Authentication via monitoring

US 8,806,572 B2
Filed: 05/30/2009
Issued: 08/12/2014
Est. Priority Date: 05/30/2009
Status: Active Grant

First Claim

Patent Images

1. A non-transitory tangible media encoded with executable instructions which when executed are operable to perform a method, the method comprising:

in a firewall;

detecting a packet data flow of a cryptographic protocol between a first endpoint and a second endpoint;

collecting an identity data of the first endpoint and the second endpoint;

where the identity data is included in the packet data flow and comprises a digital certificate of the first endpoint and at least one attribute value of the second endpoint;

making a decision, based, at least in part, on the identity data, whether to admit or deny the packet data flow through the firewall and on a trust that the first endpoint assigns to the second endpoint while establishing a connection with the second endpoint;

verifying an identity of one or more of, the first endpoint, and the second endpoint, based on the identity data from the digital certificate and the at least one attribute value, where the collected identity data facilitates validation of the digital certificate;

based, at least in part, on validating endpoint identity data included in the packet data flow of the cryptographic protocol that is observed at the firewall, admitting or denying the packet data flow through the firewall.

View all claims

1 Assignment

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

Systems, methods, and other embodiments associated with authentication via monitoring are described. One example method includes detecting a data flow in which indicia of identity (DFWIOI) travel between a first endpoint and a second endpoint. The DFWIOI may be partially encrypted. The example method may also include collecting an identity data associated with the DFWIOI from the DFWIOI, the first endpoint, the second endpoint, and so on. The example method may also include making an authentication policy decision regarding the DFWIOI based, at least in part, on the identity data. The example method may also include controlling a networking device associated with the DFWIOI based, at least in part, on the authentication policy decision.

Citations

23 Claims

1. A non-transitory tangible media encoded with executable instructions which when executed are operable to perform a method, the method comprising:
- in a firewall;
  
  detecting a packet data flow of a cryptographic protocol between a first endpoint and a second endpoint;
  
  collecting an identity data of the first endpoint and the second endpoint;
  
  where the identity data is included in the packet data flow and comprises a digital certificate of the first endpoint and at least one attribute value of the second endpoint;
  
  making a decision, based, at least in part, on the identity data, whether to admit or deny the packet data flow through the firewall and on a trust that the first endpoint assigns to the second endpoint while establishing a connection with the second endpoint;
  
  verifying an identity of one or more of, the first endpoint, and the second endpoint, based on the identity data from the digital certificate and the at least one attribute value, where the collected identity data facilitates validation of the digital certificate;
  
  based, at least in part, on validating endpoint identity data included in the packet data flow of the cryptographic protocol that is observed at the firewall, admitting or denying the packet data flow through the firewall.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12)
- - 2. The media of claim 1, where the identity data is partially encrypted.
  - 3. The media of claim 1, where the identity data further comprises one or more of, authorization attributes, policy assertions, link layer addresses, TCP port identifiers, and UDP port identifiers.
  - 4. The media of claim 1, where the identity data further comprises one or more of, a message authentication code (MAC), an internet protocol (IP) destination address, an IP source address, a nonce generated by the first endpoint, a nonce generated by the second endpoint, and a validation information for the digital certificate from the digital certificate.
  - 5. The media of claim 4, where the decision depends on one or more of, cryptographic information, a digital signature, and a message authentication code.
  - 6. The media of claim 1, where the collected identity data facilitates verification of certificates associated with one or more of an authentication, authorization, and accounting server, and a certificate authority.
  - 7. The media of claim 1, where the decision controls one or more of, a quality of service (QoS), and whether to establish the connection for the first endpoint.
  - 8. The media of claim 1, where the decision controls one or more of, whether the connection is to be allowed based on an identity, whether an out of band audit on a particular endpoint is to be triggered, a privacy constraint for the particular endpoint, identifying a particular flow to be proxied, identifying the particular flow to be unproxied, identifying the particular flow to be forwarded without inspection, generating a record of an identity of an encrypted session created by the particular endpoint, providing a specialized service based on an endpoint identity, performing a URL redirection, customizing a consent page based on a server identity, performing device authorization based on a machine certificate, performing flow classification based on an identity, enforcing a traffic mirroring option, enforcing a traffic by-pass option, customizing a consent page, provisioning services based on the server identity, authorizations based on the server identity, generating an alarm based on a certificate property, generating an event based on the certificate property, generating a log entry based on the certificate property, validating whether a server is white-listed, validating whether the server is black-listed, and triggering a complementary passive decryption and inspection method.
  - 9. The media of claim 7, where the QoS controls one or more of, a data transfer rate, a memory allocation, a security monitoring feature associated with the networking device, a packet delay, and a packet jitter target rate.
  - 10. The media of claim 9, where the data transfer rate is based, at least in part, on a type of data traffic, and where the type of data traffic is determined by viewing a handshake.
  - 11. The media of claim 7, the method comprising:
    - making a second authentication policy decision based, at least in part, on the trust that the first endpoint assigns to the second endpoint, and where the trust assigned by the first endpoint to the second endpoint is based, at least in part, on one or more of, the first endpoint a establishing the connection, and the QoS received from the second endpoint to the first endpoint; and
      
      controlling the firewall based, at least in part, on the second authentication policy decision.
  - 12. The media of claim 11, where the firewall controls one or more of, a second connection from the second endpoint to a third endpoint, and the QoS for the second connection, and where the firewall controls one or more of, the second connection, and the QoS for the second connection, based, at least in part, on the second authentication policy decision.

