System and method for using variable security tag location in network communications

US 8,990,573 B2
Filed: 11/10/2008
Issued: 03/24/2015
Est. Priority Date: 11/10/2008
Status: Active Grant

First Claim

Patent Images

1. A method for processing a security tag in each packet of a packetized communication, the packets being transmitted to a receiving node in a network, the security tag including information relating to at least a user, the method comprising the steps of:

receiving, at the receiving node, a first packet from a sending node, the first packet comprising a plurality of placement locations each with a tag;

detecting, at the receiving node, if at least one of the tags at one or more of the plurality of placement locations in the first packet has been removed or changed based on one or more network characteristics that can remove or change a security tag in a packet from the sending node to the receiving node;

sending, by the receiving node to the sending node, at least one tag placement directive generated based on the detection, the at least at least one tag placement directive indicating at least one placement location among the plurality of locations to embed a security tag in each packet of a packetized communication, the at least one placement location selected to carry the security tag unchanged over the network across one or more intermediaries to the receiving node;

receiving, at the receiving node, each packet of the packetized communication, each packet having the embedded security tag;

authenticating, at the receiving node, the embedded security tag in each packet; and

if a respective packet of the packetized communication is received by the receiving node without the security tag embedded in the selected placement location, preventing access by the respective packet which does not have the security tag embedded in the selected placement location to a secured resource.

View all claims

8 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

A method of packet security management to ensure a secure connection from one network node to another. The method includes creating a security tag for each packet in a network session, selecting one of a number of possible tag locations within the packet, inserting the security tag at that location, transmitting the tagged packets from a sending node to the receiving node, authenticating the packets'"'"' security tags at the receiving node, and dropping non-authenticated packets. The method also includes determining best possible tag locations when sending a packet and locating a security tag when receiving a packet.

197 Citations

21 Claims

1. A method for processing a security tag in each packet of a packetized communication, the packets being transmitted to a receiving node in a network, the security tag including information relating to at least a user, the method comprising the steps of:
- receiving, at the receiving node, a first packet from a sending node, the first packet comprising a plurality of placement locations each with a tag;
  
  detecting, at the receiving node, if at least one of the tags at one or more of the plurality of placement locations in the first packet has been removed or changed based on one or more network characteristics that can remove or change a security tag in a packet from the sending node to the receiving node;
  
  sending, by the receiving node to the sending node, at least one tag placement directive generated based on the detection, the at least at least one tag placement directive indicating at least one placement location among the plurality of locations to embed a security tag in each packet of a packetized communication, the at least one placement location selected to carry the security tag unchanged over the network across one or more intermediaries to the receiving node;
  
  receiving, at the receiving node, each packet of the packetized communication, each packet having the embedded security tag;
  
  authenticating, at the receiving node, the embedded security tag in each packet; and
  
  if a respective packet of the packetized communication is received by the receiving node without the security tag embedded in the selected placement location, preventing access by the respective packet which does not have the security tag embedded in the selected placement location to a secured resource.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10)
- - 2. The method according to claim 1, wherein the authenticating of the security tag in each packet of the packetized communication includes:
    - if a location placement message had been sent by the receiving node, checking a location in each packet of the packetized communication indicated by the location placement message for the security tag; and
      
      determining if the security tag at the checked location is authentic.
  - 3. The method according to claim 1, wherein the authenticating of the security tag in each packet of the packetized communication includes:
    - if the receiving node had not previously specify a fixed tag location, or if the receiving node is unable to locate the security tag in the fixed tag location, checking, by the receiving node, a size of one or both of;
      
      (1) an IP option field;
      
      or (2) a TCP option field of the respective packet of the packetized communication;
      
      if the size of the IP option field or the TCP option field for the respective packet is greater than or equal to a size of the security tag embedded in the respective packet, determining for the option field or fields that are greater than or equal to the size of the security tag, if the security tag is embedded in the IP option field or TCP option field;
      
      if the security tag is embedded in either the IP option field or the TCP option field, determining for each packet of the packetized communication if the security tag in the determined option field is authentic.
  - 4. The method according to claim 3, wherein the authenticating of the security tag in each packet of the packetized communication further includes:
    - if the size of the IP option field and the TCP option field for the respective packet is less than the size of the security tag, checking a beginning and an ending of a payload field of the respective packet to determine whether the security tag is located therein; and
      
      if the security tag is located in the beginning or the end of the payload field of the respective packet, determine for each packet of the packetized communication if the located security tag is authentic.
  - 5. The method according to claim 1, wherein the authenticating of the security tag in each packet of the packetized communication includes:
    - quarantining each packet associated with an unauthenticated security tag; and
      
      sending each packet associated with the unauthenticated security tag for analysis.
  - 6. The method according to claim 1, further comprising:
    - passing, by the receiving node, each packet of the packet communication that is authenticated to the secured resource on the network.
  - 7. The method according to claim 1, wherein the step of preventing access includes, if the security tag in the respective packet is not authenticated, preventing access by the respective packet having the security tag which is not authenticated to a secured resource.
  - 8. The method according to claim 1, wherein the step of selecting the at least one placement location includes the steps of:
    - storing, in the receiving node, tag placement information based on network characteristics that affect selection of the placement location of the security tag in accordance with address ranges of nodes in the network; and
      
