Monitoring traffic to provide enhanced network security
First Claim
1. A method for monitoring network traffic to enhance security comprising:
detecting, at a network firewall device, a network connection established between a client application and a server application across a communications network;
monitoring packets communicated between the client application and the server application;
identifying a security certificate communicated from the server application to the client application;
determining validity of the security certificate;
determining whether the server application advertises unexpected security options by identifying a server name associated with the server application;
checking the server name against a list of known servers that indicates, for each listed server, whether the server supports secure links; and
if the list indicates that the server application supports secure links, monitoring for capability advertisements from the server application regarding availability of secure links; and
if the server application advertises unexpected security options or if the security certificate is not valid, disrupting further communications between the client application and the server application on the network connection.
Abstract
A communication system includes a traffic monitoring element that monitors network traffic between network components. The network traffic monitoring element monitors for security anomalies and, upon detecting a security anomaly, may respond appropriately. For example, the network traffic monitoring element may identify a security certificate communicated from a server application to a client application, determine the validity of the certificate, and disrupt further communications between the server application and the client application if the certificate is not valid.
16 Claims
1. A method for monitoring network traffic to enhance security, as set out in full under First Claim above. Dependent claims: 2, 3, 4, 5.

6. A network traffic monitor comprising:
a first interface coupled to a client application;
a second interface coupled to a server application;
a memory maintaining a list of known servers that indicates, for each listed server, whether the server supports secure links; and
a controller operable to:
detect a network connection established between the client application and the server application;
monitor packets communicated between the client application and the server application;
identify a security certificate communicated from the server application to the client application;
determine validity of the security certificate;
determine whether the server application advertises unexpected security by identifying a server name associated with the server application;
checking the server name against the list of known servers; and
if the list indicates that the server application supports secure links, monitoring for capability advertisements from the server application regarding availability of secure links; and
if the server application advertises unexpected security options or if the security certificate is not valid, disrupt further communications between the client application and the server application on the network connection.
Dependent claims: 7, 8, 9, 10.

11. A non-transitory computer readable storage medium encoded with logic for monitoring network traffic to enhance security, the logic operable when executed to:
detect a network connection established between a client application and a server application across a communications network;
monitor packets communicated between the client application and the server application;
identify a security certificate communicated from the server application to the client application;
determine validity of the security certificate;
determine whether the server application advertises unexpected security options by identifying a server name associated with the server application;
checking the server name against a list of known servers that indicates, for each listed server, whether the server supports secure links; and
if the list indicates that the server application supports secure links, monitoring for capability advertisements from the server application regarding availability of secure links; and
if the server application advertises unexpected security options or if the security certificate is not valid, disrupt further communications between the client application and the server application on the network connection.
Dependent claims: 12, 13, 14, 15.

16. A network traffic monitor comprising:
means for detecting a network connection established between a client application and a server application across a communications network;
means for monitoring packets communicated between the client application and the server application;
means for identifying a security certificate communicated from the server application to the client application;
means for determining validity of the security certificate; and
means for determining whether the server application advertises unexpected security options by identifying a server name associated with the server application;
checking the server name against a list of known servers that indicates, for each listed server, whether the server supports secure links; and
if the list indicates that the server application supports secure links, monitoring for capability advertisements from the server application regarding availability of secure links; and
means for, if the server application advertises unexpected security options or if the security certificate is not valid, disrupting further communications between the client application and the server application on the network connection.
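The decision logic of claim 1 (and its apparatus and storage-medium counterparts in claims 6, 11 and 16), as an added worked example; this is not the patent's own code nor any product's implementation. It assumes that an SMTP EHLO reply is the "capability advertisement regarding availability of secure links" (STARTTLS), that the certificate has already been parsed out of the packet stream into its name, issuer and validity fields, and that the known-server list, trusted issuers, clock and sample connections are all constructed for the illustration. A known server whose EHLO reply no longer advertises STARTTLS, or whose certificate fails the checks, gets the "disrupt" verdict; an unknown server, or one the list marks as not supporting secure links, is only held to the certificate checks when a certificate is actually seen.

```python
"""Toy model of the claimed monitoring method (added illustration, not the
patent's code).  SMTP EHLO replies stand in for 'capability advertisements';
all names, trust anchors and sample traffic below are constructed."""
from dataclasses import dataclass
from datetime import datetime, timezone
from typing import Optional

# Assumed 'list of known servers': name -> security options the server is
# known to advertise.  An empty set means 'does not support secure links'.
KNOWN_SERVERS = {
    "mail.example.com": {"STARTTLS"},
    "legacy.example.com": set(),
}
TRUSTED_ISSUERS = {"Example Root CA"}       # assumed trust anchors
SECURITY_KEYWORDS = {"STARTTLS", "AUTH"}    # EHLO keywords treated as security options


@dataclass
class Certificate:
    names: list            # CN plus subjectAltName DNS entries, already parsed
    issuer: str
    not_before: datetime
    not_after: datetime


@dataclass
class Connection:
    server_name: str                    # e.g. from SNI or the EHLO greeting
    certificate: Optional[Certificate]  # None if no TLS handshake was seen
    ehlo_reply: list                    # raw '250-...' lines seen from the server


def hostname_matches(pattern: str, host: str) -> bool:
    """RFC 6125-style match: a leading '*' covers exactly one leftmost label."""
    pattern, host = pattern.lower(), host.lower()
    if pattern.startswith("*."):
        return (host.count(".") == pattern.count(".")
                and host.split(".")[1:] == pattern.split(".")[1:])
    return pattern == host


def parse_ehlo_reply(lines):
    """Capability keywords from an EHLO reply; line 0 is the greeting."""
    keywords = set()
    for line in lines[1:]:
        if line.startswith("250") and line[4:].strip():
            keywords.add(line[4:].split()[0].upper())   # drop '250-' / '250 '
    return keywords


def certificate_problems(cert, server_name, now):
    """Validity checks on an observed certificate (none observed -> nothing to judge)."""
    if cert is None:
        return []
    problems = []
    if now < cert.not_before:
        problems.append("certificate not yet valid")
    if now > cert.not_after:
        problems.append("certificate expired")
    if cert.issuer not in TRUSTED_ISSUERS:
        problems.append("certificate issuer %r is not trusted" % cert.issuer)
    if not any(hostname_matches(n, server_name) for n in cert.names):
        problems.append("certificate does not name %r" % server_name)
    return problems


def advertisement_problems(conn):
    """Compare advertised security options with the list's expectation."""
    expected = KNOWN_SERVERS.get(conn.server_name)
    if not expected:
        return []   # unknown server, or not known to support secure links: no baseline
    advertised = parse_ehlo_reply(conn.ehlo_reply) & SECURITY_KEYWORDS
    problems = ["expected %s not advertised (possible downgrade)" % k
                for k in sorted(expected - advertised)]
    problems += ["unexpected security option %s advertised" % k
                 for k in sorted(advertised - expected)]
    return problems


def monitor(conn, now):
    """Return ('allow' | 'disrupt', reasons) for one observed connection."""
    reasons = (certificate_problems(conn.certificate, conn.server_name, now)
               + advertisement_problems(conn))
    return ("disrupt" if reasons else "allow"), reasons


# Constructed sample traffic.
NOW = datetime(2024, 6, 1, tzinfo=timezone.utc)
GOOD_CERT = Certificate(["*.example.com"], "Example Root CA",
                        datetime(2024, 1, 1, tzinfo=timezone.utc),
                        datetime(2025, 1, 1, tzinfo=timezone.utc))
EXPIRED_CERT = Certificate(["*.example.com"], "Example Root CA",
                           datetime(2022, 1, 1, tzinfo=timezone.utc),
                           datetime(2023, 1, 1, tzinfo=timezone.utc))
EHLO_OK = ["250-mail.example.com Hello", "250-SIZE 10240000", "250-STARTTLS", "250 HELP"]
EHLO_STRIPPED = ["250-mail.example.com Hello", "250-SIZE 10240000",
                 "250-AUTH PLAIN LOGIN", "250 HELP"]
SAMPLE_CONNECTIONS = {
    "normal": Connection("mail.example.com", GOOD_CERT, EHLO_OK),
    "starttls stripped": Connection("mail.example.com", None, EHLO_STRIPPED),
    "expired cert": Connection("mail.example.com", EXPIRED_CERT, EHLO_OK),
    "legacy plaintext": Connection("legacy.example.com", None,
                                   ["250-legacy.example.com Hello", "250 HELP"]),
}


def run_samples():
    return {name: monitor(conn, NOW) for name, conn in SAMPLE_CONNECTIONS.items()}


if __name__ == "__main__":
    for name, (verdict, reasons) in run_samples().items():
        print(f"{name:18} -> {verdict}  {reasons}")
```

The split into a certificate check and an advertisement check mirrors the two disruption triggers in the claim; keeping the known-server entry as a set of expected options rather than a boolean lets the same comparison catch both a stripped STARTTLS and an AUTH offer that the real server never makes in plaintext.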
Specification