Performing security functions on a message payload in a network element

US 7,496,750 B2
Filed: 12/07/2004
Issued: 02/24/2009
Est. Priority Date: 12/07/2004
Status: Expired due to Fees

First Claim

Patent Images

1. A method of performing security functions on a message payload in a network element, the method comprising the computer-implemented steps of:

intercepting, at the network element, one or more data packets comprising network layer or transport layer headers having a destination address that differs from an address of the network element;

determining whether the headers of the data packets match a particular set of criteria;

in response to determining that the headers of the data packets do not match the particular set of criteria, forwarding the data packets to the destination address without performing one or more security functions; and

in response to determining that the headers of the data packets match the particular set of criteria, determining whether to perform the one or more security functions relative to at least a portion of an application layer message by performing, at the network element;

assembling payloads of the data packets into at least a portion of an application layer message;

determining whether the portion of the application layer message satisfies second criteria associated with a known message classification;

in response to determining that the portion of the application layer message does not satisfy the second criteria, forwarding the data packets to the destination address without performing the one or more security functions; and

in response to determining that the portion of the application layer message satisfies the second criteria, performing the one or more security functions on at least the portion of the application layer message;

wherein each of the one or more security functions is any of an encryption function, a decryption function, a digest function, an authentication function, an authorization function, or an auditing function.

View all claims

1 Assignment

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

Techniques are provided for performing security functions on a message payload in a network element. According to one aspect, a network element receives one or more data packets. The network element performs a security function on at least a portion of an application layer message that is contained in one or more payload portions of the one or more data packets. According to another aspect, a network element receives a first request that is destined for a first application. The network element sends, to a second application that sent the first request, a second request for authentication information. The network element receives the authentication information and determines whether the authentication information is valid. If the authentication information is not valid, then the network element prevents the first request from being sent to the first application.

Citations

50 Claims

1. A method of performing security functions on a message payload in a network element, the method comprising the computer-implemented steps of:
- intercepting, at the network element, one or more data packets comprising network layer or transport layer headers having a destination address that differs from an address of the network element;
  
  determining whether the headers of the data packets match a particular set of criteria;
  
  in response to determining that the headers of the data packets do not match the particular set of criteria, forwarding the data packets to the destination address without performing one or more security functions; and
  
  in response to determining that the headers of the data packets match the particular set of criteria, determining whether to perform the one or more security functions relative to at least a portion of an application layer message by performing, at the network element;
  
  assembling payloads of the data packets into at least a portion of an application layer message;
  
  determining whether the portion of the application layer message satisfies second criteria associated with a known message classification;
  
  in response to determining that the portion of the application layer message does not satisfy the second criteria, forwarding the data packets to the destination address without performing the one or more security functions; and
  
  in response to determining that the portion of the application layer message satisfies the second criteria, performing the one or more security functions on at least the portion of the application layer message;
  
  wherein each of the one or more security functions is any of an encryption function, a decryption function, a digest function, an authentication function, an authorization function, or an auditing function.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13, 14, 15, 16, 17, 18, 19, 20, 21, 22, 23, 24)
- - 2. A method as recited in claim 1, wherein the particular set of criteria comprises at least one of an IP source address, an IP destination address, a TCP source port, and a TCP destination port.
  - 3. A method as recited in claim 1, wherein performing the one or more security functions comprises performing the one or more security functions using a cryptographic key that is associated with an application, wherein the application is one of (a) an application that sent the one or more data packets and (b) an application for which the one or more data packets are destined.
  - 4. A method as recited in claim 3, wherein the cryptographic key is stored at the network element.
  - 5. A method as recited in claim 3, wherein the cryptographic key is managed by a central console that is separate from the network element, wherein the central console distributes cryptographic keys and manages lifecycles of cryptographic keys.
  - 6. A method as recited in claim 1, further comprising:
    - sending, from the network element, one or more data packets that contain at least an encrypted portion of the application layer message, wherein the one or more data packets received by the network element contained an unencrypted version of the encrypted portion.
  - 7. A method as recited in claim 1, further comprising:
    - sending, from the network element, one or more data packets that contain at least a decrypted portion of the application layer message, wherein the one or more data packets received by the network element contained an encrypted version of the decrypted portion.
  - 8. A method as recited in claim 1, wherein the network element is a network switch or router.
  - 9. A method as recited in claim 1, further comprising:
    - generating, at the network element, a digest based on the message;
      
