Methods and systems for protecting a secured network

DC CAFC

US 9,137,205 B2
Filed: 10/22/2012
Issued: 09/15/2015
Est. Priority Date: 10/22/2012
Status: Active Grant

- Alert
- Pin

Associated Cases

Associated Defendants

First Claim

Patent Images

1. A method, comprising:

at each packet security gateway of one or more packet security gateways associated with a security policy management server;

receiving a plurality of dynamic security policies from the security policy management server, wherein receiving the plurality of dynamic security policies comprises;

receiving at least one rule specifying a set of network addresses for which associated packets should be forwarded and at least one rule specifying that all packets associated with network addresses outside the set of network addresses for which packets should be forwarded should be dropped;

receiving, at a first time, a dynamic security policy specifying a first set of network addresses for which packets should be forwarded;

receiving, at a second time, a dynamic security policy specifying a second set of network addresses for which packets should be forwarded; and

receiving, at a third time, a dynamic security policy specifying a third set of network addresses for which packets should be forwarded, the second time being after the first time, the third time being after the second time, the second set of network addresses including more network addresses than the first set of network addresses, and the third set of network addresses including more network addresses than the second set of network addresses;

receiving packets associated with a network protected by the packet security gateway; and

performing, on a packet by packet basis, at least one of multiple packet transformation functions specified by the plurality of dynamic security policies on the packets associated with the network protected by the packet security gateway, wherein performing the at least one of the multiple packet transformation functions specified by the plurality of dynamic security policies on the packets comprises performing at least one packet transformation function other than forwarding or dropping the packets.

View all claims

4 Assignments

Timeline View

Assignment View

Litigations

4 Petitions

Reexamination

Accused Products

Abstract

Methods and systems for protecting a secured network are presented. For example, one or more packet security gateways may be associated with a security policy management server. At each packet security gateway, a dynamic security policy may be received from the security policy management server, packets associated with a network protected by the packet security gateway may be received, and at least one of multiple packet transformation functions specified by the dynamic security policy may be performed on the packets. Performing the at least one of multiple packet transformation functions specified by the dynamic security policy on the packets may include performing at least one packet transformation function other than forwarding or dropping the packets.

Citations

96 Claims

1. A method, comprising:
- at each packet security gateway of one or more packet security gateways associated with a security policy management server;
  
  receiving a plurality of dynamic security policies from the security policy management server, wherein receiving the plurality of dynamic security policies comprises;
  
  receiving at least one rule specifying a set of network addresses for which associated packets should be forwarded and at least one rule specifying that all packets associated with network addresses outside the set of network addresses for which packets should be forwarded should be dropped;
  
  receiving, at a first time, a dynamic security policy specifying a first set of network addresses for which packets should be forwarded;
  
  receiving, at a second time, a dynamic security policy specifying a second set of network addresses for which packets should be forwarded; and
  
  receiving, at a third time, a dynamic security policy specifying a third set of network addresses for which packets should be forwarded, the second time being after the first time, the third time being after the second time, the second set of network addresses including more network addresses than the first set of network addresses, and the third set of network addresses including more network addresses than the second set of network addresses;
  
  receiving packets associated with a network protected by the packet security gateway; and
  
  performing, on a packet by packet basis, at least one of multiple packet transformation functions specified by the plurality of dynamic security policies on the packets associated with the network protected by the packet security gateway, wherein performing the at least one of the multiple packet transformation functions specified by the plurality of dynamic security policies on the packets comprises performing at least one packet transformation function other than forwarding or dropping the packets.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13, 14, 15, 16)
- - 2. The method of claim 1, wherein the one or more packet security gateways comprise at least two packet security gateways configured in series the method comprising:
    - forwarding, by a first of the at least two packet security gateways and to a second of the at least two packet security gateways, a portion of the packets; and
      
      receiving, by the second of the at least two packet security gateways and from the first of the at least two packet security gateways, the portion of the packets.
  - 3. The method of claim 2, wherein a dynamic security policy of the plurality of dynamic security policies comprises at least two rules, a second of the at least two rules being configured to execute after a first of the at least two rules, the method comprising:
    - performing, by the first of the at least two packet security gateways, a packet transformation function specified by the first of the at least two rules; and
      
