Authentication via monitoring
First Claim
1. A non-transitory tangible media encoded with executable instructions which when executed are operable to perform a method, the method comprising:
in a firewall;
detecting a packet data flow of a cryptographic protocol between a first endpoint and a second endpoint;
collecting an identity data of the first endpoint and the second endpoint;
where the identity data is included in the packet data flow and comprises a digital certificate of the first endpoint and at least one attribute value of the second endpoint;
making a decision, based, at least in part, on the identity data, whether to admit or deny the packet data flow through the firewall and on a trust that the first endpoint assigns to the second endpoint while establishing a connection with the second endpoint;
verifying an identity of one or more of, the first endpoint, and the second endpoint, based on the identity data from the digital certificate and the at least one attribute value, where the collected identity data facilitates validation of the digital certificate;
based, at least in part, on validating endpoint identity data included in the packet data flow of the cryptographic protocol that is observed at the firewall, admitting or denying the packet data flow through the firewall.
Abstract
Systems, methods, and other embodiments associated with authentication via monitoring are described. One example method includes detecting a data flow in which indicia of identity (DFWIOI) travel between a first endpoint and a second endpoint. The DFWIOI may be partially encrypted. The example method may also include collecting an identity data associated with the DFWIOI from the DFWIOI, the first endpoint, the second endpoint, and so on. The example method may also include making an authentication policy decision regarding the DFWIOI based, at least in part, on the identity data. The example method may also include controlling a networking device associated with the DFWIOI based, at least in part, on the authentication policy decision.
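The abstract describes four steps: observe a flow carrying indicia of identity, collect identity data from it, make a policy decision, and act on the networking device. As an added example that is not part of the patent or of any product it describes, the following standard-library Python script performs the collection and decision steps against a constructed TLS 1.2-style handshake. It pulls the server_name indication out of the ClientHello (the attribute value the client endpoint sends in the clear), pulls the DER certificate chain out of the cleartext Certificate message (the server endpoint's digital certificate), treats an Alert record as a sign that no trust was established between the endpoints, and then returns ADMIT or DENY against a pinned-fingerprint table. The byte streams, the placeholder DER blob (`SAMPLE_LEAF_DER`, not a real certificate), the host name and the pin table are all constructed for the example; `decide` stands in for whatever policy a real firewall would apply.

```python
import hashlib
import struct

# TLS record and handshake type codes (RFC 5246); server_name is extension type 0 (RFC 6066).
HANDSHAKE, ALERT, CLIENT_HELLO, CERTIFICATE, SNI_EXT = 22, 21, 1, 11, 0

def iter_records(data):
    """Yield (content_type, payload) for each TLS record in an observed byte stream."""
    off = 0
    while off + 5 <= len(data):
        ctype, _, length = struct.unpack("!BHH", data[off:off + 5])
        yield ctype, data[off + 5:off + 5 + length]
        off += 5 + length

def iter_handshakes(payload):
    """Yield (handshake_type, body) for each handshake message inside one record payload."""
    off = 0
    while off + 4 <= len(payload):
        length = int.from_bytes(payload[off + 1:off + 4], "big")
        yield payload[off], payload[off + 4:off + 4 + length]
        off += 4 + length

def parse_sni(body):
    """Return server_name from a ClientHello body: an attribute value the client sends in the clear."""
    off = 2 + 32                                          # legacy_version + random
    off += 1 + body[off]                                  # session_id
    off += 2 + int.from_bytes(body[off:off + 2], "big")  # cipher_suites
    off += 1 + body[off]                                  # compression_methods
    end = off + 2 + int.from_bytes(body[off:off + 2], "big")  # extensions block (0 if absent)
    off += 2
    while off + 4 <= end:
        etype, elen = struct.unpack("!HH", body[off:off + 4])
        off += 4
        if etype == SNI_EXT:  # list_length(2) | name_type(1) | name_length(2) | host_name
            name_len = int.from_bytes(body[off + 3:off + 5], "big")
            return body[off + 5:off + 5 + name_len].decode("ascii")
        off += elen
    return None

def parse_certificates(body):
    """Return the DER certificates in a cleartext (TLS 1.2-style) Certificate message body."""
    end, off, certs = 3 + int.from_bytes(body[0:3], "big"), 3, []
    while off + 3 <= end:
        clen = int.from_bytes(body[off:off + 3], "big")
        certs.append(body[off + 3:off + 3 + clen])
        off += 3 + clen
    return certs

def collect_identity(stream):
    """Passively collect identity data from the flow, as the firewall in the abstract does."""
    ident = {"sni": None, "certs": [], "alert": False}
    for ctype, payload in iter_records(stream):
        if ctype == ALERT:
            ident["alert"] = True  # a peer refused to continue: no trust was established
        elif ctype == HANDSHAKE:
            for htype, hbody in iter_handshakes(payload):
                if htype == CLIENT_HELLO:
                    ident["sni"] = parse_sni(hbody)
                elif htype == CERTIFICATE:
                    ident["certs"] = parse_certificates(hbody)
    return ident

def fingerprint(der):
    return hashlib.sha256(der).hexdigest()

def decide(ident, pins):
    """Policy decision. `pins` maps an allowed server_name to the pinned SHA-256 of its leaf cert."""
    if ident["alert"]:
        return "DENY", "handshake aborted by an endpoint"
    if not ident["certs"]:
        return "DENY", "no server certificate observed in the flow"
    expected = pins.get(ident["sni"])
    if expected is None:
        return "DENY", "server name %r is not in policy" % (ident["sni"],)
    if fingerprint(ident["certs"][0]) != expected:
        return "DENY", "leaf certificate does not match the pin for %s" % ident["sni"]
    return "ADMIT", "pinned certificate presented for %s" % ident["sni"]

SAMPLE_LEAF_DER = b"\x30\x81\x20" + bytes(range(32))  # constructed placeholder blob, not a real certificate

def handshake_record(htype, body):
    hs = bytes([htype]) + len(body).to_bytes(3, "big") + body
    return struct.pack("!BHH", HANDSHAKE, 0x0303, len(hs)) + hs

def build_client_hello(server_name):
    name = server_name.encode("ascii")
    sni_list = b"\x00" + struct.pack("!H", len(name)) + name
    ext = struct.pack("!HHH", SNI_EXT, len(sni_list) + 2, len(sni_list)) + sni_list
    body = (b"\x03\x03" + bytes(32) + b"\x00" + struct.pack("!H", 2) + b"\xc0\x2f"
            + b"\x01\x00" + struct.pack("!H", len(ext)) + ext)
    return handshake_record(CLIENT_HELLO, body)

def build_certificate(der_certs):
    entries = b"".join(len(c).to_bytes(3, "big") + c for c in der_certs)
    return handshake_record(CERTIFICATE, len(entries).to_bytes(3, "big") + entries)

def alert_record():
    return struct.pack("!BHH", ALERT, 0x0303, 2) + b"\x02\x30"  # fatal alert, unknown_ca
```

To exercise it, build a flow with `build_client_hello("api.example.internal") + build_certificate([SAMPLE_LEAF_DER])`, pass `collect_identity(flow)` and `{"api.example.internal": fingerprint(SAMPLE_LEAF_DER)}` to `decide`, and append `alert_record()` to the flow to see the trust check flip the result to DENY. Two caveats a practitioner would want: pinning a leaf fingerprint is the simplest stand-in for "validating" the certificate, and a real device would instead verify the chain against a trust store, check validity dates and revocation, and compare the certificate's names with the observed server_name; and the monitoring only works where the identity data is actually visible, so TLS 1.3 (which encrypts the Certificate message) and Encrypted Client Hello (which hides server_name) leave a passive observer with far less to collect.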
23 Claims
1. See First Claim above. Dependent claims: 2 to 12.
13. An apparatus, comprising:
a firewall;
a micro-processor;
a data flow detection logic to detect a packet data flow of a cryptographic protocol between a first network communicator (NC) and a second NC;
an identification logic to collect an identification information from the first NC and the second NC, the identification information being associated with indicators of identity;
where the identification information is included in the packet data flow and comprises a digital certificate of the first NC and at least one attribute value of the second NC;
a control logic to make a decision for the packet data flow, based, at least in part on the identification information, whether to allow or deny the packet data flow through the firewall and on a trust that the first NC assigns to the second NC while establishing a connection with the second NC;
verify an identity of one or more of, the first NC, and the second NC, based on the identification information from the digital certificate and the at least one attribute value, where the collected identification information facilitates validation of the digital certificate;
a network policing agent to admit or deny the packet data flow through the firewall based, at least in part, on validating endpoint identity data included in the packet data flow of the cryptographic protocol that is observed at the firewall.
Dependent claims: 14 to 23.