System and method to apply a packet routing policy to an application session

US 8,584,199 B1
Filed: 12/15/2012
Issued: 11/12/2013
Est. Priority Date: 10/17/2006
Status: Active Grant

First Claim

Patent Images

1. A method for routing data packets of an application session, comprising:

recognizing the application session between a network and an application via a security gateway;

determining by the security gateway a user identity from an application session record for the application session, wherein the application session record comprises a user identity used for accessing a network through a host, a host identity for the host, and an application session time, wherein a creating of the application session record comprises;

querying an identity server by sending the host identity and the application session time in the application session record, wherein the identity server comprises an access session record for an access session between a second host and the network, wherein the access session record comprises a second user identity used for accessing the network through the second host, a second host identity for the second host, and an access session time,wherein the identity server compares the host identity in the application session record with the second host identity in the access session record, and comparing the access session time with the application session time,wherein the identity server returns the second user identity in the access session record, if the host identity in the application session record matches the second host identity in the access session record, and if the access session time matches the application session time; and

storing the second user identity as a network user identity used for accessing the network in the application session record;

determining one or more packet routing policies applicable to the application session based on the user identity, each packet routing policy comprising a host network address, an application network address, and a forwarding interface;

receiving a data packet for the application session by the security gateway, the data packet comprising a source network address and a destination network address;

comparing, by the security gateway, the source network address from the data packet with the host network address of each packet routing policy, and comparing the destination network address from the data packet with the application network address of each packet routing policy; and

in response to finding a match between the source network address and the host network address of a given packet routing policy, and between the destination network address and the application network address of the given packet routing policy, processing the data packet using the forwarding interface of the given packet routing policy by the security gateway.

View all claims

2 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

A security gateway includes packet routing policies, each including a host network address, an application network address, and a forwarding interface. In routing data packets of an application session, the security gateway: recognizes the application session between a network and an application; determines a user identity from an application session record for the application session; determines packet routing policies applicable to the application session based on the user identity; receives a data packet for the application session, including a source network address and a destination network address; compares the source network address with the host network address, and the destination network address with the application network address; and in response to finding a match between the source network address and the host network address, and between the destination network address and the application network address, processes the data packet using the forwarding interface of the packet routing policy.

399 Citations

21 Claims

1. A method for routing data packets of an application session, comprising:
- recognizing the application session between a network and an application via a security gateway;
  
  determining by the security gateway a user identity from an application session record for the application session, wherein the application session record comprises a user identity used for accessing a network through a host, a host identity for the host, and an application session time, wherein a creating of the application session record comprises;
  
  querying an identity server by sending the host identity and the application session time in the application session record, wherein the identity server comprises an access session record for an access session between a second host and the network, wherein the access session record comprises a second user identity used for accessing the network through the second host, a second host identity for the second host, and an access session time,wherein the identity server compares the host identity in the application session record with the second host identity in the access session record, and comparing the access session time with the application session time,wherein the identity server returns the second user identity in the access session record, if the host identity in the application session record matches the second host identity in the access session record, and if the access session time matches the application session time; and
  
  storing the second user identity as a network user identity used for accessing the network in the application session record;
  
  determining one or more packet routing policies applicable to the application session based on the user identity, each packet routing policy comprising a host network address, an application network address, and a forwarding interface;
  
  receiving a data packet for the application session by the security gateway, the data packet comprising a source network address and a destination network address;
  
  comparing, by the security gateway, the source network address from the data packet with the host network address of each packet routing policy, and comparing the destination network address from the data packet with the application network address of each packet routing policy; and
  
