DYNAMIC ACCESS CONTROL POLICY WITH PORT RESTRICTIONS FOR A NETWORK SECURITY APPLIANCE
First Claim
1. A network security appliance comprising:
- an interface configured to receive a packet flow;
- a control unit configured to support definition of a security policy to control access by the packet flow to a network, wherein the security policy specifies:
  (a) match criteria that include a layer seven network application, and a static port list of one or more layer four ports for a transport-layer protocol, and
  (b) actions to be applied to packet flows that match the match criteria;
- a rules engine configured to dynamically identify a type of layer seven network application associated with the received packet flow based on inspection of application-layer data within payloads of packets of the packet flow without basing the identification solely on a layer four port specified by headers within the packets, wherein the rules engine is configured to apply the security policy, after the dynamic identification of the layer seven network application, to determine whether the packet flow matches the static port lists specified by the match criteria, wherein upon the rules engine determining that the packet flow matches the static port lists, the control unit applies the actions specified by the security policy to the packet flow.
1 Assignment
0 Petitions
Abstract
A network security appliance supports definition of a security policy to control access to a network. The security policy is defined by match criteria including a layer seven network application, a static port list of layer four ports for a transport-layer protocol, and actions to be applied to packet flows that match the match criteria. A rules engine dynamically identifies a type of layer seven network application associated with the received packet flow based on inspection of application-layer data within payloads of packets of the packet flow without basing the identification solely on a layer four port specified by headers within the packets. The rules engine is configured to apply the security policy to determine whether the packet flow matches the static port lists specified by the match criteria. The network security appliance applies the actions specified by the security policy to the packet flow.
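The abstract describes a two-stage decision: the rules engine first classifies the layer seven application from payload bytes, and only then checks whether the flow's layer four port is in the policy's static port list before applying the action. The following Python model of that ordering is an added example, not code from the patent or any product; the application signatures (HTTP request line, TLS ClientHello record header, SSH banner), the policy table and the sample flows are constructed and simplified for illustration.

```python
from dataclasses import dataclass

# Hypothetical, deliberately minimal layer-7 signatures for the example.
HTTP_METHODS = {b"GET", b"POST", b"HEAD", b"PUT", b"DELETE", b"OPTIONS"}


@dataclass(frozen=True)
class Flow:
    proto: str       # layer-4 protocol name, e.g. "tcp"
    dst_port: int    # layer-4 destination port taken from the packet headers
    payload: bytes   # first application-layer bytes seen in the flow


@dataclass(frozen=True)
class Policy:
    app: str                # layer-7 application named in the match criteria
    proto: str              # transport-layer protocol the static port list applies to
    ports: frozenset[int]   # static port list
    action: str             # action applied on a full match: "allow" or "deny"


def identify_app(payload: bytes) -> str:
    """Classify the application from payload content only; the port is never consulted."""
    if payload.startswith(b"SSH-"):
        return "ssh"
    # TLS record header: content type 0x16 (handshake), major version 0x03,
    # followed by a handshake message of type 0x01 (ClientHello).
    if len(payload) >= 6 and payload[0] == 0x16 and payload[1] == 0x03 and payload[5] == 0x01:
        return "tls"
    request_line = payload.split(b"\r\n", 1)[0]
    parts = request_line.split(b" ")
    if len(parts) == 3 and parts[0] in HTTP_METHODS and parts[2].startswith(b"HTTP/1."):
        return "http"
    return "unknown"


DEFAULT_ACTION = "deny"  # no policy matched: fail closed


def evaluate(policies, flow: Flow):
    """Return (identified_app, action) for a flow.

    Step 1: dynamic identification of the layer-7 application from payload data.
    Step 2: match the identified application against each policy's static port list.
    Only a policy whose app AND port list both match contributes its action.
    """
    app = identify_app(flow.payload)
    for policy in policies:
        if policy.app == app and policy.proto == flow.proto and flow.dst_port in policy.ports:
            return app, policy.action
    return app, DEFAULT_ACTION


# Constructed policy table: each application is only allowed on its expected ports.
POLICIES = (
    Policy("http", "tcp", frozenset({80, 8080}), "allow"),
    Policy("tls", "tcp", frozenset({443}), "allow"),
    Policy("ssh", "tcp", frozenset({22}), "allow"),
)

# Constructed sample flows.
TLS_CLIENT_HELLO = b"\x16\x03\x01\x00\x05\x01\x00\x00\x01\x00"
SAMPLE_FLOWS = {
    "http_on_80": Flow("tcp", 80, b"GET / HTTP/1.1\r\nHost: example.test\r\n\r\n"),
    "http_on_8000": Flow("tcp", 8000, b"GET / HTTP/1.1\r\nHost: example.test\r\n\r\n"),
    "ssh_on_443": Flow("tcp", 443, b"SSH-2.0-OpenSSH_9.0\r\n"),
    "tls_on_443": Flow("tcp", 443, TLS_CLIENT_HELLO),
}


def run_demo():
    """Evaluate every sample flow and return {name: (app, action)}."""
    return {name: evaluate(POLICIES, flow) for name, flow in SAMPLE_FLOWS.items()}


if __name__ == "__main__":
    for name, (app, action) in run_demo().items():
        print(f"{name:12s} identified={app:8s} action={action}")
```

The flow named `ssh_on_443` is the case the abstract's wording targets: a port-only classifier would label it HTTPS and allow it, whereas payload inspection identifies SSH, the SSH policy's static port list does not contain 443, and the flow falls through to the fail-closed default. Conversely, `http_on_8000` is correctly identified as HTTP but is still denied because 8000 is not in the static port list, which is exactly the order of checks the claims describe.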
443 Citations
20 Claims
1. A network security appliance comprising:
- an interface configured to receive a packet flow;
- a control unit configured to support definition of a security policy to control access by the packet flow to a network, wherein the security policy specifies:
  (a) match criteria that include a layer seven network application, and a static port list of one or more layer four ports for a transport-layer protocol, and
  (b) actions to be applied to packet flows that match the match criteria;
- a rules engine configured to dynamically identify a type of layer seven network application associated with the received packet flow based on inspection of application-layer data within payloads of packets of the packet flow without basing the identification solely on a layer four port specified by headers within the packets, wherein the rules engine is configured to apply the security policy, after the dynamic identification of the layer seven network application, to determine whether the packet flow matches the static port lists specified by the match criteria, wherein upon the rules engine determining that the packet flow matches the static port lists, the control unit applies the actions specified by the security policy to the packet flow.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12)

13. A method for controlling access to a network with a network security appliance, comprising:
- receiving configuration information with a user interface of the network security appliance, wherein the configuration information specifies a security policy defined by:
  (a) match criteria that include a layer seven network application, and a static port list of one or more layer four ports for a transport-layer protocol, and
  (b) actions to be applied to packet flows that match the match criteria;
- receiving a packet flow with an interface of the network security appliance;
- with a rules engine of the network security appliance, dynamically identifying a type of layer seven network application associated with the received packet flow based on inspection of application-layer data within payloads of packets of the packet flow without basing the identification solely on a layer four port specified by headers within the packets;
- with the rules engine, applying the security policy, after the dynamic identification of the layer seven network application, to determine whether the packet flow matches the static port lists specified by the match criteria; and
- upon the rules engine determining that the packet flow matches the static port lists, applying the actions specified by the security policy to the packet flow.
- View Dependent Claims (14, 15, 16, 17, 18, 19)

20. A computer-readable medium comprising instructions for causing a programmable processor to:
- receive configuration information with a user interface of a network security appliance that controls access to a network, wherein the configuration information specifies a security policy defined by:
  (a) match criteria that include a layer seven network application, and a static port list of one or more layer four ports for a transport-layer protocol, and
  (b) actions to be applied to packet flows that match the match criteria;
- receive a packet flow with an interface of the network security appliance;
- with a rules engine of the network security appliance, dynamically identify a type of layer seven network application associated with the received packet flow based on inspection of application-layer data within payloads of packets of the packet flow without basing the identification solely on a layer four port specified by headers within the packets;
- with the rules engine, apply the security policy, after the dynamic identification of the layer seven network application, to determine whether the packet flow matches the static port lists specified by the match criteria; and
- upon the rules engine determining that the packet flow matches the static port lists, apply the actions specified by the security policy to the packet flow.
Specification