      wherein performing the one or more security functions comprises encrypting the digest, thereby signing the message.
  - 10. A method as recited in claim 1, further comprising:
    - generating, at the network element, a first digest based on the message; and
      
      comparing the first digest to a second digest, thereby verifying the message;
      
      wherein performing the one or more security functions comprises decrypting the second digest.
  - 11. A method as recited in claim 1, wherein performing the particular functions on at least the portion of the application layer message comprises performing the one or more security functions on a portion of the application layer message that is located at a user-specified path in an XML document or a non-XML document.
  - 12. A method as recited in claim 1, wherein the application layer message comprises a multi-part MIME message, and further comprising handling each part of the multi-part MIME message separately and independently from each other part of the multi-part MIME message.
  - 13. A method as recited in claim 1, further comprising:
    - determining, from information contained in the one or more data packets, an identity of a sender or intended receiver of the one or more data packets;
      
      wherein performing the one or more security functions comprises performing the functions using a key that is associated with the identity.
  - 14. A method as recited in claim 1, further comprising:
    - determining a type of credential that is contained in the one or more data packets;
      
      based on the type of credential, selecting, from among a plurality of credential stores, a particular credential store that is associated with the type of credential; and
      
      comparing the credential with a credential that is stored in the particular credential store.
  - 15. A method as recited in claim 1, further comprising:
    - determining a type of credential that is contained in the one or more data packets;
      
      based on the type of credential, selecting, from among a plurality of destinations, a particular destination that is associated with the type of credential; and
      
      sending at least a portion of the application layer message toward the particular destination.
  - 16. A method as recited in claim 1, further comprising:
    - performing, at the network element, a function on a message that is a request message, a response message, an exception processing message, or a message that was not sent between a client application and a server application as a result of an event or trigger that occurred on the network element.
  - 17. A method as recited in claim 1, further comprising:
    - determining a particular content that is specified in the application layer message;
      
      determining whether the particular content satisfies a set of constraints; and
      
      in response to determining that the particular content satisfies the set of constraints, performing one or more specified actions.
  - 18. A method as recited in claim 1, further comprising:
    - looking up security information that is mapped to a username token that is specified in the application layer message; and
      
      sending the security information to a receiving application on behalf of a sending application;
      
      wherein the security information is a certificate or an assertion.
  - 19. A method as recited in claim 1, further comprising:
    - generating security information that is mapped to a username token that is specified in the application layer message; and
      
      sending the security information to a receiving application on behalf of a sending application;
      
      wherein the security information is a certificate or an assertion.
  - 20. A method as recited in claim 1, further comprising:
    - determining a first assertion that is contained in the application layer message;
      
      determining a second assertion that is contained in the application layer message, wherein the second assertion differs from the first assertion, and wherein the second assertion is an authoritative certification by a trusted authority concerning the application from which the application layer message originated;
      
      verifying the first assertion; and
      
      verifying the second assertion.
  - 21. A method as recited in claim 1, further comprising:
    - sending a challenge to an application;
      
      receiving a challenge-response that originated from the application;
      
      determining whether the challenge-response satisfies the challenge; and
      
      in response to determining that the challenge-response satisfies the challenge, performing one or more specified actions.
  - 22. A method as recited in claim 1, further comprising:
    - sending at least a portion of the application layer message using both a first application layer protocol and Secure Sockets Layer (SSL) protocol;
      
      wherein the application layer message was received at the network element using both SSL protocol and a second application layer protocol that differs from the first application layer protocol.
  - 23. A method as recited in claim 1, further comprising:
    - sending at least a portion of the application layer message using Secure Sockets Layer (SSL) protocol;
      
      wherein the application layer message was received at the network element as clear text.
  - 24. A method as recited in claim 1, further comprising:
    - sending at least a portion of the application layer message as clear text;
      
      wherein the application layer message was received at the network element using Secure Sockets Layer (SSL) protocol.

