Performing security functions on a message payload in a network element
First Claim
1. A method of performing security functions on a message payload in a network element, the method comprising the computer-implemented steps of:
- intercepting, at the network element, one or more data packets comprising network layer or transport layer headers having a destination address that differs from an address of the network element;
- determining whether the headers of the data packets match a particular set of criteria;
- in response to determining that the headers of the data packets do not match the particular set of criteria, forwarding the data packets to the destination address without performing one or more security functions; and
- in response to determining that the headers of the data packets match the particular set of criteria, determining whether to perform the one or more security functions relative to at least a portion of an application layer message by performing, at the network element:
- assembling payloads of the data packets into at least a portion of an application layer message;
- determining whether the portion of the application layer message satisfies second criteria associated with a known message classification;
- in response to determining that the portion of the application layer message does not satisfy the second criteria, forwarding the data packets to the destination address without performing the one or more security functions; and
- in response to determining that the portion of the application layer message satisfies the second criteria, performing the one or more security functions on at least the portion of the application layer message;
- wherein each of the one or more security functions is any of an encryption function, a decryption function, a digest function, an authentication function, an authorization function, or an auditing function.
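As an added illustration of the two-stage decision in claim 1 (example code written for this page, not code from the patent), assuming TCP port 80 as the header criteria, an HTTP POST under /api/ as the known message classification, and a digest plus an audit record as the security function; the packets, element address and paths are all constructed for the example.

```python
import hashlib
from dataclasses import dataclass

# Assumed address of the network element itself; packets addressed here are not "intercepted".
ELEMENT_ADDR = "10.0.0.1"


@dataclass
class Packet:
    """Constructed stand-in for a TCP/IP packet: the header fields the filter needs plus a payload fragment."""
    dst_addr: str
    dst_port: int
    seq: int
    payload: bytes


def headers_match(pkt: Packet) -> bool:
    """First criteria (assumed): transit traffic, i.e. not addressed to this element, bound for TCP port 80."""
    return pkt.dst_addr != ELEMENT_ADDR and pkt.dst_port == 80


def assemble(pkts: list[Packet]) -> bytes:
    """Reassemble payload fragments in sequence order into (a portion of) the application-layer message."""
    return b"".join(p.payload for p in sorted(pkts, key=lambda p: p.seq))


def classify(msg: bytes):
    """Second criteria (assumed): a known classification, here an HTTP POST to a path under /api/."""
    request_line = msg.split(b"\r\n", 1)[0]
    return "api-post" if request_line.startswith(b"POST /api/") else None


def digest_of(msg: bytes) -> str:
    """The security function used in this example: a SHA-256 digest of the reassembled message."""
    return hashlib.sha256(msg).hexdigest()


def process_flow(pkts: list[Packet]) -> dict:
    """Apply the decision procedure of claim 1 to one flow and return what the element did with it."""
    if not pkts or not all(headers_match(p) for p in pkts):
        return {"action": "forward", "security": None}      # header miss: forward untouched
    msg = assemble(pkts)
    cls = classify(msg)
    if cls is None:
        return {"action": "forward", "security": None}      # classification miss: forward untouched
    # Classification hit: run the security function, then forward with an audit record.
    return {"action": "forward", "security": "digest", "class": cls,
            "sha256": digest_of(msg), "audit": f"{cls}: {len(msg)} byte message digested"}
```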
Abstract
Techniques are provided for performing security functions on a message payload in a network element. According to one aspect, a network element receives one or more data packets. The network element performs a security function on at least a portion of an application layer message that is contained in one or more payload portions of the one or more data packets. According to another aspect, a network element receives a first request that is destined for a first application. The network element sends, to a second application that sent the first request, a second request for authentication information. The network element receives the authentication information and determines whether the authentication information is valid. If the authentication information is not valid, then the network element prevents the first request from being sent to the first application.
50 Claims
1. A method of performing security functions on a message payload in a network element, the method comprising the computer-implemented steps of:
- intercepting, at the network element, one or more data packets comprising network layer or transport layer headers having a destination address that differs from an address of the network element;
- determining whether the headers of the data packets match a particular set of criteria;
- in response to determining that the headers of the data packets do not match the particular set of criteria, forwarding the data packets to the destination address without performing one or more security functions; and
- in response to determining that the headers of the data packets match the particular set of criteria, determining whether to perform the one or more security functions relative to at least a portion of an application layer message by performing, at the network element:
- assembling payloads of the data packets into at least a portion of an application layer message;
- determining whether the portion of the application layer message satisfies second criteria associated with a known message classification;
- in response to determining that the portion of the application layer message does not satisfy the second criteria, forwarding the data packets to the destination address without performing the one or more security functions; and
- in response to determining that the portion of the application layer message satisfies the second criteria, performing the one or more security functions on at least the portion of the application layer message;
- wherein each of the one or more security functions is any of an encryption function, a decryption function, a digest function, an authentication function, an authorization function, or an auditing function.

25. A volatile or non-volatile computer-readable medium carrying one or more sequences of instructions for performing security functions on a message payload in a network element, which instructions, when executed by one or more processors, cause the one or more processors to carry out the steps of:
- intercepting, at the network element, one or more data packets comprising network layer or transport layer headers having a destination address that differs from an address of the network element;
- determining whether the headers of the data packets match a particular set of criteria;
- in response to determining that the headers of the data packets do not match the particular set of criteria, forwarding the data packets to the destination address without performing one or more security functions; and
- in response to determining that the headers of the data packets match the particular set of criteria, determining whether to perform the one or more security functions relative to at least a portion of an application layer message by performing, at the network element:
- assembling payloads of the data packets into at least a portion of an application layer message;
- determining whether the portion of the application layer message satisfies second criteria associated with a known message classification;
- in response to determining that the portion of the application layer message does not satisfy the second criteria, forwarding the data packets to the destination address without performing the one or more security functions; and
- in response to determining that the portion of the application layer message satisfies the second criteria, performing the one or more security functions on at least the portion of the application layer message;
- wherein each of the one or more security functions is any of an encryption function, a decryption function, a digest function, an authentication function, an authorization function, or an auditing function.

26. An apparatus for performing security functions on a message payload in a network element, comprising:
- one or more processors;
- means for intercepting, at the network element, one or more data packets comprising network layer or transport layer headers having a destination address that differs from an address of the network element;
- means for determining whether the headers of the data packets match a particular set of criteria;
- means for forwarding, in response to determining that the headers of the data packets do not match the particular set of criteria, the data packets to the destination address without performing one or more security functions; and
- means for determining whether to perform, at the network element, in response to determining that the headers of the data packets match the particular set of criteria, the one or more security functions relative to at least a portion of an application layer message by performing, comprising:
- means for assembling payloads of the data packets into at least a portion of an application layer message;
- means for determining whether the portion of the application layer message satisfies second criteria associated with a known message classification;
- means for forwarding, in response to determining that the portion of the application layer message does not satisfy the second criteria, the data packets to the destination address without performing the one or more security functions; and
- means for performing, in response to determining that the portion of the application layer message satisfies the second criteria, the one or more security functions on at least the portion of the application layer message;
- wherein each of the one or more security functions is any of an encryption function, a decryption function, a digest function, an authentication function, an authorization function, or an auditing function.

27. An apparatus for performing security functions on a message payload in a network element, comprising:
- a network interface that is coupled to a data network for receiving one or more packet flows therefrom;
- a processor;
- one or more stored sequences of instructions which, when executed by the processor, cause the processor to carry out the steps of:
- intercepting, at the network element, one or more data packets comprising network layer or transport layer headers having a destination address that differs from an address of the network element;
- determining whether the headers of the data packets match a particular set of criteria;
- in response to determining that the headers of the data packets do not match the particular set of criteria, forwarding the data packets to the destination address without performing one or more security functions; and
- in response to determining that the headers of the data packets match the particular set of criteria, determining whether to perform the one or more security functions relative to at least a portion of an application layer message by performing, at the network element:
- assembling payloads of the data packets into at least a portion of an application layer message;
- determining whether the portion of the application layer message satisfies second criteria associated with a known message classification;
- in response to determining that the portion of the application layer message does not satisfy the second criteria, forwarding the data packets to the destination address without performing the one or more security functions; and
- in response to determining that the portion of the application layer message satisfies the second criteria, performing the one or more security functions on at least the portion of the application layer message;
- wherein each of the one or more security functions is any of an encryption function, a decryption function, a digest function, an authentication function, an authorization function, or an auditing function.

Specification