DYNAMIC ACCESS CONTROL POLICY WITH PORT RESTRICTIONS FOR A NETWORK SECURITY APPLIANCE

US 20100095367A1
Filed: 10/30/2008
Published: 04/15/2010
Est. Priority Date: 10/09/2008
Status: Active Grant

First Claim

Patent Images

1. A network security appliance comprising:

an interface configured to receive a packet flow;

a control unit configured to support definition of a security policy to control access by the packet flow to a network, wherein the security policy specifies;

(a) match criteria that include a layer seven network application, and a static port list of one or more layer four ports for a transport-layer protocol, and(b) actions to be applied to packet flows that match the match criteria,a rules engine configured to dynamically identify a type of layer seven network application associated with the received packet flow based on inspection of application-layer data within payloads of packets of the packet flow without basing the identification solely on a layer four port specified by headers within the packets, wherein the rules engine is configured to apply the security policy, after the dynamic identification of the layer seven network application, to determine whether the packet flow matches the static port lists specified by the match criteria,wherein upon the rules engine determining that the packet flow matches the static port lists, the control unit applies the actions specified by the security policy to the packet flow.

View all claims

1 Assignment

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

A network security appliance supports definition of a security policy to control access to a network. The security policy is defined by match criteria including a layer seven network application, a static port list of layer four ports for a transport-layer protocol, and actions to be applied to packet flows that match the match criteria. A rules engine dynamically identifies a type of layer seven network application associated with the received packet flow based on inspection of application-layer data within payloads of packets of the packet flow without basing the identification solely on a layer four port specified by headers within the packets. The rules engine is configured to apply the security policy to determine whether the packet flow matches the static port lists specified by the match criteria. The network security appliance applies the actions specified by the security policy to the packet flow.

443 Citations

20 Claims

1. A network security appliance comprising:
- an interface configured to receive a packet flow;
  
  a control unit configured to support definition of a security policy to control access by the packet flow to a network, wherein the security policy specifies;
  
  (a) match criteria that include a layer seven network application, and a static port list of one or more layer four ports for a transport-layer protocol, and(b) actions to be applied to packet flows that match the match criteria,a rules engine configured to dynamically identify a type of layer seven network application associated with the received packet flow based on inspection of application-layer data within payloads of packets of the packet flow without basing the identification solely on a layer four port specified by headers within the packets, wherein the rules engine is configured to apply the security policy, after the dynamic identification of the layer seven network application, to determine whether the packet flow matches the static port lists specified by the match criteria,wherein upon the rules engine determining that the packet flow matches the static port lists, the control unit applies the actions specified by the security policy to the packet flow.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12)
- - 2. The network security appliance of claim 1, wherein the rules engine is configured to perform deep packet inspection and signature-based application identification to dynamically identify the type of layer seven network application.
  - 3. The network security appliance of claim 2, wherein the rules engine is configured to dynamically identify the type of layer seven network application using the layer four port specified by the headers within the packets to select a set of patterns to apply for the signature-based application identification.
  - 4. The network security appliance of claim 1, further comprising:
    - a flow analysis module configured to analyze packet headers of packets in the packet flow to identify the layer four ports for a transport layer protocol associated with the packet flow; and
      
      a flow table updated by the flow analysis module and the rules engine to store the identified layer seven network application as identified by the rules engine, and layer four ports associated with the packet flow.
  - 5. The network security appliance of claim 1, further comprising a management module that presents a user interface to receive configuration information that defines the security policy.
  - 6. The network security appliance of claim 1,wherein the match criteria further includes a network source,further comprising a query module that identifies the network source associated with a received packet flow by querying a domain controller with a source Internet Protocol (IP) address associated with the packet flow to obtain one of a username or a user role associated with the source IP address.
  - 7. The network security appliance of claim 1, wherein the match criteria of the security policy further includes a network destination, wherein the network destination is defined as one of:
    - a destination Internet Protocol (IP) address, a set of destination IP addresses, and an output zone that defines a set of output interfaces.
  - 8. The network security appliance of claim 1, wherein the match criteria further includes a network source, wherein the network source of the packet flow is defined by the security policy in terms of one of a user and a user role.
  - 9. The network security appliance of claim 1, wherein the match criteria further includes a network source, wherein the network source of the packet flow is defined by the security policy in terms of one of:
    - a source IP address, a set of source IP addresses, and an input zone that defines a set of input interfaces.
  - 10. The network security appliance of claim 1, wherein the one or more layer four ports for the transport-layer protocol are defined by the security policy as a range of layer four ports.
  - 11. The network security appliance of claim 1, wherein the rules engine dynamically defines a new security policy that allows access by a matching packet flow to the network within a defined time period on a different layer four port than is specified by the specified match criteria of the security policy.
  - 12. The network security appliance of claim 1, wherein the actions specified by the security policy to be applied include logging one or more of:
    - whether a matching packet flow was allowed or denied, the identity of the user that was allowed or denied, what application was being used by the packet flow, what port was being used by the packet flow, and a timestamp indicating when a matching packet flow was detected.

