METHODS AND SYSTEMS FOR PROTECTING A SECURED NETWORK

US 20150304354A1
Filed: 04/16/2014
Published: 10/22/2015
Est. Priority Date: 10/22/2012
Status: Active Grant

First Claim

Patent Images

1. A method, comprising:

receiving, by each of a plurality of packet security gateways associated with a security policy management server and from the security policy management server, a dynamic security policy that includes at least one rule specifying application-layer packet-header information and a packet transformation function to be performed on packets comprising the application-layer packet-header information;

receiving, by a packet security gateway of the plurality of packet security gateways, packets associated with a network protected by the packet security gateway;

identifying, by the packet security gateway, from amongst the packets associated with the network protected by the packet security gateway, and on a packet-by-packet basis, one or more packets comprising the application-layer packet-header information; and

performing, by the packet security gateway and on a packet-by-packet basis, the packet transformation function on each of the one or more packets comprising the application-layer packet-header information.

View all claims

4 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

Methods and systems for protecting a secured network are presented. For example, one or more packet security gateways may be associated with a security policy management server. At each packet security gateway, a dynamic security policy may be received from the security policy management server, packets associated with a network protected by the packet security gateway may be received, and at least one of multiple packet transformation functions specified by the dynamic security policy may be performed on the packets.

Citations

20 Claims

1. A method, comprising:
- receiving, by each of a plurality of packet security gateways associated with a security policy management server and from the security policy management server, a dynamic security policy that includes at least one rule specifying application-layer packet-header information and a packet transformation function to be performed on packets comprising the application-layer packet-header information;
  
  receiving, by a packet security gateway of the plurality of packet security gateways, packets associated with a network protected by the packet security gateway;
  
  identifying, by the packet security gateway, from amongst the packets associated with the network protected by the packet security gateway, and on a packet-by-packet basis, one or more packets comprising the application-layer packet-header information; and
  
  performing, by the packet security gateway and on a packet-by-packet basis, the packet transformation function on each of the one or more packets comprising the application-layer packet-header information.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9)
- - 2. The method of claim 1, wherein the at least one rule indicates that packets having the application-layer packet-header information should have an accept packet transformation function performed on them, and wherein performing the packet transformation function on each of the one or more packets comprising the application-layer packet-header information comprises the packet security gateway forwarding each of the one or more packets comprising the application-layer packet-header information toward its respective destination.
  - 3. The method of claim 1, wherein the at least one rule indicates that packets having the application-layer packet-header information should have a deny packet transformation function performed on them, and wherein performing the packet transformation function on each of the one or more packets comprising the application-layer packet-header information comprises the packet security gateway dropping each of the one or more packets comprising the application-layer packet-header information.
  - 4. The method of claim 1, wherein the application-layer packet-header information identifies one or more hypertext transfer protocol (HTTP) packets, and wherein identifying the one or more packets comprising the application-layer packet-header information comprises determining by the packet security gateway that the one or more packets comprising the application-layer packet-header information are amongst the one or more HTTP packets.
  - 5. The method of claim 4, wherein the one or more HTTP packets comprise an HTTP GET method call, and wherein determining that the one or more packets comprising the application-layer packet-header information are amongst the one or more HTTP packets comprises determining that the one or more packets comprising the application-layer packet-header information are associated with the HTTP GET method call.
  - 6. The method of claim 5, wherein the HTTP GET method call specifies a uniform resource identifier (URI), and wherein determining that the one or more packets comprising the application-layer packet-header information are associated with the HTTP GET method call comprises determining that the one or more packets comprising the application-layer packet-header information originated from or are destined for a network address corresponding to the URI.
  - 7. The method of claim 4, wherein the one or more HTTP packets comprise an HTTP PUT method call, and wherein determining that the one or more packets comprising the application-layer packet-header information are amongst the one or more HTTP packets comprises determining that the one or more packets comprising the application-layer packet-header information are associated with the HTTP PUT method call.
  - 8. The method of claim 7, wherein the HTTP PUT method call specifies a uniform resource identifier (URI), and wherein determining that the one or more packets comprising the application-layer packet-header information are associated with the HTTP PUT method call comprises determining that the one or more packets comprising the application-layer packet-header information originated from or are destined for a network address corresponding to the URI.
  - 9. The method of claim 1, wherein the at least one rule comprises a five-tuple specifying one or more transport-layer protocols, a range of source addresses, a range of source ports, a range of destination addresses, and a range of destination ports, and wherein identifying the one or more packets comprising the application-layer packet-header information comprises determining by the packet security gateway that each of the one or more packets comprising the application-layer packet-header information corresponds to at least one of the one or more transport-layer protocols, has a source address within the range of source addresses, a source port within the range of source ports, a destination address within the range of destination addresses, and a destination port within the range of destination ports.