25. A volatile or non-volatile computer-readable medium carrying one or more sequences of instructions for performing security functions on a message payload in a network element, which instructions, when executed by one or more processors, cause the one or more processors to carry out the steps of:
- intercepting, at the network element, one or more data packets comprising network layer or transport layer headers having a destination address that differs from an address of the network element;
  
  determining whether the headers of the data packets match a particular set of criteria;
  
  in response to determining that the headers of the data packets do not match the particular set of criteria, forwarding the data packets to the destination address without performing one or more security functions; and
  
  in response to determining that the headers of the data packets match the particular set of criteria, determining whether to perform the one or more security functions relative to at least a portion of an application layer message by performing, at the network element;
  
  assembling payloads of the data packets into at least a portion of an application layer message;
  
  determining whether the portion of the application layer message satisfies second criteria associated with a known message classification;
  
  in response to determining that the portion of the application layer message does not satisfy the second criteria, forwarding the data packets to the destination address without performing the one or more security functions; and
  
  in response to determining that the portion of the application layer message satisfies the second criteria, performing the one or more security functions on at least the portion of the application layer message;
  
  wherein each of the one or more security functions is any of an encryption function, a decryption function, a digest function, an authentication function, an authorization function, or an auditing function.

26. An apparatus for performing security functions on a message payload in a network element, comprising:
- one or more processors;
  
  means for intercepting, at the network element, one or more data packets comprising network layer or transport layer headers having a destination address that differs from an address of the network element;
  
  means for determining whether the headers of the data packets match a particular set of criteria;
  
  means for forwarding, in response to determining that the headers of the data packets do not match the particular set of criteria, the data packets to the destination address without performing one or more security functions; and
  
  means for determining whether to perform, at the network element, in response to determining that the headers of the data packets match the particular set of criteria, the one or more security functions relative to at least a portion of an application layer message by performing, comprising;
  
  means for assembling payloads of the data packets into at least a portion of an application layer message;
  
  means for determining whether the portion of the application layer message satisfies second criteria associated with a known message classification;
  
  means for forwarding, in response to determining that the portion of the application layer message does not satisfy the second criteria, the data packets to the destination address without performing the one or more security functions; and
  
  means for performing, in response to determining that the portion of the application layer message satisfies the second criteria, the one or more security functions on at least the portion of the application layer message;
  
  wherein each of the one or more security functions is any of an encryption function, a decryption function, a digest function, an authentication function, an authorization function, or an auditing function.

27. An apparatus for performing security functions on a message payload in a network element, comprising:
- a network interface that is coupled to a data network for receiving one or more packet flows therefrom;
  
  a processor;
  
  one or more stored sequences of instructions which, when executed by the processor, cause the processor to carry out the steps of;
  
  intercepting, at the network element, one or more data packets comprising network layer or transport layer headers having a destination address that differs from an address of the network element;
  
  determining whether the headers of the data packets match a particular set of criteria;
  
  in response to determining that the headers of the data packets do not match the particular set of criteria, forwarding the data packets to the destination address without performing one or more security functions; and
  
  in response to determining that the headers of the data packets match the particular set of criteria, determining whether to perform the one or more security functions relative to at least a portion of an application layer message by performing, at the network element;
  
  assembling payloads of the data packets into at least a portion of an application layer message;
  
  determining whether the portion of the application layer message satisfies second criteria associated with a known message classification;
  
  in response to determining that the portion of the application layer message does not satisfy the second criteria, forwarding the data packets to the destination address without performing the one or more security functions; and
  
  in response to determining that the portion of the application layer message satisfies the second criteria, performing the one or more security functions on at least the portion of the application layer message;
  
