Identity and policy-based network security and management system and method

US 8,984,620 B2
Filed: 08/21/2007
Issued: 03/17/2015
Est. Priority Date: 07/06/2007
Status: Active Grant

First Claim

Patent Images

1. A method comprising:

receiving, by a computer, authenticated and authorized identity information associated with a user that includes at least a user id and one or more user IP addresses associated with the user id;

receiving at least one data packet from a source, wherein the at least one packet comprises source information comprising a source IP address and destination information of a destination to which to transmit the packet;

identifying, by the computer, a connection object associated with the connection based at least on the source information and the destination information of the at least one data packet;

associating the identified connection object with the at least one packet;

attempting to match the source IP address to one of the one or more user IP addresses;

responsive to determining that the source IP address matches one of the one or more user IP addresses;

identifying the identity information associated with the authorized user based on the source IP address;

updating the identified connection object with the authenticated and authorized identity information;

identifying a firewall rule associated with the at least one packet and the updated connection object based at least on a combination of the user id, the matched user IP address, the source information of the at least one data packet, and the destination information of the at least one data packet;

applying the firewall rule to the at least one packet of the connection;

performing a firewall action for the at least one packet in view of applying the firewall rule, wherein the action is selected from the group consisting of;

accepting the at least one packet, dropping the at least one packet, or rejecting the at least one packet; and

responsive to accepting the at least one packet after applying the firewall rule,identifying at least one management policy associated with the connection object;

applying the at least one identified management policy to the at least one packet; and

transmitting the at least one packet to the destination.

View all claims

6 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

A system and method for providing security for a network connecting a source and a destination. The system and method provide a security and management system between the source and the destination which is configured to apply rules and policies which are specific to the user to the connection between the source and the destination. The user-specific policies are used to govern the security and management of each packet transmitted and received via the connection.

Citations

24 Claims

1. A method comprising:
- receiving, by a computer, authenticated and authorized identity information associated with a user that includes at least a user id and one or more user IP addresses associated with the user id;
  
  receiving at least one data packet from a source, wherein the at least one packet comprises source information comprising a source IP address and destination information of a destination to which to transmit the packet;
  
  identifying, by the computer, a connection object associated with the connection based at least on the source information and the destination information of the at least one data packet;
  
  associating the identified connection object with the at least one packet;
  
  attempting to match the source IP address to one of the one or more user IP addresses;
  
  responsive to determining that the source IP address matches one of the one or more user IP addresses;
  
  identifying the identity information associated with the authorized user based on the source IP address;
  
  updating the identified connection object with the authenticated and authorized identity information;
  
  identifying a firewall rule associated with the at least one packet and the updated connection object based at least on a combination of the user id, the matched user IP address, the source information of the at least one data packet, and the destination information of the at least one data packet;
  
  applying the firewall rule to the at least one packet of the connection;
  
  performing a firewall action for the at least one packet in view of applying the firewall rule, wherein the action is selected from the group consisting of;
  
  accepting the at least one packet, dropping the at least one packet, or rejecting the at least one packet; and
  
  responsive to accepting the at least one packet after applying the firewall rule,identifying at least one management policy associated with the connection object;
  
  applying the at least one identified management policy to the at least one packet; and
  
  transmitting the at least one packet to the destination.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12)
- - 2. The method of claim 1, further comprising creating the connection object based at least in part on the source information and the destination information.
  - 3. The method of claim 1, further comprising:
    - receiving a login request from the user, wherein the login request comprises a user IP address, and login credentials;
      
      identifying a profile associated with the user, wherein the profile comprises user data and at least one user-specific policy;
      
      determining if the user is authentic by comparing the login credentials with the user data of the identified profile; and
      
      determining if the login request is authorized by applying the at least one user-specific policy of the identified profile.
  - 4. The method of claim 3, wherein determining if the login request is authorized comprises applying a user-specific quota policy.
  - 5. The method of claim 3, further comprising:
    - applying override policy information to override at least a portion of the user-specific policy.
  - 6. The method of claim 3, wherein determining if the login request is authorized comprises applying a user-specific access time policy.
  - 7. The method of claim 1, wherein the at least one management policy comprises an application security policy.
  - 8. The method of claim 1, wherein the at least one management policy comprises a destination network address translation policy.
  - 9. The method of claim 1, wherein the at least one management policy comprises a source network address translation policy.
  - 10. The method of claim 1, wherein the at least one management policy comprises a intrusion detection and prevention policy.
  - 11. The method of claim 1, wherein the at least one management policy comprises a bandwidth management policy.
  - 12. The method of claim 1, wherein the at least one management policy comprises a routing policy.

