Systems and methods for managing application security profiles
First Claim
1. A method for configuring one or more application security profiles for a device, each application security profile specifying a number of checks performing security functions related to an application, the method comprising:
(a) providing a configuration interface for configuring an application security profile to comprise a plurality of checks to perform on a stream of packets from a predetermined application to be received by a device, the predetermined application identified by a policy;
(b) receiving, via the configuration interface, a first setting, the first setting specifying a first check of the application security profile, wherein the first check comprises actions related to a first security function;
(c) receiving, via the configuration interface, a second setting, the second setting specifying a second check of the application security profile, wherein the second check comprises actions related to a second security function;
(d) receiving, by the configuration interface, configuration of a policy by a user to configure a policy engine of the device, the policy specifying a rule comprising a first expression, the first expression comprising an object oriented expression that specifies a device defined data structure selected by the user from a plurality of device defined data structures to explicitly typecast application layer data within a packet into a predetermined device defined data type and evaluates an application layer portion of a payload of the packet in the stream of packets from the predetermined application to be received by the device, the application layer portion comprising HyperText Transfer Protocol (HTTP) content;
(e) receiving, via the configuration interface, information identifying the application security profile to be processed based on an evaluation of the object oriented expression of the first expression of the rule to the payload of the packet in the stream of packets from the predetermined application to be received by the device; and
(f) establishing, by the configuration interface for the device, the policy to execute the first check and the second check of the application security profile based on a result of the evaluation of the object oriented expression of the first expression of the rule identifying to execute the application security profile.
Abstract
Systems and methods for configuring and evaluating policies that direct processing of one or more data streams are described. A configuration interface is described for allowing users to specify object oriented policies. These object oriented policies may allow any data structures to be applied with respect to a payload of a received packet stream, including any portions of HTTP traffic. A configuration interface may also allow the user to control the order in which policies and policy groups are executed, in addition to specifying actions to be taken if one or more policies are undefined. Systems and methods for processing the policies may allow efficient processing of object-oriented policies by applying potentially complex data structures to unstructured data streams. A device may also interpret and process a number of flow control commands and policy group invocation statements to determine an order of execution among a number of policies and policy groups. These policy configurations and processing may allow configuration and processing of complex network behaviors relating to load balancing, VPNs, SSL offloading, content switching, application security, acceleration, and caching.
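As an added illustration (not the patent's own code or any vendor's implementation), the following Python sketches the flow the abstract and claims describe: a device-defined data type that a policy expression typecasts the HTTP payload into, a rule evaluated over that typed object, and an application security profile whose two checks run only when the rule selects it. The class names, the two checks, the Host-based rule and the sample request are all constructed for this example.

```python
from dataclasses import dataclass
from typing import Callable, Dict, List

@dataclass
class HttpRequest:
    # Device-defined data structure that the policy expression typecasts a payload into.
    method: str
    path: str
    headers: Dict[str, str]
    body: bytes

    @classmethod
    def typecast(cls, payload: bytes) -> "HttpRequest":
        head, _, body = payload.partition(b"\r\n\r\n")
        lines = head.decode("latin-1").split("\r\n")
        method, path, _version = lines[0].split(" ", 2)
        headers = {}
        for line in lines[1:]:
            name, _, value = line.partition(":")
            headers[name.strip().lower()] = value.strip()
        return cls(method, path, headers, body)

@dataclass
class SecurityProfile:
    name: str
    checks: List[Callable[[HttpRequest], List[str]]]  # each check returns its findings

    def run(self, req: HttpRequest) -> List[str]:
        return [f for check in self.checks for f in check(req)]

@dataclass
class Policy:
    rule: Callable[[HttpRequest], bool]  # expression evaluated over the typed payload
    profile: SecurityProfile             # profile selected when the rule is true

def url_length_check(req: HttpRequest) -> List[str]:
    return ["URL longer than 64 bytes"] if len(req.path) > 64 else []

def form_content_type_check(req: HttpRequest) -> List[str]:
    ct = req.headers.get("content-type", "")
    if req.method == "POST" and not ct.startswith("application/x-www-form-urlencoded"):
        return ["unexpected content type: " + ct]
    return []

def process_packet(payload: bytes, policies: List[Policy]) -> List[str]:
    # Policy engine: typecast once, select the first matching policy, run its profile.
    req = HttpRequest.typecast(payload)
    for policy in policies:
        if policy.rule(req):
            return policy.profile.run(req)
    return []  # no policy selected a profile, so no checks run

# Constructed profile with two checks, one policy keyed on the Host header, and a sample request.
WEB_PROFILE = SecurityProfile("web_app", [url_length_check, form_content_type_check])
POLICIES = [Policy(lambda r: r.headers.get("host") == "app.example.test", WEB_PROFILE)]
SAMPLE = b"POST /login HTTP/1.1\r\nHost: app.example.test\r\nContent-Type: text/plain\r\n\r\nuser=alice"
```

Note that a request whose Host header matches no policy produces no findings at all: the checks only run for traffic a policy has routed to the profile, which is the ordering the claims describe.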
34 Claims
1. Independent claim; text as given above under First Claim. Dependent claims 2 through 14.
15. In an appliance, a method for executing one or more application security profiles for a device, each application security profile specifying a number of policy groups performing security functions related to an application, the method comprising:
(a) identifying, by an appliance, a first policy to apply to a received packet stream from a predetermined application identified by the first policy, the first policy specifying a rule comprising a first expression and identifying an application security profile, the first expression comprising an object oriented expression that specifies a device defined data structure selected by a user from a plurality of device defined data structures to explicitly typecast application layer data within a packet into a predetermined device defined data type and evaluates an application layer portion of a payload of a packet of the received packet stream, the application layer portion comprising HyperText Transfer Protocol (HTTP) content;
(b) evaluating, by the appliance, the first expression of the rule; and
(c) processing, by the appliance responsive to the evaluation of the first expression of the rule, the first policy to execute a first check and a second check specified by the application security profile based on a result of the evaluation of the object oriented expression of the first expression of the rule identifying to execute the application security profile, wherein the first check comprises actions related to a first security function and the second check comprises actions related to a second security function.
Dependent claims 16 through 24.
25. A system for executing one or more application security profiles for a device, each application security profile specifying a number of policy groups performing security functions related to an application, the system comprising:
a packet processor which receives a packet stream; and
a policy engine in communication with the packet processor which identifies a first policy to apply to the received packet stream from a predetermined application identified by the first policy, the first policy specifying a rule comprising a first expression and identifying an application security profile, the first expression comprising an object oriented expression that specifies a device defined data structure selected by a user from a plurality of device defined data structures to explicitly typecast application layer data within a packet into a predetermined device defined data type and evaluates an application layer portion of a payload of the packet of the packet stream, the application layer portion comprising HyperText Transfer Protocol (HTTP) content;
evaluates the rule; and
processes, in response to the evaluation of the first expression of the rule, the first policy to execute a first check and a second check specified by the application security profile based on a result of the evaluation of the object oriented expression of the first expression of the rule identifying to execute the application security profile, wherein the first check comprises actions related to a first security function and the second check comprises actions related to a second security function.
Dependent claims 26 through 34.