      sending, by the receiving node to the sending node, the tag placement information indicating the network characteristics that affect the selection of the placement location.
  - 9. The method according to claim 1, wherein the step of selecting the at least one placement location includes the steps of:
    - establishing, by the receiving node, the at least one placement location; and
      
      transmitting, by the receiving node, a placement message indicating the at least one placement location of the security tag in each of the packetized communication packet.
  - 10. The method according to claim 1, wherein the step of selecting the at leastone placement location further includes:
    - receiving, by the receiving node from a sending node, a test packet having a plurality of security tags embedded in predetermined placement locations;
      
      choosing, by the receiving node, one or more locations corresponding to one or more of the predetermined placement locations in the test packet where the security tags are to be embedded in each packet of the packetized communication; and
      
      sending a placement message, from the receiving node to the sending node, that indicates the at least one placement location according to the chosen one or more predetermined placement locations.

11. A method for processing a security tag in each packet of a packetized communication, the packets being transmitted from a sending node in a network, the security tag including information relating to at least a user, the method comprising the steps of:
- sending, by the sending node to the receiving node, a first packet comprising a plurality of placement locations each with a tag;
  
  receiving, at the sending node, at least one tag placement directive from the receiving node, the at least one tag placement directive generated based on whether one or more tags at one or more of the plurality of placement locations has been removed or changed based on one or more network characteristics that can remove or change a security tag in a packet from the sending node to the receiving node;
  
  selecting, at the sending node, a first placement location among the plurality of placement locations to embed a first security tag in each packet of a first packetized communication being sent to a first receiving node, based on the received at least one tag placement directive, which indicates that the first placement location carries the first security tag unchanged over the network across one or more intermediaries to the first receiving node;
  
  inserting, by the sending node, the first security tag at the selected first placement location for each packet of the first packetized communication being sent to the first receiving node;
  
  transmitting, by the sending node, the first packetized communication with the first security tag;
  
  selecting, at the sending node, a second placement location among the plurality of placement locations to embed a second security tag in each packet of a second packetized communication being sent to a second receiving node, based on the received at least one tag placement directive, which indicates that the second placement location carries the second security tag unchanged over the network across one or more intermediaries to the second receiving node;
  
  inserting, by the sending node, the second security tag at the selected second placement location for each packet of the second packetized communication being sent to the second receiving node; and
  
  transmitting, by the sending node, the second packetized communication with the second security tag.
- View Dependent Claims (12, 13)
- - 12. The method according to claim 11, wherein:
    - the step of selecting the first placement location includes the step of receiving, by the sending node, a placement message indicating the first placement location among the plurality of placement locations to insert the first security tag; and
      
      the step of inserting the first security tag at the selected first placement location includes inserting the first security tag at the first placement location indicated in the placement message.
  - 13. The method according to claim 11, wherein the step of selecting the first placement location to embed the first security tags includes:
    - establishing the first placement location as being in one or more of;
      
      (1) a transport payload portion of each packet;
      
      (2) a TCP option portion of each packet;
      
      or (3) an IP option portion of each packet.

14. A method for processing a security tag embedded in a plurality of packets of a packetized communication, the packets being transmitted from a sending node to a receiving node in a network, the security tag including security information regarding the packetized communication, the method comprising the steps of:
- receiving, at the receiving node, a first packet from the sending node, the first packet comprising a plurality of placement locations each with a tag;
  
  detecting, at the receiving node, if one or more tags at one or more of the plurality of placement locations has been removed or changed based on one or more network characteristics that can remove or change a security tag in a packet from the sending node to the receiving node;
  
  sending, by the receiving node to the sending node, at least one tag placement directive generated based on the detection, the at least one tag placement directive indicating at a placement location among the plurality of locations to embed a security tag in each packet of a packetized communication, the placement location selected to carry the security tag unchanged over the network across one or more intermediaries to the receiving node;
  
  authenticating, at the receiving node, each of the embedded security tags located at the selected placement location for the packets of the packetized communication; and
  
  passing packets that are authenticated to a secured resource on the network.
- View Dependent Claims (15, 16)
- - 15. The method according to claim 14, further comprising the step of:
    - preventing, by the receiving node, access by each respective packet of the packet communication to a secured resource;
      
      (1) if the respective packet does not have the security tag embedded at the selected placement location;
      
      or (2) if the respective packet has the security tag embedded at the selected placement location and the security tag is not authenticated.
  - 16. The method according to claim 15, further comprising:
    - embedding the security tag at the selected placement location for each packet of the packetized communication sent by the sending node in accordance with the placement location indicated in a placement message.