      performing, by the second of the at least two packet security gateways, a packet transformation function specified by the second of the at least two rules.
  - 4. The method of claim 1, wherein receiving the plurality of dynamic security policies comprises receiving at least one rule specifying a set of network addresses for which associated packets should be dropped and at least one rule specifying that all packets associated with network addresses outside the set of network addresses for which associated packets should be dropped should be forwarded.
  - 5. The method of claim 1, comprising;
    - receiving, by the security policy management server, information associated with a Voice over Internet Protocol (VoIP) session; and
      
      creating or altering, by the security policy management server and based on the information associated with the VoIP session, the at least one rule specifying the set of network addresses for which associated packets should be forwarded.
  - 6. The method of claim 1, wherein the plurality of dynamic security policies specify that a first portion of the packets should be placed in a first forwarding queue and a second portion of the packets should be placed in a second forwarding queue, the first forwarding queue having a higher forwarding rate than the second forwarding queue, the method comprising:
    - placing, by the one or more packet security gateways, the first portion of the packets in the first forwarding queue; and
      
      placing, by the one or more packet security gateways, the second portion of the packets in the second forwarding queue.
  - 7. The method of claim 1, wherein receiving the plurality of dynamic security policies comprises receiving at least one rule specifying the method comprising routing, by the one or more packet security gateways, at least one packet of the packets that matches the parameter to a network address different from a destination network address specified by the at least one packet.
  - 8. The method of claim 7, wherein the parameter comprises a Session Initiation Protocol (SIP) Uniform Resource Identifier (URI), wherein the network address different from the destination network address specified by the at least one packet corresponds to a network device configured to copy information contained in the at least one packet and forward the at least one packet to the destination network address specified by the at least one packet, and wherein routing the at least one packet comprises encapsulating the at least one packet with a header containing the network address different from the destination network address specified by the at least one packet.
  - 9. The method of claim 1, wherein performing the at least one of the multiple packet transformation functions comprises at least one of forwarding the packets into the network protected by the packet security gateway, forwarding the packets out of the network protected by the packet security gateway, forwarding the packets to an Internet Protocol Security (IPsec) stack having an IPsec security association corresponding to the packets, or dropping the packets.
  - 10. The method of claim 1, wherein receiving the plurality of dynamic security policies comprises receiving at least one rule comprising a five-tuple specifying one or more protocols, one or more Internet Protocol (IP) source addresses, one or more source port values, one or more IP destination addresses, and one or more destination port values.
  - 11. The method of claim 1, wherein receiving the plurality of dynamic security policies comprises receiving at least one rule comprising a Differentiated Service Code Point (DSCP) selector that maps to a DSCP field in an Internet Protocol (IP) header of the packets.
  - 12. The method of claim 1, comprising operating, by at least one of the one or more packet security gateways, in a network layer transparent manner by sending and receiving traffic at a link layer using an interface that is not addressed at the network layer and performing the at least one of the multiple packet transformation functions at the network layer.
  - 13. The method of claim 12, wherein the at least one of the one or more packet security gateways includes a management interface having a network layer address, the method comprising securing access to the management interface at at least one of an application level, a link level, or a transport level.
  - 14. The method of claim 1, comprising:
    - receiving, by the security policy management server and from a subscription service that aggregates information associated with malicious network traffic, a list of network addresses known to be associated with malicious network traffic; and
      
      generating, by the security policy management server and based at least in part on the list, one or more rules included in the plurality of dynamic security policies.
  - 15. The method of claim 1, comprising receiving, by at least two of the one or more packet security gateways and from the security policy management server, one or more rules specifying source addresses that correspond to spoofed network addresses, wherein at least one rule of the one or more rules specifies different source addresses than at least another rule of the one or more rules.
  - 16. The method of claim 1, comprising locating at least one of the one or more packet security gateways at each boundary between a protected network associated with the security policy management server and an unprotected network.

17. A system, comprising:
- a security policy management server; and
  
  one or more packet security gateways associated with the security policy management server, wherein each packet security gateway of the one or more packet security gateways comprises computer hardware and logic configured to cause the packet security gateway to;
  
  receive a plurality of dynamic security policies from the security policy management server;
  
  receive at least one rule specifying a set of network addresses for which associated packets should be forwarded and at least one rule specifying that all packets associated with network addresses outside the set of network addresses for which packets should be forwarded should be dropped;
  
  receive, at a first time, a dynamic security policy specifying a first set of network addresses for which packets should be forwarded;
  
  receive, at a second time, a dynamic security policy specifying a second set of network addresses for which packets should be forwarded;
  
  receive, at a third time, a dynamic security policy specifying a third set of network addresses for which packets should be forwarded, the second time being after the first time, the third time being after the second time, the second set of network addresses including more network addresses than the first set of network addresses, and the third set of network addresses including more network addresses than the second set of network addresses;
  
