IDENTITY AND POLICY-BASED NETWORK SECURITY AND MANAGEMENT SYSTEM AND METHOD

US 20100100949A1
Filed: 08/02/2007
Published: 04/22/2010
Est. Priority Date: 07/06/2007
Status: Active Grant

First Claim

Patent Images

1. A method for managing a network connection between a source and a destination for the transmission of at least one data packet, the method comprising the steps of:

receiving a login request from a user, wherein the login request comprises a user IP address, and login credentials;

identifying a profile associated with the user, wherein the profile comprises user data and at least one user-specific policy;

determining if the user is authentic by comparing the login credentials with the user data of the identified profile;

determining if the login request is authorized by applying the at least one user-specific policy of the identified profile;

creating and storing identity information related to the authorized user, wherein the identity information comprises the profile and the user IP address;

receiving the at least one data packet from the source, wherein the at least one packet comprises a source IP address and a destination IP address;

identifying a connection object associated with the connection based at least on the source IP address and the destination IP address;

associating the identified connection object with the at least one packet;

identifying the identity information associated with the authorized user based on the source IP address;

updating the identified connection object with the identified identity information; and

applying at least a portion of the identified identity information to the connection.

View all claims

6 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

A system and method for providing security for a network connecting a source and a destination. The system and method provide a security and management system between the source and the destination which is configured to apply rules and policies which are specific to the user to the connection between the source and the destination. The user-specific policies are used to govern.

174 Citations

26 Claims

1. A method for managing a network connection between a source and a destination for the transmission of at least one data packet, the method comprising the steps of:
- receiving a login request from a user, wherein the login request comprises a user IP address, and login credentials;
  
  identifying a profile associated with the user, wherein the profile comprises user data and at least one user-specific policy;
  
  determining if the user is authentic by comparing the login credentials with the user data of the identified profile;
  
  determining if the login request is authorized by applying the at least one user-specific policy of the identified profile;
  
  creating and storing identity information related to the authorized user, wherein the identity information comprises the profile and the user IP address;
  
  receiving the at least one data packet from the source, wherein the at least one packet comprises a source IP address and a destination IP address;
  
  identifying a connection object associated with the connection based at least on the source IP address and the destination IP address;
  
  associating the identified connection object with the at least one packet;
  
  identifying the identity information associated with the authorized user based on the source IP address;
  
  updating the identified connection object with the identified identity information; and
  
  applying at least a portion of the identified identity information to the connection.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13)
- - 2. The method of claim 1, further comprising the step of creating the connection object based at least in part on source IP address and the destination IP address.
  - 3. The method of claim 1, wherein the step of determining if the login request is authorized comprises applying a user-specific access time policy.
  - 4. The method of claim 1, wherein the step of determining if the login request is authorized comprises applying a user-specific quota policy.
  - 5. The method of claim 1, further comprising the steps of:
    - identifying a firewall rule associated with the at least one packet and the updated connection object,applying the firewall rule to the at least one packet of the connection; and
      
      performing a firewall action for the at least one packet based on the application of the firewall rule, wherein the action is selected from the group consisting of;
      
      accept, drop, and reject.
  - 6. The method of claim 1, further comprising the steps of applying override policy information to override at least a portion of the user-specific policy.
  - 7. The method of claim 5, further comprising the steps of:
    - identifying at least one management policy associated with the connection object; and
      
      applying the at least one identified management policy to the at least one packet.
  - 8. The method of claim 6, wherein the at least one management policy comprises an application security policy.
  - 9. The method of claim 6, wherein the at least one management policy comprises a destination network address translation policy.
  - 10. The method of claim 6, wherein the at least one management policy comprises a source network address translation policy.
  - 11. The method of claim 6, wherein the at least one management policy comprises a intrusion detection and prevention policy.
  - 12. The method of claim 6, wherein the at least one management policy comprises a bandwidth management policy.
  - 13. The method of claim 6, wherein the at least one management policy comprises a routing policy.

