing a security policy defined for the network environment by using said session information and said at least one object attribute to determine whether said packet violates said security policy.

View all claims

7 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

A packet traversing on the computer network is received; session information is generated from the packet with the session information including a client network address and a server network address; the packet is associated with at least one object attribute from the directory by using the session information; and a security policy defined for the network environment is enforced by using the session information and the object attribute(s) to determine whether the packet violates the security policy.

Citations

70 Claims

1. A method for providing security on a networked environment having a directory service that maintains a directory of objects, and having at least one computer network through which a packet may traverse, the method comprising:
- receiving a packet traversing on the computer network, said packet transmitted as part of an application session established between a client application and a server application;
  
  generating session information from said packet, said session information including a client network address, a server network address;
  
  associating said packet with an object from the directory using said session information, said object having at least one object attribute; and
  
  enforcing a security policy defined for the network environment by using said session information and said at least one object attribute to determine whether said packet violates said security policy.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13, 14, 15, 16, 17, 18, 19, 20, 21, 22, 23, 24, 25, 26)
- - 2. The method of claim 1, wherein said generating session information includes extracting a source network address, source port ID, a destination network address, a destination port ID and a transport protocol type from said packet.
  - 3. The method of claim 1, wherein said generating session information further includes:
    - extracting a source network address and a destination network address from said packet; and
      
      using said source network address as said server network address and said destination network address as said client network address if said source port ID is equivalent to a well-known or registered port ID and said packet is not a TCP SYN packet.
  - 4. The method of claim 1, wherein said generating session information further includes:
    - extracting a source network address and a destination network address from said packet; and
      
      using said destination network address as said server network address and said source network address as said client network address if said destination port ID is equivalent to a well-known or registered port ID and said packet is not a TCP SYN packet.
  - 5. The method of claim 1, wherein said generating session information further includes:
    - extracting a source network address and a destination network address from said packet; and
      
      using said source network address as said client network address and said destination network address as said server network address if said packet is a SYN packet.
  - 6. The method of claim 1, wherein said generating session information includes:
    - extracting a transport protocol type from said packet; and
      
      determining an application program type for said application session.
  - 7. The method of claim 6, wherein said determining an application program type includes:
    - extracting a source network address from said packet;
      
      determining whether said packet is a SYN packet, if said transport protocol type is TCP; and
      
      extracting a port ID from said packet if said port ID is equivalent to a well-known or registered port ID, and using said port ID to select an application program type based on well known or registered port numbers, if said transport protocol type is TCP and said packet is not a SYN packet.
  - 8. The method of claim 6, wherein said determining an application program type includes:
    - extracting a source network address;
      
      extracting a port ID from said packet if said port ID is equivalent to a well-known or registered port ID, and using said port ID to select an application program type based on well known or registered port numbers if said transport protocol type is UDP.
  - 9. The method of claim 6, wherein said generating session information further includes generating metadata from said packet.
  - 10. The method of claim 9, wherein said metadata includes data specific to said application session.
  - 11. The method of claim 9, wherein said application session is within a particular application program category and said metadata includes characteristics particular to said application program category.
  - 12. The method of claim 9, wherein said metadata information includes a file name of any data transferred by said packets from said application protocol session and a type for said data.
  - 13. The method of claim 9, wherein said metadata includes an Instant Messenger ID.
  - 14. The method of claim 9, wherein said associating said packet with an object includes selecting said object by matching said client network address with a network address having an association with said object.
  - 15. The method of claim 14, wherein said association is in the form of object attributes defined for said object, said object including a name attribute, group ID attribute or organizational ID attribute.
  - 16. The method of claim 15, further including:
    - creating said association by extracting a user name and said network address from an event log entry maintained by an authentication service accessible on the networked environment;
      
      selecting an object having an attribute name matching said user name;
      
      extracting at least one object attribute from said object, said object maintained by a directory service available on the networked environment; and
      
      associating said at least one object attribute with said network address.
  - 17. The method of claim 15, further including:
    - creating said association by extracting a user ID and said network address from an authentication packet traversing on the networked environment;
      
      selecting an object having an attribute name matching said user ID;
      
      extracting at least one object attribute from said object, said object maintained by a directory service available on the networked environment; and
      
      associating said at least one object attribute with said network address.
  - 18. The method of claim 17, further including verifying said network address by determining whether said network object is logged onto to a computing device assigned with said network address on the networked environment.
  - 19. The method of claim 1, wherein said using said session information and said object to determine whether said packet violates said security policy includes using a name attribute, group ID attribute or organizational ID attribute obtained from said object.
  - 20. The method of claim 1, wherein said enforcing includes dropping said packet if said packet violates said security network policy.
  - 21. The method of claim 20, wherein said packet violates said security policy if said session information includes a particular application protocol session type.
  - 22. The method of claim 1, wherein said enforcing includes reporting said application session.
  - 23. The method of claim 1, wherein said packet violates said security policy if said session information includes a particular type of metadata.
  - 24. The method of claim 1, wherein said packet violates said security policy if said session information includes metadata that matches particular data content.
  - 25. The method of claim 1, wherein said packet violates said security policy if said session information includes a selected source address.
  - 26. The method of claim 1, wherein said packet violates said security policy if said session information includes a selected destination address.

