System and method for selective inspection of encrypted traffic
3 Assignments, 0 Petitions
Abstract
Inspection of encrypted network traffic in which multiple network connections carrying encrypted data are monitored, but only a subset of those connections are decrypted and inspected. Typically, only connections associated with designated target users, whose encrypted data is to be inspected, are decrypted. A Network Monitor Center (NMC) dynamically establishes a list of rules for selecting encrypted data connections. The rules are provided to a Secure Data Inspection Appliance (SIA), which accepts some or all of the users' encrypted traffic and checks it against a rule table. When the SIA detects an encrypted connection that matches the rule table, it decrypts the connection and provides a copy of the connection's plain data to the NMC. The NMC then inspects the plain data for security threats. Once a security threat is found in a connection, the NMC applies predefined consequent actions to that connection.
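The abstract describes a two-stage pipeline: the NMC mines plaintext for an association between a predefined criterion (here, a target user identity) and an allocated IP address, builds a rule table, and the switch then steers only the matching encrypted connections to one of several inspection devices. The Python below is an added example, not the patent's or any assignee's code; it models that rule building and steering on constructed records and flows. The RADIUS-accounting-style record format, the target identities and addresses, and the hashed direction-independent connection tuple used as the load-balancing criterion are assumptions the claims do not specify, and the optional rule expiry on an allocation ending goes beyond the claim text. The example stops before decryption, since the page does not say how the inspection device obtains key material.

```python
"""Selection-rule building and flow steering for selective decryption.

Added example, not the patent's own code.  The plaintext records, target
identities, IP addresses and flow tuples are all constructed for
illustration.  The record format (RADIUS-accounting-style key=value lines)
and the hashed canonical connection tuple used as the load-balancing
criterion are assumptions; the claims do not specify either.
"""
from dataclasses import dataclass
import hashlib
import ipaddress
import re

# Constructed plaintext records such as an NMC might observe on an unencrypted
# control-plane link: each associates a user identity with an allocated IP.
PLAIN_RECORDS = [
    "Acct-Status-Type=Start User-Name=alice@example.net Framed-IP-Address=10.0.0.21",
    "Acct-Status-Type=Start User-Name=bob@example.net Framed-IP-Address=10.0.0.22",
    "Acct-Status-Type=Start User-Name=mallory@example.net Framed-IP-Address=10.0.0.23",
    "Acct-Status-Type=Stop User-Name=alice@example.net Framed-IP-Address=10.0.0.21",
    "Acct-Status-Type=Start User-Name=carol@example.net Framed-IP-Address=10.0.0.21",
]

# Predefined criteria: the identities whose encrypted traffic is to be inspected.
TARGETS = {"alice@example.net", "mallory@example.net"}

_FIELD = re.compile(r"(Acct-Status-Type|User-Name|Framed-IP-Address)=(\S+)")


def parse_record(line):
    """Return the fields this example uses, or None if the line carries no
    syntactically valid IP allocation."""
    fields = dict(_FIELD.findall(line))
    try:
        ipaddress.ip_address(fields.get("Framed-IP-Address", ""))
    except ValueError:
        return None
    return fields


def build_rule_table(records, targets, expire_on_stop=True):
    """Claim 1 rule building: search plain data for an IP address and for an
    association between the predefined criteria (a target identity) and that
    IP; on a match, add the IP to the selection rule table.

    expire_on_stop is an assumption beyond the claim text: dropping the IP
    when the allocation ends keeps a reassigned address from pulling a
    non-target user's traffic into decryption."""
    table = set()
    for line in records:
        rec = parse_record(line)
        if rec is None or rec.get("User-Name") not in targets:
            continue
        ip = rec["Framed-IP-Address"]
        if expire_on_stop and rec.get("Acct-Status-Type") == "Stop":
            table.discard(ip)
        else:
            table.add(ip)
    return table


@dataclass(frozen=True)
class Flow:
    """One observed connection, in the direction seen on the wire."""
    src: str
    dst: str
    sport: int
    dport: int
    encrypted: bool = True  # encrypted/plaintext classification assumed done upstream


# Constructed flows observed after the records above were processed.
FLOWS = [
    Flow("10.0.0.21", "203.0.113.10", 51000, 443),        # carol, now holding alice's old IP
    Flow("10.0.0.22", "203.0.113.10", 51001, 443),        # bob, not a target
    Flow("10.0.0.23", "203.0.113.11", 51002, 443),        # mallory, client -> server
    Flow("203.0.113.11", "10.0.0.23", 443, 51002),        # same connection, server -> client
    Flow("10.0.0.23", "203.0.113.12", 51003, 80, False),  # mallory, already plaintext
]


def select_flows(flows, rule_table):
    """Select the subset of encrypted connections with an endpoint in the rule
    table; plaintext connections need no decryption and are left alone."""
    return [f for f in flows
            if f.encrypted and (f.src in rule_table or f.dst in rule_table)]


def assign_device(flow, n_devices):
    """Assumed load-balancing criterion: hash the direction-independent
    connection tuple so both halves of one connection reach the same
    inspection device, which needs both sides of the handshake."""
    a, b = sorted([(flow.src, flow.sport), (flow.dst, flow.dport)])
    key = f"{a[0]}:{a[1]}|{b[0]}:{b[1]}".encode()
    return int.from_bytes(hashlib.sha256(key).digest()[:8], "big") % n_devices


def steer(flows, rule_table, n_devices):
    """The switch configuration as a mapping: device index -> connections."""
    plan = {i: [] for i in range(n_devices)}
    for f in select_flows(flows, rule_table):
        plan[assign_device(f, n_devices)].append(f)
    return plan


if __name__ == "__main__":
    table = build_rule_table(PLAIN_RECORDS, TARGETS)
    print("rule table:", sorted(table))
    for dev, conns in steer(FLOWS, table, 4).items():
        for c in conns:
            print(f"device {dev}: {c.src}:{c.sport} -> {c.dst}:{c.dport}")
    stale = build_rule_table(PLAIN_RECORDS, TARGETS, expire_on_stop=False)
    extra = [f for f in select_flows(FLOWS, stale) if f not in select_flows(FLOWS, table)]
    print("add-only table would also decrypt:", [(f.src, f.dst) for f in extra])
```

The comparison at the end is the check a practitioner wants before deploying a rule table keyed on dynamically allocated addresses: once alice's allocation of 10.0.0.21 ends and carol receives it, an add-only table still matches that address and steers a non-target's encrypted connection to a decryptor. Hashing the sorted endpoint pairs rather than the raw 5-tuple keeps the client-to-server and server-to-client halves of one TLS connection on the same device, which any decryptor needs in order to follow the handshake.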
36 Citations

Claims (16)

1. A method comprising:
- intercepting data from a communication network, wherein the communication network carries data connections conveying the data, wherein the data relates to users of the communication network, and wherein the data comprises encrypted data;
- determining or identifying plain data from the intercepted data, wherein the plain data comprises unencrypted data;
- analyzing the plain data, by an apparatus with a hardware module comprising a processor, to establish one or more selection rules by: detecting predefined criteria, searching the plain data for an IP address allocated to at least one of the data connections, searching the plain data for an association between the predefined criteria and the IP address, and upon discovering the searched association, adding the discovered IP address to a selection rule table;
- selecting a subset of the data connections for selective inspection of encrypted data, wherein the selection is based on the selection rules, wherein selecting the subset further comprises configuring a network switch to forward only the selected subset of the network connections to an inspection device, and wherein configuring the network switch further comprises causing the network switch to distribute the network connections in the subset among multiple inspection devices in accordance with a load balancing criterion; and
- configuring the inspection device to decrypt the encrypted data conveyed by the data connections in the selected subset.

Dependent claims 2, 3, 4, 5, 6, 7 and 8 depend from claim 1 and are not reproduced here.

9. An apparatus comprising:
- a network interface that intercepts data from a communication network, wherein the communication network carries data connections conveying the data, wherein the data relates to users of the communication network, and wherein the data comprises encrypted data; and
- a hardware module comprising a processor that: determines or identifies plain data from the intercepted data, wherein the plain data comprises unencrypted data; analyses the plain data to establish one or more selection rules by detecting predefined criteria, searching the plain data for an IP address allocated to at least one of the data connections, searching the plain data for an association between the predefined criteria and the IP address, and upon discovering the searched association, adding the discovered IP address to a selection rule table; selects a subset of the data connections for selective inspection of encrypted data, wherein the selection is based on the selection rules, wherein the processor configures a network switch to forward only the selected subset of the network connections to an inspection device, and further wherein the processor causes the network switch to distribute the network connections in the subset among multiple inspection devices in accordance with a load balancing criterion; and configures the inspection device to decrypt the encrypted data conveyed by the data connections in the selected subset.

Dependent claims 10, 11, 12, 13, 14 and 15 depend from claim 9 and are not reproduced here.

16. An apparatus comprising a processor coupled to a memory:
- a monitoring unit that intercepts data from a communication network, wherein the communication network carries data connections conveying the data, wherein the data relates to users of the communication network, and wherein the data comprises encrypted data; determines or identifies plain data from the intercepted data, wherein the plain data comprises unencrypted data; analyzes the plain data to establish one or more selection rules by detecting predefined criteria, searching the plain data for an IP address allocated to at least one of the data connections, searching the plain data for an association between the predefined criteria and the IP address, and upon discovering the searched association, adding the IP address to a selection rule table; selects a subset of the data connections for selective inspection of encrypted data, wherein the selection is based on the selection rules, wherein the monitoring unit configures a network switch to forward only the selected subset of the network connections to an inspection device, and further wherein the monitoring unit causes the network switch to distribute the network connections in the subset among multiple inspection devices in accordance with a load balancing criterion; and outputs an indication of the selected subset; and
- the inspection device that receives the indication of the selected subset from the monitoring unit, decrypts the encrypted data conveyed by the data connections in the selected subset, and outputs the decrypted data.