Network security policy enforcement using application session information and object attributes
First Claim
1. A computer implemented method comprising:
identifying an authentication exchange packet from network traffic traversing on a computer network;
extracting a user ID and a client network address from the authentication exchange packet;
selecting, from a directory service, a network entity having an attribute associated with the user ID;
associating the attribute with the client network address;
by a computing device, receiving an additional packet traversing on the computer network, the additional packet transmitted as part of an application session established between a client application and a server application;
generating session information from the additional packet, the session information comprising a client network address and a server network address;
associating the additional packet with the network entity using the session information; and
enforcing a security policy defined for the computer network by using the session information and attribute to determine whether the additional packet violates the security policy.
7 Assignments
0 Petitions
Abstract
A packet traversing on the computer network is received; session information is generated from the packet with the session information including a client network address and a server network address; the packet is associated with at least one object attribute from the directory by using the session information; and a security policy defined for the network environment is enforced by using the session information and the object attribute(s) to determine whether the packet violates the security policy.
57 Citations
43 Claims
1. A computer implemented method comprising: the elements listed above under First Claim. Dependent claims 2 to 23 depend from claim 1.

24. An apparatus comprising:
a memory;
a means for identifying an authentication exchange packet from network traffic traversing on a computer network;
a means for extracting a user ID and a client network address from the authentication exchange packet;
a means for selecting, from a directory service, a network entity having an attribute associated with the user ID;
a means for associating the attribute with the client network address;
a means for receiving an additional packet traversing on the computer network, the additional packet having a source network address, a source port ID, a destination network address, a destination port ID, and a transport protocol type, the additional packet transmitted as part of an application session established between a client application and a server application;
a means for generating session information from the additional packet, the session information comprising a client network address and a server network address;
a means for associating the additional packet with the network entity using the session information; and
a means for enforcing a security policy defined for the computer network by using the session information and the attribute to determine whether the additional packet violates the security policy.
Dependent claims 25 to 43 depend from claim 24.
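As an added example (not code from the patent or from any product it covers), the following Python models the two phases the independent claims describe: binding directory attributes to a client address when an authentication exchange is observed, then enforcing policy on later session packets using that binding. The directory, the policy, the simplified Kerberos-style AS-REQ payload on port 88, the client-to-server packet direction and the default-deny behaviour for unbound addresses are all assumptions of this example.

```python
from dataclasses import dataclass
# Constructed stand-in for the directory service: user ID -> object attributes.
DIRECTORY = {
    "alice": {"group": "finance"},
    "bob": {"group": "engineering"},
}
# Constructed policy: which directory group may reach which server application.
POLICY = [
    {"group": "finance", "server": "10.0.0.5", "port": 1433, "proto": "tcp", "action": "allow"},
    {"group": "engineering", "server": "10.0.0.5", "port": 1433, "proto": "tcp", "action": "deny"},
]

@dataclass
class Packet:
    src: str
    sport: int
    dst: str
    dport: int
    proto: str
    payload: bytes = b""

class IdentityEnforcer:
    def __init__(self, directory, policy):
        self.directory, self.policy = directory, policy
        self.ip_to_attrs = {}  # client network address -> attributes bound to it

    def observe_auth(self, pkt):
        """Claim elements 1-4: bind the directory attributes of the authenticated user ID to
        the client address. Payload is a constructed simplification of a Kerberos AS-REQ."""
        if pkt.dport != 88 or not pkt.payload.startswith(b"AS-REQ cname="):
            return False
        user = pkt.payload[len(b"AS-REQ cname="):].split(b";", 1)[0].decode()
        attrs = self.directory.get(user)
        if attrs is None:
            return False  # no directory entity for this user ID: nothing to bind
        self.ip_to_attrs[pkt.src] = dict(attrs, user=user)
        return True

    def evaluate(self, pkt):
        """Claim elements 5-8: session info from a later packet (assumed client -> server),
        associate it with the bound entity, then apply the policy."""
        session = {"client": pkt.src, "server": pkt.dst, "port": pkt.dport, "proto": pkt.proto}
        attrs = self.ip_to_attrs.get(session["client"])
        if attrs is None:
            return "deny"  # assumption: traffic from an unbound address is denied
        for rule in self.policy:
            if (rule["group"], rule["server"], rule["port"], rule["proto"]) == (
                    attrs["group"], session["server"], session["port"], session["proto"]):
                return rule["action"]
        return "deny"  # assumption: no matching rule means deny
```

A real deployment would also have to expire or re-validate the address-to-identity binding, since the claim ties the attribute to a client network address that DHCP or NAT can reassign.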
Specification