Dynamic user identification and policy enforcement in cloud-based secure web gateways

US 9,065,800 B2
Filed: 12/27/2012
Issued: 06/23/2015
Est. Priority Date: 03/18/2011
Status: Active Grant

First Claim

Patent Images

1. A cloud-based secure Web gateway, comprising:

a network interface communicatively coupled to a network;

a processor; and

memory storing instructions that, when executed, cause the processor to;

dynamically associate traffic received on the network interface with users, wherein the traffic comprises a combination of authenticated traffic and unknown traffic and the instructions, when executed, further cause the processor to dynamically associate authenticated Hypertext Transfer Protocol (HTTP) traffic to an associated user and dynamically associate unknown traffic from a destination Internet Protocol (IP) address to an associated user of the destination IP address;

maintain the dynamic association over time;

share the dynamic association with at least one additional cloud-based secure Web gateway;

apply policies to the traffic based on the dynamic association, wherein the policies comprise one or more of allowing, blocking, or cautioning the traffic;

log the traffic based on the policies and the dynamic association.

View all claims

1 Assignment

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

A cloud-based secure Web gateway, a cloud-based secure Web method, and a network deliver a secure Web gateway (SWG) as a cloud-based service to organizations and provide dynamic user identification and policy enforcement therein. As a cloud-based service, the SWG systems and methods provide scalability and capability of accommodating multiple organizations therein with proper isolation therebetween. There are two basic requirements for the cloud-based SWG: (i) Having some means of forwarding traffic from the organization or its users to the SWG nodes, and (ii) Being able to authenticate the organization and users for policy enforcement and access logging. The SWG systems and methods dynamically associate traffic to users regardless of the source (device, location, encryption, application type, etc.), and once traffic is tagged to a user/organization, various polices can be enforced and audit logs of user access can be maintained.

47 Citations

View as Search Results

18 Claims

1. A cloud-based secure Web gateway, comprising:
- a network interface communicatively coupled to a network;
  
  a processor; and
  
  memory storing instructions that, when executed, cause the processor to;
  
  dynamically associate traffic received on the network interface with users, wherein the traffic comprises a combination of authenticated traffic and unknown traffic and the instructions, when executed, further cause the processor to dynamically associate authenticated Hypertext Transfer Protocol (HTTP) traffic to an associated user and dynamically associate unknown traffic from a destination Internet Protocol (IP) address to an associated user of the destination IP address;
  
  maintain the dynamic association over time;
  
  share the dynamic association with at least one additional cloud-based secure Web gateway;
  
  apply policies to the traffic based on the dynamic association, wherein the policies comprise one or more of allowing, blocking, or cautioning the traffic;
  
  log the traffic based on the policies and the dynamic association.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10)
- - 2. The cloud-based secure Web gateway of claim 1, wherein the unknown traffic is associated to the associated user based on determining the user through authenticated HTTP traffic from a same destination IP address.
  - 3. The cloud-based secure Web gateway of claim 1, wherein the instructions, when executed, further cause the processor to:
    - map the unknown traffic to an organization depending on whether the destination IP address is private or specific to the organization when multiple users are determined on the destination IP address based on seeing multiple users through authenticated HTTP traffic thereon.
  - 4. The cloud-based secure Web gateway of claim 1, wherein the instructions, when executed, further cause the processor to:
    - maintain the dynamic association over time by updating the dynamic association based on newly received authenticated HTTP traffic, on pre-defined time thresholds for expiring associations, and on detecting collisions of multiple users on the destination IP address.
  - 5. The cloud-based secure Web gateway of claim 1, wherein the instructions, when executed, further cause the processor to:
    - pre-configure an association between an organization and a destination port to identify traffic originating from the organization.
  - 6. The cloud-based secure Web gateway of claim 5, wherein the instructions, when executed, further cause the processor to:
    - perform authentication challenges for known traffic to identify the destination port periodically and to detect fraudulent use.
  - 7. The cloud-based secure Web gateway of claim 1, wherein the instructions, when executed, further cause the processor to:
    - receive the traffic via generic routing encapsulation (GRE).
  - 8. The cloud-based secure Web gateway of claim 1, wherein the instructions, when executed, further cause the processor to:
    - receive the traffic via a virtual private network (VPN).
  - 9. The cloud-based secure Web gateway of claim 1, wherein the instructions, when executed, further cause the processor to:
    - receive the traffic via an explicit Proxy mode.
  - 10. The cloud-based secure Web gateway of claim 1, wherein the cloud-based secure Web gateway is a node in a distributed security system, and wherein the instructions, when executed, further cause the processor to:
    - receive dynamic associations from other nodes in the distributed security system via a central authority.

