System and method to apply a packet routing policy to an application session
First Claim
1. A method for routing data packets of an application session, comprising:
- recognizing the application session between a network and an application via a security gateway;
- determining by the security gateway a user identity from an application session record for the application session, wherein the application session record comprises a user identity used for accessing a network through a host, a host identity for the host, and an application session time, wherein a creating of the application session record comprises:
  - querying an identity server by sending the host identity and the application session time in the application session record, wherein the identity server comprises an access session record for an access session between a second host and the network, wherein the access session record comprises a second user identity used for accessing the network through the second host, a second host identity for the second host, and an access session time, wherein the identity server compares the host identity in the application session record with the second host identity in the access session record, and compares the access session time with the application session time, wherein the identity server returns the second user identity in the access session record if the host identity in the application session record matches the second host identity in the access session record, and if the access session time matches the application session time; and
  - storing the second user identity as a network user identity used for accessing the network in the application session record;
- determining one or more packet routing policies applicable to the application session based on the user identity, each packet routing policy comprising a host network address, an application network address, and a forwarding interface;
- receiving a data packet for the application session by the security gateway, the data packet comprising a source network address and a destination network address;
- comparing, by the security gateway, the source network address from the data packet with the host network address of each packet routing policy, and comparing the destination network address from the data packet with the application network address of each packet routing policy; and
- in response to finding a match between the source network address and the host network address of a given packet routing policy, and between the destination network address and the application network address of the given packet routing policy, processing the data packet using the forwarding interface of the given packet routing policy by the security gateway.
Abstract
A security gateway includes packet routing policies, each including a host network address, an application network address, and a forwarding interface. In routing data packets of an application session, the security gateway: recognizes the application session between a network and an application; determines a user identity from an application session record for the application session; determines packet routing policies applicable to the application session based on the user identity; receives a data packet for the application session, including a source network address and a destination network address; compares the source network address with the host network address, and the destination network address with the application network address; and in response to finding a match between the source network address and the host network address, and between the destination network address and the application network address, processes the data packet using the forwarding interface of the packet routing policy.
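Claim 1 and the abstract describe one procedure: bind an application session to a user identity by asking an identity server, then select routing policies by that identity and match packet addresses against them. The following Python model is an added illustration of that procedure, not code from the patent; the class names, the reading of "access session time matches the application session time" as the application time falling inside the access session window, and the sample addresses and times are all assumptions.

```python
from dataclasses import dataclass
from typing import Optional

@dataclass
class AccessSession:            # record held by the identity server
    user_id: str
    host_id: str                # e.g. the address the user logged in from
    start: int                  # access session time window (constructed units)
    end: int

@dataclass
class RoutingPolicy:            # policy held by the security gateway
    user_id: str                # identity the policy is bound to
    host_addr: str              # compared with the packet's source address
    app_addr: str               # compared with the packet's destination address
    iface: str                  # forwarding interface

class IdentityServer:
    def __init__(self, sessions: list[AccessSession]):
        self.sessions = sessions
    def lookup(self, host_id: str, app_time: int) -> Optional[str]:
        # Host identity must be equal AND the application session time must fall
        # inside the access session window (our reading of "times match").
        for s in self.sessions:
            if s.host_id == host_id and s.start <= app_time <= s.end:
                return s.user_id
        return None             # no live access session: identity unknown

class SecurityGateway:
    def __init__(self, idp: IdentityServer, policies: list[RoutingPolicy]):
        self.idp, self.policies = idp, policies
    def create_session_record(self, host_id: str, app_time: int) -> dict:
        return {"host_id": host_id, "time": app_time,
                "user_id": self.idp.lookup(host_id, app_time)}
    def route(self, record: dict, src: str, dst: str) -> Optional[str]:
        user = record["user_id"]
        if user is None:
            return None         # unknown user: no policy can apply, deny by default
        for p in self.policies: # only policies bound to this user are candidates
            if p.user_id == user and p.host_addr == src and p.app_addr == dst:
                return p.iface
        return None             # no address match: no forwarding decision

def build_demo_gateway() -> SecurityGateway:
    # Constructed sample data: alice logged in from 10.0.0.5 for t=1000..2000; bob has
    # a policy for the same addresses, which must never be applied to alice's traffic.
    idp = IdentityServer([AccessSession("alice", "10.0.0.5", 1000, 2000)])
    policies = [RoutingPolicy("alice", "10.0.0.5", "192.0.2.10", "eth1"),
                RoutingPolicy("bob", "10.0.0.5", "192.0.2.10", "eth2")]
    return SecurityGateway(idp, policies)
```

The stale-session case (a packet arriving after the access session window) yields no identity and therefore no forwarding interface, which is the failure mode a defender wants: address reuse by a later host never inherits the earlier user's policy.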
21 Claims
1. Independent claim 1 is reproduced in full under First Claim above. Dependent claims: 2, 3, 4, 5, 6, 7.
8. A system, comprising:
- a security gateway, wherein the security gateway:
  - recognizes an application session between a network and an application via the security gateway;
  - determines a user identity from an application session record for the application session, wherein the application session record comprises the user identity used for accessing the network through a host, a host identity for the host, and an application session time, wherein in creating the application session record, the security gateway:
    - queries an identity server by sending the host identity and the application session time in the application session record, wherein the identity server comprises an access session record for an access session between a second host and the network, wherein the access session record comprises a second user identity used for accessing the network through the second host, a second host identity for the second host, and an access session time, wherein the identity server compares the host identity in the application session record with the second host identity in the access session record, and compares the access session time with the application session time, wherein the identity server returns the second user identity in the access session record if the host identity in the application session record matches the second host identity in the access session record, and if the access session time matches the application session time; and
    - stores the second user identity as a network user identity used for accessing the network in the application session record;
  - determines one or more packet routing policies applicable to the application session based on the user identity, each packet routing policy comprising a host network address, an application network address, and a forwarding interface;
  - receives a data packet for the application session, the data packet comprising a source network address and a destination network address;
  - compares the source network address from the data packet with the host network address of each packet routing policy, and compares the destination network address from the data packet with the application network address of each packet routing policy; and
  - in response to finding a match between the source network address and the host network address of a given packet routing policy, and between the destination network address and the application network address of the given packet routing policy, processes the data packet using the forwarding interface of the given packet routing policy.
Dependent claims: 9, 10, 11, 12, 13, 14.
15. A non-transitory computer readable storage medium having computer readable program code embodied therewith for routing data packets of an application session, the computer readable program code configured to:
- recognize the application session between a network and an application via a security gateway;
- determine a user identity from an application session record for the application session, wherein the application session record comprises a user identity used for accessing a network through a host, a host identity for the host, and an application session time, wherein a creation of the application session record comprises:
  - query an identity server by sending the host identity and the application session time in the application session record, wherein the identity server comprises an access session record for an access session between a second host and the network, wherein the access session record comprises a second user identity used for accessing the network through the second host, a second host identity for the second host, and an access session time, wherein the identity server compares the host identity in the application session record with the second host identity in the access session record, and compares the access session time with the application session time, wherein the identity server returns the second user identity in the access session record if the host identity in the application session record matches the second host identity in the access session record, and if the access session time matches the application session time; and
  - store the second user identity as a network user identity used for accessing the network in the application session record;
- determine one or more packet routing policies applicable to the application session based on the user identity, each packet routing policy comprising a host network address, an application network address, and a forwarding interface;
- receive a data packet for the application session, the data packet comprising a source network address and a destination network address;
- compare the source network address from the data packet with the host network address of each packet routing policy, and compare the destination network address from the data packet with the application network address of each packet routing policy; and
- in response to finding a match between the source network address and the host network address of a given packet routing policy, and between the destination network address and the application network address of the given packet routing policy, process the data packet using the forwarding interface of the given packet routing policy.
Dependent claims: 16, 17, 18, 19, 20, 21.