  in response to finding a match between the source network address and the host network address of a given packet routing policy, and between the destination network address and the application network address of the given packet routing policy, processing the data packet using the forwarding interface of the given packet routing policy by the security gateway.
- View Dependent Claims (2, 3, 4, 5, 6, 7)
- - 2. The method of claim 1, wherein the security gateway comprises a network interface, wherein the forwarding interface of the given packet routing policy indicates transmission of data packets using the network interface, wherein the processing further comprises:
    - in response to finding the match between the source network address and the host network address of the given packet routing policy, and between the destination network address and the application network address of the given packet routing policy, transmitting the data packet using the network interface of the security gateway.
  - 3. The method of claim 1, wherein the security gateway is coupled to a network element, wherein the forwarding interface of the given packet routing policy directs the security gateway to send data packets to the network element, wherein the processing further comprises:
    - in response to finding the match between the source network address and the host network address of the given packet routing policy, and between the destination network address and the application network address of the give packet routing policy, transmitting the data packet to the network element using the network interface of the security gateway.
  - 4. The method of claim 3, wherein the one or more packet routing policies comprise a second given packet routing policy associated with the network element, the second given packet routing policy comprising a second host network address, a second application network address, and a second forwarding interface, wherein the determining the one or more packet routing policies further comprises:
    - determining by the security gateway that the second given packet routing policy is associated with the network element; and
      
      in response to determining that the second given packet routing policy is associated with the network element, sending the second given packet routing policy to the network element by the security gateway.
  - 5. The method of claim 4, wherein the forwarding interface of the given packet routing policy indicates transmission of data packets to the network element, wherein the processing further comprises:
    - in response to finding the match between the source network address and the host network address of the given packet routing policy, and between the destination network address and the application network address of the given packet routing policy, transmitting the data packet to the network element by the security gateway.
  - 6. The method of claim 5, wherein the method further comprises:
    - receiving the data packet from the security gateway by the network element;
      
      comparing, by the network element, the source network address from the data packet with the second host network address of the second given packet routing policy, and comparing the destination network address from the data packet with the second application network address of the second given packet routing policy; and
      
      in response to finding a match between the source network address and the second host network address, and between the destination network address and the second application network address, processing the data packet using the second forwarding interface of the second given packet routing policy by the network element.
  - 7. The method of claim 1, further comprising:
    - generating a security report based on the application session record and the one or more packet routing policies.

8. A system, comprising:
- a security gateway, wherein the security gateway;
  
  recognizes an application session between a network and an application via the security gateway;
  
  determines a user identity from an application session record for the application session, wherein the application session record comprises the user identity used for accessing the network through a host, a host identity for the host, and an application session time, wherein in creating the application session record, the security gateway;
  
  queries an identity server by sending the host identity and the application session time in the application session record, wherein the identity server comprises an access session record for an access session between a second host and the network, wherein the access session record comprises a second user identity used for accessing the network through the second host, a second host identity for the second host, and an access session time,wherein the identity server compares the host identity in the application session record with the second host identity in the access session record, and comparing the access session time with the application session time,wherein the identity server returns the second user identity in the access session record, if the host identity in the application session record matches the second host identity in the access session record, and if the access session time matches the application session time; and
  
  stores the second user identity as a network user identity used for accessing the network in the application session record;
  
  determines one or more packet routing policies applicable to the application session based on the user identity, each packet routing policy comprising a host network address, an application network address, and a forwarding interface;
  
  receives a data packet for the application session, the data packet comprising a source network address and a destination network address;
  
  compares the source network address from the data packet with the host network address of each packet routing policy, and comparing the destination network address from the data packet with the application network address of each packet routing policy; and
  
