Network security policy enforcement using application session information and object attributes
Abstract
A packet traversing on the computer network is received; session information is generated from the packet with the session information including a client network address and a server network address; the packet is associated with at least one object attribute from the directory by using the session information; and a security policy defined for the network environment is enforced by using the session information and the object attribute(s) to determine whether the packet violates the security policy.
70 Claims

1. A method for providing security on a networked environment having a directory service that maintains a directory of objects, and having at least one computer network through which a packet may traverse, the method comprising:
receiving a packet traversing on the computer network, said packet transmitted as part of an application session established between a client application and a server application;
generating session information from said packet, said session information including a client network address and a server network address;
associating said packet with an object from the directory using said session information, said object having at least one object attribute; and
enforcing a security policy defined for the network environment by using said session information and said at least one object attribute to determine whether said packet violates said security policy.

27. An apparatus for providing security on a networked environment having a directory service that maintains a directory of objects, and having at least one computer network through which a packet may traverse, the apparatus comprising:
a means for receiving a packet traversing on the computer network, said packet having a source network address, a source port ID, a destination network address, a destination port ID and a transport protocol type, and said packet transmitted as part of an application session established between a client application and a server application;
a means for associating said packet with an object from the directory;
a means for generating session information from said packet; and
a means for enforcing a security policy defined for the network environment, said means for enforcing using said session information and said object to determine whether said packet violates said security policy.

50. An apparatus for providing security on a networked environment having a directory service that maintains a directory of objects, and having at least one computer network through which a packet may traverse, the apparatus comprising:
a monitor that identifies an application session causing packets to traverse the networked environment, said monitor extracting said packets;
a collector that receives said packets from said monitor, creates a flow record from information obtained from said packets, and associates said flow record with a network object; and
wherein said collector regulates network usage of said network object using said network flow record.

The apparatus of claim 50, wherein:
said collector includes program code that enforces a network policy defined for said network object by using said flow record to determine whether said application session complies with said network policy; and
wherein said collector provides instructions to said monitor for dropping a selected set of packets from said packets if said program code determines that said flow record includes data in violation of said network policy.

61. The apparatus of claim 61, wherein:
said collector creates said association by extracting a user name and said network address from an event log entry maintained by an authentication service accessible on the networked environment;
selecting a network object having an attribute name matching said user name;
extracting at least one object attribute from said network object, said network object maintained in a directory service available on the networked environment; and
associating said at least one object attribute with said network address.
68. The apparatus of claim 68, wherein said metadata information is within an application program category and describes characteristics associated with an application program type.
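The enforcement flow the claims describe (packet to session information, address to user via an authentication event log, user to directory object and its attributes, attributes to a policy decision), as an added example that is not part of the patent or any product; the log format, directory entries, `group` attribute and policy table are constructed for illustration:

```python
# Added illustration of the claimed enforcement flow: packet -> session info ->
# directory object via an authentication event log -> policy decision.
# All log lines, directory entries and policy rules below are constructed samples.
from dataclasses import dataclass
import re

# Constructed authentication-service event log (user name <-> network address).
AUTH_LOG = [
    "2024-01-01T08:00:01 logon user=alice addr=10.0.0.5 result=success",
    "2024-01-01T08:00:07 logon user=bob addr=10.0.0.9 result=success",
    "2024-01-01T08:00:09 logon user=mallory addr=10.0.0.9 result=failure",
]
# Constructed directory objects keyed by their name attribute.
DIRECTORY = {
    "alice": {"name": "alice", "group": "finance"},
    "bob":   {"name": "bob",   "group": "engineering"},
}
# Constructed policy: per group attribute, the (server address, port) pairs allowed.
POLICY = {
    "finance":     {("10.1.0.10", 443)},
    "engineering": {("10.1.0.10", 443), ("10.1.0.20", 22)},
}

@dataclass(frozen=True)
class Session:
    client_addr: str
    server_addr: str
    server_port: int
    proto: str

def session_from_packet(pkt: dict) -> Session:
    """Build the flow record (session information) from one packet's headers."""
    return Session(pkt["src"], pkt["dst"], pkt["dport"], pkt["proto"])

def address_to_user(log: list) -> dict:
    """Map client address -> user name, taking successful logon events only."""
    pat = re.compile(r"user=(\S+) addr=(\S+) result=success")
    mapping = {}
    for line in log:
        m = pat.search(line)
        if m:
            mapping[m.group(2)] = m.group(1)  # a later logon overrides an earlier one
    return mapping

def evaluate(pkt: dict) -> str:
    """Return 'allow', 'deny' or 'unknown-object' for one packet."""
    s = session_from_packet(pkt)
    user = address_to_user(AUTH_LOG).get(s.client_addr)
    obj = DIRECTORY.get(user) if user else None
    if obj is None:
        return "unknown-object"  # no directory object for this address: fail closed
    allowed = POLICY.get(obj["group"], set())
    return "allow" if (s.server_addr, s.server_port) in allowed else "deny"
```

A packet whose client address has no successful logon in the log is treated as unassociated rather than allowed by default, which is the safe choice when the address-to-user mapping is stale.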