Methods and apparatus for trusted application centric QoS provisioning
Abstract
A security agent extends the trust barrier, or trust point, from network gateway nodes to end user devices. A security agent operable to scrutinize network traffic executes on the user device and compares QoS marking attempts with the established QoS marking policy in effect. The security agent examines network traffic attributes deterministic of connection attempts by user processes. Attempts to apply inappropriate or disallowed QoS markings, as dictated by the QoS marking policy, are detected and disallowed. Therefore, only user connections consistent with the QoS marking policy are permitted into the network. Network admission control (NAC) mechanisms ensure that the security agent is the only access point from the user device to the secure network, and the security agent communicates the establishment of the trusted access point to the network gateway, thus ensuring that the network gateway may trust service level designations emanating from the user device executing the security agent.
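The abstract describes two cooperating checks: an agent on the user device that compares each application's QoS marking attempt with the marking policy in effect and admits only policy-consistent connections, and a gateway that honours service level designators only from hosts whose agent has announced itself as the trusted access point. The following Python simulation, written for this page and not taken from the patent or any product implementing it, models both checks. The DSCP values are the standard EF and AF31 code points; the application names, the policy table, the hypothetical `app` attribute on a packet and the sample packets are all constructed for illustration.

```python
"""Simulation of trusted, application-centric QoS marking (constructed example).

A SecurityAgent on the host scrutinizes outbound packets, rejects marking
attempts the MarkingPolicy does not allow, and sets the policy's service
level designator on the rest.  A Gateway honours designators only from hosts
whose agent has registered the trusted environment with it.
"""
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple

# Standard DSCP code points used as service level designators.
DSCP_BEST_EFFORT = 0
DSCP_AF31 = 26
DSCP_EF = 46


@dataclass
class Packet:
    src_host: str
    app: str       # hypothetical: the user process that opened the connection
    dscp: int      # value the process asked for in the IP DS field


@dataclass
class MarkingPolicy:
    """Application name -> DSCP the agent is allowed to set for it."""
    allowed: Dict[str, int]
    default: int = DSCP_BEST_EFFORT

    def permitted(self, app: str) -> int:
        return self.allowed.get(app, self.default)


@dataclass
class SecurityAgent:
    """Runs on the user device; every outbound packet passes through it."""
    host: str
    policy: MarkingPolicy
    rejected: List[Tuple[str, int]] = field(default_factory=list)

    def scrutinize(self, pkt: Packet) -> Optional[Packet]:
        permitted = self.policy.permitted(pkt.app)
        # A process asking for a mark other than best effort or its policy value
        # is attempting a disallowed marking: the connection is not admitted.
        if pkt.dscp not in (DSCP_BEST_EFFORT, permitted):
            self.rejected.append((pkt.app, pkt.dscp))
            return None
        # Otherwise the agent itself sets the designator from the policy.
        return Packet(pkt.src_host, pkt.app, permitted)


class Gateway:
    """Network gateway that trusts designators only from registered agents."""

    def __init__(self) -> None:
        self.trusted_hosts = set()

    def register_agent(self, host: str) -> None:
        """Called when an agent communicates that its trusted environment exists."""
        self.trusted_hosts.add(host)

    def classify(self, pkt: Packet) -> int:
        if pkt.src_host in self.trusted_hosts:
            return pkt.dscp
        # No trusted agent on the source: its markings are not honoured.
        return DSCP_BEST_EFFORT


def process(agent: SecurityAgent, gateway: Gateway, packets: List[Packet]) -> List[Optional[int]]:
    """Return the DSCP the gateway will enforce per packet; None means the agent dropped it."""
    result = []
    for pkt in packets:
        marked = agent.scrutinize(pkt)
        result.append(None if marked is None else gateway.classify(marked))
    return result


# Constructed demo data: one trusted host, a policy for two applications,
# and four marking attempts.
DEMO_POLICY = MarkingPolicy({"voip": DSCP_EF, "video": DSCP_AF31})
DEMO_PACKETS = [
    Packet("host-a", "voip", DSCP_BEST_EFFORT),   # allowed app, agent marks EF
    Packet("host-a", "browser", DSCP_EF),         # disallowed attempt, dropped
    Packet("host-a", "video", DSCP_BEST_EFFORT),  # allowed app, agent marks AF31
    Packet("host-a", "browser", DSCP_BEST_EFFORT) # stays best effort
]


def run_demo() -> Tuple[List[Optional[int]], List[Tuple[str, int]], int]:
    gateway = Gateway()
    gateway.register_agent("host-a")
    agent = SecurityAgent("host-a", DEMO_POLICY)
    decisions = process(agent, gateway, DEMO_PACKETS)
    # A host with no registered agent cannot self-assign EF.
    untrusted = gateway.classify(Packet("host-b", "voip", DSCP_EF))
    return decisions, agent.rejected, untrusted


if __name__ == "__main__":
    print(run_demo())
```

The two checks are deliberately independent: the agent blocks disallowed marking attempts before they leave the host, and the gateway re-marks traffic from any host that never registered an agent, so a device that bypasses or lacks the agent gains nothing by writing its own designators.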
24 Claims
1. A method of identifying prioritized network traffic comprising:
establishing a trusted environment operable to scrutinize network traffic sent via a particular node;
communicating the establishment of the trusted environment to a data communications device coupled to a communications network;
establishing a connection operable to transport network traffic to the communications network on behalf of a particular application; and
selectively identifying network traffic corresponding to the particular application;
setting a service level designator in each packet of the network traffic that is sent via the particular node;
wherein the particular node is responsive to a service level in the service level designator for determining traffic priority;
selectively enabling recognition of the service level designator in predetermined attributes of packets sent via the particular node;
wherein the method is performed by one or more processors.
Dependent claims: 2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12.
13. A data communications device for identifying prioritized network traffic comprising:
one or more processors;
a network node device operable to couple to an edge device for establishing a trusted environment operable to scrutinize network traffic sent via a particular network node;
a security agent operable to communicate the establishment of the trusted environment to a data communications device coupled to a communications network, the security agent further adapted to establish a connection operable to transport network traffic to the communications network on behalf of a particular application; and
a packet mapper in the security agent operable to selectively identifying network traffic corresponding to the particular application;
setting a service level designator in each packet of the network traffic that is sent via a particular node;
wherein the particular node is responsive to a service level in the service level designator for determining traffic priority;
selectively enabling recognition of the service level designator in predetermined attributes of packets sent via the particular node.
Dependent claims: 14, 15, 16, 17, 18, 19, 20, 21.
22. A method of marking prioritized network traffic comprising:
establishing a trusted environment operable to scrutinize network traffic sent via a particular node;
communicating the establishment of the trusted environment to a data communications device coupled to a communications network;
establishing a connection operable to transport network traffic to the communications network on behalf of a particular application; and
setting a service level designator in each packet of the network traffic that is sent via the particular node;
wherein the particular node is responsive to a service level in the service level designator for determining traffic priority;
selectively enabling recognition of the service level designator in predetermined attributes of packets sent via the particular node;
selectively identifying network traffic corresponding to the particular application;
executing a security agent in the trusted environment for;
identifying connections corresponding to user applications on a user device;
scrutinizing all connections between the user device and the data communications device, the data communications device further comprising a network gateway operable to recognize and enforce the service level designator; and
marking the service level designator in packets transported over the identified connections with corresponding service level markings according to a marking policy having predetermined values for setting the service level designator;
wherein the method is performed by one or more processors.
23. A computer program product having a computer readable medium operable to store computer program logic embodied in computer program code encoded thereon as an encoded set of processor based instructions, comprising:
computer program code for establishing a trusted environment operable to scrutinize network traffic sent via a particular node;
computer program code for executing a security agent on a user device, the security agent operable to scrutinize network traffic emanating from the user device, and further operable to modify the service level designator;
computer program code for communicating the establishment of the trusted environment to a data communications device coupled to a communications network;
computer program code for setting a service level designator in each packet of the network traffic that is sent via the particular node;
wherein the particular node is responsive to a service level in the service level designator for determining traffic priority;
computer program code for selectively enabling recognition of the service level designator in predetermined attributes of packets sent via the particular node;
computer program code for establishing a trusted connection from the security agent to a network gateway, the network gateway operable to enforce the service level designation throughout the secure network, the trusted connection operable to transport the network traffic to the communications network on behalf of a particular application;
computer program code for selectively identifying the network traffic corresponding to the particular application.
24. A data communications device responsive to encoded processor based instructions for identifying prioritized network traffic comprising:
one or more processors;
means for establishing a trusted environment operable to scrutinize network traffic sent via a particular node;
means for communicating the establishment of the trusted environment to a data communications device coupled to a communications network;
means for establishing a connection operable to transport network traffic to the communications network on behalf of a particular application; and
means for setting a service level designator in each packet of the network traffic that is sent via the particular node;
wherein the particular node is responsive to a service level in the service level designator for determining traffic priority;
means for selectively enabling recognition of the service level designator in predetermined attributes of packets sent via the particular node;
means for selectively identifying network traffic corresponding to the particular application;
the means for establishing the trusted environment including means for executing a security agent on a user device, the security agent further comprising;
means for identifying connections corresponding to user applications on the user device;
means for scrutinizing all connections between the user device and the data communications device, the data communications device further comprising a network gateway operable to recognize and enforce the service level designator; and
means for marking the service level designator in packets transported over the identified connections with corresponding service level markings according to a marking policy having predetermined values for setting a service level design.