REDUCING ERROR IN SECURITY ENFORCEMENT BY A NETWORK SECURITY SYSTEM (NSS)

US 20180309795A1
Filed: 04/20/2018
Published: 10/25/2018
Est. Priority Date: 04/21/2017
Status: Active Grant

First Claim

Patent Images

1. A computer-implemented method, including:

reducing error in security enforcement by a network security system (abbreviated NSS), includingthe NSS receiving over a monitored channel a plurality of connection access requests from an endpoint routing client running on a device, the requests including loss prevention inspectable requests and connection preserving requests;

the NSS decrypting an incoming connection access request and determining conformance or non-conformance of the connection access request with semantic and content requirements of a protocol established for the monitored channel;

based on the determination, the NSS classifying the connection access request as loss prevention inspectable or connection preserving;

in response to classifying the connection access request as loss prevention inspectable, the NSS forwarding the loss prevention inspectable connection access request to a data inspection and loss prevention appliance (abbreviated DILPA) for deep inspection, wherein the DILPA is interposed between the device and a first server at a destination specified by the loss prevention inspectable connection access request; and

in response to classifying the connection access request as connection preserving, the NSS sending the connection preserving connection access request to a second server at a destination specified by the connection preserving connection access request, preventing request termination and error generation by the NSS.

View all claims

1 Assignment

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

The technology disclosed relates to reducing error in security enforcement by a network security system (abbreviated NSS). The NSS classifies incoming connection access requests as loss prevention inspectable or connection preserving by determining their conformance or non-conformance with semantic and content requirements of HTTP and HTTPs protocols. The NSS forwards the loss prevention inspectable connection access requests to a data inspection and loss prevention appliance (abbreviated DILPA) for deep inspection. The NSS directly sends the connection preserving connection access requests to the destination servers, preventing connection termination and error generation.

Citations

20 Claims

1. A computer-implemented method, including:
- reducing error in security enforcement by a network security system (abbreviated NSS), includingthe NSS receiving over a monitored channel a plurality of connection access requests from an endpoint routing client running on a device, the requests including loss prevention inspectable requests and connection preserving requests;
  
  the NSS decrypting an incoming connection access request and determining conformance or non-conformance of the connection access request with semantic and content requirements of a protocol established for the monitored channel;
  
  based on the determination, the NSS classifying the connection access request as loss prevention inspectable or connection preserving;
  
  in response to classifying the connection access request as loss prevention inspectable, the NSS forwarding the loss prevention inspectable connection access request to a data inspection and loss prevention appliance (abbreviated DILPA) for deep inspection, wherein the DILPA is interposed between the device and a first server at a destination specified by the loss prevention inspectable connection access request; and
  
  in response to classifying the connection access request as connection preserving, the NSS sending the connection preserving connection access request to a second server at a destination specified by the connection preserving connection access request, preventing request termination and error generation by the NSS.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13, 14, 15, 16, 17, 18)
- - 2. The computer-implemented method of claim 1, wherein the semantic and content requirements apply to request methods, request header fields, request payload metadata, and request payload body content of the protocol established for the monitored channel.
  - 3. The computer-implemented method of claim 1, wherein the monitored channel is Port 80 and the established protocol is Hypertext Transfer Protocol (abbreviated HTTP).
  - 4. The computer-implemented method of claim 1, wherein the monitored channel is Port 443 and the established protocol is Hypertext Transfer Protocol Secure (abbreviated HTTPS).
  - 5. The computer-implemented method of claim 1, further including:
    - the NSS receiving over the monitored channel a plurality of connection access responses from destination servers, the responses including loss prevention inspectable responses and connection preserving responses;
      
      the NSS decrypting an incoming connection access response and determining conformance or non-conformance of the connection access response with semantic and content requirements of the protocol established for the monitored channel;
      
      based on the determination, the NSS classifying the connection access response as loss prevention inspectable or connection preserving;
      
      in response to classifying the connection access response as loss prevention inspectable, the NSS forwarding the loss prevention inspectable connection access response to the DILPA for deep inspection; and
      