27. An apparatus for providing security on a networked environment having a directory service that maintains a directory of objects, and having at least one computer network through which a packet may traverse, the apparatus comprising:
- a means for receiving a packet traversing on the computer network, said packet having source network address, a source port ID, a destination network address, a destination port ID and a transport protocol type and said packet transmitted as part of an application session established between a client application and a server application;
  
  a means for associating said packet with an object from the directory;
  
  a means for generating session information from said packet; and
  
  a means for enforcing a security policy defined for the network environment, said means for enforcing using said session information and said object to determine whether said packet violates said security policy.
- View Dependent Claims (28, 29, 30, 31, 32, 33, 34, 35, 36, 37, 38, 39, 40, 41, 42, 43, 44, 45, 46, 47, 48, 49)
- - 28. The apparatus of claim 27, wherein said session information includes a client network address, said source port ID, a server network address and said destination port ID, and an application protocol type.
  - 29. The apparatus of claim 28, wherein said means for generating session information selects said source network address as said server network address and said client network address as said destination network address if said source port ID is equivalent to a well-known or registered port ID and said packet is not a TCP SYN packet.
  - 30. The method of claim 28, wherein said means for generating session information selects said destination network address as said server network address and said source network address as said client network address if said destination port ID is equivalent to a well-known or registered port ID and said packet is not a TCP SYN packet.
  - 31. The method of claim 28, wherein said means for generating session information selects said source network address as said client network address and said destination network address as said server network address if said packet is a SYN packet.
  - 32. The apparatus of claim 27, wherein said means for generating session information generates metadata from data within a data field of said packet if said data is found in said data field.
  - 33. The apparatus of claim 32, wherein said metadata includes data specific to said application session.
  - 34. The apparatus of claim 32, wherein said application session is within a particular application program category and said metadata includes characteristics particular to said application program category.
  - 35. The apparatus of claim 32, wherein said metadata information includes a file name of any data transferred by said packets from said application protocol session and a type for said data.
  - 36. The apparatus of claim 32, wherein said metadata information includes data transferred by said packets from said application protocol session, a type for said data and an Instant Messenger ID.
  - 37. The apparatus of claim 32, wherein said means for associating a packet with an object includes a means for selecting said object by matching said client network address with a network address having an association with said object.
  - 38. The apparatus of claim 37, wherein said association is in the form of object attributes defined for said object, said object including a name attribute, group ID attribute or organizational ID attribute.
  - 39. The apparatus of claim 38, further including:
    - means for creating said association by extracting a user name and said network address from an event log entry maintained by an authentication service accessible on the networked environment;
      
      means for selecting an object having an attribute name matching said user name;
      
      means for extracting at least one object attribute from said object, said object maintained by a directory service available on the networked environment; and
      
      means for associating said at least one object attribute with said network address.
  - 40. The apparatus of claim 38, further including:
    - means for creating said association by extracting a user ID and said network address from an authentication packet traversing on the networked environment;
      
      means for selecting an object having an attribute name matching said user ID;
      
      means extracting at least one object attribute from said object, said object maintained by a directory service available on the networked environment; and
      
      means for associating said at least one object attribute with said network address.
  - 41. The apparatus of claim 40, further including a means for verifying said network address by determining whether said network object is logged onto to a computing device assigned with said network address on the networked environment.
  - 42. The apparatus of claim 27, wherein said object includes a name attribute, group ID attribute or organizational ID attribute obtained from said object when said.
  - 43. The apparatus of claim 27, wherein said means for enforcing drops said packet if said packet violates said security network policy.
  - 44. The apparatus of claim 43, wherein said packet violates said security policy if said session information includes a particular application protocol session type.
  - 45. The apparatus of claim 27, wherein said means for enforcing includes reporting said application session.
  - 46. The apparatus of claim 27, wherein said packet violates said security policy if said session information includes a particular type of metadata.
  - 47. The apparatus of claim 27, wherein said packet violates said security policy if said session information includes metadata that matches particular data content.
  - 48. The apparatus of claim 27, wherein said packet violates said security policy if said session information includes a particular source address.
  - 49. The apparatus of claim 27, wherein said packet violates said security policy if said session information includes a particular destination address.

