SYSTEM AND METHOD FOR LIMITING DATA LEAKAGE
Abstract
System and methods for connection processing with limited data leakage. The system records state associated with a connection request in a connection state engine, records state associated with a connection acknowledgement in the connection state engine, stores data sent after the connection acknowledgement in a buffer and determines, without a proxy, whether to allow or deny a connection as a function of the data stored in the buffer.
13 Claims
1. A system for applying a security policy to connections between a computer on a first network and a computer on a second network, comprising:
a buffer, wherein the buffer is sized to receive and buffer data associated with a connection request; and
a connection state engine connected to the buffer;
wherein the connection state engine receives a connection request from one of the computers for a connection to the other computer and records state associated with the connection request;
wherein the connection state engine receives an acknowledgement from the other computer and records state associated with the acknowledgement;
wherein the buffer receives data from one of the computers, wherein the data is associated with the connection request; and
wherein the connection state engine reads the data from the buffer and denies the connection based on an application of a security policy to the data without forwarding the data.
Dependent claims: 2, 3, 4.
5. A system for applying a security policy to connections between a computer on a first network and a computer on a second network, comprising:
a buffer, wherein the buffer is sized to receive and buffer data associated with a connection request;
one or more proxies connected to the buffer; and
a connection state engine connected to the buffer and the proxies;
wherein the connection state engine receives a connection request from one of the computers for a connection to the other computer and records state associated with the connection request;
wherein the connection state engine receives an acknowledgement from the other computer and records state associated with the acknowledgement;
wherein the buffer receives data from one of the computers, wherein the data is associated with the connection request; and
wherein the connection state engine reads the data from the buffer, determines whether the connection should be promoted to one of the proxies based on an application of a security policy to the data, and promotes the connection to a selected one of the proxies when it determines the connection should be promoted; and
wherein the selected proxy reads state associated with the connection request and the connection acknowledgement and establishes socket connections to the two computers as a function of the recorded state such that the connection changes into a proxy connection.
Dependent claims: 6, 7, 8, 9.
10. In a system for applying a security policy to connections between a computer on a first network and a computer on a second network, a method of determining whether to deny the connection, comprising:
receiving a connection request from the computer on the first network;
recording state associated with the connection request;
receiving a request acknowledgement from the computer on the second network;
recording state associated with the connection acknowledgement;
storing in a buffer data received from one of the computers after the request acknowledgement; and
determining, without a proxy and as a function of the data stored in the buffer, whether to deny the connection;
wherein, when the connection is denied, no data is forwarded to the other computer.
11. The method of claim 11, wherein determining includes determining to deny the connection if the connection request is for an HTTP message.
12. In a system for applying a security policy to connections between a computer on a first network and a computer on a second network, a method of determining whether to deny the connection, comprising:
receiving a connection request from the computer on the first network;
recording state associated with the connection request;
receiving a request acknowledgement from the computer on the second network;
recording state associated with the connection acknowledgement;
storing in a buffer data associated with the connection request, wherein the data is received from one of the computers after the request acknowledgement;
determining, as a function of the data stored in the buffer, whether to promote the message to a proxy;
receiving, at the proxy, information corresponding to the message; and
establishing socket connections to the two computers as a function of the recorded state such that the connection changes into a proxy connection.
Dependent claims: 13.
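As an added illustration (example code, not from the patent or its assignee), the following Python simulates the connection state engine described in claims 1, 5 and 10-12: handshake state is recorded, the first data segment is buffered, and a policy decides to deny, promote to a proxy, or allow before any byte is forwarded to the other computer. The policy rules, the endpoint tuples, the buffer size and the `Proxy` class are assumptions; no real sockets are opened.

```python
# Added example (not from the patent): a minimal simulation of the claimed
# connection state engine. SYN / SYN-ACK state is recorded, the first data
# segment is buffered, and the policy decides deny / promote / allow while
# nothing has been forwarded yet. No real sockets are used.
from dataclasses import dataclass, field
from typing import Optional

HTTP_METHODS = (b"GET ", b"POST ", b"HEAD ", b"PUT ", b"DELETE ")  # assumed set

@dataclass
class ConnState:
    client: tuple                      # (ip, port) on the first network
    server: tuple                      # (ip, port) on the second network
    client_isn: Optional[int] = None   # sequence number from the connection request
    server_isn: Optional[int] = None   # sequence number from the acknowledgement
    buffer: bytearray = field(default_factory=bytearray)
    verdict: str = "pending"           # pending | deny | proxy:<name> | allow

class Proxy:
    """Claim 5 / 12: a promoted connection is rebuilt from the recorded state."""
    def __init__(self, st: ConnState):
        self.legs = (st.client, st.server)          # endpoints it would connect to
        self.resume = (st.client_isn, st.server_isn)  # handshake state handed over

class ConnectionStateEngine:
    """Records three-way-handshake state and applies policy to buffered data."""
    def __init__(self, policy, buffer_size=1460):
        self.policy = policy             # callable(ConnState) -> verdict string
        self.buffer_size = buffer_size   # buffer "sized" for the request data
        self.table = {}                  # (client, server) -> ConnState

    def on_syn(self, client, server, seq):
        self.table[(client, server)] = ConnState(client, server, client_isn=seq)

    def on_syn_ack(self, client, server, seq):
        self.table[(client, server)].server_isn = seq

    def on_data(self, client, server, payload: bytes) -> str:
        st = self.table[(client, server)]
        if st.verdict != "pending":      # decision already made for this flow
            return st.verdict
        st.buffer.extend(payload[: self.buffer_size - len(st.buffer)])
        st.verdict = self.policy(st)     # decided before any byte is forwarded
        return st.verdict

def example_policy(st: ConnState) -> str:
    """Hypothetical policy: deny HTTP (claim 11), send mail to a proxy, else allow."""
    if bytes(st.buffer).startswith(HTTP_METHODS):
        return "deny"
    if st.server[1] == 25:               # assumed rule: SMTP goes to a proxy
        return "proxy:smtp"
    return "allow"
```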
Specification