17. A sending node configured for transmitting packets toward a receiving node in a packetized communication network, comprising:
- a transmission unit configured for sending, to the receiving node, a first packet comprising a plurality of placement locations each with a tag;
  
  a receiver unit for receiving at least one tag placement directive from the receiving node, the at least one tag placement directive generated based on whether one or more tags at one or more of the plurality of placement locations has been removed or changed based on one or more network characteristics that can remove or change a security tag in a packet from the sending node to the receiving node;
  
  a placement determination unit configured for selecting a first placement location among a plurality of placement locations for a first security tag to be embedded in each of a plurality of packets of a first packetized communication to be sent to a first receiving node, based on the received at least one tag placement directive, which indicates that the first placement location carries the first security tag unchanged over the network across one or more intermediaries to the first receiving node, and for selecting a second placement location among the plurality of placement locations for a second security tag to be embedded in each of a plurality of packets of a second packetized communication to be sent to a second receiving node, based on the received at least one tag placement directive, which indicates that the second placement location carries the second security tag unchanged over the network across one or more intermediaries to the second receiving node; and
  
  an insertion unit configured for inserting the first security tag at the first placement location for each of the packets of the first packetized communication, and inserting the second security tag at the second placement location for each of the packets of the second packetized communication;
  
  the transmission unit further configured for transmitting first packetized communication with the inserted first security tag toward the first receiving node, and transmitting the second packetized communication with the inserted second security tag toward the second receiving node.
- View Dependent Claims (18)
- - 18. The sending node according to claim 17, wherein the sending node is configured to receive network characteristics information associated with an address of the sending node to select the first placement location.

19. A receiving node configured for receiving packets sent by a sending node in a packetized communication network, comprising:
- a receiving unit configured for receiving a first packet from the sending node, the first packet comprising a plurality of placement locations each with a tag, and detecting if one or more tags at one or more of the plurality of placement locations has been removed or changed based on one or more network characteristics that can remove or change a security tag in a packet from the sending node to the receiving node;
  
  a sending unit configured for sending, to the sending node, at least one tag placement directive generated based on the detection, the at least at least one tag placement directive indicating at least one placement location among the plurality of locations to embed a security tag in each packet of a packetized communication, the at least one placement location selected to carry the security tag unchanged over the network across one or more intermediaries to the receiving node, wherein the receiving unit is further configured to receive packets from the sending node embedded with a security tag; and
  
  a packet processor configured for authenticating, at the receiving node, the security tag embedded in each of the packets, wherein the packet processor prevents access by a respective packet of the packetized communication to a secured resource;
  
  (1) if the respective, received packet does not have the security tag embedded in a selected one of a plurality of placement locations, or (2) if the security tag embedded at the selected one of the plurality of placement locations is not authenticated, the one of the plurality of placement locations selected responsive to at least one tag placement directive from the receiving node generated based on one or more predetermined network characteristics that can remove or change a security tag in a packet, the location selected to carry the security tag unchanged over the network across one or more intermediaries to the receiving node.
- View Dependent Claims (20)
- - 20. The receiving node according to claim 19, further comprising:
    - a network characteristics table configured for storing information indicating network characteristics that affect selection of the placement locations for different ranges of addresses of nodes on the packetized communication network; and
      
      a transmitting unit configured for sending, to the sending node, the network characteristics table.

21. A non-transitory computer readable storage medium configured for storing computer code to execute a method for processing a security tag in each packet of a packetized communication, the packets being transmitted to a receiving node in a network, the security tag including information relating to at least a user, the method comprising the steps of:
- sending, by a sending node to the receiving node, a first packet comprising a plurality of placement locations each with a tag;
  
  receiving, at the sending node, at least one tag placement directive from the receiving node, the at least one tag placement directive generated based on whether one or more tags at one or more of the plurality of placement locations has been removed or changed based on one or more network characteristics that can remove or change a security tag in a packet from the sending node to the receiving node;
  
  selecting, at the sending node, at least one placement location among the plurality of placement locations to embed a security tag in each packet of a packetized communication, responsive to the at least one placement directive from the receiving node, the at least one placement location selected to carry the security tag unchanged over the network across one or more intermediaries to the receiving node;
  
  receiving, at the receiving node, each packet of the packetized communication, each packet having the embedded security tag;
  
  authenticating, at the receiving node, the embedded security tag in each packet; and
  
  if a respective packet of the packetized communication is received by the receiving node without the security tag embedded in the selected placement location, preventing access by the respective packet which does not have the security tag embedded in the selected placement location to a secured resource.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Citrix Systems, Inc. (Cloud Software Group)
Original Assignee
Citrix Systems, Inc. (Cloud Software Group)
Inventors
Kumar, Srinivas, Bettadapura, Vijayashree S.
Primary Examiner(s)
Zele, Krista
Assistant Examiner(s)
LINDSEY, MATTHEW S

Application Number

US12/267,850
Publication Number

US 20090144818A1
Time in Patent Office

2,325 Days
Field of Search
US Class Current

713/175
CPC Class Codes

H04L 63/0272   Virtual private networks

H04L 63/105   Multiple levels of security

H04L 63/166   at the transport layer

H04L 63/20   for managing network securi...

H04L 69/161   Implementation details of T...

H04L 69/22   Parsing or analysis of headers

System and method for using variable security tag location in network communications

First Claim

8 Assignments

0 Petitions

Accused Products

Abstract

197 Citations

21 Claims

Specification

Solutions

Use Cases

Quick Links

System and method for using variable security tag location in network communications

First Claim

8 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

197 Citations

21 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links