SYSTEM AND METHOD FOR USING VARIABLE SECURITY TAG LOCATION IN NETWORK COMMUNICATIONS

US 20090144818A1
Filed: 11/10/2008
Published: 06/04/2009
Est. Priority Date: 11/10/2008
Status: Active Grant

First Claim

Patent Images

1. A method for processing a security tag in each packet of a packetized communication, the packets being transmitted to a receiving node in a network, the security tag including information relating to at least a user, the method comprising the steps of:

selecting at least one placement location among a plurality of locations to embed the security tag in each packet of the packetized communication;

receiving, at the receiving node, each packet of the packetized communication, each packet having the security tag embedded at the selected placement location;

authenticating, at the receiving node, the embedded security tag in each packet; and

if a respective packet of the packetized communication is received by the receiving node without the security tag embedded in the selected placement location, preventing access by the respective packet which does not have the security tag embedded in the selected placement location to a secured resource.

View all claims

9 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

A method of packet security management to ensure a secure connection from one network node to another. The method includes creating a security tag for each packet in a network session, selecting one of a number of possible tag locations within the packet, inserting the security tag at that location, transmitting the tagged packets from a sending node to the receiving node, authenticating the packets'"'"' security tags at the receiving node, and dropping non-authenticated packets. The method also includes determining best possible tag locations when sending a packet and locating a security tag when receiving a packet.

Citations

21 Claims

1. A method for processing a security tag in each packet of a packetized communication, the packets being transmitted to a receiving node in a network, the security tag including information relating to at least a user, the method comprising the steps of:
- selecting at least one placement location among a plurality of locations to embed the security tag in each packet of the packetized communication;
  
  receiving, at the receiving node, each packet of the packetized communication, each packet having the security tag embedded at the selected placement location;
  
  authenticating, at the receiving node, the embedded security tag in each packet; and
  
  if a respective packet of the packetized communication is received by the receiving node without the security tag embedded in the selected placement location, preventing access by the respective packet which does not have the security tag embedded in the selected placement location to a secured resource.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10)
- - 2. The method according to claim 1, wherein the authenticating of the security tag in each packet of the packetized communication includes:
    - if a location placement message had been sent by the receiving node, checking a location in each packet of the packetized communication indicated by the location placement message for the security tag; and
      
      determining if the security tag at the checked location is authentic.
  - 3. The method according to claim 1, wherein the authenticating of the security tag in each packet of the packetized communication includes:
    - if the receiving node had not previously specify a fixed tag location, or if the receiving node is unable to locate the security tag in the fixed tag location, checking, by the receiving node, a size of one or both of;
      
      (1) an IP option field;
      
      or (2) a TCP option field of the respective packet of the packetized communication;
      
      if the size of the IP option field or the TCP option field for the respective packet is greater than or equal to a size of the security tag embedded in the respective packet, determining for the option field or fields that are greater than or equal to the size of the security tag, if the security tag is embedded in the IP option field or TCP option field;
      
      if the security tag is embedded in either the IP option field or the TCP option field, determining for each packet of the packetized communication if the security tag in the determined option field is authentic.
  - 4. The method according to claim 3, wherein the authenticating of the security tag in each packet of the packetized communication further includes:
    - if the size of the IP option field and the TCP option field for the respective packet is less than the size of the security tag, checking a beginning and an ending of a payload field of the respective packet to determine whether the security tag is located therein; and
      
      if the security tag is located in the beginning or the end of the payload field of the respective packet, determine for each packet of the packetized communication if the located security tag is authentic.
  - 5. The method according to claim 1, wherein the authenticating of the security tag in each packet of the packetized communication includes:
    - quarantining each packet associated with an unauthenticated security tag; and
      
      sending each packet associated with the unauthenticated security tag for analysis.
  - 6. The method according to claim 1, further comprising:
    - passing, by the receiving node, each packet of the packet communication that is authenticated to the secured resource on the network.
  - 7. The method according to claim 1, wherein the step of dropping the respective packet includes, if the security tag in the respective packet is not authenticated, preventing access by the respective packet having the security tag which is not authenticated to a secured resource.
  - 8. The method according to claim 1, wherein the step of selecting the at least one placement location includes the steps of:
    - storing, in the receiving node, tag placement information based on network conditions that affect selection of the placement location of the security tag in accordance with address ranges of nodes in the network;
      
      sending, by the receiving node to the sending node, the tag placement information indicating the network conditions that affect the selection of the placement location; and
      
      establishing, by a sending node, the at least one placement location for each packet of the packetized communication based on the tag placement information associated with an address of the sending node.
  - 9. The method according to claim 1, wherein the step of selecting the at least one placement location includes the steps of:
    - establishing, by the receiving node, the at least one placement location; and
      
      transmitting, by the receiving node, a placement message indicating the at least one placement location of the security tag in each of the packetized communication packet.
  - 10. The method according to claim 1, wherein the step of selecting the at least one placement location further includes:
    - receiving, by the receiving node from a sending node, a test packet having a plurality of security tags embedded in predetermined placement locations;
      
      choosing, by the receiving node, one or more locations corresponding to one or more of the predetermined placement locations in the test packet where the security tags are to be embedded in each packet of the packetized communication; and
      
      sending a placement message, from the receiving node to the sending node, that indicates the at least one placement location according to the chosen one or more predetermined placement locations.