  receive packets associated with a network protected by the packet security gateway; and
  
  perform, on a packet by packet basis, at least one of multiple packet transformation functions specified by the plurality of dynamic security policies on the packets associated with the network protected by the packet security gateway, wherein each of the one or more packet security gateways is configured to perform the at least one of the multiple packet transformation functions specified by the plurality of dynamic security policies on the packets by performing at least one packet transformation function other than forwarding or dropping the packets.
- View Dependent Claims (18, 19, 20, 21, 22, 23, 24, 25, 26, 27, 28, 29, 30, 31, 32)
- - 18. The system of claim 17, wherein:
    - the one or more packet security gateways comprise at least two packet security gateways configured in series;
      
      a first of the at least two packet security gateways being configured to forward a portion of the packets to a second of the at least two packet security gateways; and
      
      the second of the at least two packet security gateways being configured to receive the portion of the packets from the first of the at least two packet security gateways.
  - 19. The system of claim 18, wherein:
    - a dynamic security policy of the plurality of dynamic security policies comprises at least two rules, a second of the at least two rules being configured to execute after a first of the at least two rules;
      
      the first of the at least two packet security gateways is configured to perform a packet transformation function specified by the first of the at least two rules; and
      
      the second of the at least two packet security gateways is configured to perform a packet transformation function specified by the second of the at least two rules.
  - 20. The system of claim 17, wherein each packet security gateway of the one or more packet security gateways is configured to receive at least one rule specifying a set of network addresses for which associated packets should be dropped and at least one rule specifying that all packets associated with network addresses outside the set of network addresses for which associated packets should be dropped should be forwarded.
  - 21. The system of claim 17, wherein the security policy management server is configured to:
    - receive information associated with a Voice over Internet Protocol (VoIP) session; and
      
      at least one of create or alter, based on the information associated with the VoIP session, the at least one rule specifying the set of network addresses for which associated packets should be forwarded.
  - 22. The system of claim 17, wherein:
    - the plurality of dynamic security policies specify that a first portion of the packets should be placed in a first forwarding queue and a second portion of the packets should be placed in a second forwarding queue, the first forwarding queue having a higher forwarding rate than the second forwarding queue; and
      
      the one or more packet security gateways are configured to;
      
      place the first portion of the packets in the first forwarding queue; and
      
      place the second portion of the packets in the second forwarding queue.
  - 23. The system of claim 17, wherein:
    - the plurality of dynamic security policies comprises at least one rule specifying a parameter; and
      
      the one or more packet security gateways are configured to route at least one packet of the packets that matches the parameter to a network address different from a destination network address specified by the at least one packet.
  - 24. The system of claim 23, wherein:
    - the parameter comprises a Session Initiation Protocol (SIP) Uniform Resource Identifier (URI);
      
      the network address different from the destination network address specified by the at least one packet corresponds to a network device configured to copy information contained in the at least one packet and forward the at least one packet to the destination network address specified by the at least one packet; and
      
      the one or more packet security gateways are configured to encapsulate the at least one packet with a header containing the network address different from the destination network address specified by the at least one packet.
  - 25. The system of claim 17, wherein each packet security gateway of the one or more packet security gateways is configured to at least one of forward the packets into the network protected by the packet security gateway, forward the packets out of the network protected by the packet security gateway, forward the packets to an Internet Protocol Security (IPsec) stack having an IPsec security association corresponding to the packets, or drop the packets.
  - 26. The system of claim 17, wherein each packet security gateway of the one or more packet security gateways is configured to receive at least one rule comprising a five-tuple specifying one or more protocols, one or more Internet Protocol (IP) source addresses, one or more source port values, one or more IP destination addresses, and one or more destination port values.
  - 27. The system of claim 17, wherein each packet security gateway of the one or more packet security gateways is configured to receive at least one rule comprising a Differentiated Service Code Point (DSCP) selector that maps to a DSCP field in an Internet Protocol (IP) header of the packets.
  - 28. The system of claim 17, wherein at least one of the one or more packet security gateways is configured to operate in a network layer transparent manner by sending and receiving traffic at a link layer using an interface that is not addressed at the network layer and performing the at least one of the multiple packet transformation functions at the network layer.
  - 29. The system of claim 28, wherein the at least one of the one or more packet security gateways includes a management interface having a network layer address, and wherein the at least one of the one or more packet security gateways is configured to secure access to the management interface at at least one of an application level, a link level, or a transport level.
  - 30. The system of claim 17, wherein the security policy management server is configured to:
    - receive, from a subscription service that aggregates information associated with malicious network traffic, a list of network addresses known to be associated with malicious network traffic; and
      