      in response to classifying the connection access response as connection preserving, the NSS directly sending the connection preserving connection access response to a requesting client device, preventing response termination and error generation by the NSS.
  - 6. The computer-implemented method of claim 5, wherein the semantic and content requirements apply to response methods, response header fields, response payload metadata, and response payload body content of the protocol established for the monitored channel.
  - 7. The computer-implemented method of claim 1, further including the NSS:
    - receiving a given connection access request that invokes a requested non-HTTP protocol on a requested HTTP channel, and determining that the requested non-HTTP protocol is a connection preserving protocol based on non-conformance with the semantic and content requirements of the HTTP; and
      
      based on the determination, internally bypassing deep inspection by the DILPA of the given connection access request, including sending the given connection access request to a given destination server specified by the given connection access request and relaying responses from the given destination server directly to the device.
  - 8. The computer-implemented method of claim 1, further including the NSS:
    - receiving a given connection access request that invokes a requested non-HTTPS protocol on a requested HTTPS channel, and determining that the requested non-HTTPS protocol is a connection preserving protocol based on non-conformance with the semantic and content requirements of the HTTPS; and
      
      based on the determination, internally bypassing deep inspection by the DILPA of the given connection access request, including sending the given connection access request to a given destination server specified by the given connection access request and relaying responses from the given destination server directly to the device.
  - 9. The computer-implemented method of claim 1, further including the NSS:
    - receiving a given connection access request that invokes a requested non-HTTP protocol on a requested HTTPS channel, and determining that the requested non-HTTP protocol is a connection preserving protocol based on non-conformance with the semantic and content requirements of the HTTPS; and
      
      based on the determination, internally bypassing deep inspection by the DILPA of the given connection access request, including sending the given connection access request to a given destination server specified by the given connection access request and relaying responses from the given destination server directly to the device.
  - 10. The computer-implemented method of claim 1, further including the NSS:
    - receiving an incoming connection access request from the endpoint routing client, the connection access request issued by an application client running on the device and comprising a server name identification (abbreviated SNI) that identifies the application;
      
      looking up the SNI in an error bypass list and determining that the application client is pinned to an application-specific certificate and does not trust a NSS certificate; and
      
      based on the determination, internally bypassing deep inspection by the DILPA of the connection access request, including sending the connection access request to a destination server specified by the connection access request and relaying responses from the destination server directly to the device.
  - 11. The computer-implemented method of claim 1, further including the NSS:
    - receiving an incoming connection access request from the endpoint routing client, the connection access request issued by an application client running on the device and comprising a host header that identifies the application;
      
      looking up the host header in an error bypass list and determining that the application client is pinned to an application-specific certificate and does not trust a NSS certificate; and
      
      based on the determination, internally bypassing deep inspection by the DILPA of the connection access request, including sending the connection access request to a destination server specified by the connection access request and relaying responses from the destination server directly to the device.
  - 12. The computer-implemented method of claim 1, further including the NSS:
    - receiving a connection access request from the endpoint routing client, the connection access request issued by an application client running on the device and not comprising a server name identification (abbreviated SNI) that identifies the application;
      
      receiving a response to the connection access request from a destination server specified by the connection access request that comprises a certificate with the SNI which identifies the application;
      
      looking up the SNI in an error bypass list and determining that the application client is pinned to an application-specific certificate and does not trust a NSS certificate; and
      
      based on the determination, internally bypassing deep inspection by the DILPA of the response.
  - 13. The computer-implemented method of claim 1, further including the NSS:
    - receiving a connection access request from the endpoint routing client, the connection access request issued by an application client running on the device and not comprising a host header that identifies the application;
      
      receiving a response to the connection access request from a destination server specified by the connection access request that comprises a certificate with the host header which identifies the application;
      
      looking up the host header in an error bypass list and determining that the application client is pinned to an application-specific certificate and does not trust a NSS certificate; and
      
      based on the determination, internally bypassing deep inspection by the DILPA of the response.
  - 14. The computer-implemented method of claim 1, further including the NSS:
    - receiving, from a destination server, a connection access response comprising a certificate;
      
