Applying a Packet Routing Policy to an Application Session
First Claim
1. A method for routing data packets of an application session, the method comprising:
inspecting, by a security gateway, a data packet for an application session and storing a host identity and application session time in an application session record;
determining, by a security gateway, from the data packet for the application session a user identity and storing the user identity in the application session record;
determining, by a security gateway, a second user identity by matching an access session record of an access session accessed during the application session that comprises the second user identity, a second host identity, and an access session time, wherein the second host identity and access session time match the host identity and application session time of the application session record;
storing the second user identity in the application session record;
determining, by the security gateway, at least one packet routing policy applicable to the application session, the at least one packet routing policy comprising a host network address, an application network address, and a forwarding interface;
receiving, at the security gateway, a second data packet for the application session, the second data packet comprising a source network address and a destination network address;
comparing, by the security gateway, the source network address from the second data packet with the host network address of the at least one packet routing policy, or comparing the destination network address from the second data packet with the application network address of the at least one packet routing policy; and
in response to finding a match between the source network address from the second data packet and the host network address of the at least one packet routing policy, or a match between the destination network address from the second data packet and the application network address of the at least one packet routing policy, processing the second data packet using the forwarding interface of the at least one packet routing policy by the security gateway.
Abstract
A security gateway includes packet routing policies, each including a host network address, an application network address, and a forwarding interface. In routing data packets of an application session, the security gateway: recognizes the application session between a network and an application; determines a user identity from an application session record for the application session; determines packet routing policies applicable to the application session based on the user identity; receives a data packet for the application session, including a source network address and a destination network address; compares the source network address with the host network address, and the destination network address with the application network address; and in response to finding a match between the source network address and the host network address, and between the destination network address and the application network address, processes the data packet using the forwarding interface of the packet routing policy.
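The following is an added example and not code from the patent or its assignee: a toy Python model of the gateway behaviour in claim 1 and the abstract. It builds the application session record from the first packet (host identity taken from the source address, session time from the packet timestamp), recovers a second user identity from an access session record whose host identity and time window match, selects routing policies by user identity (the abstract's criterion; claim 1 does not say how policies are selected), and forwards later packets of the session on the matching policy's interface. All names, addresses, time values and the `X-User:` header used to read a user identity out of the packet are constructed assumptions. Claim 1 matches on source address OR destination address, while the abstract requires both to match; the `conjunctive` flag switches between the two readings so the difference is visible.

```python
"""Toy model of the session-aware packet routing gateway (added example, not the patent's code)."""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network, IPv4Network
from typing import List, Optional


@dataclass(frozen=True)
class AccessSessionRecord:
    """An access session (e.g. a portal or VPN login) the gateway has already recorded."""
    user_identity: str
    host_identity: str   # network address the user accessed from
    start: int           # access session time window, constructed as epoch seconds
    end: int


@dataclass
class ApplicationSessionRecord:
    host_identity: str
    session_time: int
    user_identity: Optional[str] = None         # identity read from the packet itself
    second_user_identity: Optional[str] = None  # identity recovered from the access session


@dataclass(frozen=True)
class PacketRoutingPolicy:
    user_identity: str                         # assumption: policies are selected by user identity
    host_network_address: IPv4Network          # assumption: a /32 stands for a single host address
    application_network_address: IPv4Network
    forwarding_interface: str


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    timestamp: int
    payload: bytes = b""


class SecurityGateway:
    def __init__(self, policies: List[PacketRoutingPolicy], access_sessions: List[AccessSessionRecord]):
        self.policies = list(policies)
        self.access_sessions = list(access_sessions)

    @staticmethod
    def _user_from_packet(pkt: Packet) -> Optional[str]:
        # Assumption: the application names its user in an "X-User:" header line.
        for line in pkt.payload.split(b"\r\n"):
            if line.lower().startswith(b"x-user:"):
                return line.split(b":", 1)[1].strip().decode()
        return None

    def _match_access_session(self, rec: ApplicationSessionRecord) -> Optional[str]:
        # Second identity: an access session on the same host whose window covers the session time.
        for a in self.access_sessions:
            if a.host_identity == rec.host_identity and a.start <= rec.session_time <= a.end:
                return a.user_identity
        return None

    def inspect(self, pkt: Packet) -> ApplicationSessionRecord:
        """Inspect the first packet of a session and fill in the application session record."""
        rec = ApplicationSessionRecord(host_identity=pkt.src, session_time=pkt.timestamp)
        rec.user_identity = self._user_from_packet(pkt)
        rec.second_user_identity = self._match_access_session(rec)
        return rec

    def applicable_policies(self, rec: ApplicationSessionRecord) -> List[PacketRoutingPolicy]:
        ids = {rec.user_identity, rec.second_user_identity} - {None}
        return [p for p in self.policies if p.user_identity in ids]

    def route(self, rec: ApplicationSessionRecord, pkt: Packet, conjunctive: bool = False) -> Optional[str]:
        """Return the forwarding interface for a later packet of the session, or None if no policy matches."""
        src, dst = ip_address(pkt.src), ip_address(pkt.dst)
        for p in self.applicable_policies(rec):
            src_ok = src in p.host_network_address
            dst_ok = dst in p.application_network_address
            matched = (src_ok and dst_ok) if conjunctive else (src_ok or dst_ok)
            if matched:
                return p.forwarding_interface
        return None


# Constructed sample data: one recorded access session, two policies, one first packet.
ACCESS_SESSIONS = [AccessSessionRecord("alice", "10.1.1.20", 1000, 2000)]
POLICIES = [
    PacketRoutingPolicy("alice", ip_network("10.1.1.0/24"), ip_network("192.0.2.10/32"), "eth1"),
    PacketRoutingPolicy("bob", ip_network("10.1.2.0/24"), ip_network("192.0.2.20/32"), "eth2"),
]
FIRST_PACKET = Packet("10.1.1.20", "192.0.2.10", 1500, b"GET /app HTTP/1.1\r\nX-User: carol\r\n\r\n")


def demo() -> dict:
    gw = SecurityGateway(POLICIES, ACCESS_SESSIONS)
    rec = gw.inspect(FIRST_PACKET)
    return {
        "user": rec.user_identity,                  # "carol", read from the packet
        "second_user": rec.second_user_identity,    # "alice", from the matching access session
        "same_app": gw.route(rec, Packet("10.1.1.20", "192.0.2.10", 1501)),
        "other_app_or": gw.route(rec, Packet("10.1.1.20", "198.51.100.7", 1502)),
        "other_app_and": gw.route(rec, Packet("10.1.1.20", "198.51.100.7", 1502), conjunctive=True),
        "unknown_host": gw.route(rec, Packet("10.9.9.9", "198.51.100.7", 1503)),
    }


if __name__ == "__main__":
    print(demo())
```

The `other_app_or` versus `other_app_and` results show the practical consequence of the two readings: under the claim's disjunctive match, any packet from the recorded host is forwarded on the user's interface regardless of destination, whereas the abstract's conjunctive match forwards only traffic that is also bound for the policy's application address.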
24 Claims
1. A method for routing data packets of an application session (independent claim; text as given under First Claim above)
Dependent claims: 2, 3, 4, 5, 6, 7, 8
9. A system, comprising:
a security gateway, wherein the security gateway:
inspects a data packet for an application session and stores a host identity and application session time in an application session record;
determines from the data packet for the application session a user identity and stores the user identity in the application session record;
determines a second user identity by matching an access session record of an access session accessed during the application session that comprises the second user identity, a second host identity, and an access session time, wherein the second host identity and access session time match the host identity and application session time of the application session record;
stores the second user identity in the application session record;
determines at least one packet routing policy applicable to the application session, the at least one packet routing policy comprising a host network address, an application network address, and a forwarding interface;
receives a second data packet for the application session, the second data packet comprising a source network address and a destination network address;
compares the source network address from the second data packet with the host network address of the at least one packet routing policy, or compares the destination network address from the second data packet with the application network address of the at least one packet routing policy; and
in response to finding a match between the source network address from the second data packet and the host network address of the at least one packet routing policy, or a match between the destination network address from the second data packet and the application network address of the at least one packet routing policy, processes the second data packet using the forwarding interface of the at least one packet routing policy by the security gateway.
Dependent claims: 10, 11, 12, 13, 14, 15, 16
17. A non-transitory computer readable storage medium having computer readable program code embodied therewith for routing data packets of an application session, the computer readable program code configured to:
inspect, by a security gateway, a data packet for an application session and store a host identity and application session time in an application session record;
determine, by a security gateway, from the data packet for the application session a user identity and store the user identity in the application session record;
determine, by a security gateway, a second user identity by matching an access session record of an access session accessed during the application session that comprises the second user identity, a second host identity, and an access session time, wherein the second host identity and access session time match the host identity and application session time of the application session record;
store the second user identity in the application session record;
determine, by the security gateway, at least one packet routing policy applicable to the application session, the at least one packet routing policy comprising a host network address, an application network address, and a forwarding interface;
receive, at the security gateway, a second data packet for the application session, the second data packet comprising a source network address and a destination network address;
compare, by the security gateway, the source network address from the second data packet with the host network address of the at least one packet routing policy, or compare the destination network address from the second data packet with the application network address of the at least one packet routing policy; and
in response to finding a match between the source network address from the second data packet and the host network address of the at least one packet routing policy, or a match between the destination network address from the second data packet and the application network address of the at least one packet routing policy, process the second data packet using the forwarding interface of the at least one packet routing policy by the security gateway.
Dependent claims: 18, 19, 20, 21, 22, 23, 24
Specification