Monitoring traffic to provide enhanced network security

US 8,161,547 B1
Filed: 03/22/2004
Issued: 04/17/2012
Est. Priority Date: 03/22/2004
Status: Active Grant

First Claim

Patent Images

1. A method for monitoring network traffic to enhance security comprising:

detecting, at a network firewall device, a network connection established between a client application and a server application across a communications network;

monitoring packets communicated between the client application and the server application;

identifying a security certificate communicated from the server application to the client application;

determining validity of the security certificate;

determining whether the server application advertises unexpected security options by identifying a server name associated with the server application;

checking the server name against a list of known servers that indicates, for each listed server, whether the server supports secure links; and

if the list indicates that the server application supports secure links, monitoring for capability advertisements from the server application regarding availability of secure links; and

if the server application advertises unexpected security options or if the security certificate is not valid, disrupting further communications between the client application and the server application on the network connection.

View all claims

1 Assignment

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

A communication system includes a traffic monitoring element that monitors network traffic between network components. The network traffic monitoring element monitors for security anomalies and, upon detecting a security anomaly, may respond appropriately. For example, the network traffic monitoring element may identify a security certificate communicated from a server application to a client application, determine the validity of the certificate, and disrupt further communications between the server application and the client application if the certificate is not valid.

35 Citations

View as Search Results

16 Claims

1. A method for monitoring network traffic to enhance security comprising:
- detecting, at a network firewall device, a network connection established between a client application and a server application across a communications network;
  
  monitoring packets communicated between the client application and the server application;
  
  identifying a security certificate communicated from the server application to the client application;
  
  determining validity of the security certificate;
  
  determining whether the server application advertises unexpected security options by identifying a server name associated with the server application;
  
  checking the server name against a list of known servers that indicates, for each listed server, whether the server supports secure links; and
  
  if the list indicates that the server application supports secure links, monitoring for capability advertisements from the server application regarding availability of secure links; and
  
  if the server application advertises unexpected security options or if the security certificate is not valid, disrupting further communications between the client application and the server application on the network connection.
- View Dependent Claims (2, 3, 4, 5)
- - 2. The method of claim 1, further comprising:
    - determining that a protocol for the network connection permits unsecure communications;
      
      detecting a capability advertisement from the server application indicating support for securing of the network connection; and
      
      if the client application does not attempt to secure the network connection, disrupting further communications between the client application and the server application on the network connection.
  - 3. The method of claim 1, further comprising:
    - determining that a protocol for the network connection permits unsecure communications;
      
      determining that the client application has not selected to secure the network connection; and
      
      after a predetermined period of time, ceasing monitoring of the network connection.
  - 4. The method of claim 1, wherein determining validity of the security certificate comprises:
    - verifying that the security certificate has not expired;
      
      verifying each entity identified in a chain of authority established by the certificate; and
      
      checking the security certificate against a certificate revocation list.
  - 5. The method of claim 1, wherein disrupting further communications between the client application and the server application on the network connection comprises:
    - detecting packets communicated between the client application and the server application; and
      
      dropping the detected packets.

6. A network traffic monitor comprising:
- a first interface coupled to a client application;
  
  a second interface coupled to a server application;
  
  a memory maintaining a list of known servers that indicates, for each listed server, whether the server supports secure links; and
  
  a controller operable to;
  
  detect a network connection established between the client application and the server application;
  
  monitor packets communicated between the client application and the server application;
  
  identify a security certificate communicated from the server application to the client-application;
  
  determine validity of the security certificate;
  
  determine whether the server application advertises unexpected security by identifying a server name associated with the server application;
  
  checking the server name against the list of known servers; and
  
  if the list indicates that the server application supports secure links, monitoring for capability advertisements from the server application regarding availability of secure links; and
  
  if the server application advertises unexpected security options or if the security certificate is not valid, disrupt further communications between the client application and the server application on the network connection.
- View Dependent Claims (7, 8, 9, 10)
- - 7. The network traffic monitor of claim 6, wherein the controller is further operable to:
    - determine that a protocol for the network connection permits unsecure communications;
      
      detect a capability advertisement from the server application indicating support for securing of the network connection; and
      