  wherein each of the one or more security functions is any of an encryption function, a decryption function, a digest function, an authentication function, an authorization function, or an auditing function.
- View Dependent Claims (28, 29, 30, 31, 32, 33, 34, 35, 36, 37, 38, 39, 40, 41, 42, 43, 44, 45, 46, 47, 48, 49, 50)
- - 28. The apparatus of claim 27, wherein the particular set of criteria comprises at least one of an IP source address, an IP destination address, a TCP source port, and a TCP destination port.
  - 29. The apparatus of claim 27, wherein performing the one or more security functions comprises performing the particular functions using a cryptographic key that is associated with an application, wherein the application is one of (a) an application that sent the one or more data packets and (b) an application for which the one or more data packets are destined.
  - 30. The apparatus of claim 29, wherein the cryptographic key is stored at the network element.
  - 31. The apparatus of claim 29, wherein the cryptographic key is managed by a central console that is separate from the network element, wherein the central console distributes cryptographic keys and manages lifecycles of cryptographic keys.
  - 32. The apparatus of claim 27, wherein the sequences of instructions further comprises instructions, which, when executed by the processor, cause the processor to carry out the steps of:
    - sending, from the network element, one or more data packets that contain at least an encrypted portion of the application layer message, wherein the one or more data packets received by the network element contained an unencrypted version of the encrypted portion.
  - 33. The apparatus of claim 27, wherein the sequences of instructions further comprises instructions, which, when executed by the processor, cause the processor to carry out the steps of:
    - sending, from the network element, one or more data packets that contain at least a decrypted portion of the application layer message, wherein the one or more data packets received by the network element contained an encrypted version of the decrypted portion.
  - 34. The apparatus of claim 27, wherein the sequences of instructions further comprises instructions, which, when executed by the processor, cause the processor to carry out the steps of:
    - generating, at the network element, a digest based on the message;
      
      wherein performing the one or more security functions comprises encrypting the digest, thereby signing the message.
  - 35. The apparatus of claim 27, wherein the sequences of instructions further comprises instructions, which, when executed by the processor, cause the processor to carry out the steps of:
    - generating, at the network element, a first digest based on the message; and
      
      comparing the first digest to a second digest, thereby verifying the message;
      
      wherein performing the one or more security functions comprises decrypting the second digest.
  - 36. The apparatus of claim 27, wherein performing the one or more security functions on at least the portion of the application layer message comprises performing the one or more security functions on a portion of the application layer message that is located at a user-specified path in an XML document or a non-XML document.
  - 37. The apparatus of claim 27, wherein the application layer message comprises a multi-part MIME message, and further comprising handling each part of the multi-part MIME message separately and independently from each other part of the multi-part MIME message.
  - 38. The apparatus of claim 27, wherein the sequences of instructions further comprises instructions, which, when executed by the processor, cause the processor to carry out the steps of:
    - determining, from information contained in the one or more data packets, an identity of a sender or intended receiver of the one or more data packets;
      
      wherein performing the one or more security functions comprises performing the functions using a key that is associated with the identity.
  - 39. The apparatus of claim 27, wherein the sequences of instructions further comprises instructions, which, when executed by the processor, cause the processor to carry out the steps of:
    - determining, from information contained in the one or more data packets, an identity of a sender or intended receiver of the one or more data packets;
      
      wherein performing the one or more security function wherein the sequences of instructions further comprises instructions, which, when executed by the processor, cause the processor to carry out the steps of;
      
      comprises performing the functions using a key that is associated with the identity.
  - 40. The apparatus of claim 27, wherein the sequences of instructions further comprises instructions, which, when executed by the processor, cause the processor to carry out the steps of:
    - determining a type of credential that is contained in the one or more data packets;
      
      based on the type of credential, selecting, from among a plurality of destinations, a particular destination that is associated with the type of credential; and
      
      sending at least a portion of the application layer message toward the particular destination.
  - 41. The apparatus of claim 27, wherein the sequences of instructions further comprises instructions, which, when executed by the processor, cause the processor to carry out the steps of:
    - performing, at the network element, a function on a message that is a request message, a response message, an exception processing message, or a message that was not sent between a client application and a server application as a result of an event or trigger that occurred on the network element.
  - 42. The apparatus of claim 27, wherein the sequences of instructions further comprises instructions, which, when executed by the processor, cause the processor to carry out the steps of:
    - determining a particular content that is specified in the application layer message;
      