11. A method for processing a security tag in each packet of a packetized communication, the packets being transmitted from a sending node in a network, the security tag including information relating to at least a user, the method comprising the steps of:
- selecting at least one placement location among a plurality of placement locations to embed the security tag in each packet of the packetized communication;
  
  inserting, by the sending node, the security tag at the selected at least one placement location for each packet of the packetized communication, as a tagged packet; and
  
  transmitting, by the sending node, each tagged packet.
- View Dependent Claims (12, 13)
- - 12. The method according to claim 11, wherein:
    - the step of selecting the at least one placement location includes the step of receiving, by the sending node, a placement message indicating one or more placement locations among the plurality of placement locations to insert the security tag; and
      
      the step of inserting the security tag at the selected at least one placement location includes inserting the security tag in each tagged packet at the one or more placement locations indicated in the placement message.
  - 13. The method according to claim 11, wherein the step of selecting the at least one placement location to embed the security tags includes:
    - establishing the at least one placement location as being in one or more of;
      
      (1) a transport payload portion of each packet;
      
      (2) a TCP option portion of each packet;
      
      or (3) an IP option portion of each packet.

14. A method for processing a security tag embedded in a plurality of packets of a packetized communication, the packets being transmitted from a sending node to a receiving node in a network, the security tag including security information regarding the packetized communication, the method comprising the steps of:
- selecting a placement location among a plurality of placement locations to embed the security tag in each packet of the packetized communication;
  
  authenticating, at the receiving node, each of the embedded security tags located at the selected placement location for the packets of the packetized communication; and
  
  passing packets that are authenticated to a secured resource on the network.
- View Dependent Claims (15, 16)
- - 15. The method according to claim 14, further comprising the step of:
    - preventing, by the receiving node, access by each respective packet of the packet communication to a secured resource;
      
      (1) if the respective packet does not have the security tag embedded at the selected placement location;
      
      or (2) if the respective packet has the security tag embedded at the selected placement location and the security tag is not authenticated.
  - 16. The method according to claim 15, further comprising:
    - embedding the security tag at the selected placement location for each packet of the packetized communication sent by the receiving mode in accordance with the placement location indicated in a placement message.

17. A sending node for transmitting packets toward a receiving node in a packetized communication network, comprising:
- a placement determination unit for selecting at least one placement location among a plurality of placement locations for at least one security tag to be embedded in each of a plurality of packets of a packetized communication;
  
  an insertion unit for inserting the security tag at the at least one placement location for each of the packets, as tagged packets; and
  
  a transmission unit for transmitting the tagged packets from the sending node toward the receiving node.
- View Dependent Claims (18)
- - 18. The sending node according to claim 17, wherein the sending node receives network conditions information associated with an address of the sending node to select the at least one placement location.

19. A receiving node for receiving packets sent by a sending node in a packetized communication network, comprising:
- a receiving unit for receiving the packets from the sending node; and
  
  a packet processor for authenticating, at the receiving node, a security tag embedded in each of the packets, wherein the packet processor prevents access by a respective packet of the packetized communication to a secured resource;
  
  (1) if the respective, received packet does not have the security tag embedded in a selected one of a plurality of placement locations or (2) if the security tag embedded at the selected one of the plurality of placement locations is not authenticated.
- View Dependent Claims (20)
- - 20. The receiving node according to claim 19, further comprising:
    - a network conditions table for storing information indicating network conditions that affect selection of the placement locations for different ranges of addresses of nodes on the packetized communication network; and
      
      a transmitting unit for sending, to the sending node, the network conditions table.

21. A computer readable storage medium for storing computer code to execute the method for processing a security tag in each packet of a packetized communication, the packets being transmitted to a receiving node in a network, the security tag including information relating to at least a user, the method comprising the steps of:
- selecting at least one placement location among a plurality of locations to embed the security tag in each packet of the packetized communication;
  
  receiving, at the receiving node, each packet of the packetized communication, each packet having the security tag embedded at the selected placement location;
  
  authenticating, at the receiving node, the embedded security tag in each packet; and
  
  if a respective packet of the packetized communication is received by the receiving node without the security tag embedded in the selected placement location, preventing access by the respective packet which does not have the security tag embedded in the selected placement location to a secured resource.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Citrix Systems, Inc. (Cloud Software Group)
Original Assignee
Applied Identity, Co.
Inventors
Bettadapura, Vijayashree S., Kumar, Srinivas

Granted Patent

US 8,990,573 B2
Time in Patent Office

Days
Field of Search
US Class Current

726/13
CPC Class Codes

H04L 63/0272   Virtual private networks

H04L 63/105   Multiple levels of security

H04L 63/166   at the transport layer

H04L 63/20   for managing network securi...

H04L 69/161   Implementation details of T...

H04L 69/22   Parsing or analysis of headers

SYSTEM AND METHOD FOR USING VARIABLE SECURITY TAG LOCATION IN NETWORK COMMUNICATIONS

First Claim

9 Assignments

0 Petitions

Accused Products

Abstract

Citations

21 Claims

Specification

Solutions

Use Cases

Quick Links

SYSTEM AND METHOD FOR USING VARIABLE SECURITY TAG LOCATION IN NETWORK COMMUNICATIONS

First Claim

9 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

Citations

21 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links