13. A method for controlling access to a network with a network security appliance, comprising:
- receiving configuration information with a user interface of the network security appliance, wherein the configuration information specifies a security policy defined by;
  
  (a) match criteria that include a layer seven network application, and a static port list of one or more layer four ports for a transport-layer protocol, and(b) actions to be applied to packet flows that match the match criteria;
  
  receiving a packet flow with an interface of the network security appliance;
  
  with a rules engine of the network security appliance, dynamically identifying a type of layer seven network application associated with the received packet flow based on inspection of application-layer data within payloads of packets of the packet flow without basing the identification solely on a layer four port specified by headers within the packets;
  
  with the rules engine, applying the security policy, after the dynamic identification of the layer seven network application, to determine whether the packet flow matches the static port lists specified by the match criteria; and
  
  upon the rules engine determining that the packet flow matches the static port lists, applying the actions specified by the security policy to the packet flow.
- View Dependent Claims (14, 15, 16, 17, 18, 19)
- - 14. The method of claim 13, wherein dynamically identifying a type of layer seven network application associated with the received packet flow based on inspection of application-layer data comprises performing deep packet inspection and signature-based application identification to dynamically identify the type of layer seven network application.
  - 15. The method of claim 13, further comprising:
    - analyzing, with a flow analysis module, packet headers of packets in the packet flow to identify the layer four ports for a transport layer protocol associated with the packet flow; and
      
      updating a flow table updated with the flow analysis module and the rules engine to store the identified layer seven network application and layer four ports associated with the packet flow.
  - 16. The method of claim 13, wherein the match criteria of the security policy further includes a network destination, wherein the network destination is defined as one of:
    - a destination Internet Protocol (IP) address, a set of destination IP addresses, and an output zone that defines a set of output interfaces.
  - 17. The method of claim 13, wherein the match criteria further includes a network source, wherein the network source of the packet flow is defined by the security policy in terms of one of a user and a user role, further comprising:
    - identifying the network source associated with a received packet flow by querying a domain controller with a source Internet Protocol (IP) address associated with the packet flow to obtain one of a username or a user role associated with the source IP address.
  - 18. The method of claim 13, further comprising dynamically defining, with the rules engine, a new security policy that allows access by a matching packet flow to the network within a defined time period on a different layer four port than is specified by the specified match criteria of the security policy.
  - 19. The method of claim 13, wherein the actions specified by the security policy to be applied include logging one or more of:
    - whether a matching packet flow was allowed or denied, the identity of the user that was allowed or denied, what application was being used by the packet flow, what port was being used by the packet flow, and a timestamp indicating when a matching packet flow was detected.

20. A computer-readable medium comprising instructions for causing a programmable processor to:
- receive configuration information with a user interface of a network security appliance that controls access to a network, wherein the configuration information specifies a security policy defined by;
  
  (a) match criteria that include a layer seven network application, and a static port list of one or more layer four ports for a transport-layer protocol, and(b) actions to be applied to packet flows that match the match criteria;
  
  receive a packet flow with an interface of the network security appliance;
  
  with a rules engine of the network security appliance, dynamically identify a type of layer seven network application associated with the received packet flow based on inspection of application-layer data within payloads of packets of the packet flow without basing the identification solely on a layer four port specified by headers within the packets;
  
  with the rules engine, apply the security policy, after the dynamic identification of the layer seven network application, to determine whether the packet flow matches the static port lists specified by the match criteria; and
  
  upon the rules engine determining that the packet flow matches the static port lists, apply the actions specified by the security policy to the packet flow.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Juniper Networks Incorporated
Original Assignee
Juniper Networks Incorporated
Inventors
Narayanaswamy, Krishna

Granted Patent

US 8,572,717 B2
Time in Patent Office

Days
Field of Search
US Class Current

726/12
CPC Class Codes

H04L 63/0245   Filtering by information in...

H04L 63/0254   Stateful filtering

H04L 63/0263   Rule management

H04L 63/20   for managing network securi...

DYNAMIC ACCESS CONTROL POLICY WITH PORT RESTRICTIONS FOR A NETWORK SECURITY APPLIANCE

First Claim

1 Assignment

0 Petitions

Accused Products

Abstract

443 Citations

20 Claims

Specification

Solutions

Use Cases

Quick Links

DYNAMIC ACCESS CONTROL POLICY WITH PORT RESTRICTIONS FOR A NETWORK SECURITY APPLIANCE

First Claim

1 Assignment

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

443 Citations

20 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links