      inspecting the certificate for validation and detecting a certificate error; and
      
      based on the detection, internally bypassing deep inspection by the DILPA of the connection access response.
  - 15. The computer-implemented method of claim 14, wherein the certificate error is caused by at least one of an untrusted root certificate and an incomplete certificate chain.
  - 16. The computer-implemented method of claim 14, wherein the certificate error is caused by an unsupported cipher, further including blocking the connection access response.
  - 17. The computer-implemented method of claim 1, further including the NSS:
    - detecting a protocol error while processing a connection access request from a requesting client device; and
      
      preserving the connection access request by terminating further processing and directly forwarding the connection access request to a specified destination server.
  - 18. The computer-implemented method of claim 1, further including the NSS:
    - detecting a protocol error while processing a connection access response from a destination server; and
      
      preserving the connection access response by terminating further processing and directly forwarding the connection access response to a requesting client device.

19. A non-transitory computer readable storage medium impressed with computer program instructions to reduce error in security enforcement by a network security system (abbreviated NSS), the instructions, when executed on a processor, implement a method comprising:
- the NSS receiving over a monitored channel a plurality of connection access requests from an endpoint routing client running on a device, the requests including loss prevention inspectable requests and connection preserving requests;
  
  the NSS decrypting an incoming connection access request and determining conformance or non-conformance of the connection access request with semantic and content requirements of a protocol established for the monitored channel;
  
  based on the determination, the NSS classifying the connection access request as loss prevention inspectable or connection preserving;
  
  in response to classifying the connection access request as loss prevention inspectable, the NSS forwarding the loss prevention inspectable connection access request to a data inspection and loss prevention appliance (abbreviated DILPA) for deep inspection, wherein the DILPA is interposed between the device and a first server at a destination specified by the loss prevention inspectable connection access request; and
  
  in response to classifying the connection access request as connection preserving, the NSS sending the connection preserving connection access request to a second server at a destination specified by the connection preserving connection access request, preventing request termination and error generation by the NSS.

20. A system including one or more processors coupled to memory, the memory loaded with computer instructions to reduce error in security enforcement by a network security system (abbreviated NSS), the instructions, when executed on the processors, implement actions comprising:
- the NSS receiving over a monitored channel a plurality of connection access requests from an endpoint routing client running on a device, the requests including loss prevention inspectable requests and connection preserving requests;
  
  the NSS decrypting an incoming connection access request and determining conformance or non-conformance of the connection access request with semantic and content requirements of a protocol established for the monitored channel;
  
  based on the determination, the NSS classifying the connection access request as loss prevention inspectable or connection preserving;
  
  in response to classifying the connection access request as loss prevention inspectable, the NSS forwarding the loss prevention inspectable connection access request to a data inspection and loss prevention appliance (abbreviated DILPA) for deep inspection, wherein the DILPA is interposed between the device and a first server at a destination specified by the loss prevention inspectable connection access request; and
  
  in response to classifying the connection access request as connection preserving, the NSS sending the connection preserving connection access request to a second server at a destination specified by the connection preserving connection access request, preventing request termination and error generation by the NSS.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Netskope Incorporated
Original Assignee
Netskope Incorporated
Inventors
ITHAL, Ravi, NARAYANASWAMY, Krishna

Granted Patent

US 10,819,749 B2
Time in Patent Office

Days
Field of Search
US Class Current
CPC Class Codes

H04L 61/4511   using domain name system [DNS]

H04L 63/0227   Filtering policies mail mes...

H04L 63/029   Firewall traversal, e.g. tu...

H04L 63/0428   wherein the data content is...

H04L 63/0823   using certificates cryptogr...

H04L 63/10   for controlling access to d...

H04L 63/1408   by monitoring network traff...

H04L 63/1425   Traffic logging, e.g. anoma...

H04L 63/20   for managing network securi...

H04L 67/02   based on web technology, e....

H04L 69/22   Parsing or analysis of headers

REDUCING ERROR IN SECURITY ENFORCEMENT BY A NETWORK SECURITY SYSTEM (NSS)

First Claim

1 Assignment

0 Petitions

Accused Products

Abstract

Citations

20 Claims

Specification

Solutions

Use Cases

Quick Links

REDUCING ERROR IN SECURITY ENFORCEMENT BY A NETWORK SECURITY SYSTEM (NSS)

First Claim

1 Assignment

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

Citations

20 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links