      if the client application does not attempt to secure the network connection, disrupt further communications between the client application and the server application on the network connection.
  - 8. The network traffic monitor of claim 6, wherein the controller is further operable to:
    - determine that a protocol for the network connection permits unsecure communications;
      
      determine that the client application has not selected to secure the network connection; and
      
      after a predetermined period of time, cease monitoring of the network connection.
  - 9. The network traffic monitor of claim 6, wherein the controller is further operable to determine validity of the security certificate by:
    - verifying that the security certificate has not expired;
      
      verifying each entity identified in a chain of authority established by the certificate; and
      
      checking the security certificate against a certificate revocation list.
  - 10. The network traffic monitor of claim 6, wherein the controller is further operable to disrupt further communications between the client application and the server application on the network connection by detecting packets communicated between the client application and the server application and dropping the detected packets.

11. A non-transitory computer readable storage medium encoded with logic for monitoring network traffic to enhance security, the logic operable when executed to:
- detect a network connection established between a client application and a server application across a communications network;
  
  monitor packets communicated between the client application and the server application;
  
  identify a security certificate communicated from the server application to the client application;
  
  determine validity of the security certificate;
  
  determine whether the server application advertises unexpected security options by identifying a server name associated with the server application;
  
  checking the server name against a list of known servers that indicates, for each listed server, whether the server supports secure links; and
  
  if the list indicates that the server application supports secure links, monitoring for capability advertisements from the server application regarding availability of secure links; and
  
  if the server application advertises unexpected security options or if the security certificate is not valid, disrupt further communications between the client application and the server application on the network connection.
- View Dependent Claims (12, 13, 14, 15)
- - 12. The non-transitory computer readable storage medium of claim 11, the logic further operable when executed to:
    - determine that a protocol for the network connection permits unsecure communications;
      
      detect a capability advertisement from the server application indicating support for securing of the network connection; and
      
      if the client application does not attempt to secure the network connection, disrupt further communications between the client application and the server application on the network connection.
  - 13. The non-transitory computer readable storage medium of claim 11, the logic further operable when executed to:
    - determine that a protocol for the network connection permits unsecure communications;
      
      determine that the client application has not selected to secure the network connection; and
      
      after a predetermined period of time, cease monitoring of the network connection.
  - 14. The non-transitory computer readable storage medium of claim 11, wherein determining validity of the security certificate comprises:
    - verifying that the security certificate has not expired;
      
      verifying each entity identified in a chain of authority established by the certificate; and
      
      checking the security certificate against a certificate revocation list.
  - 15. The non-transitory computer readable storage medium of claim 11, wherein disrupting further communications between the client application and the server application on the network connection comprises:
    - detecting packets communicated between the client application and the server application; and
      
      dropping the detected packets.

16. A network traffic monitor comprising:
- means for detecting a network connection established between a client application and a server application across a communications network;
  
  means for monitoring packets communicated between the client application and the server application;
  
  means for identifying a security certificate communicated from the server application to the client application;
  
  means for determining validity of the security certificate; and
  
  means for determining whether the server application advertises unexpected security options by identifying a server name associated with the server application;
  
  checking the server name against a list of known servers that indicates, for each listed server, whether the server supports secure links; and
  
  if the list indicates that the server application supports secure links, monitoring for capability advertisements from the server application regarding availability of secure links; and
  
  means for, if the server application advertises unexpected security options or if the security certificate is not valid, disrupting further communications between the client application and the server application on the network connection.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Cisco Technology, Inc. (Cisco Systems, Inc.)
Original Assignee
Cisco Technology, Inc. (Cisco Systems, Inc.)
Inventors
Jennings, Cullen F., Mahy, Rohan W.
Primary Examiner(s)
Cervetti, David Garcia

Application Number

US10/807,219
Time in Patent Office

2,948 Days
Field of Search

726/13, 726/11, 726/12, 726/22, 726/14, 370/218, 713/158, 713/156
US Class Current

726/22
CPC Class Codes

H04L 63/02 for separating internal fro...

H04L 63/1441 Countermeasures against mal...

Monitoring traffic to provide enhanced network security

First Claim

1 Assignment

0 Petitions

Accused Products

Abstract

35 Citations

16 Claims

Specification

Solutions

Use Cases

Quick Links

Monitoring traffic to provide enhanced network security

First Claim

1 Assignment

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

35 Citations

16 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links