  in response to finding a match between the source network address and the host network address of a given packet routing policy, and between the destination network address and the application network address of a given packet routing policy, processes the data packet using the forwarding interface of the given packet routing policy.
- View Dependent Claims (9, 10, 11, 12, 13, 14)
- - 9. The system of claim 8, wherein the security gateway comprises a network interface, wherein the forwarding interface of the given packet routing policy indicates transmission of data packets using the network interface, wherein in processing the data packet, the security gateway:
    - in response to finding the match between the source network address and the host network address of the given packet routing policy, and between the destination network address and the application network address of the given packet routing policy, transmits the data packet using the network interface of the security gateway.
  - 10. The system of claim 8, further comprising a network element coupled to the security gateway, wherein the forwarding interface of the given packet routing policy directs the security gateway to send data packets to the network element, wherein in processing the data packet, the security gateway:
    - in response to finding the match between the source network address and the host network address of the given packet routing policy, and between the destination network address and the application network address of the given packet routing policy, transmitting the data packet to the network element using the network interface of the security gateway.
  - 11. The system of claim 10, wherein the one or more packet routing policies comprise a second given packet routing policy associated with the network element, the second given packet routing policy comprising a second host network address, a second application network address, and a second forwarding interface,wherein in the determining the one or more packet routing policies, the security gateway further:
    - determines that the second given packet routing policy is associated with the network element, andin response to determining that the second given packet routing policy is associated with the network element, sends the second given packet routing policy to the network element.
  - 12. The system of claim 11, wherein the forwarding interface of the given packet routing policy indicates transmission of data packets to the network element, wherein in the processing, the security gateway:
    - in response to finding the match between the source network address and the host network address of the given packet routing policy, and between the destination network address and the application network address of the given packet routing policy, transmits the data packet to the network element.
  - 13. The system of claim 12, wherein the network element:
    - receives the data packet from the security gateway;
      
      compares the source network address from the data packet with the second host network address of the second given packet routing policy, and compares the destination network address from the data packet with the second application network address of the second given packet routing policy; and
      
      in response to finding a match between the source network address and the second host network address, and between the destination network address and the second application network address, processes the data packet using the second forwarding interface of the second given packet routing policy.
  - 14. The system of claim 8, wherein the security gateway further:
    - generates a security report based on the application session record and the one or more packet routing policies.

15. A non-transitory computer readable storage medium having computer readable program code embodied therewith for routing data packets of an application session, the computer readable program code configured to:
- recognize the application session between a network and an application via a security gateway;
  
  determine a user identity from an application session record for the application session, wherein the application session record comprises a user identity used for accessing a network through a host, a host identity for the host, and an application session time, wherein a creation of the application session record comprises;
  
  query an identity server by sending the host identity and the application session time in the application session record, wherein the identity server comprises an access session record for an access session between a second host and the network, wherein the access session record comprises a second user identity used for accessing the network through the second host, a second host identity for the second host, and an access session time,wherein the identity server compares the host identity in the application session record with the second host identity in the access session record, and comparing the access session time with the application session time,wherein the identity server returns the second user identity in the access session record, if the host identity in the application session record matches the second host identity in the access session record, and if the access session time matches the application session time; and
  
  store the second user identity as a network user identity used for accessing the network in the application session record;
  
  determine one or more packet routing policies applicable to the application session based on the user identity, each packet routing policy comprising a host network address, an application network address, and a forwarding interface;
  
  receive a data packet for the application session, the data packet comprising a source network address and a destination network address;
  
  compare the source network address from the data packet with the host network address of each packet routing policy, and compare the destination network address from the data packet with the application network address of each packet routing policy; and
  
