SECURITY POLICY ENFORCEMENT

US 20140196108A1
Filed: 07/31/2012
Published: 07/10/2014
Est. Priority Date: 08/04/2011
Status: Active Grant

First Claim

Patent Images

1. A method of operating a network message interceptor for enforcing a security policy for communication over a network between first and second network endpoints, the interceptor being in communication with the network and external to the first and second network endpoints, the network including transport layer security, and the security policy identifying at least one valid security standards for communication over the network, the method comprising:

intercepting, by one or more processors, a handshake message transmitted over the network between the first and second network endpoints;

extracting, by one or more processors, from the handshake message an identification of a security standard selected for the communication between the first and second network endpoints;

determining, by one or more processors, a validity status of the identified security standard based on the security policy; and

preventing, by one or more processors, communication between the first and second network endpoints based on a negatively determined validity status of the identified security standard.

View all claims

5 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

A method of operating a network message interceptor for enforcing a security policy for communication over a network between first and second network endpoints, the interceptor being in communication with the network and external to the first and second endpoints, the network including transport layer security, and the security policy identifying at least one valid security standards for communication over the network, the method comprising the steps of: intercepting a handshake message transmitted over the network between the first and second endpoints; extracting from the handshake message an identification of a security standard selected for the communication between the first and second endpoints; determining a validity status of the identified security standard based on the security policy; and preventing communication between the first and second endpoints based on a negatively determined validity status of the identified security standard.

Citations

20 Claims

1. A method of operating a network message interceptor for enforcing a security policy for communication over a network between first and second network endpoints, the interceptor being in communication with the network and external to the first and second network endpoints, the network including transport layer security, and the security policy identifying at least one valid security standards for communication over the network, the method comprising:
- intercepting, by one or more processors, a handshake message transmitted over the network between the first and second network endpoints;
  
  extracting, by one or more processors, from the handshake message an identification of a security standard selected for the communication between the first and second network endpoints;
  
  determining, by one or more processors, a validity status of the identified security standard based on the security policy; and
  
  preventing, by one or more processors, communication between the first and second network endpoints based on a negatively determined validity status of the identified security standard.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8)
- - 2. The method of claim 1, further comprising:
    - permitting, by one or more processors, communication between the first and second network endpoints based on a positively determined validity status of the identified security standard.
  - 3. The method of claim 2, further comprising:
    - preventing, by one or more processors, communication between the first and second network endpoints based on a determination of an authorization component using an identification of each of the first and second network endpoints.
  - 4. The method of claim 1, wherein the security standard is a cipher suite.
  - 5. The method of claim 1, wherein the security policy identifies at least one of:
    - at least one key exchange method;
      
      at least one encryption algorithm;
      
      at least one message digest algorithm; and
      
      at least one minimum key length.
  - 6. The method of claim 5, wherein the security standard identifies at least one of:
    - a key exchange method;
      
      an encryption algorithm;
      
      and a message digest algorithm.
  - 7. The method of claim 2, wherein the security policy indicates whether resumption of a communication session is allowable.
  - 8. The method of claim 2, wherein the interceptor is a transparent proxy.

9. A network message interceptor for enforcing a security policy for communication over a network between first and second network endpoints, the network message interceptor being in communication with the network and external to the first and second network endpoints, the network including transport layer security, and the security policy identifying at least one valid security standards for communication over the network, the network message interceptor comprising:
- intercepting means for intercepting a handshake message transmitted over the network between the first and second network endpoints;
  
  extracting means for extracting from the handshake message an identification of a security standard selected for the communication between the first and second network endpoints;
  
  determining means for determining a validity status of the identified security standard based on the security policy; and
  
  preventing means for preventing communication between the first and second network endpoints based on a negatively determined validity status of the identified security standard.
- View Dependent Claims (10, 11, 12, 13, 14, 15, 16)
- - 10. The network message interceptor of claim 9, further comprising:
    - permitting means for permitting communication between the first and second network endpoints based on a positively determined validity status of the identified security standard
  - 11. The network message interceptor of claim 10, further comprising:
    - preventing means for preventing communication between the first and second network endpoints based on a determination of an authorization component using an identification of each of the first and second network endpoints.
  - 12. The network message interceptor of claim 9, wherein the security standard is a cipher suite.
  - 13. The network message interceptor of claim 9, wherein the security policy identifies at least one of:
    - at least one key exchange method;
      
      at least one encryption algorithm;
      
      at least one message digest algorithm; and
      
      at least one minimum key length.
  - 14. The network message interceptor of claim 9, wherein the security standard identifies at least one of:
    - a key exchange method;
      
      an encryption algorithm; and
      
      a message digest algorithm.
  - 15. The network message interceptor of claim 9, wherein the security policy indicates whether resumption of a communication session is allowable.
  - 16. The network message interceptor of claim 9, wherein the intercepting means is a transparent proxy.

17. A computer program product for operating a network message interceptor for enforcing a security policy for communication over a network between first and second network endpoints, the interceptor being in communication with the network and external to the first and second network endpoints, the network including transport layer security, and the security policy identifying at least one valid security standards for communication over the network, the computer program product comprising a computer readable storage medium having program code embodied therewith, the program code readable and executable by a processor to perform a method comprising:
- intercepting a handshake message transmitted over the network between the first and second network endpoints;
  
  extracting from the handshake message an identification of a security standard selected for the communication between the first and second network endpoints;
  
  determining a validity status of the identified security standard based on the security policy; and
  
  preventing communication between the first and second network endpoints based on a negatively determined validity status of the identified security standard.
- View Dependent Claims (18, 19, 20)
- - 18. The computer program product of claim 17, wherein the method further comprises:
    - permitting communication between the first and second network endpoints based on a positively determined validity status of the identified security standard.
  - 19. The computer program product of claim 18, wherein the method further comprises:
    - preventing communication between the first and second network endpoints based on a determination of an authorization component using an identification of each of the first and second network endpoints.
  - 20. The computer program product of claim 17, wherein the security standard is a cipher suite.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Taiwan Semiconductor Manufacturing Company Limited
Original Assignee
International Business Machines Corporation
Inventors
Deakin, Oliver M., Nicholson, Robert B., Barr, Arthur J., Thorne, Colin J.

Granted Patent

US 9,288,234 B2
Time in Patent Office

Days
Field of Search
US Class Current

726/1
CPC Class Codes

H04L 63/0823   using certificates cryptogr...

H04L 63/10   for controlling access to d...

H04L 63/20   for managing network securi...

H04L 63/205   involving negotiation or de...

SECURITY POLICY ENFORCEMENT

First Claim

5 Assignments

0 Petitions

Accused Products

Abstract

Citations

20 Claims

Specification

Solutions

Use Cases

Quick Links

SECURITY POLICY ENFORCEMENT

First Claim

5 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

Citations

20 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links