System and method for interlocking a host and a gateway

US 9,112,830 B2
Filed: 02/23/2011
Issued: 08/18/2015
Est. Priority Date: 02/23/2011
Status: Active Grant

First Claim

Patent Images

1. A method, comprising:

receiving a session descriptor by a processor at a network gateway, the session descriptor received from a host with a process attempting to establish a network connection via the network gateway, wherein the process is running on the host with a particular set of one or more user credentials, wherein the session descriptor includes a universally unique identifier (UUID) associated with the host and the particular set of one or more user credentials, wherein the host is configured to permit user authentication by any one of a plurality of sets of one or more user credentials, and wherein each set of the plurality of sets of one or more user credentials is associated with a different UUID;

pairing the network connection with the particular set of one or more user credentials, wherein the pairing is based on the session descriptor;

correlating the session descriptor with a network policy; and

applying the network policy to the network connection, wherein the network policy is implemented based, at least in part, on the particular set of one or more user credentials paired with the network connection.

View all claims

11 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

A method is provided in one example embodiment and includes exchanging a session descriptor associated with a network connection and an application on a host, correlating the session descriptor with a network policy, and applying the network policy to the network connection. In alternative embodiments, the session descriptor may be exchanged through an out-of-band communication channel or an in-band communication channel.

341 Citations

37 Claims

1. A method, comprising:
- receiving a session descriptor by a processor at a network gateway, the session descriptor received from a host with a process attempting to establish a network connection via the network gateway, wherein the process is running on the host with a particular set of one or more user credentials, wherein the session descriptor includes a universally unique identifier (UUID) associated with the host and the particular set of one or more user credentials, wherein the host is configured to permit user authentication by any one of a plurality of sets of one or more user credentials, and wherein each set of the plurality of sets of one or more user credentials is associated with a different UUID;
  
  pairing the network connection with the particular set of one or more user credentials, wherein the pairing is based on the session descriptor;
  
  correlating the session descriptor with a network policy; and
  
  applying the network policy to the network connection, wherein the network policy is implemented based, at least in part, on the particular set of one or more user credentials paired with the network connection.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10, 11)
- - 2. The method of claim 1, wherein the session descriptor is exchanged through an out-of-band communication channel.
  - 3. The method of claim 1, wherein the session descriptor is exchanged through an in-band communication channel.
  - 4. The method of claim 1, wherein the session descriptor is stegonographically embedded in an in-band communication channel.
  - 5. The method of claim 1, wherein the network policy is applied to restrict communication over the network connection based, at least in part, on an identification of the application in the session descriptor.
  - 6. The method of claim 1, wherein the network policy is applied to rate-limit communication over the network connection based, at least in part, on an identification of the application in the session descriptor.
  - 7. The method of claim 1, wherein the network policy is applied to restrict protocols that may be used by the application.
  - 8. The method of claim 1, wherein the network policy is associated with a whitelist that restricts protocols that may be used by the application.
  - 9. The method of claim 1, further comprising alerting a user of the network policy if communication through the network connection is restricted.
  - 10. The method of claim 1, wherein the host communicates through a network address translator.
  - 11. The method of claim 1, wherein the session descriptor comprises information about a filename associated with the application.

12. At least one non-transitory computer readable medium having logic encoded therein, wherein the logic, when executed by one or more processors, is operable to perform operations comprising:
- receiving a session descriptor at a network gateway, the session descriptor received from a host with a process attempting to establish a network connection via the network gateway, wherein the process is running on the host with a particular set of one or more user credentials, wherein the session descriptor includes a universally unique identifier (UUID) associated with the host and the particular set of one or more user credentials, wherein the host is configured to permit user authentication by any one of a plurality of sets of one or more user credentials, and wherein each set of the plurality of sets of one or more user credentials is associated with a different UUID;
  
  pairing the network connection with the particular set of one or more user credentials, wherein the pairing is based on the session descriptor;
  
