System and method to apply network traffic policy to an application session

US 8,312,507 B2
Filed: 05/27/2010
Issued: 11/13/2012
Est. Priority Date: 10/17/2006
Status: Active Grant

First Claim

Patent Images

1. A method for applying a security policy to an application session, comprising:

(a) recognizing the application session between a network and an application via a security gateway;

(b) determining by the security gateway a user identity of the application session using information about the application session, wherein the determining comprises;

(b1) determining the user identity from an application session record for the application session, wherein the application session record comprises the user identity used for accessing the network through a host, a host identity for the host, and an application session time, wherein a creating of the application session record comprises;

(b1i) querying an identity server by sending the host identity and the application session time in the application session record, wherein the identity server comprises an access session record for an access session between a second host and the network, wherein the access session record comprises a second user identity used for accessing the network through the second host, a second host identity for the second host, and an access session time;

(b1ii) comparing by the identity server the host identity in the application session record with the second host identity in the access session record, and comparing the access session time with the application session time;

(b1iii) returning by the identity server the second user identity in the access session record, if the host identity in the application session record matches the second host identity in the access session record, and if the access session time matches the application session time; and

(b1iv) storing the second user identity as a network user identity used for accessing the network in the application session record;

(c) obtaining by the security gateway the security policy comprising network parameters mapped to the user identity; and

(d) applying the security policy to the application session by the security gateway.

View all claims

3 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

Method for applying a security policy to an application session, includes: recognizing the application session between a network and an application via a security gateway; determining by the security gateway a user identity of the application session using information about the application session; obtaining by the security gateway the security policy comprising network parameters mapped to the user identity; and applying the security policy to the application session by the security gateway. The user identity may be a network user identity or an application user identity recognized from packets of the application session. The security policy may comprise a network traffic policy mapped and/or a document access policy mapped to the user identity, where the network traffic policy is applied to the application session. The security gateway may further generate a security report concerning the application of the security policy to the application session.

Citations

23 Claims

1. A method for applying a security policy to an application session, comprising:
- (a) recognizing the application session between a network and an application via a security gateway;
  
  (b) determining by the security gateway a user identity of the application session using information about the application session, wherein the determining comprises;
  
  (b1) determining the user identity from an application session record for the application session, wherein the application session record comprises the user identity used for accessing the network through a host, a host identity for the host, and an application session time, wherein a creating of the application session record comprises;
  
  (b1i) querying an identity server by sending the host identity and the application session time in the application session record, wherein the identity server comprises an access session record for an access session between a second host and the network, wherein the access session record comprises a second user identity used for accessing the network through the second host, a second host identity for the second host, and an access session time;
  
  (b1ii) comparing by the identity server the host identity in the application session record with the second host identity in the access session record, and comparing the access session time with the application session time;
  
  (b1iii) returning by the identity server the second user identity in the access session record, if the host identity in the application session record matches the second host identity in the access session record, and if the access session time matches the application session time; and
  
  (b1iv) storing the second user identity as a network user identity used for accessing the network in the application session record;
  
  (c) obtaining by the security gateway the security policy comprising network parameters mapped to the user identity; and
  
  (d) applying the security policy to the application session by the security gateway.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13, 14)
- - 2. The method of claim 1, wherein the user identity comprises a network user identity used for accessing the network.
  - 3. The method of claim 1, wherein the user identity comprises a user identity used to access the application, wherein the user identity is recognized from packets of the application session.
  - 4. The method of claim 1, wherein the obtaining (c) and applying (d) comprises:
    - (c1) obtaining the security policy comprising a network traffic policy mapped to the user identity; and
      