13. An apparatus, comprising:
- a firewall;
  
  a micro-processor;
  
  a data flow detection logic to detect a packet data flow of a cryptographic protocol between a first network communicator (NC) and a second NC;
  
  an identification logic to collect an identification information from the first NC and the second NC, the identification information being associated with indicators of identity;
  
  where the identification information is included in the packet data flow and comprises a digital certificate of the first NC and at least one attribute value of the second NC;
  
  a control logic to make a decision for the packet data flow, based, at least in part on the identification information, whether to allow or deny the packet data flow through the firewall and on a trust that the first NC assigns to the second NC while establishing a connection with the second NC;
  
  verify an identity of one or more of, the first NC, and the second NC, based on the identification information from the digital certificate and the at least one attribute value, where the collected identification information facilitates validation of the digital certificate;
  
  a network policing agent to admit or deny the packet data flow through the firewall based, at least in part, on validating endpoint identity data included in the packet data flow of the cryptographic protocol that is observed at the firewall.
- View Dependent Claims (14, 15, 16, 17, 18, 19, 20, 21, 22, 23)
- - 14. The apparatus of claim 13, where the network policing agent is to passively monitor the packet data flow without adding latency to an endpoint data flow and without modifying the packet data flow between endpoints.
  - 15. The apparatus of claim 13, wherein the firewall is implemented in any one of, a switch, a wireless access point, or a network interface card.
  - 16. The apparatus of claim 14, where the packet data flow comprises a handshake between the first NC and the second NC, and where the network policing agent resides between the first NC and the second NC.
  - 17. The apparatus of claim 16, where the data flow detection logic is to detect the handshake, and where the identification logic collects the identification information from the handshake.
  - 18. The apparatus of claim 13, where the identification information further comprises one or more of, a message authentication code (MAC), an internet protocol (IP) destination address of the packet data flow, an IP source address of the packet data flow, a nonce generated by the first NC, an identifier associated with a secret key, an identifier associated with a public key, the public key, and a nonce generated by the second NC.
  - 19. The apparatus of claim 18, where the identification information comprises a validation information for the digital certificate, where the validation information is to verify an identity of one or more of, the first NC, and the second NC, and where the validation information facilitates validation of the digital certificate retrieved from one or more of, the packet data flow, the first NC, and the second NC.
  - 20. The apparatus of claim 18, where the nonce is one of, a random number, a timestamp, and a pseudo random number, where the nonce is used once to verify an identity of one or more of, the first NC, the second NC, the packet data flow, and where the nonce prevents a replayed message from passing a message between the first NC and the second NC.
  - 21. The apparatus of claim 13, where the identify information comprises quality of service (QoS) data that includes parameters to facilitate control of one or more of, a data transfer rate, a memory allocation associated with the packet data flow, a security monitoring feature, a packet delay, and a packet jitter target rate.
  - 22. The apparatus of claim 13, where the trust assigned by the first NC to the second NC is based, at least in part, on one or more of, the first NC accepting the packet data flow from the second NC and allowing the connection, and the QoS assigned by the first NC to the packet data flow received from the second NC.
  - 23. The apparatus of claim 22, where the decision for a second data flow between the second NC and a third NC is based, at least in part, on the trust assigned by the first NC to the second NC, and where the connection policy for the second data flow facilitates one or more of, the connection for the second data flow that travels from the second NC to the third NC, and the QoS for the second data flow that travels from the second NC to the third NC.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Cisco Technology, Inc. (Cisco Systems, Inc.)
Original Assignee
Cisco Technology, Inc. (Cisco Systems, Inc.)
Inventors
McGrew, David A., Rao, Sandeep
Primary Examiner(s)
Rahman, Mohammad L
Assistant Examiner(s)
CHANG, KENNETH W

Application Number

US12/475,486
Publication Number

US 20100306816A1
Time in Patent Office

1,900 Days
Field of Search

726/3
US Class Current

726/3
CPC Class Codes

H04L 63/08 for authentication of entit...

H04L 63/1408 by monitoring network traff...

Authentication via monitoring

First Claim

1 Assignment

0 Petitions

Accused Products

Abstract

Citations

23 Claims

Specification

Solutions

Use Cases

Quick Links

Authentication via monitoring

First Claim

1 Assignment

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

Citations

23 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links