      generate, based at least in part on the list, one or more rules included in the plurality of dynamic security policies.
  - 31. The system of claim 17, wherein:
    - at least two of the one or more packet security gateways are configured to receive, from the security policy management server, one or more rules specifying source addresses that correspond to spoofed network addresses; and
      
      at least one rule of the one or more rules specifies different source addresses than at least another rule of the one or more rules.
  - 32. The system of claim 17, wherein at least one of the one or more packet security gateways is located at each boundary between a protected network associated with the security policy management server and an unprotected network.

33. One or more non-transitory computer-readable media having instructions stored thereon, that when executed, cause each packet security gateway of one or more packet security gateways associated with a security policy management server to:
- receive a plurality of dynamic security policies from the security policy management server;
  
  receive at least one rule specifying a set of network addresses for which associated packets should be forwarded and at least one rule specifying that all packets associated with network addresses outside the set of network addresses for which packets should be forwarded should be dropped;
  
  receive, at a first time, a dynamic security policy specifying a first set of network addresses for which packets should be forwarded;
  
  receive, at a second time, a dynamic security policy specifying a second set of network addresses for which packets should be forwarded;
  
  receive, at a third time, a dynamic security policy specifying a third set of network addresses for which packets should be forwarded, the second time being after the first time, the third time being after the second time, the second set of network addresses including more network addresses than the first set of network addresses, and the third set of network addresses including more network addresses than the second set of network addresses;
  
  receive packets associated with a network protected by the packet security gateway; and
  
  perform, on a packet by packet basis, at least one of multiple packet transformation functions specified by the plurality of dynamic security policies on the packets associated with the network protected by the packet security gateway, wherein each of the one or more packet security gateways is configured to perform the at least one of the multiple packet transformation functions specified by the plurality of dynamic security policies on the packets by performing at least one packet transformation function other than forwarding or dropping the packets.
- View Dependent Claims (34, 35, 36, 37, 38, 39, 40, 41, 42, 43, 44, 45, 46, 47, 48)
- - 34. The one or more non-transitory computer-readable media of claim 33, wherein the one or more packet security gateways comprise at least two packet security gateways configured in series, and wherein the instructions, when executed, cause:
    - a first of the at least two packet security gateways to forward a portion of the packets to a second of the at least two packet security gateways; and
      
      the second of the at least two packet security gateways to receive the portion of the packets from the first of the at least two packet security gateways.
  - 35. The one or more non-transitory computer-readable media of claim 34, wherein a dynamic security policy of the plurality of dynamic security policies comprises at least two rules, a second of the at least two rules being configured to execute after a first of the at least two rules, and wherein the instructions, when executed, cause:
    - the first of the at least two packet security gateways to perform a packet transformation function specified by the first of the at least two rules; and
      
      the second of the at least two packet security gateways to perform a packet transformation function specified by the second of the at least two rules.
  - 36. The one or more non-transitory computer-readable media of claim 33, wherein the instructions, when executed, cause each packet security gateway of the one or more packet security gateways to receive at least one rule specifying a set of network addresses for which associated packets should be dropped and at least one rule specifying that all packets associated with network addresses outside the set of network addresses for which associated packets should be dropped should be forwarded.
  - 37. The one or more non-transitory computer-readable media of claim 33, wherein the instructions, when executed, cause the security policy management server to:
    - receive information associated with a Voice over Internet Protocol (VoIP) session; and
      
      at least one of create or alter, based on the information associated with the VoIP session, the at least one rule specifying the set of network addresses for which associated packets should be forwarded.
  - 38. The one or more non-transitory computer-readable media of claim 33, wherein the plurality of dynamic security policies specify that a first portion of the packets should be placed in a first forwarding queue and a second portion of the packets should be placed in a second forwarding queue, the first forwarding queue having a higher forwarding rate than the second forwarding queue, and wherein the instructions, when executed, cause the one or more packet security gateways to:
    - place the first portion of the packets in the first forwarding queue; and
      