13. A system comprising a computer to:
- receive authenticated and authorized identity information associated with a user that includes at least a user id and one or more user IP addresses associated with the user id;
  
  receive at least one data packet from a source, wherein the at least one packet comprises source information comprising a source IP address and destination information of a destination to which to transmit the packet;
  
  identify a connection object associated with the connection based at least on the source information and the destination information of the at least one data packet;
  
  associate the identified connection object with the at least one packet;
  
  attempt to match the source IP address to one of the one or more user IP addresses;
  
  responsive to determining that the source IP address matches one of the one or more user IP addresses;
  
  identify the identity information associated with the authorized user based on the source IP address;
  
  update the identified connection object with the authenticated and authorized identity information;
  
  identify a firewall rule associated with the at least one packet and the updated connection object based at least on a combination of the user id, the matched user IP address, the source information of the at least one data packet, and the destination information of the at least one data packet;
  
  apply the firewall rule to the at least one packet of the connection;
  
  perform a firewall action for the at least one packet in view of applying the firewall rule, wherein the action is selected from the group consisting of;
  
  accepting the at least one packet, dropping the at least one packet, or rejecting the at least one packet; and
  
  responsive to accepting the at least one packet after applying the firewall rule,identify at least one management policy associated with the connection object;
  
  apply the at least one identified management policy to the at least one packet; and
  
  transmit the at least one packet to the destination.
- View Dependent Claims (14, 15, 16, 17, 18, 19, 20, 21, 22, 23, 24)
- - 14. The system of claim 13, wherein the computer is further to create the connection object based at least in part on the source information and the destination information.
  - 15. The system of claim 13, wherein the computer is further to:
    - receive a login request from the user, wherein the login request comprises a user IP address, and login credentials,identify a profile associated with the user, wherein the profile comprises user data and at least one user-specific policy,determine if the user is authentic by comparing the login credentials with the user data of the identified profile, anddetermine if the login request is authorized by applying the at least one user-specific policy of the identified profile.
  - 16. The system of claim 15, wherein the computer is further to determine if the login request is authorized by applying a user-specific quota policy.
  - 17. The system of claim 15, wherein the computer is further to apply override policy information to override at least a portion of the user-specific policy.
  - 18. The system of claim 15, wherein the computer is further to determine if the login request is authorized by applying a user-specific access time policy.
  - 19. The system of claim 13, wherein the at least one management policy comprises an application security policy.
  - 20. The system of claim 13, wherein the at least one management policy comprises a destination network address translation policy.
  - 21. The system of claim 13, wherein the at least one management policy comprises a source network address translation policy.
  - 22. The system of claim 13, wherein the at least one management policy comprises a intrusion detection and prevention policy.
  - 23. The system of claim 13, wherein the at least one management policy comprises a bandwidth management policy.
  - 24. The system of claim 13, wherein the at least one management policy comprises a routing policy.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Sophos Limited (Sophos Group Ltd.)
Original Assignee
Cyberoam Technologies Pvt Ltd. (Sophos Group Ltd.)
Inventors
Sonwane, Abhilash Vijay, Mahadevia, Jimit Hareshkumau, Malek, Sarfaraz Mohammedhanif, Pandya, Sumit, Modhwadiya, Rajesh Hardasbhai, Shah, Nishit Shantibhai
Primary Examiner(s)
CERVETTI, DAVID GARCIA

Application Number

US11/915,607
Publication Number

US 20100100949A1
Time in Patent Office

2,765 Days
Field of Search

726/1, 726/7, 726/13
US Class Current

726/13
CPC Class Codes

H04L 61/2503   Translation of Internet pro...

H04L 63/0254   Stateful filtering

H04L 63/0263   Rule management

H04L 63/102   Entity profiles

H04L 63/1408   by monitoring network traff...

H04L 63/20   for managing network securi...

Identity and policy-based network security and management system and method

First Claim

6 Assignments

0 Petitions

Accused Products

Abstract

Citations

24 Claims

Specification

Solutions

Use Cases

Quick Links

Identity and policy-based network security and management system and method

First Claim

6 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

Citations

24 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links