      determining whether the particular content satisfies a set of constraints; and
      
      in response to determining that the particular content satisfies the set of constraints, performing one or more specified actions.
  - 43. The apparatus of claim 27, wherein the sequences of instructions further comprises instructions, which, when executed by the processor, cause the processor to carry out the steps of:
    - looking up security information that is mapped to a username token that is specified in the application layer message; and
      
      sending the security information to a receiving application on behalf of a sending application;
      
      wherein the security information is a certificate or an assertion.
  - 44. The apparatus of claim 27, wherein the sequences of instructions further comprises instructions, which, when executed by the processor, cause the processor to carry out the steps of:
    - generating security information that is mapped to a username token that is specified in the application layer message; and
      
      sending the security information to a receiving application on behalf of a sending application;
      
      wherein the security information is a certificate or an assertion.
  - 45. The apparatus of claim 27, wherein the sequences of instructions further comprises instructions, which, when executed by the processor, cause the processor to carry out the steps of:
    - determining a first assertion that is contained in the application layer message;
      
      determining a second assertion that is contained in the application layer message, wherein the second assertion differs from the first assertion, and wherein the second assertion is an authoritative certification by a trusted authority concerning the application from which the application layer message originated;
      
      verifying the first assertion; and
      
      verifying the second assertion.
  - 46. The apparatus of claim 27, wherein the sequences of instructions further comprises instructions, which, when executed by the processor, cause the processor to carry out the steps of:
    - sending a challenge to an application;
      
      receiving a challenge-response that originated from the application;
      
      determining whether the challenge-response satisfies the challenge; and
      
      in response to determining that the challenge-response satisfies the challenge, performing one or more specified actions.
  - 47. The apparatus of claim 27, wherein the sequences of instructions further comprises instructions, which, when executed by the processor, cause the processor to carry out the steps of:
    - sending at least a portion of the application layer message using both a first application layer protocol and Secure Sockets Layer (SSL) protocol;
      
      wherein the application layer message was received at the network element using both SSL protocol and a second application layer protocol that differs from the first application layer protocol.
  - 48. The apparatus of claim 27, wherein the sequences of instructions further comprises instructions, which, when executed by the processor, cause the processor to carry out the steps of:
    - sending at least a portion of the application layer message using Secure Sockets Layer (SSL) protocol;
      
      wherein the application layer message was received at the network element as clear text.
  - 49. The apparatus of claim 27, wherein the sequences of instructions further comprises instructions, which, when executed by the processor, cause the processor to carry out the steps of:
    - sending at least a portion of the application layer message as clear text;
      
      wherein the application layer message was received at the network element using Secure Sockets Layer (SSL) protocol.
  - 50. The apparatus of claim 27, wherein the network element is a network router.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Cisco Technology, Inc. (Cisco Systems, Inc.)
Original Assignee
Cisco Technology, Inc. (Cisco Systems, Inc.)
Inventors
Iyer, Subramanian N., Srinivasan, Subramanian, Kumar, Sandeep, Anthias, Tefcros, Wiborg, Christopher R.
Primary Examiner(s)
COLIN, CARL G

Application Number

US11/007,421
Publication Number

US 20060123226A1
Time in Patent Office

1,540 Days
Field of Search

713/153, 713/154, 713/160, 726/13, 370/351, 370/389, 709/226
US Class Current

713/154
CPC Class Codes

H04L 63/0281   Proxies

H04L 63/0428   wherein the data content is...

H04L 63/08   for authentication of entit...

H04L 63/104   Grouping of entities

H04L 63/123   received data contents, e.g...

H04L 63/20   for managing network securi...

Performing security functions on a message payload in a network element

First Claim

1 Assignment

0 Petitions

Accused Products

Abstract

Citations

50 Claims

Specification

Solutions

Use Cases

Quick Links

Performing security functions on a message payload in a network element

First Claim

1 Assignment

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

Citations

50 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links