Network security policy enforcement using application session information and object attributes

US 8,214,875 B2
Filed: 05/24/2006
Issued: 07/03/2012
Est. Priority Date: 02/26/2004
Status: Active Grant

First Claim

Patent Images

1. A computer implemented method comprising:

identifying an authentication exchange packet from network traffic traversing on a computer network;

extracting a user ID and a client network address from the authentication exchange packet;

selecting, from a directory service, a network entity having an attribute associated with the user ID;

associating the attribute with the client network address;

by a computing device, receiving an additional packet traversing on the computer network, the additional packet transmitted as part of an application session established between a client application and a server application;

generating session information from the additional packet, the session information comprising a client network address and a server network address;

associating the additional packet with the network entity using the session information; and

enforcing a security policy defined for the computer network by using the session information and attribute to determine whether the additional packet violates the security policy.

View all claims

7 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

A packet traversing on the computer network is received; session information is generated from the packet with the session information including a client network address and a server network address; the packet is associated with at least one object attribute from the directory by using the session information; and a security policy defined for the network environment is enforced by using the session information and the object attribute(s) to determine whether the packet violates the security policy.

57 Citations

View as Search Results

43 Claims

1. A computer implemented method comprising:
- identifying an authentication exchange packet from network traffic traversing on a computer network;
  
  extracting a user ID and a client network address from the authentication exchange packet;
  
  selecting, from a directory service, a network entity having an attribute associated with the user ID;
  
  associating the attribute with the client network address;
  
  by a computing device, receiving an additional packet traversing on the computer network, the additional packet transmitted as part of an application session established between a client application and a server application;
  
  generating session information from the additional packet, the session information comprising a client network address and a server network address;
  
  associating the additional packet with the network entity using the session information; and
  
  enforcing a security policy defined for the computer network by using the session information and attribute to determine whether the additional packet violates the security policy.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13, 14, 15, 16, 17, 18, 19, 20, 21, 22, 23)
- - 2. The method of claim 1, wherein generating session information includes extracting a source network address, a source port ID, a destination network address, a destination port ID, and a transport protocol type from the additional packet.
  - 3. The method of claim 1, wherein generating session information further includes:
    - extracting a source network address and a destination network address from the additional packet; and
      
      using the source network address as the server network address and the destination network address as the client network address if the source port ID is equivalent to a well-known or registered port ID and the additional packet is not a TCP SYN packet.
  - 4. The method of claim 1, wherein generating session information further includes:
    - extracting a source network address and a destination network address from the additional packet; and
      
      using the destination network address as the server network address and the source network address as the client network address if the destination port ID is equivalent to a well-known or registered port ID and the additional packet is not a TCP SYN packet.
  - 5. The method of claim 1, wherein generating session information further includes:
    - extracting a source network address and a destination network address from the additional packet; and
      
      using the source network address as the client network address and the destination network address as the server network address if the additional packet is a SYN packet.
  - 6. The method of claim 1, wherein generating session information includes:
    - extracting a transport protocol type from the additional packet; and
      
      determining an application program type for the application session.
  - 7. The method of claim 6, wherein determining an application program type includes:
    - extracting a source network address from the additional packet;
      
      determining whether the additional packet is a SYN packet, if the transport protocol type is TCP; and
      
      extracting a port ID from the additional packet if the port ID is equivalent to a well-known or registered port ID, and using the port ID to select an application program type based on well known or registered port numbers, if the transport protocol type is TCP and the additional packet is not a SYN packet.
  - 8. The method of claim 6, wherein determining an application program type includes:
    - extracting a source network address; and
      
      extracting a port ID from the additional packet if the port ID is equivalent to a well-known or registered port ID, and using the port ID to select an application program type based on well known or registered port numbers if the transport protocol type is UDP.
  - 9. The method of claim 6, wherein generating session information further includes generating metadata from the additional packet.
  - 10. The method of claim 9, wherein the metadata includes data specific to the application session.
  - 11. The method of claim 9, wherein the application session is within a particular application program category and the metadata includes characteristics particular to the application program category.
  - 12. The method of claim 9, wherein the metadata information includes a file name of any data transferred by the additional packet from the application protocol session and a type for the data.
  - 13. The method of claim 9, wherein the metadata includes an Instant Messenger ID.
  - 14. The method of claim 1, wherein the attribute is a name attribute, a group ID attribute, or an organizational ID attribute.
  - 15. The method of claim 1, further including verifying the client network address by determining whether the network entity is logged onto a computing device assigned with the client network address on the computing network.
  - 16. The method of claim 1, wherein using the session information and the network entity to determine whether the additional packet violates the security policy includes using a name attribute, group ID attribute or organizational ID attribute obtained from the network entity.
  - 17. The method of claim 1, wherein enforcing a security policy includes dropping the additional packet if the additional packet violates the security network policy.
  - 18. The method of claim 17, wherein the additional packet violates the security policy if the session information includes a particular application protocol session type.
  - 19. The method of claim 1, wherein enforcing the security policy includes reporting the application session.
  - 20. The method of claim 1, wherein the additional packet violates the security policy if the session information includes a particular type of metadata.
  - 21. The method of claim 1, wherein the additional packet violates the security policy if the session information includes metadata that matches particular data content.
  - 22. The method of claim 1, wherein the additional packet violates the security policy if the session information includes a selected source address.
  - 23. The method of claim 1, wherein the additional packet violates the security policy if the session information includes a selected destination address.

