System and method for using variable security tag location in network communications
Abstract
A method of packet security management to ensure a secure connection from one network node to another. The method includes creating a security tag for each packet in a network session, selecting one of a number of possible tag locations within the packet, inserting the security tag at that location, transmitting the tagged packets from a sending node to the receiving node, authenticating the packets' security tags at the receiving node, and dropping non-authenticated packets. The method also includes determining the best possible tag locations when sending a packet and locating a security tag when receiving a packet.
197 Citations
21 Claims
1. A method for processing a security tag in each packet of a packetized communication, the packets being transmitted to a receiving node in a network, the security tag including information relating to at least a user, the method comprising the steps of:
- receiving, at the receiving node, a first packet from a sending node, the first packet comprising a plurality of placement locations each with a tag;
- detecting, at the receiving node, if at least one of the tags at one or more of the plurality of placement locations in the first packet has been removed or changed based on one or more network characteristics that can remove or change a security tag in a packet from the sending node to the receiving node;
- sending, by the receiving node to the sending node, at least one tag placement directive generated based on the detection, the at least one tag placement directive indicating at least one placement location among the plurality of locations to embed a security tag in each packet of a packetized communication, the at least one placement location selected to carry the security tag unchanged over the network across one or more intermediaries to the receiving node;
- receiving, at the receiving node, each packet of the packetized communication, each packet having the embedded security tag;
- authenticating, at the receiving node, the embedded security tag in each packet; and
- if a respective packet of the packetized communication is received by the receiving node without the security tag embedded in the selected placement location, preventing access by the respective packet which does not have the security tag embedded in the selected placement location to a secured resource.

Dependent claims: 2, 3, 4, 5, 6, 7, 8, 9, 10.

11. A method for processing a security tag in each packet of a packetized communication, the packets being transmitted from a sending node in a network, the security tag including information relating to at least a user, the method comprising the steps of:
- sending, by the sending node to the receiving node, a first packet comprising a plurality of placement locations each with a tag;
- receiving, at the sending node, at least one tag placement directive from the receiving node, the at least one tag placement directive generated based on whether one or more tags at one or more of the plurality of placement locations has been removed or changed based on one or more network characteristics that can remove or change a security tag in a packet from the sending node to the receiving node;
- selecting, at the sending node, a first placement location among the plurality of placement locations to embed a first security tag in each packet of a first packetized communication being sent to a first receiving node, based on the received at least one tag placement directive, which indicates that the first placement location carries the first security tag unchanged over the network across one or more intermediaries to the first receiving node;
- inserting, by the sending node, the first security tag at the selected first placement location for each packet of the first packetized communication being sent to the first receiving node;
- transmitting, by the sending node, the first packetized communication with the first security tag;
- selecting, at the sending node, a second placement location among the plurality of placement locations to embed a second security tag in each packet of a second packetized communication being sent to a second receiving node, based on the received at least one tag placement directive, which indicates that the second placement location carries the second security tag unchanged over the network across one or more intermediaries to the second receiving node;
- inserting, by the sending node, the second security tag at the selected second placement location for each packet of the second packetized communication being sent to the second receiving node; and
- transmitting, by the sending node, the second packetized communication with the second security tag.

Dependent claims: 12, 13.

14. A method for processing a security tag embedded in a plurality of packets of a packetized communication, the packets being transmitted from a sending node to a receiving node in a network, the security tag including security information regarding the packetized communication, the method comprising the steps of:
- receiving, at the receiving node, a first packet from the sending node, the first packet comprising a plurality of placement locations each with a tag;
- detecting, at the receiving node, if one or more tags at one or more of the plurality of placement locations has been removed or changed based on one or more network characteristics that can remove or change a security tag in a packet from the sending node to the receiving node;
- sending, by the receiving node to the sending node, at least one tag placement directive generated based on the detection, the at least one tag placement directive indicating a placement location among the plurality of locations to embed a security tag in each packet of a packetized communication, the placement location selected to carry the security tag unchanged over the network across one or more intermediaries to the receiving node;
- authenticating, at the receiving node, each of the embedded security tags located at the selected placement location for the packets of the packetized communication; and
- passing packets that are authenticated to a secured resource on the network.

Dependent claims: 15, 16.

17. A sending node configured for transmitting packets toward a receiving node in a packetized communication network, comprising:
- a transmission unit configured for sending, to the receiving node, a first packet comprising a plurality of placement locations each with a tag;
- a receiver unit for receiving at least one tag placement directive from the receiving node, the at least one tag placement directive generated based on whether one or more tags at one or more of the plurality of placement locations has been removed or changed based on one or more network characteristics that can remove or change a security tag in a packet from the sending node to the receiving node;
- a placement determination unit configured for selecting a first placement location among a plurality of placement locations for a first security tag to be embedded in each of a plurality of packets of a first packetized communication to be sent to a first receiving node, based on the received at least one tag placement directive, which indicates that the first placement location carries the first security tag unchanged over the network across one or more intermediaries to the first receiving node, and for selecting a second placement location among the plurality of placement locations for a second security tag to be embedded in each of a plurality of packets of a second packetized communication to be sent to a second receiving node, based on the received at least one tag placement directive, which indicates that the second placement location carries the second security tag unchanged over the network across one or more intermediaries to the second receiving node; and
- an insertion unit configured for inserting the first security tag at the first placement location for each of the packets of the first packetized communication, and inserting the second security tag at the second placement location for each of the packets of the second packetized communication;
- the transmission unit further configured for transmitting the first packetized communication with the inserted first security tag toward the first receiving node, and transmitting the second packetized communication with the inserted second security tag toward the second receiving node.

Dependent claims: 18.

19. A receiving node configured for receiving packets sent by a sending node in a packetized communication network, comprising:
- a receiving unit configured for receiving a first packet from the sending node, the first packet comprising a plurality of placement locations each with a tag, and detecting if one or more tags at one or more of the plurality of placement locations has been removed or changed based on one or more network characteristics that can remove or change a security tag in a packet from the sending node to the receiving node;
- a sending unit configured for sending, to the sending node, at least one tag placement directive generated based on the detection, the at least one tag placement directive indicating at least one placement location among the plurality of locations to embed a security tag in each packet of a packetized communication, the at least one placement location selected to carry the security tag unchanged over the network across one or more intermediaries to the receiving node, wherein the receiving unit is further configured to receive packets from the sending node embedded with a security tag; and
- a packet processor configured for authenticating, at the receiving node, the security tag embedded in each of the packets, wherein the packet processor prevents access by a respective packet of the packetized communication to a secured resource (1) if the respective, received packet does not have the security tag embedded in a selected one of a plurality of placement locations, or (2) if the security tag embedded at the selected one of the plurality of placement locations is not authenticated, the one of the plurality of placement locations selected responsive to at least one tag placement directive from the receiving node generated based on one or more predetermined network characteristics that can remove or change a security tag in a packet, the location selected to carry the security tag unchanged over the network across one or more intermediaries to the receiving node.

Dependent claims: 20.

21. A non-transitory computer readable storage medium configured for storing computer code to execute a method for processing a security tag in each packet of a packetized communication, the packets being transmitted to a receiving node in a network, the security tag including information relating to at least a user, the method comprising the steps of:
- sending, by a sending node to the receiving node, a first packet comprising a plurality of placement locations each with a tag;
- receiving, at the sending node, at least one tag placement directive from the receiving node, the at least one tag placement directive generated based on whether one or more tags at one or more of the plurality of placement locations has been removed or changed based on one or more network characteristics that can remove or change a security tag in a packet from the sending node to the receiving node;
- selecting, at the sending node, at least one placement location among the plurality of placement locations to embed a security tag in each packet of a packetized communication, responsive to the at least one placement directive from the receiving node, the at least one placement location selected to carry the security tag unchanged over the network across one or more intermediaries to the receiving node;
- receiving, at the receiving node, each packet of the packetized communication, each packet having the embedded security tag;
- authenticating, at the receiving node, the embedded security tag in each packet; and
- if a respective packet of the packetized communication is received by the receiving node without the security tag embedded in the selected placement location, preventing access by the respective packet which does not have the security tag embedded in the selected placement location to a secured resource.
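The following simulation is an added example written for this page; it is not code from the patent or its assignee. It models the exchange the abstract and the independent claims describe: a first packet carries a tag at every candidate placement location, simulated intermediaries strip or overwrite some of those locations, the receiving node detects which locations carried the tag unchanged and returns a tag placement directive, the sending node then embeds the tag only at the directed location, and the receiving node authenticates each packet there and drops anything that fails. The placement location names, the per-session key, the HMAC-based tag construction and the sample traffic are all constructed assumptions; the page does not specify a tag format.

```python
import hmac
import hashlib
from dataclasses import dataclass

# Candidate placement locations (constructed names standing in for, e.g., an IP
# option, a TCP option, or the start/end of the payload).
PLACEMENT_LOCATIONS = ("ip_option", "tcp_option", "payload_prefix", "payload_suffix")

# Assumption: sender and receiver already share a per-session key; how it is
# established is outside what the page describes.
SESSION_KEY = b"constructed-session-key-do-not-reuse"


@dataclass
class Packet:
    seq: int
    payload: bytes
    fields: dict  # placement location -> tag bytes, or None when the slot is empty


def make_tag(key: bytes, user: str, seq: int, payload: bytes) -> bytes:
    """Security tag (assumed format): truncated HMAC binding user, sequence number and payload."""
    msg = user.encode() + seq.to_bytes(4, "big") + payload
    return hmac.new(key, msg, hashlib.sha256).digest()[:16]


def probe_packet(key: bytes, user: str) -> Packet:
    """First packet of a session: the same tag at every placement location."""
    payload = b"probe"
    tag = make_tag(key, user, 0, payload)
    return Packet(0, payload, {loc: tag for loc in PLACEMENT_LOCATIONS})


def intermediary(packet: Packet, strips=(), rewrites=()) -> Packet:
    """Model of network characteristics on the path: some intermediaries remove a
    location entirely, others overwrite its contents."""
    fields = dict(packet.fields)
    for loc in strips:
        fields[loc] = None
    for loc in rewrites:
        if fields.get(loc) is not None:
            fields[loc] = bytes(len(fields[loc]))  # zeroed: the tag is no longer authentic
    return Packet(packet.seq, packet.payload, fields)


def surviving_locations(key: bytes, user: str, probe: Packet) -> list:
    """Receiver side: the locations at which the probe tag arrived unchanged."""
    expected = make_tag(key, user, probe.seq, probe.payload)
    return [loc for loc in PLACEMENT_LOCATIONS
            if probe.fields.get(loc) is not None
            and hmac.compare_digest(probe.fields[loc], expected)]


def tag_placement_directive(survivors: list):
    """Receiver's directive: first surviving location in preference order, or None if none survived."""
    return survivors[0] if survivors else None


def tag_packet(key: bytes, user: str, seq: int, payload: bytes, location: str) -> Packet:
    """Sender side: embed the tag only at the directed location."""
    fields = {loc: None for loc in PLACEMENT_LOCATIONS}
    fields[location] = make_tag(key, user, seq, payload)
    return Packet(seq, payload, fields)


def authenticate(key: bytes, user: str, packet: Packet, location: str) -> bool:
    """Receiver side: accept only if the directed location holds a tag valid for this packet."""
    tag = packet.fields.get(location)
    if tag is None:
        return False
    return hmac.compare_digest(tag, make_tag(key, user, packet.seq, packet.payload))


def run_session(user: str, path):
    """Drive the whole exchange over `path` (a callable applying the intermediaries).
    Returns (directive, accepted, dropped) for a constructed mix of five packets."""
    probe = path(probe_packet(SESSION_KEY, user))
    directive = tag_placement_directive(surviving_locations(SESSION_KEY, user, probe))
    if directive is None:
        return None, 0, 0  # no location survives this path; nothing can be secured
    accepted = dropped = 0
    # Constructed traffic: two correctly tagged packets, one untagged packet, one tagged
    # at a location other than the directed one, and one whose payload changed in transit.
    good = [path(tag_packet(SESSION_KEY, user, s, b"data%d" % s, directive)) for s in (1, 2)]
    untagged = Packet(3, b"data3", {loc: None for loc in PLACEMENT_LOCATIONS})
    wrong_loc = path(tag_packet(SESSION_KEY, user, 4, b"data4", "tcp_option"))
    tampered = path(tag_packet(SESSION_KEY, user, 5, b"data5", directive))
    tampered.payload = b"DATA5"
    for pkt in good + [untagged, wrong_loc, tampered]:
        if authenticate(SESSION_KEY, user, pkt, directive):
            accepted += 1
        else:
            dropped += 1  # the secured resource is never reached
    return directive, accepted, dropped


def example_path(pkt: Packet) -> Packet:
    """Constructed path: one hop strips the IP option, another rewrites the TCP option."""
    return intermediary(pkt, strips=("ip_option",), rewrites=("tcp_option",))


if __name__ == "__main__":
    print(run_session("alice", example_path))
```

With the constructed path the probe tag survives only in the two payload locations, so the directive selects `payload_prefix`; the two properly tagged packets are accepted and the untagged, mis-placed and tampered packets are dropped. A path on which no location survives yields no directive, which is the case a deployment has to handle explicitly rather than silently falling back to unauthenticated traffic.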