Identity and policy-based network security and management system and method
First Claim
1. A method comprising:
receiving, by a computer, authenticated and authorized identity information associated with a user that includes at least a user id and one or more user IP addresses associated with the user id;
receiving at least one data packet from a source, wherein the at least one packet comprises source information comprising a source IP address and destination information of a destination to which to transmit the packet;
identifying, by the computer, a connection object associated with the connection based at least on the source information and the destination information of the at least one data packet;
associating the identified connection object with the at least one packet;
attempting to match the source IP address to one of the one or more user IP addresses;
responsive to determining that the source IP address matches one of the one or more user IP addresses:
identifying the identity information associated with the authorized user based on the source IP address;
updating the identified connection object with the authenticated and authorized identity information;
identifying a firewall rule associated with the at least one packet and the updated connection object based at least on a combination of the user id, the matched user IP address, the source information of the at least one data packet, and the destination information of the at least one data packet;
applying the firewall rule to the at least one packet of the connection;
performing a firewall action for the at least one packet in view of applying the firewall rule, wherein the action is selected from the group consisting of:
accepting the at least one packet, dropping the at least one packet, or rejecting the at least one packet; and
responsive to accepting the at least one packet after applying the firewall rule, identifying at least one management policy associated with the connection object;
applying the at least one identified management policy to the at least one packet; and
transmitting the at least one packet to the destination.
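The claim above describes a pipeline rather than a single check: an identity feed binds a user id to one or more IP addresses, each packet is attached to a connection object, the source IP is matched against the identity table, the connection object is enriched with the user id, a rule keyed on user id plus addresses is selected, and only accepted packets then receive per-user management policies. The following Python model is an added illustration of that flow and is not code from the patent or its assignee; the class names, rule fields, user ids, IP addresses and policy names are all constructed for the example. It defaults to dropping packets that match no rule, a design choice the claim does not specify.

```python
"""Identity-aware firewall pipeline (added illustration, not the patent's code).

Steps modelled: identity table (user id -> IPs), connection-object lookup,
identity match on source IP, rule lookup keyed on user id + addresses,
firewall action, then management policy on accepted packets only.
All names, rules and sample packets are constructed for this example.
"""
from dataclasses import dataclass
from enum import Enum
from ipaddress import ip_address, ip_network
from typing import Optional


class Action(Enum):
    ACCEPT = "accept"
    DROP = "drop"      # discard silently
    REJECT = "reject"  # discard and signal the source


@dataclass(frozen=True)
class Packet:
    src_ip: str
    dst_ip: str
    dst_port: int
    proto: str = "tcp"


@dataclass
class Connection:
    """Connection object: the flow tuple plus the identity learned for it."""
    key: tuple
    user_id: Optional[str] = None
    packets: int = 0


@dataclass
class Rule:
    """One firewall rule; a None field means 'any'. A packet matches only
    when user id, source IP, destination network and port all agree."""
    action: Action
    user_id: Optional[str] = None
    src_ip: Optional[str] = None
    dst_net: Optional[str] = None
    dst_port: Optional[int] = None

    def matches(self, pkt: Packet, user_id: Optional[str]) -> bool:
        if self.user_id is not None and self.user_id != user_id:
            return False
        if self.src_ip is not None and self.src_ip != pkt.src_ip:
            return False
        if self.dst_net is not None and ip_address(pkt.dst_ip) not in ip_network(self.dst_net):
            return False
        if self.dst_port is not None and self.dst_port != pkt.dst_port:
            return False
        return True


class IdentityFirewall:
    def __init__(self, rules, policies, default=Action.DROP):
        self.identities = {}        # user IP -> user id (from the identity feed)
        self.connections = {}       # flow tuple -> Connection object
        self.rules = rules          # ordered; first match wins
        self.policies = policies    # user id -> management policies to apply
        self.default = default      # action when no rule matches (constructed choice)

    def receive_identity(self, user_id: str, ips) -> None:
        """Authenticated, authorized identity: a user id and its IP addresses."""
        for ip in ips:
            self.identities[ip] = user_id

    def process_packet(self, pkt: Packet):
        """Returns (action, user id bound to the connection, policies applied)."""
        key = (pkt.src_ip, pkt.dst_ip, pkt.dst_port, pkt.proto)
        conn = self.connections.setdefault(key, Connection(key))
        conn.packets += 1
        # Match the source IP to a known user IP and update the connection object.
        user_id = self.identities.get(pkt.src_ip)
        if user_id is not None:
            conn.user_id = user_id
        # Rule selection combines user id, source IP, destination and port.
        action = self.default
        for rule in self.rules:
            if rule.matches(pkt, conn.user_id):
                action = rule.action
                break
        # Management policies are applied only to packets the firewall accepted.
        applied = list(self.policies.get(conn.user_id, [])) if action is Action.ACCEPT else []
        return action, conn.user_id, applied


def build_demo() -> IdentityFirewall:
    """Constructed sample configuration: two known users, two rules."""
    rules = [
        Rule(Action.ACCEPT, user_id="alice", dst_net="192.168.1.0/24", dst_port=443),
        Rule(Action.REJECT, user_id="bob", dst_port=22),
    ]
    policies = {"alice": ["log-flow", "rate-limit-10mbps"], "bob": ["log-flow"]}
    fw = IdentityFirewall(rules, policies)
    fw.receive_identity("alice", ["10.0.0.5"])
    fw.receive_identity("bob", ["10.0.0.7"])
    return fw


if __name__ == "__main__":
    fw = build_demo()
    for pkt in (Packet("10.0.0.5", "192.168.1.10", 443),
                Packet("10.0.0.7", "192.168.1.10", 22),
                Packet("10.0.0.99", "192.168.1.10", 443)):
        print(pkt.src_ip, "->", pkt.dst_ip, pkt.dst_port, fw.process_packet(pkt))
```

Two properties of the claim are visible in the model: the identity is stored on the connection object, not re-derived per rule, so a later packet of the same flow inherits it; and a packet whose source IP is not in the identity table reaches the rule set with no user id, where only rules that do not require a user can match.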
Abstract
A system and method for providing security for a network connecting a source and a destination. The system and method provide a security and management system between the source and the destination which is configured to apply rules and policies which are specific to the user to the connection between the source and the destination. The user-specific policies are used to govern the security and management of each packet transmitted and received via the connection.
24 Claims
1. A method comprising the steps set out under First Claim above. Dependent claims: 2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12.
13. A system comprising a computer to:
receive authenticated and authorized identity information associated with a user that includes at least a user id and one or more user IP addresses associated with the user id;
receive at least one data packet from a source, wherein the at least one packet comprises source information comprising a source IP address and destination information of a destination to which to transmit the packet;
identify a connection object associated with the connection based at least on the source information and the destination information of the at least one data packet;
associate the identified connection object with the at least one packet;
attempt to match the source IP address to one of the one or more user IP addresses;
responsive to determining that the source IP address matches one of the one or more user IP addresses:
identify the identity information associated with the authorized user based on the source IP address;
update the identified connection object with the authenticated and authorized identity information;
identify a firewall rule associated with the at least one packet and the updated connection object based at least on a combination of the user id, the matched user IP address, the source information of the at least one data packet, and the destination information of the at least one data packet;
apply the firewall rule to the at least one packet of the connection;
perform a firewall action for the at least one packet in view of applying the firewall rule, wherein the action is selected from the group consisting of:
accepting the at least one packet, dropping the at least one packet, or rejecting the at least one packet; and
responsive to accepting the at least one packet after applying the firewall rule, identify at least one management policy associated with the connection object;
apply the at least one identified management policy to the at least one packet; and
transmit the at least one packet to the destination.
Dependent claims: 14, 15, 16, 17, 18, 19, 20, 21, 22, 23, 24.
Specification