50. An apparatus for providing security on a networked environment having a directory service that maintains a directory of objects, and having at least one computer network through which a packet may traverse, the apparatus comprising:
- a monitor that identifies an application session causing packets to traverse the networked environment, said monitor extracting said packets;
  
  a collector that receives said packets from said monitor, creates a flow record from information obtained from said packets, and associates said flow record with a network object; and
  
  wherein said collector regulates network usage of said network object using said network flow record. The apparatus of claim 50, wherein;
  
  said collector includes program code that enforces a network policy defined for said network object by using said flow record to determine whether said application session complies with said network policy; and
  
  wherein said collector provides instructions to said monitor for dropping a selected set of packet from said packets if said program code determines that said flow record includes data in violation of said network policy.
- View Dependent Claims (51, 52, 53, 54, 55, 56, 57, 58, 59, 60, 64, 65, 66, 67, 69, 70)
- - 51. The apparatus of claim 50, wherein said program code determines that said flow record violates said network policy if said program code determines that said packets indicate that said application session is within a selected application program category.
  - 52. The apparatus of claim 51, wherein said monitor drops said selected set of packets if said application session is of a selected application program type.
  - 53. The apparatus of claim 50, wherein said monitor drops said selected set of packets if said selected set of packets have content matching a selected data type.
  - 54. The apparatus of claim 50, wherein said monitor drops said selected set of packets if said selected set of packets have content matching a selected data content.
  - 55. The apparatus of claim 50, wherein said monitor drops said selected set of packets if said selected set of packets have content matching a selected source address.
  - 56. The apparatus of claim 50, wherein said monitor drops said selected set of packets if said selected set of packets have content matching a selected destination address.
  - 57. The apparatus of claim 50, wherein said information includes data used by said application session.
  - 58. The apparatus of claim 50, wherein said information includes data having known protocol encoding associated with at least one certain application program type.
  - 59. The apparatus of claim 50, wherein:
    - said information includes a client source address; and
      
      said collector associates said network flow with said network object by matching said client source address with a network address having an association with said network object.
  - 60. The apparatus of claim 59, wherein said association is in the form of object attributes defined for said network object, said object attributes including a name attribute, group ID attribute or organizational ID attribute.
  - 64. The apparatus of claim 50, wherein said regulation of said network usage further includes said monitor dropping a selected number of packets from said packets according to a network policy defined for the networked environment.
  - 65. The apparatus of claim 50, wherein said regulation of said network usage further includes said monitor dropping a selected number of packets from said packets if said packets carry data equivalent to said metadata information selected by said network policy for enforcement.
  - 66. The apparatus of claim 50, wherein said information includes metadata information.
  - 67. The apparatus of claim 66, wherein said metadata information is specific to an application program type and describes characteristics associated with application program type.
  - 69. The apparatus of claim 67, wherein said metadata information includes a file name of data transferred by said packets during said application session and a type.
  - 70. The apparatus of claim 67, wherein said metadata information includes an Instant Messenger ID.

61. The apparatus of claim 61, wherein:
- said collector creates said association by extracting a user name and said network address from an event log entry maintained by an authentication service accessible on the networked environment;
  
  selecting a network object having an attribute name matching said user name;
  
  extracting at least one object attribute from said network object, said network object maintained in a directory service available on the networked environment; and
  
  associating said at least one object attribute with said network address.
- View Dependent Claims (62, 63)
- - 62. The apparatus of claim 61, wherein:
    - said collector creates said association by extracting a user ID and said network address from an authentication packet traversing on the networked environment;
      
      selecting a network object having an attribute name matching said user ID;
      
      extracting at least one object attribute from said network object, said network object maintained in a directory service available on the networked environment; and
      
      associating said at least one object attribute with said network address.
  - 63. The apparatus of claim 61, wherein said collector verifies said network address by determining whether said network object is logged onto to a computing device assigned with said network address on the networked environment.

68. The apparatus of claim 68, wherein said metadata information is within an application program category and describes characteristics associated with an application program type.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Vmware LLC (Broadcom, Inc.)
Original Assignee
PacketMotion Incorporated (Broadcom, Inc.)
Inventors
John, Pramond, Fong, Rendell Koon Gum, Chang, Ai-Lan, Lassig, Daniel J., Jee, Emmanuel W.

Granted Patent

US 8,214,875 B2
Time in Patent Office

Days
Field of Search
US Class Current

726/1
CPC Class Codes

G06F 11/30   Monitoring

H04L 2101/663   Transport layer addresses, ...

H04L 61/00   Network arrangements, proto...

H04L 61/4511   using domain name system [DNS]

H04L 61/4523   using lightweight directory...

H04L 63/102   Entity profiles

H04L 63/105   Multiple levels of security

H04L 67/146   Markers for unambiguous ide...

Network security policy enforcement using application session information and object attributes

First Claim

7 Assignments

0 Petitions

Accused Products

Abstract

Citations

70 Claims

Specification

Solutions

Use Cases

Quick Links

Network security policy enforcement using application session information and object attributes

First Claim

7 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

Citations

70 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links