  in response to finding a match between the source network address and the host network address of a given packet routing policy, and between the destination network address and the application network address of the given packet routing policy, process the data packet using the forwarding interface of the given packet routing policy.
- View Dependent Claims (16, 17, 18, 19, 20, 21)
- - 16. The medium of claim 15, wherein the security gateway comprises a network interface, wherein the forwarding interface of the given packet routing policy indicates transmission of data packets using the network interface, wherein the computer readable program code configured to process is further configured to:
    - in response to finding the match between the source network address and the host network address of the given packet routing policy, and between the destination network address and the application network address of the given packet routing policy, transmit the data packet using the network interface of the security gateway.
  - 17. The medium of claim 15, wherein the security gateway is coupled to a network element, wherein the forwarding interface of the given packet routing policy directs the security gateway to send data packets to the network element, wherein the computer readable program code configured to process is further configured to:
    - in response to finding the match between the source network address and the host network address of the given packet routing policy, and between the destination network address and the application network address of the given packet routing policy, transmit the data packet to the network element using the network interface of the security gateway.
  - 18. The medium of claim 17, wherein the one or more packet routing policies comprise a second given packet routing policy associated with the network element, the second given packet routing policy comprising a second host network address, a second application network address, and a second forwarding interface, wherein the computer readable program code configured to determine the one or more packet routing policies is further configured to:
    - determine that the second given packet routing policy is associated with the network element, andin response to determining that the second given packet routing policy is associated with the network element, send the second given packet routing policy from the security gateway to the network element.
  - 19. The medium of claim 18, wherein the forwarding interface of the given packet routing policy indicates transmission of data packets to the network element, wherein the computer readable program code configured to process is further configured to:
    - in response to finding the match between the source network address and the host network address of the given packet routing policy, and between the destination network address and the application network address of the given packet routing policy, transmit the data packet to the network element.
  - 20. The medium of claim 19, wherein the computer readable program code is further configured to:
    - receive the data packet from the security gateway by the network element;
      
      compare, by the network element, the source network address from the data packet with the second host network address of the second given packet routing policy, and compare the destination network address from the data packet with the second application network address of the second given packet routing policy; and
      
      in response to finding a match between the source network address and the second host network address, and between the destination network address and the second application network address, process the data packet using the second forwarding interface of the second given packet routing policy by the network element.
  - 21. The medium of claim 15, wherein the computer readable program code is further configured to:
    - generate a security report based on the application session record and the one or more packet routing policies.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
A10 Networks Incorporated
Original Assignee
A10 Networks Incorporated
Inventors
Chen, Lee, Chiong, John, Oshiba, Dennis
Primary Examiner(s)
Rashid, Harunur
Assistant Examiner(s)
Lavelle, Gary

Application Number

US13/716,124
Time in Patent Office

332 Days
Field of Search

726/1, 726/7, 726/28
US Class Current

726/1
CPC Class Codes

G06F 21/00   Security arrangements for p...

H04L 2101/365   Application layer names, e....

H04L 45/308   Route determination based o...

H04L 51/04   Real-time or near real-time...

H04L 61/2596   Translation of addresses of...

H04L 61/50   Address allocation

H04L 63/02   for separating internal fro...

H04L 63/0227   Filtering policies mail mes...

H04L 63/0236   Filtering by address, proto...

H04L 63/029   Firewall traversal, e.g. tu...

H04L 63/0407   wherein the identity of one...

H04L 63/08   for authentication of entit...

H04L 63/0892   by using authentication-aut...

H04L 63/20   for managing network securi...

H04L 65/1026   at the edge

H04L 67/01   Protocols

H04L 67/02   based on web technology, e....

H04L 67/06   specially adapted for file ...

H04L 67/10   in which an application is ...

H04L 67/14   Session management for real...

H04L 67/306 : User profiles

H04L 67/535 : Tracking the activity of th...

H04L 69/22 : Parsing or analysis of headers

H04M 1/7243 : with interactive means for ...

H04W 12/082 : using revocation of authori...

H04W 12/088 : using filters or firewalls

H04W 12/37 : Managing security policies ...

H04W 12/45 : using multiple identity mod...

H04W 12/61 : Time-dependent

H04W 12/72 : Subscriber identity

H04W 12/76 : Group identity

View All

System and method to apply a packet routing policy to an application session

First Claim

2 Assignments

0 Petitions

Accused Products

Abstract

399 Citations

21 Claims

Specification

Use Cases

Quick Links

Others

System and method to apply a packet routing policy to an application session

First Claim

2 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

399 Citations

21 Claims

Specification

Subscription Required

Use Cases

Quick Links

Others