24. An apparatus comprising:
- a memory;
  
  a means for identifying an authentication exchange packet from network traffic traversing on a computer network;
  
  a means for extracting a user ID and a client network address from the authentication exchange packet;
  
  a means for selecting, from a directory service, a network entity having an attribute associated with the user ID;
  
  a means for associating the attribute with the client network address;
  
  a means for receiving an additional packet traversing on the computer network, the additional packet having a source network address, a source port ID, a destination network address, a destination port ID, and a transport protocol type, the additional packet transmitted as part of an application session established between a client application and a server application;
  
  a means for generating session information from the additional packet, the session information comprising a client network address and a server network address;
  
  a means for associating the additional packet with the network entity using the session information; and
  
  a means for enforcing a security policy defined for the computer network by using the session information and the attribute to determine whether the additional packet violates the security policy.
- View Dependent Claims (25, 26, 27, 28, 29, 30, 31, 32, 33, 34, 35, 36, 37, 38, 39, 40, 41, 42, 43)
- - 25. The apparatus of claim 24, wherein the session information includes the client network address, the source port ID, the server network address and the destination port ID, and the application protocol type.
  - 26. The apparatus of claim 25, wherein the means for generating session information selects the source network address as the server network address and the client network address as the destination network address if the source port ID is equivalent to a well-known or registered port ID and the additional packet is not a TCP SYN packet.
  - 27. The apparatus of claim 25, wherein the means for generating session information selects the destination network address as the server network address and the source network address as the client network address if the destination port ID is equivalent to a well-known or registered port ID and the additional packet is not a TCP SYN packet.
  - 28. The apparatus of claim 25, wherein the means for generating session information selects the source network address as the client network address and the destination network address as the server network address if the additional packet is a SYN packet.
  - 29. The apparatus of claim 24, wherein the means for generating session information generates metadata from data within a data field of the additional packet if the data is found in the data field.
  - 30. The apparatus of claim 29, wherein the metadata includes data specific to the application session.
  - 31. The apparatus of claim 29, wherein the application session is within a particular application program category and the metadata includes characteristics particular to the application program category.
  - 32. The apparatus of claim 29, wherein the metadata information includes a file name of any data transferred by the additional packet from the application protocol session and a type for the data.
  - 33. The apparatus of claim 29, wherein the metadata information includes data transferred by the additional packet from the application protocol session, a type for the data and an Instant Messenger ID.
  - 34. The apparatus of claim 24, wherein the attribute is a name attribute, a group ID attribute, or an organizational ID attribute.
  - 35. The apparatus of claim 24, further including a means for verifying the client network address by determining whether the network entity is logged onto a computing device assigned with the client network address on the computer network.
  - 36. The apparatus of claim 24, wherein the attribute is a name attribute, a group ID attribute, or an organizational ID attribute obtained from the network entity.
  - 37. The apparatus of claim 24, wherein the means for enforcing the a security policy drops the additional packet if the additional packet violates the security policy.
  - 38. The apparatus of claim 37, wherein the additional packet violates the security policy if the session information includes a particular application protocol session type.
  - 39. The apparatus of claim 24, wherein the means for enforcing a security policy includes reporting the application session.
  - 40. The apparatus of claim 24, wherein the additional packet violates the security policy if the session information includes a particular type of metadata.
  - 41. The apparatus of claim 24, wherein the additional packet violates the security policy if the session information includes metadata that matches particular data content.
  - 42. The apparatus of claim 24, wherein the additional packet violates the security policy if the session information includes a particular source address.
  - 43. The apparatus of claim 24, wherein the additional packet violates the security policy if the session information includes a particular destination address.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Vmware LLC (Broadcom, Inc.)
Original Assignee
VMware, Inc. (Broadcom, Inc.)
Inventors
John, Pramod, Chang, Ai-Lan, Lassig, Daniel J., Jee, Emmanuel W., Fong, Rendell K. G.
Primary Examiner(s)
Gee, Jason

Application Number

US11/440,663
Publication Number

US 20060236370A1
Time in Patent Office

2,232 Days
Field of Search

726/1, 726/2, 726/11
US Class Current

726/1
CPC Class Codes

G06F 11/30   Monitoring

H04L 2101/663   Transport layer addresses, ...

H04L 61/00   Network arrangements, proto...

H04L 61/4511   using domain name system [DNS]

H04L 61/4523   using lightweight directory...

H04L 63/102   Entity profiles

H04L 63/105   Multiple levels of security

H04L 67/146   Markers for unambiguous ide...

Network security policy enforcement using application session information and object attributes

First Claim

7 Assignments

0 Petitions

Accused Products

Abstract

57 Citations

43 Claims

Specification

Solutions

Use Cases

Quick Links

Network security policy enforcement using application session information and object attributes

First Claim

7 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

57 Citations

43 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links