      place the second portion of the packets in the second forwarding queue.
  - 39. The one or more non-transitory computer-readable media of claim 33, wherein the plurality of dynamic security policies comprises at least one rule specifying a parameter, and wherein the instructions, when executed, cause the one or more packet security gateways to route at least one packet of the packets that matches the parameter to a network address different from a destination network address specified by the at least one packet.
  - 40. The one or more non-transitory computer-readable media of claim 39, wherein the parameter comprises a Session Initiation Protocol (SIP) Uniform Resource Identifier (URI), wherein the network address different from the destination network address specified by the at least one packet corresponds to a network device configured to copy information contained in the at least one packet and forward the at least one packet to the destination network address specified by the at least one packet, and wherein the instructions, when executed, cause the one or more packet security gateways to encapsulate the at least one packet with a header containing the network address different from the destination network address specified by the at least one packet.
  - 41. The one or more non-transitory computer-readable media of claim 33, wherein the instructions, when executed, cause each packet security gateway of the one or more packet security gateways to at least one of forward the packets into the network protected by the packet security gateway, forward the packets out of the network protected by the packet security gateway, forward the packets to an Internet Protocol Security (IPsec) stack having an IPsec security association corresponding to the packets, or drop the packets.
  - 42. The one or more non-transitory computer-readable media of claim 33, wherein the instructions, when executed, cause each packet security gateway of the one or more packet security gateways to receive at least one rule comprising a five-tuple specifying one or more protocols, one or more Internet Protocol (IP) source addresses, one or more source port values, one or more IP destination addresses, and one or more destination port values.
  - 43. The one or more non-transitory computer-readable media of claim 33, wherein the instructions, when executed, cause each packet security gateway of the one or more packet security gateways to receive at least one rule comprising a Differentiated Service Code Point (DSCP) selector that maps to a DSCP field in an Internet Protocol (IP) header of the packets.
  - 44. The one or more non-transitory computer-readable media of claim 33, wherein the instructions, when executed, cause at least one packet security gateway of the one or more packet security gateways to operate in a network layer transparent manner by sending and receiving traffic at a link layer using an interface that is not addressed at the network layer and performing the at least one of the multiple packet transformation functions at the network layer.
  - 45. The one or more non-transitory computer-readable media of claim 44, wherein the at least one of the one or more packet security gateways includes a management interface having a network layer address, and wherein the instructions, when executed, cause the at least one packet security gateway of the one or more packet security gateways to secure access to the management interface at at least one of an application level, a link level, or a transport level.
  - 46. The one or more non-transitory computer-readable media of claim 33, wherein the instructions, when executed, cause the security policy management server to:
    - receive, from a subscription service that aggregates information associated with malicious network traffic, a list of network addresses known to be associated with malicious network traffic; and
      
      generate, based at least in part on the list, one or more rules included in the plurality of dynamic security policies.
  - 47. The one or more non-transitory computer-readable media of claim 33, wherein the instructions, when executed, cause at least two of the one or more packet security gateways to receive, from the security policy management server, one or more rules specifying source addresses that correspond to spoofed network addresses, at least one rule of the one or more rules specifying different source addresses than at least another rule of the one or more rules.
  - 48. The one or more non-transitory computer-readable media of claim 33, wherein at least one of the one or more packet security gateways is located at each boundary between a protected network associated with the security policy management server and an unprotected network.

49. A method, comprising:
- at each of one or more packet security gateways associated with a security policy management server;
  
  receiving, from the security policy management server, a dynamic security policy comprising at least one rule specifying a set of network addresses and a Session Initiation Protocol (SIP) Uniform Resource Identifier (URI);
  
  receiving packets associated with a network protected by the packet security gateway; and
  
  performing, on the packets, on a packet by packet basis, at least one packet transformation function of multiple packet transformation functions specified by the dynamic security policy, wherein performing the at least one packet transformation function comprises;
  
  encapsulating at least one packet of the packets that falls within the set of network addresses and matches the SIP URI with a header containing a network address that is different from a destination network address specified by the at least one packet and that corresponds to a network device configured to copy information contained in the at least one packet and to forward the at least one packet to the destination network address; and
  
  routing, based on the header, the at least one packet to the network address that is different from the destination network address.
- View Dependent Claims (50, 51, 52, 53, 54, 55, 56, 57, 58, 59, 60, 61, 62)
- - 50. The method of claim 49, wherein the one or more packet security gateways comprise at least two packet security gateways configured in series, the method comprising:
    - forwarding, by a first of the at least two packet security gateways, a portion of the packets to a second of the at least two packet security gateways; and
      