      (d1) applying the network traffic policy to the application session.
  - 5. The method of claim 4, wherein the network traffic policy comprises one or more of the following:
    - packet modification control for the application session;
      
      traffic shaping control;
      
      application session access control indicating whether the user identity is denied or allowed to continue the application session; and
      
      a bandwidth control.
  - 6. The method of claim 5, wherein the packet modification control for the application session comprises one or more of the following:
    - performing network address translation to the application session;
      
      performing port address translation to the application session using a pre-determined port number;
      
      performing content substitution, if the application session is an Hypertext Transfer Protocol (HTTP) session and if a Universal Resource Locator (URL) in data packets of the application session matches a predetermined URL;
      
      performing filename substitution, if the application session is a file transfer session and if a filename matching a pre-determined filename is found in data packets of the application session; and
      
      inserting a cookie for the user of the user identity, if the application session is an HTTP session.
  - 7. The method of claim 5, wherein the traffic shaping control comprises one of more of the following:
    - changing a window segment size; and
      
      adjusting a transmission control protocol (TCP) window.
  - 8. The method of claim 4, wherein the network traffic policy comprises a connection rate control.
  - 9. The method of claim 4, wherein the network traffic policy comprises a server load balancer preference.
  - 10. The method of claim 4, wherein the network traffic policy comprises a quality of service.
  - 11. The method of claim 10, wherein the quality of service indicates a change of Differentiated Services Code point (DSCP) marking in data packets of the application session.
  - 12. The method of claim 1, wherein the obtaining (c) and applying (d) comprises:
    - (c1) obtaining the security policy comprising a document access policy mapped to the user identity; and
      
      (d1) applying the document access policy to the application session.
  - 13. The method of claim 12, wherein the document access policy comprises a document identity and a document user identity, wherein the applying (d1) comprises:
    - (d1i) comparing the user identity with the document user identity; and
      
      (d1ii) in response to determining that the user identity matches the document user identity, allowing access to a document with the document identity by the user identity.
  - 14. The method of claim 1, further comprising:
    - (e) generating a security report concerning the application of the security policy to the application session.

15. A computer program product for applying a security policy to an application session, the computer program product comprising:
- a non-transitory computer readable storage medium having computer readable program code embodied therewith, the computer readable program code configured to;
  
  recognize the application session between a network and an application via a security gateway;
  
  determine a user identity of the application session using information about the application session, wherein the determine comprises;
  
  determine the user identity from an application session record for the application session, wherein the application session record comprises the user identity used for accessing the network through a host, a host identity for the host, and an application session time, wherein a create of the application session record comprises;
  
  query an identity server by sending the host identity and the application session time in the application session record, wherein the identity server comprises an access session record for an access session between a second host and the network, wherein the access session record comprises a second user identity used for accessing the network through the second host, a second host identity for the second host, and an access session time;
  
  compare by the identity server the host identity in the application session record with the second host identity in the access session record, and compare the access session time with the application session time;
  
  return by the identity server the second user identity in the access session record, if the host identity in the application session record matches the second host identity in the access session record, and if the access session time matches the application session time; and
  
  store the second user identity as a network user identity used for accessing the network in the application session record;
  
  obtain the security policy comprising network parameters mapped to the user identity; and
  
  apply the security policy to the application session.
- View Dependent Claims (16, 17, 18, 19)
- - 16. The computer program product of claim 15, wherein the user identity comprises a network user identity used for accessing the network.
  - 17. The computer program product of claim 15, wherein the user identity comprises a user identity used to access the application, wherein the user identity is recognized from packets of the application session.
  - 18. The computer program product of claim 15, wherein the computer readable program code configured to obtain the security policy comprising network parameters mapped to the user identity and to apply the security policy to the application session are further configured to:
    - obtain the security policy comprising a network traffic policy mapped to the user identity; and
      
      apply the network traffic policy to the application session.
  - 19. The computer program product of claim 15, wherein the computer readable program code configured to obtain the security policy comprising network parameters mapped to the user identity and to apply the security policy to the application session are further configured to:
    - obtain the security policy comprising a document access policy mapped to the user identity; and
      
      apply the document access policy to the application session.