10. A method, comprising:
- receiving, by each of a plurality of packet security gateways associated with a security policy management server and from the security policy management server, a dynamic security policy that includes at least one rule specifying packet-identification criteria and a packet transformation function comprising a packet digest logging function to be performed on packets corresponding to the packet-identification criteria;
  
  receiving, by a packet security gateway of the plurality of packet security gateways, packets associated with a network protected by the packet security gateway;
  
  identifying, by the packet security gateway, from amongst the packets associated with the network protected by the packet security gateway, and on a packet-by-packet basis, one or more packets corresponding to the packet-identification criteria; and
  
  performing, by the packet security gateway and on a packet-by-packet basis, the packet digest logging function on each of the one or more packets corresponding to the packet-identification criteria.
- View Dependent Claims (11, 12, 13, 14, 15, 16, 17, 18)
- - 11. The method of claim 10, wherein performing the packet digest logging function on each of the one or more packets corresponding to the packet-identification criteria comprises:
    - identifying a subset of information specified by the packet digest logging function for each of the one or more packets corresponding to the packet-identification criteria; and
      
      generating, for each of the one or more packets corresponding to the packet-identification criteria, a record comprising the subset of information specified by the packet digest logging function.
  - 12. The method of claim 11, wherein the subset of information comprises at least one of a portion of data from the packet, a source address of the packet, a source port of the packet, a destination address of the packet, a destination port of the packet, a transport-protocol type of the packet, a uniform resource identifier (URI) from the packet, an arrival time of the packet, a size of the packet, a flow direction of the packet, an identifier of an interface of the packet security gateway that received the packet, or one or more media access control (MAC) addresses associated with the packet.
  - 13. The method of claim 11, comprising:
    - temporarily storing data in a memory of the packet security gateway, the data comprising the subset of information specified by the packet digest logging function for each of the one or more packets corresponding to the packet-identification criteria; and
      
      utilizing, by the packet security gateway, the data to generate a message comprising the subset of information specified by the packet digest logging function for each of the one or more packets corresponding to the packet-identification criteria.
  - 14. The method of claim 13 comprising communicating, by the packet security gateway and to the security policy management server, the message comprising the subset of information specified by the packet digest logging function for each of the one or more packets corresponding to the packet-identification criteria.
  - 15. The method of claim 11, comprising reformatting, for each of the one or more packets corresponding to the packet-identification criteria, the subset of information specified by the packet digest logging function in accordance with a logging system standard.
  - 16. The method of claim 15, wherein reformatting the subset of information specified by the packet digest logging function in accordance with the logging system standard comprises reformatting the subset of information specified by the packet digest logging function in accordance with a syslog logging system standard.
  - 17. The method of claim 10, wherein the packet-identification criteria comprises a five-tuple specifying one or more transport-layer protocols, a range of source addresses, a range of source ports, a range of destination addresses, and a range of destination ports, and wherein identifying the one or more packets corresponding to the packet-identification criteria comprises determining by the packet security gateway that each of the one or more packets corresponding to the packet-identification criteria corresponds to at least one of the one or more transport-layer protocols, has a source address within the range of source addresses, a source port within the range of source ports, a destination address within the range of destination addresses, and a destination port within the range of destination ports.
  - 18. The method of claim 10, wherein the packet-identification criteria comprises application-layer packet-header information, and wherein identifying the one or more packets corresponding to the packet-identification criteria comprises determining by the packet security gateway that each of the one or more packets corresponding to the packet-identification criteria comprises at least a portion of the application-layer packet-header information.

19. A method, comprising:
- receiving, by a security policy management server and from a computing device, a security update comprising a set of network addresses;
  
  updating, by the security policy management server, one or more rules stored in a memory of the security policy management server to include the set of network addresses;
  
  receiving, by the security policy management server and from a different computing device, a security update comprising a different set of network addresses;
  
  determining, by the security policy management server, that the different set of network addresses includes at least a portion of network addresses included in the set of network addresses; and
  
  responsive to determining that the different set of network addresses includes the at least a portion of network addresses included in the set of network addresses;
  
  identifying, by the security policy management server, the at least a portion of network addresses included in the set of network addresses;
  
  identifying, by the security policy management server, at least one of the one or more rules stored in the memory of the security policy management server that specifies a range of network addresses comprising the at least a portion of network addresses; and
  
  updating, by the security policy management server, the at least one of the one or more rules to include one or more other network addresses included in the different set of network addresses.
- View Dependent Claims (20)
- - 20. The method of claim 19, comprising:
    - identifying at least two rules, of the one or more rules stored in the memory of the security policy management server, that each specify a range of network addresses comprising the at least a portion of network addresses; and
      
      combining the at least two of the one or more rules into a rule that specifies a range of network addresses that includes network addresses specified by each of the at least two rules and the one or more other network addresses included in the different set of network addresses.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Centripetal Networks, Inc.
Original Assignee
Centripetal Networks, Inc.
Inventors
Rogers, Steven, Moore, Sean, Ahn, David K., Geremia, Peter P.

Granted Patent

US 9,565,213 B2
Time in Patent Office

Days
Field of Search
US Class Current

1/1
CPC Class Codes

H04L 63/0209   Architectural arrangements,...

H04L 63/0218   Distributed architectures, ...

H04L 63/0236   Filtering by address, proto...

H04L 63/0263   Rule management

H04L 63/029   Firewall traversal, e.g. tu...

H04L 63/06   for supporting key manageme...

H04L 63/1425   Traffic logging, e.g. anoma...

H04L 63/168   above the transport layer

H04L 63/20   for managing network securi...

H04L 65/1069   Session establishment or de...

H04L 67/02   based on web technology, e....

METHODS AND SYSTEMS FOR PROTECTING A SECURED NETWORK

First Claim

4 Assignments

0 Petitions

Accused Products

Abstract

Citations

20 Claims

Specification

Solutions

Use Cases

Quick Links

METHODS AND SYSTEMS FOR PROTECTING A SECURED NETWORK

First Claim

4 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

Citations

20 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links