Secure enterprise network

US 8,166,554 B2
Filed: 01/25/2005
Issued: 04/24/2012
Est. Priority Date: 02/26/2004
Status: Active Grant

First Claim

Patent Images

1. A computer implemented method comprising:

by a network device, separating a packet stream between one or more network hosts and one or more network resources configured to execute a plurality of applications into a plurality of individual data streams based at least in part on, for each of the plurality of individual data streams, to which of a plurality of users the data stream belongs, the packet stream comprising a plurality of control packets and data packets, the separating further comprising identifying at least one authentication exchange packet from packets traversing on a network, extracting a first user ID and a first network address from the authentication exchange packet, and filtering packets traversing on the network that each have a network address equivalent to the first network address;

identifying the users associated with the individual data streams using a directory service; and

determining a network policy based at least in part on the separating and the identifying, the network policy identifying, for each of the plurality of applications, which of the plurality of users have access from the one or more network hosts to the application.

View all claims

7 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

What is proposed is a method of implementing a security system (Packet Sentry) addressing the internal security problem of enterprises having a generalized approach for inferential determination and enforcement of network policy with directory service based group correlation with transparent authentication of the connected customer and the policy enforcement inside the network. The security system enables the network to analyze and enforce policy using any bit or bits in a stream or a packet, conduct Flow Vector analysis on the data traffic, provide Application Monitoring, Normalization and user authentication validation. The system enables the network to implement Group relationship Analysis and correlation using combination of Network inferences and Directory service data resulting in generation of Group norms using statistically significant relationships. These will provide a more secure enterprise environment where data security levels can be enforced and the usage monitored effectively in the infrastructure.

308 Citations

19 Claims

1. A computer implemented method comprising:
- by a network device, separating a packet stream between one or more network hosts and one or more network resources configured to execute a plurality of applications into a plurality of individual data streams based at least in part on, for each of the plurality of individual data streams, to which of a plurality of users the data stream belongs, the packet stream comprising a plurality of control packets and data packets, the separating further comprising identifying at least one authentication exchange packet from packets traversing on a network, extracting a first user ID and a first network address from the authentication exchange packet, and filtering packets traversing on the network that each have a network address equivalent to the first network address;
  
  identifying the users associated with the individual data streams using a directory service; and
  
  determining a network policy based at least in part on the separating and the identifying, the network policy identifying, for each of the plurality of applications, which of the plurality of users have access from the one or more network hosts to the application.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9)
- - 2. The method of claim 1, further comprising analyzing network data based at least on the network policy.
  - 3. The method of claim 1, further comprising enforcing the network policy.
  - 4. The method of claim 1, further comprising:
    - analyzing network data based at least on the network policy; and
      
      enforcing the network policy.
  - 5. The method of claim 1 further comprising using look ahead verification to verify each of the plurality of users has been authenticated, the look ahead verification comprising, for each of the individual data streams:
    - extracting a username from the data stream;
      
      inspecting remaining data flow of the individual data stream to verify whether the authentication was successful;
      
      if the authentication was successful, looking up in a cache of the network device, a user policy of the user to which the data stream belongs; and
      
      if the user policy is not found in the cache, retrieving the user policy from the directory service while the authentication is in progress.
  - 6. The method of claim 1, further comprising using cached verification to verify each of the plurality of users has been authenticated.
  - 7. The method of claim 1 , further comprising using background session verification to verify each of the plurality of users has been authenticated.
  - 8. The method of claim 1, further comprising using a reverse query of host verification to verify each of the plurality of users has been authenticated.
  - 9. The method of claim 1, further comprising using an agent deployed on a directory services (DS) server to verify each of the plurality of users has been authenticated.

10. An apparatus comprising:
- a memory; and
  
  one or more processors configured to;
  
  separate a packet stream between one or more network hosts and one or more network resources configured to execute a plurality of applications into a plurality of individual data streams based at least in part on, for each of the plurality of individual data streams, to which of a plurality of users the data stream belongs, the packet stream comprising a plurality of control packets and data packets, the separating further comprising identifying at least one authentication exchange packet from packets traversing on a network, extracting a first user ID and a first network address from the authentication exchange packet, and filtering packets traversing on the network that each have a network address equivalent to the first network address;
  
  identify the users associated with the individual data streams using a directory service; and
  
  determine a network policy based at least in part on the separating and the identifying, the network policy identifying, for each of the plurality of applications, which of the plurality of users have access from the one or more network hosts to the application.
- View Dependent Claims (11, 12, 13, 14, 15, 16, 17, 18)
- - 11. The apparatus of claim 10, the processor further configured to analyze network data based at least on the network policy.
  - 12. The apparatus of claim 10, the processor further configured to enforce the network policy.
  - 13. The apparatus of claim 10, the processor further configured to:
    - analyze network data based at least on the network policy; and
      
      enforce the network policy.
  - 14. The apparatus of claim 10 , the processor further configured to verify using look ahead verification to verify each of the plurality of users has been authenticated, the look ahead verification comprising, for each of the individual data streams:
    - extracting a username from the data stream;
      
      inspecting remaining data flow of the individual data stream to verify whether the authentication was successful;
      
      if the authentication was successful, looking up in a cache of the network device, a user policy of the user to which the data stream belongs; and
      
      if the user policy is not found in the cache, retrieving the user policy from the directory service while the authentication is in progress.
  - 15. The apparatus of claim 10, the processor further configured to verify using cached verification to verify each of the plurality of users has been authenticated.
  - 16. The apparatus of claim 10, the processor further configured to verify using background session verification to verify each of the plurality of users has been authenticated.
  - 17. The apparatus of claim 10, the processor further configured to verify using a reverse query of host verification to verify each of the plurality of users has been authenticated.
  - 18. The apparatus of claim 10, the processor further configured to verify using an agent deployed on a directory services (DS) server to verify each of the plurality of users has been authenticated.

19. An apparatus comprising:
- means for separating a packet stream between one or more network hosts and one or more network resources configured to execute a plurality of applications into a plurality of individual data streams based at least in part on, for each of the plurality of individual data streams, to which of a plurality of users the data stream belongs, the packet stream comprising a plurality of control packets and data packets, the separating further comprising identifying at least one authentication exchange packet from packets traversing on a network, extracting a first user ID and a first network address from the authentication exchange packet, and filtering packets traversing on the network that each have a network address equivalent to the first network address;
  
  means for identifying the users associated with the individual data streams using a directory service; and
  
  means for determining a network policy based at least in part on the separating and the identifying, the network policy identifying, for each of the plurality of applications, which of the plurality of users have access from the one or more network hosts to the application.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Vmware LLC (Broadcom, Inc.)
Original Assignee
VMware, Inc. (Broadcom, Inc.)
Inventors
John, Pramod
Primary Examiner(s)
Gee, Jason

Application Number

US11/042,842
Publication Number

US 20050193427A1
Time in Patent Office

2,646 Days
Field of Search

380/28, 726/22, 726/26, 726/28
US Class Current

726/26
CPC Class Codes

H04L 63/102 Entity profiles

H04L 63/105 Multiple levels of security

Secure enterprise network

First Claim

7 Assignments

0 Petitions

Accused Products

Abstract

308 Citations

19 Claims

Specification

Solutions

Use Cases

Quick Links

Secure enterprise network

First Claim

7 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

308 Citations

19 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links