20. A system, comprising:
- a corporate directory comprising a plurality of security policies; and
  
  a security gateway, wherein the security gateway;
  
  recognizes an application session between a network and an application via the security gateway;
  
  determines a user identity of the application session using information about the application session, wherein the determines comprises;
  
  determines the user identity from an application session record for the application session, wherein the application session record comprises the user identity used for accessing the network through a host, a host identity for the host, and an application session time, wherein a create of the application session record comprises;
  
  queries an identity server by sending the host identity and the application session time in the application session record, wherein the identity server comprises an access session record for an access session between a second host and the network, wherein the access session record comprises a second user identity used for accessing the network through the second host, a second host identity for the second host, and an access session time;
  
  compares by the identity server the host identity in the application session record with the second host identity in the access session record, and compare the access session time with the application session time;
  
  returns by the identity server the second user identity in the access session record, if the host identity in the application session record matches the second host identity in the access session record, and if the access session time matches the application session time; and
  
  stores the second user identity as a network user identity used for accessing the network in the application session record;
  
  obtains from the corporate direction the security policy of the plurality of security policies comprising network parameters mapped to the user identity; and
  
  applies the security policy to the application session.
- View Dependent Claims (21, 22, 23)
- - 21. The system of claim 20, wherein the user identity comprises a network user identity used for accessing the network or a user identity used to access the application, wherein the user identity is recognized from packets of the application session.
  - 22. The system of claim 20, wherein the security gateway further:
    - obtains the security policy comprising a network traffic policy mapped to the user identity; and
      
      applies the network traffic policy to the application session.
  - 23. The system of claim 20, wherein the security gateway further:
    - obtains the security policy comprising a document access policy mapped to the user identity; and
      
      applies the document access policy to the application session.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
A10 Networks Incorporated
Original Assignee
A10 Networks Incorporated
Inventors
Chen, Lee, Chiong, John, Oshiba, Dennis
Primary Examiner(s)
Colin, Carl
Assistant Examiner(s)
LAVELLE, GARY E

Application Number

US12/788,339
Publication Number

US 20100235880A1
Time in Patent Office

901 Days
Field of Search

726/1, 726/7, 726/28
US Class Current

726/1
CPC Class Codes

G06F 21/00   Security arrangements for p...

G06F 21/44   Program or device authentic...

H04L 12/66   Arrangements for connecting...

H04L 51/04   Real-time or near real-time...

H04L 63/02   for separating internal fro...

H04L 63/0227   Filtering policies mail mes...

H04L 63/0236   Filtering by address, proto...

H04L 63/0245   Filtering by information in...

H04L 63/0254   Stateful filtering

H04L 63/0263   Rule management

H04L 63/029   Firewall traversal, e.g. tu...

H04L 63/0407   wherein the identity of one...

H04L 63/08   for authentication of entit...

H04L 63/10   for controlling access to d...

H04L 63/102   Entity profiles

H04L 63/105   Multiple levels of security

H04L 63/164   at the network layer

H04L 63/168   above the transport layer

H04L 63/20   for managing network securi...

H04L 63/30   for supporting lawful inter...

H04L 65/1026 : at the edge

H04L 67/01 : Protocols

H04L 67/10 : in which an application is ...

H04L 67/1004 : Server selection for load b...

H04L 67/104 : Peer-to-peer [P2P] networks

H04L 67/141 : Setup of application sessio...

H04L 67/306 : User profiles

H04L 67/535 : Tracking the activity of th...

H04L 69/28 : Timers or timing mechanisms...

H04L 69/329 : in the application layer [O...

H04M 1/7243 : with interactive means for ...

H04W 12/084 : using delegated authorisati...

H04W 12/37 : Managing security policies ...

H04W 12/61 : Time-dependent

View All

System and method to apply network traffic policy to an application session

First Claim

3 Assignments

0 Petitions

Accused Products

Abstract

Citations

23 Claims

Specification

Solutions

Use Cases

Quick Links

System and method to apply network traffic policy to an application session

First Claim

3 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

Citations

23 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links