Using geographical information in policy enforcement

US 8,566,900 B1
Filed: 05/23/2011
Issued: 10/22/2013
Est. Priority Date: 05/23/2011
Status: Active Grant

First Claim

Patent Images

1. A system, comprising:

a processor configured to;

receive, from a device having an associated source IP address, a request to access a resource having an associated destination IP address;

determine a security policy based at least in part on an IP address-geolocation mapping associated with at least one of the source IP address and the destination IP address, wherein the security policy includes at least one action to be taken by the system with respect to the request; and

enforce the security policy based at least in part on the IP address-geolocation mapping;

a data store configured to store a plurality of IP address-geolocation mappings, wherein a geolocation comprises at least one of (1) country information and (2) a user-defined region; and

a memory coupled to the processor and configured to provide the processor with instructions.

View all claims

1 Assignment

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

Using geographical information in policy enforcement is disclosed. A policy is determined based on geographical information associated with an IP address. A policy is enforced based at least in part on the geographical information. The IP address may be either a source IP address or a destination IP address. In some cases network traffic is monitored to determine the IP address.

Citations

17 Claims

1. A system, comprising:
- a processor configured to;
  
  receive, from a device having an associated source IP address, a request to access a resource having an associated destination IP address;
  
  determine a security policy based at least in part on an IP address-geolocation mapping associated with at least one of the source IP address and the destination IP address, wherein the security policy includes at least one action to be taken by the system with respect to the request; and
  
  enforce the security policy based at least in part on the IP address-geolocation mapping;
  
  a data store configured to store a plurality of IP address-geolocation mappings, wherein a geolocation comprises at least one of (1) country information and (2) a user-defined region; and
  
  a memory coupled to the processor and configured to provide the processor with instructions.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13, 14, 15)
- - 2. The system of claim 1 wherein the processor is further configured to monitor network traffic to determine at least one of the source IP address and destination IP address.
  - 3. The system of claim 1 wherein the processor is further configured to store a mapping between the source IP address and a geolocation in a data store.
  - 4. The system of claim 1 wherein the data store includes latitude and longitude information.
  - 5. The system of claim 1 wherein the security policy comprises a policy associated with an application.
  - 6. The system of claim 1 wherein the security policy comprises a quality of service policy.
  - 7. The system of claim 1 wherein the security policy comprises a routing policy.
  - 8. The system of claim 1 wherein the processor is further configured to receive the IP address-geolocation mapping from a third party.
  - 9. The system of claim 1 wherein the processor is further configured to allow a user to override the IP address-geolocation mapping.
  - 10. The system of claim 1 wherein the processor is further configured to cause a display of geographical information associated with the IP address-geolocation mapping in an interface.
  - 11. The system of claim 10 wherein the interface includes an indication of an application used by a client associated with the source IP address.
  - 12. The system of claim 10 wherein the interface includes an indication of monitored network traffic correlated with the geographical information and a threat.
  - 13. The system of claim 1 wherein the processor is further configured to monitor one or more network events and to enforce the security policy based at least in part on the monitored events.
  - 14. The system of claim 1 wherein the security policy includes a specification of a source country.
  - 15. The system of claim 1 wherein the security policy includes a specification of a destination country.

16. A method, comprising:
- receiving, from a device having an associated source IP address, a request to access a resource having an associated destination IP address;
  
  determining, by a processor, a security policy based at least in part on an IP address-geolocation mapping associated with at least one of the source IP address and the destination IP address, wherein the security policy includes at least one action to be taken with respect to the request; and
  
  enforcing the security policy based at least in part on the geographical information;
  
  wherein a plurality of IP address-geolocation mappings are included in a data store accessible to the processor and wherein a geolocation comprises at least one of (1) country information and (2) a user-defined region.

17. A computer program product embodied in a non-transitory computer readable storage medium and comprising computer instructions for:
- receiving, from a device having an associated source IP address, a request to access a resource having an associated destination IP address;
  
  determining a security policy based at least in part on an IP address-geolocation mapping associated with at least one of the source IP address and the destination IP address, wherein the security policy includes at least one action to be taken with respect to the request; and
  
  enforcing the security policy based at least in part on the geographical information;
  
  wherein the instructions further comprise instructions for accessing a plurality of IP address-geolocation mappings included in a data store and wherein a geolocation comprises at least one of (1) country information and (2) a user-defined region.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Palo Alto Networks Incorporated
Original Assignee
Palo Alto Networks Incorporated
Inventors
Bharali, Anupam, Ithal, Ravi, Chen, Yueh-Zen
Primary Examiner(s)
Flynn, Nathan
Assistant Examiner(s)
LAKHIA, VIRAL S

Application Number

US13/113,936
Time in Patent Office

883 Days
Field of Search

726 1- 3, 726/13, 713/160, 713/165, 713/2, 709/224
US Class Current

726/1
CPC Class Codes

H04L 63/0236   Filtering by address, proto...

H04L 63/107   wherein the security polici...

H04L 63/20   for managing network securi...

H04L 67/52   specially adapted for the l...

Using geographical information in policy enforcement

First Claim

1 Assignment

0 Petitions

Accused Products

Abstract

Citations

17 Claims

Specification

Solutions

Use Cases

Quick Links

Using geographical information in policy enforcement

First Claim

1 Assignment

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

Citations

17 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links