11. A cloud-based secure Web method, comprising:
- dynamically associating traffic received on a network interface with users, wherein the traffic comprises a combination of authenticated traffic and unknown traffic, and wherein the dynamically associating comprises dynamically associating authenticated Hypertext Transfer Protocol (HTTP) traffic to an associated user, and dynamically associating unknown traffic from a destination Internet Protocol (IP) address to an associated user of the destination IP address;
  
  maintaining the dynamic association over time;
  
  sharing the dynamic association with a plurality of cloud-based secure Web gateways which are part of a distributed security system;
  
  applying policies to the traffic based on the dynamic association, wherein the policies comprise one or more of allowing, blocking, or cautioning the traffic; and
  
  logging the traffic based on the policies and the dynamic association.
- View Dependent Claims (12, 13, 14, 15, 16, 17)
- - 12. The cloud-based secure Web method of claim 11, wherein the unknown traffic is associated to the associated user based on determining the user through authenticated HTTP traffic from a same destination IP address.
  - 13. The cloud-based secure Web method of claim 11, further comprising:
    - mapping the unknown traffic to an organization depending on whether the destination IP address is private or specific to the organization when multiple users are determined on the destination IP address based on seeing multiple users through authenticated HTTP traffic thereon.
  - 14. The cloud-based secure Web method of claim 11, further comprising:
    - maintaining the dynamic association over time by updating the dynamic association based on newly received authenticated HTTP traffic, on pre-defined time thresholds for expiring associations, and on detecting collisions of multiple users on the destination IP address.
  - 15. The cloud-based secure Web method of claim 11, further comprising:
    - pre-configuring an association between an organization and a destination port to identify traffic originating from the organization.
  - 16. The cloud-based secure Web method of claim 11, further comprising:
    - performing authentication challenges for known traffic to identify the destination port periodically and to detect fraudulent use.
  - 17. The cloud-based secure Web method of claim 11, further comprising:
    - receiving the traffic via one of generic routing encapsulation (GRE), a virtual private network (VPN), and an explicit Proxy mode.

18. A network, comprising:
- a distributed cloud-based security system coupled to the Internet;
  
  a plurality of cloud-based secure Web gateways within the distributed cloud-based security system; and
  
  a plurality of users accessing the Internet through the distributed cloud-based security system;
  
  wherein each of the plurality of cloud-based secure Web gateways is configured to;
  
  dynamically associate traffic received on a network interface with individual users of the plurality of users, wherein the traffic comprises a combination of authenticated traffic and unknown traffic, wherein authenticated Hypertext Transfer Protocol (HTTP) traffic is dynamically associated to an associated user and unknown traffic from a destination Internet Protocol (IP) address is dynamically associated to an associated user of the destination IP address;
  
  maintain the dynamic association over time;
  
  share the dynamic association between the plurality of cloud-based secure Web gateways via a central authority;
  
  apply policies to the traffic based on the dynamic association, wherein the policies comprise one or more of allowing, blocking, or cautioning the traffic; and
  
  log the traffic based on the policies and the dynamic association.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Zscaler Incorporated
Original Assignee
Zscaler Incorporated
Inventors
Devarajan, Srikanth, Narasimhan, Sridhar, Sinha, Amit, Apte, Manoj
Primary Examiner(s)
Javaid, Jamal

Application Number

US13/728,631
Publication Number

US 20140026179A1
Time in Patent Office

908 Days
Field of Search

726/1, 726/3, 726/23, 709/223
US Class Current

1/1
CPC Class Codes

G06F 21/51   at application loading time...

G06F 21/56   Computer malware detection ...

H04L 63/0227   Filtering policies mail mes...

H04L 63/168   above the transport layer

Dynamic user identification and policy enforcement in cloud-based secure web gateways

First Claim

1 Assignment

0 Petitions

Accused Products

Abstract

47 Citations

18 Claims

Specification

Solutions

Use Cases

Quick Links

Dynamic user identification and policy enforcement in cloud-based secure web gateways

First Claim

1 Assignment

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

47 Citations

18 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links