SECURE LABELING OF NETWORK FLOWS
Abstract
An enterprise security system is improved by instrumenting endpoints to explicitly label network flows with cryptographically secure labels that identify an application or other source of each network flow. Cryptographic techniques may be used, for example, to protect the encoded information in the label from interception by third parties or to support cryptographic authentication of a source of each label. A label may provide health, status, or other heartbeat information for the endpoint, and may be used to identify compromised endpoints, to make routing decisions for network traffic (e.g., allowing, blocking, rerouting, etc.), to more generally evaluate the health of an endpoint that is sourcing network traffic, or for any other useful purpose.
20 Claims
1. A computer program product for managing network flows at an endpoint, the computer program product comprising computer executable code embodied in a non-transitory computer readable medium that, when executing on one or more computing devices, performs the steps of:
receiving a network message from a process executing on the endpoint, wherein the process is based on an application and wherein the network message includes a payload and a header, the network message addressed to a remote location accessible from the endpoint through a data network;
generating a label for the network message, the label including information about a source of the network message on the endpoint;
cryptographically signing the label to provide a signed label verifying an identity of the endpoint;
adding the signed label to the header of the network message; and
transmitting the network message from the endpoint to the remote location through the data network.
Dependent claims: 2, 3, 4, 5, 6.
7. A method for managing network flows at an endpoint, the method comprising:
receiving a network message from a process executing on the endpoint, wherein the process is based on an application and wherein the network message includes a payload and a header, the network message addressed to a remote location accessible from the endpoint through a data network;
generating a label for the network message, the label including information about a source of the network message on the endpoint;
encrypting the label with a cryptographic key, thereby providing an encrypted label;
adding the encrypted label to the header of the network message; and
transmitting the network message from the endpoint to the remote location through the data network.
Dependent claims: 8, 9, 10, 11, 12.
13. A system comprising:
an endpoint including a network interface configured to couple the endpoint in a communicating relationship with a data network;
a memory on the endpoint; and
a processor on the endpoint, the processor configured to execute instructions stored in the memory to perform the steps of:
receiving a network message from a process executing on the endpoint, wherein the process is based on an application and wherein the network message includes a payload and a header, the network message addressed to a remote location accessible from the endpoint through a data network;
generating a label for the network message, the label including information about a source of the network message on the endpoint;
encrypting the label with a cryptographic key, thereby providing an encrypted label;
adding the encrypted label to the header of the network message; and
transmitting the network message from the endpoint to the remote location through the data network.
Dependent claims: 14, 15.
16. A method for managing network flows at a network device, the method comprising:
receiving a network message from an endpoint at the network device, the network message including a source address for the endpoint, a destination address for an intended recipient of the network message, an encrypted label that identifies an application that generated the network message on the endpoint, and a payload of data;
processing the network message on the network device to extract the label;
decrypting the encrypted label with a cryptographic key to provide a decrypted label; and
routing the network message based on the decrypted label.
Dependent claims: 17, 18, 19, 20.
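The endpoint side of claim 1 (label generation, signing, insertion into the header) and the network-device side of claim 16 (label extraction, verification, routing decision) as one added Python example; this is illustrative code, not the patent's implementation, and the HMAC-SHA256 key, the `X-Flow-Label` header name, the label fields and the allow/block/reroute policy are all constructed assumptions.

```python
import base64
import hashlib
import hmac
import json
import time

# Constructed values: the patent fixes neither a key type, a header name nor a policy.
ENDPOINT_KEY = b"constructed-demo-key-shared-with-network-device"
LABEL_HEADER = "X-Flow-Label"              # hypothetical header field carrying the label
ALLOWED_APPS = {"browser", "mail-client"}  # hypothetical per-application routing policy

def make_signed_label(key, endpoint_id, app, pid, health, now=None):
    """Endpoint side: encode source and heartbeat info, then sign it with HMAC-SHA256."""
    ts = int(time.time() if now is None else now)
    body = json.dumps({"endpoint": endpoint_id, "app": app, "pid": pid,
                       "health": health, "ts": ts}, sort_keys=True).encode()
    tag = hmac.new(key, body, hashlib.sha256).digest()
    return base64.b64encode(body).decode() + "." + base64.b64encode(tag).decode()

def add_label_to_header(message, label):
    """Endpoint side: return a copy of the message with the signed label in its header."""
    header = dict(message["header"], **{LABEL_HEADER: label})
    return {"header": header, "payload": message["payload"]}

def verify_label(key, label, max_age=300, now=None):
    """Network-device side: check the tag and freshness; return the label dict or None."""
    try:
        body_b64, tag_b64 = label.split(".", 1)
        body = base64.b64decode(body_b64, validate=True)
        tag = base64.b64decode(tag_b64, validate=True)
    except ValueError:                   # malformed or missing label
        return None
    if not hmac.compare_digest(tag, hmac.new(key, body, hashlib.sha256).digest()):
        return None                      # forged or tampered label
    info = json.loads(body)
    now = time.time() if now is None else now
    if abs(now - info["ts"]) > max_age:
        return None                      # stale label: treated as unverified (replay guard)
    return info

def route(key, message, now=None):
    """Network-device side: decide allow / block / reroute from the verified label."""
    info = verify_label(key, message["header"].get(LABEL_HEADER, ""), now=now)
    if info is None:
        return "block"                   # unlabeled or unverifiable source
    if info["health"] != "ok":
        return "reroute"                 # e.g. divert through an inspection path
    return "allow" if info["app"] in ALLOWED_APPS else "block"
```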
Specification