14. A system for managing a network connection between a source and a destination for the transmission of at least one data packet, the system comprising:
- a login module configured to;
  
  receive a login request from a user, wherein the login request comprises a user IP address, and login credentials,identify a profile associated with the user, wherein the profile comprises user data and at least one user-specific policy,determine if the user is authentic by comparing the login credentials with the user data of the identified profile,determine if the login request is authorized by applying the at least one user-specific policy of the identified profile, andcreate identity information related to the authorized user, wherein the identity information comprises the profile and the user IP address;
  
  a user IP map communicatively connected to the login module, the user IP map configured to store the identity information; and
  
  a connection tracker communicatively connected to the source and the user IP map, the connection tracker configured to;
  
  receive the at least one data packet from the source, wherein the at least one packet comprises a source IP address and a destination IP address,identify a connection object associated with the connection based at least on the source IP address and the destination IP address,associate the connection object with the at least one packet,identify the identity information stored in the user TP map which is associated with the authorized user,update the connection object with the identified identity information, andapply at least a portion of the identified identity information to the connection.
- View Dependent Claims (15, 16, 17, 18, 19, 20, 21, 22, 23, 24, 25, 26)
- - 15. The system of claim 14, wherein the connection tracker is configured to create the connection object.
  - 16. The system of claim 14, wherein the login module is configured to determine if the login request is authorized by applying a user-specific access time policy.
  - 17. The system of claim 14, wherein the login module is configured to determine if the login request is authorized by applying a user-specific quota policy.
  - 18. The system of claim 14, further comprising a firewall module communicatively connected to the connection tracker, the firewall module configured to:
    - identify a firewall rule associated with the at least one packet and the updated connection object,apply the firewall rule to the at least one packet of the connection, andperform a firewall action for the at least one packet based on the application of the firewall rule, wherein the action is selected from the group consisting of;
      
      accept, drop, and reject.
  - 19. The system of claim 18, wherein the firewall module is configured to apply override policy information to override at least a portion of the user-specific policy
  - 20. The system of claim 18, further comprising a management module communicatively connected to the firewall module, the management module configured to:
    - identify at least one management policy associated with the connection object; and
      
      apply the at least one identified management policy to the at least one packet.
  - 21. The system of claim 19, wherein the at least one management policy comprises an application security policy.
  - 22. The system of claim 19, wherein the at least one management policy comprises a destination network address translation policy.
  - 23. The system of claim 19, wherein the at least one management policy comprises a source network address translation policy.
  - 24. The system of claim 19, wherein the at least one management policy comprises a intrusion detection and prevention policy.
  - 25. The system of claim 19, wherein the at least one management policy comprises a bandwidth management policy.
  - 26. The system of claim 19, wherein the at least one management policy comprises a routing policy.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Sophos Limited (Sophos Group Ltd.)
Original Assignee
Sophos Limited (Sophos Group Ltd.)
Inventors
Pandya, Sumit, Shah, Nishit Shanfibhai, Sonwane, Abhilash Vijay, Modhwadiya, Rajesh Hardasbhai, Malek, Sarfaraz Mohammedhanif, Mahadevia, Jimit Hareshkumau

Granted Patent

US 8,984,620 B2
Time in Patent Office

Days
Field of Search
US Class Current

726/7
CPC Class Codes

H04L 61/2503   Translation of Internet pro...

H04L 63/0254   Stateful filtering

H04L 63/0263   Rule management

H04L 63/102   Entity profiles

H04L 63/1408   by monitoring network traff...

H04L 63/20   for managing network securi...

IDENTITY AND POLICY-BASED NETWORK SECURITY AND MANAGEMENT SYSTEM AND METHOD

First Claim

6 Assignments

0 Petitions

Accused Products

Abstract

174 Citations

26 Claims

Specification

Use Cases

Quick Links

Others

IDENTITY AND POLICY-BASED NETWORK SECURITY AND MANAGEMENT SYSTEM AND METHOD

First Claim

6 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

174 Citations

26 Claims

Specification

Subscription Required

Use Cases

Quick Links

Others