Policy-driven kernel-based security implementation
Abstract
Improvements in security processing are disclosed which make security processing transparent to the application. Security processing (such as Secure Sockets Layer, "SSL", or Transport Layer Security, "TLS") is performed in, or controlled by, the protocol stack. The decision to enable security processing on a connection can be based on configuration data or security policy, and can also be controlled with explicit enablement directives. Directives may also be provided that allow applications to communicate with the security processing in the stack for other purposes. Functions within the protocol stack that need access to clear text can now be supported without loss of security processing capability. No modifications to application code, or in some cases only minor modifications (such as inclusion of code to invoke directives), are required to obtain this security processing. Improved offloading of security processing is also disclosed, which provides processing efficiencies over prior-art offloading techniques.
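The abstract's core mechanism is a per-connection decision, taken inside the stack from policy that is shared by every application on the host, optionally overridden by an explicit enablement directive from the application. As an added example (not code from the patent or its assignee), here is a user-space model in C of that decision: a rule table keyed on remote prefix, local port and application identity, a first-match lookup, and directive handling in which a program may always opt a connection in to encryption but may opt out only where the matching rule permits, so a directive cannot silently weaken policy. All names (struct conn, struct rule, policy_decide, decide_sample, the sample rules and addresses) are assumptions made for illustration; the sample policy is constructed.

```c
/* Added example (not code from the patent): a user-space model of the
 * policy-driven "selectably encrypt" decision the abstract describes.
 * Every name, field and rule below is an assumption made for illustration. */
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Host-order IPv4 address from dotted octets. */
#define IPV4(a, b, c, d) \
    (((uint32_t)(a) << 24) | ((uint32_t)(b) << 16) | ((uint32_t)(c) << 8) | (uint32_t)(d))

/* What the kernel does with a connection's traffic. */
enum sec_action { SEC_CLEAR = 0, SEC_ENCRYPT = 1 };

/* Explicit enablement directive an application may issue on one socket. */
enum sec_directive { DIR_NONE = 0, DIR_ENABLE = 1, DIR_DISABLE = 2 };

/* A connection as the transport layer sees it (hypothetical fields). */
struct conn {
    uint32_t remote_ip;          /* host byte order */
    uint16_t remote_port;
    uint16_t local_port;
    const char *app_name;        /* identity of the owning process, e.g. image name */
    enum sec_directive directive;
};

/* One rule of the shared security policy. Zero / NULL fields are wildcards. */
struct rule {
    uint32_t remote_net;         /* network prefix, host byte order */
    uint8_t prefix_len;          /* 0 = any remote address */
    uint16_t local_port;         /* 0 = any local port */
    const char *app_name;        /* NULL = any application */
    enum sec_action action;
    bool allow_disable;          /* may an application opt this traffic OUT? */
};

static bool ip_in_prefix(uint32_t ip, uint32_t net, uint8_t len)
{
    if (len == 0)
        return true;
    uint32_t mask = len >= 32 ? 0xFFFFFFFFu : ~((1u << (32 - len)) - 1u);
    return (ip & mask) == (net & mask);
}

static bool rule_matches(const struct rule *r, const struct conn *c)
{
    if (!ip_in_prefix(c->remote_ip, r->remote_net, r->prefix_len))
        return false;
    if (r->local_port != 0 && r->local_port != c->local_port)
        return false;
    if (r->app_name != NULL &&
        (c->app_name == NULL || strcmp(r->app_name, c->app_name) != 0))
        return false;
    return true;
}

/* First matching rule wins, so the administrator orders rules most specific
 * first. An application may always opt IN to encryption; it may opt OUT only
 * where the matching rule says so, so a directive cannot weaken policy silently. */
enum sec_action policy_decide(const struct rule *rules, size_t n, const struct conn *c)
{
    const struct rule *hit = NULL;
    for (size_t i = 0; i < n && hit == NULL; i++)
        if (rule_matches(&rules[i], c))
            hit = &rules[i];

    if (c->directive == DIR_ENABLE)
        return SEC_ENCRYPT;                  /* strengthening is always honored */
    if (hit == NULL)
        return SEC_CLEAR;                    /* no rule: leave the connection alone */
    if (c->directive == DIR_DISABLE && hit->allow_disable)
        return SEC_CLEAR;                    /* weakening only where policy permits */
    return hit->action;
}

/* Constructed sample policy, shared by every application on the host. */
static const struct rule sample_policy[] = {
    /* anything terminating on local port 443 is encrypted, no opt-out */
    { 0,                    0,  443, NULL,        SEC_ENCRYPT, false },
    /* the batch transfer program talking to 192.168.5.0/24 is encrypted,
     * but may opt a single connection out with an explicit directive */
    { IPV4(192, 168, 5, 0), 24, 0,   "batchxfer", SEC_ENCRYPT, true  },
    /* intranet 10.0.0.0/8 defaults to clear text */
    { IPV4(10, 0, 0, 0),    8,  0,   NULL,        SEC_CLEAR,   false },
};
#define SAMPLE_POLICY_LEN (sizeof sample_policy / sizeof sample_policy[0])

/* Convenience wrapper: decide one connection against the sample policy. */
enum sec_action decide_sample(uint32_t remote_ip, uint16_t local_port,
                              const char *app, enum sec_directive d)
{
    struct conn c = { remote_ip, 51000, local_port, app, d };
    return policy_decide(sample_policy, SAMPLE_POLICY_LEN, &c);
}

int main(void)
{
    /* Two different programs hit the same rule: the policy is not per-application. */
    printf("httpd    :443   <- 203.0.113.7            -> %s\n",
           decide_sample(IPV4(203, 0, 113, 7), 443, "httpd", DIR_NONE) ? "encrypt" : "clear");
    printf("proxyd   :443   <- 203.0.113.7  (opt-out) -> %s\n",
           decide_sample(IPV4(203, 0, 113, 7), 443, "proxyd", DIR_DISABLE) ? "encrypt" : "clear");
    printf("batchxfer:40000 <- 192.168.5.20 (opt-out) -> %s\n",
           decide_sample(IPV4(192, 168, 5, 20), 40000, "batchxfer", DIR_DISABLE) ? "encrypt" : "clear");
    printf("reportd  :8080  <- 10.1.2.3     (opt-in)  -> %s\n",
           decide_sample(IPV4(10, 1, 2, 3), 8080, "reportd", DIR_ENABLE) ? "encrypt" : "clear");
    return 0;
}
```

The model stops at the decision. The actual record-layer work sits below the socket; on Linux, for instance, the kernel TLS path is attached with setsockopt(fd, SOL_TCP, TCP_ULP, "tls", ...) and keyed through the TLS_TX and TLS_RX options once a handshake has produced keys, which is a different mechanism from the one the patent describes and is mentioned only as the modern analogue of "security processing in the operating system kernel". The one design point worth carrying over is the asymmetry in policy_decide: opting in costs nothing, opting out is gated on a rule, so an application bug or a hostile program cannot turn a policy-mandated encrypted connection into clear text.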
17 Claims
1. A method of improving security processing in a computing network, comprising:
providing security processing in an operating system kernel;
providing first and second application programs which make use of the operating system kernel during execution;
providing security policy information that is usable for more than one executing application program;
executing the first application program;
selectably encrypting at least one remote communication of the executing first application program using the provided security processing in the operating system kernel, under conditions specified by the security policy information;
executing the second application program; and
selectably encrypting at least one remote communication of the executing second application program using the provided security processing in the operating system kernel, under conditions specified by the security policy information.
(Dependent claims 2 through 15 are not reproduced on this page.)
16. A system for improving security processing in a computing network, comprising:
means for performing security processing in an operating system kernel;
security policy information that is usable for more than one executing application program, specifying at least one condition under which the means for performing security processing is to be activated;
means for executing first and second application programs which make use of the operating system kernel during execution;
means for selectably encrypting, according to the conditions specified by the security policy information, at least one remote communication of the executing first application program and at least one remote communication of the executing second application program using the means for performing security processing.
17. A computer program product for improving security processing in a computing network, the computer program product comprising:
a computer usable medium having computer readable program code embodied therein, the computer usable medium comprising:
computer-readable program code configured to perform security processing in an operating system kernel;
computer-readable program code configured to access security policy information that is usable for more than one executing application program, the security policy information specifying at least one condition under which the computer-readable program code configured to perform security processing is to be activated;
computer-readable program code configured to execute first and second application programs which make use of the operating system kernel during execution; and
computer-readable program code configured to selectably encrypt, according to the conditions specified by the security policy information, at least one remote communication of the executing first application program and at least one remote communication of the executing second application program using the computer-readable program code configured to perform security processing.