  correlating the session descriptor with a network policy; and
  
  applying the network policy to the network connection, wherein the network policy is implemented based, at least in part, on the particular set of one or more user credentials paired with the network connection.
- View Dependent Claims (13, 14, 15, 16, 17, 18, 19, 20, 21, 22)
- - 13. The medium of claim 12, wherein the session descriptor is exchanged through an out-of-band communication channel.
  - 14. The medium of claim 12, wherein the session descriptor is exchanged through an in-band communication channel.
  - 15. The medium of claim 12, wherein the session descriptor is stegonographically embedded in an in-band communication channel.
  - 16. The medium of claim 12, wherein the network policy is applied to restrict communication over the network connection based, at least in part, on an identification of the application in the session descriptor.
  - 17. The medium of claim 12, wherein the network policy is applied to rate-limit communication over the network connection based, at least in part, on an identification of the application in the session descriptor.
  - 18. The medium of claim 12, wherein the network policy is applied to restrict protocols that may be used by the application.
  - 19. The medium of claim 12, wherein the network policy is associated with a whitelist that restricts protocols that may be used by the application.
  - 20. The medium of claim 12, further comprising alerting a user of the network policy if communication through the network connection is restricted.
  - 21. The medium of claim 12, wherein the host communicates through a network address translator.
  - 22. The medium of claim 12, wherein the session descriptor comprises information about a filename associated with the application.

23. An apparatus, comprising:
- a firewall module; and
  
  one or more processors operable to execute instructions associated with the firewall module, wherein the one or more processors are hardware processors, the one or more processors being operable to;
  
  receive a session descriptor from a host with a process attempting to establish a network connection via the apparatus, wherein the process is running on the host with a particular set of one or more user credentials, wherein the session descriptor includes a universally unique identifier (UUID) associated with the host and the particular set of one or more user credentials, wherein the host is configured to permit user authentication by any one of a plurality of sets of one or more user credentials, and wherein each set of the plurality of sets of one or more user credentials is associated with a different UUID;
  
  pair the network connection with the particular set of one or more user credentials, wherein the pairing is based on the session descriptor;
  
  correlate the session descriptor with a network policy; and
  
  apply the network policy to the network connection, wherein the network policy is implemented based, at least in part, on the particular set of one or more user credentials paired with the network connection.
- View Dependent Claims (24, 25, 26, 27, 28, 29, 30, 31, 32, 33, 34, 35, 36, 37)
- - 24. The apparatus of claim 23, wherein the session descriptor is exchanged through an out-of-band communication channel.
  - 25. The apparatus of claim 23, wherein the session descriptor is exchanged through an in-band communication channel.
  - 26. The apparatus of claim 23, wherein the session descriptor is stegonographically embedded in an in-band communication channel.
  - 27. The apparatus of claim 23, wherein the network policy is applied to restrict communication over the network connection based, at least in part, on an identification of the application in the session descriptor.
  - 28. The apparatus of claim 23, wherein the network policy is applied to rate-limit communication over the network connection based, at least in part, on an identification of the application in the session descriptor.
  - 29. The apparatus of claim 23, wherein the network policy is applied to restrict protocols that may be used by the application.
  - 30. The apparatus of claim 23, wherein the network policy is associated with a whitelist that restricts protocols that may be used by the application.
  - 31. The apparatus of claim 23, the one or more processors being further operable to alert a user of the network policy if communication through the network connection is restricted.
  - 32. The apparatus of claim 23, wherein the host communicates through a network address translator.
  - 33. The apparatus of claim 23, wherein the session descriptor comprises information about a filename associated with the application.
  - 34. The apparatus of claim 23, wherein more than one network address is associated with the host, the session descriptor comprises information about a user associated with one of the network addresses, and network policy is applied based on the user.
  - 35. The apparatus of claim 23, wherein the session descriptor includes a hash of an executable file associated with the application.
  - 36. The apparatus of claim 23, wherein the session descriptor comprises information about the configuration and state of software installed on the host.
  - 37. The apparatus of claim 23, wherein the session descriptor identifies network addresses associated with the host and network policy is applied based, at least in part, on the network addresses.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
McAfee, LLC
Original Assignee
McAfee, Inc. (McAfee, LLC)
Inventors
Cooper, Geoffrey Howard, Diehl, David Frederick, Mahadik, Vinay A., Venugopalan, Ramnath
Primary Examiner(s)
WANG, HARRIS C

Application Number

US13/032,851
Publication Number

US 20120216271A1
Time in Patent Office

1,637 Days
Field of Search

726/12
US Class Current

1/1
CPC Class Codes

H04L 47/125   by balancing the load, e.g....

H04L 63/0218   Distributed architectures, ...

H04L 63/0245   Filtering by information in...

H04L 63/0254   Stateful filtering

H04L 63/029   Firewall traversal, e.g. tu...

H04L 63/102   Entity profiles

H04L 63/20   for managing network securi...

H04L 67/146   Markers for unambiguous ide...

System and method for interlocking a host and a gateway

First Claim

11 Assignments

0 Petitions

Accused Products

Abstract

341 Citations

37 Claims

Specification

Solutions

Use Cases

Quick Links

System and method for interlocking a host and a gateway

First Claim

11 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

341 Citations

37 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links