      receiving, by the second of the at least two packet security gateways, the portion of the packets from the first of the at least two packet security gateways.
  - 51. The method of claim 50, wherein the dynamic security policy comprises at least two rules, a second of the at least two rules being configured to execute after a first of the at least two rules, the method comprising:
    - performing, by the first of the at least two packet security gateways, a packet transformation function specified by the first of the at least two rules; and
      
      performing, by the second of the at least two packet security gateways, a packet transformation function specified by the second of the at least two rules.
  - 52. The method of claim 49, wherein receiving the dynamic security policy comprises receiving at least one rule specifying a set of network addresses for which associated packets should be dropped and at least one rule specifying that all packets associated with network addresses outside the set of network addresses for which associated packets should be dropped should be forwarded.
  - 53. The method of claim 49, comprising:
    - receiving, by the security policy management server, information associated with a Voice over Internet Protocol (VoIP) session; and
      
      creating or altering, by the security policy management server and based on the information associated with the VoIP session, the at least one rule specifying the set of network addresses.
  - 54. The method of claim 49, wherein the dynamic security policy specifies that a first portion of the packets should be placed in a first forwarding queue and a second portion of the packets should be placed in a second forwarding queue, the first forwarding queue having a higher forwarding rate than the second forwarding queue, the method comprising:
    - placing, by the one or more packet security gateways, the first portion of the packets in the first forwarding queue; and
      
      placing, by the one or more packet security gateways, the second portion of the packets in the second forwarding queue.
  - 55. The method of claim 49, wherein performing the at least one packet transformation function comprises at least one of forwarding the packets into the network protected by the packet security gateway, forwarding the packets out of the network protected by the packet security gateway, forwarding the packets to an Internet Protocol Security (IPsec) stack having an IPsec security association corresponding to the packets, or dropping the packets.
  - 56. The method of claim 49, wherein receiving the dynamic security policy comprises receiving at least one rule comprising a five-tuple specifying one or more protocols, one or more Internet Protocol (IP) source addresses, one or more source port values, one or more IP destination addresses, and one or more destination port values.
  - 57. The method of claim 49, wherein receiving the dynamic security policy comprises receiving at least one rule comprising a Differentiated Service Code Point (DSCP) selector that maps to a DSCP field in an Internet Protocol (IP) header of the packets.
  - 58. The method of claim 49, comprising operating, by at least one of the one or more packet security gateways, in a network layer transparent manner by sending and receiving traffic at a link layer using an interface that is not addressed at the network layer and performing the at least one packet transformation function at the network layer.
  - 59. The method of claim 58, wherein the at least one of the one or more packet security gateways includes a management interface having a network layer address, the method comprising securing access to the management interface at at least one of an application level, a link level, or a transport level.
  - 60. The method of claim 49, comprising:
    - receiving, by the security policy management server and from a subscription service that aggregates information associated with malicious network traffic, a list of network addresses known to be associated with malicious network traffic; and
      
      generating, by the security policy management server and based at least in part on the list, one or more rules included in the dynamic security policy.
  - 61. The method of claim 49, comprising receiving, by at least two of the one or more packet security gateways and from the security policy management server, one or more rules specifying source addresses that correspond to spoofed network addresses, wherein at least one rule of the one or more rules specifies different source addresses than at least another rule of the one or more rules.
  - 62. The method of claim 49, comprising locating at least one of the one or more packet security gateways at each boundary between a protected network associated with the security policy management server and an unprotected network.

63. A system, comprising:
- a security policy management server; and
  
  one or more packet security gateways associated with the security policy management server, wherein each packet security gateway of the one or more packet security gateways comprises computer hardware and logic configured to cause the packet security gateway to;
  
  receive, from the security policy management server, a dynamic security policy comprising at least one rule specifying a set of network addresses and a Session Initiation Protocol (SIP) Uniform Resource Identifier (URI);
  
  receive packets associated with a network protected by the packet security gateway;
  
  perform, on the packets, on a packet by packet basis, at least one packet transformation function of multiple packet transformation functions specified by the dynamic security policy;
  
  encapsulate at least one packet of the packets that falls within the set of network addresses and matches the SIP URI with a header containing a network address that is different from a destination network address specified by the at least one packet and that corresponds to a network device configured to copy information contained in the at least one packet and to forward the at least one packet to the destination network address; and
  
  route, based on the header, the at least one packet to the network address that is different from the destination network address.
- View Dependent Claims (64, 65, 66, 67, 68, 69, 70, 71, 72, 73, 74, 75, 76)
- - 64. The system of claim 63, wherein:
    - the one or more packet security gateways comprise at least two packet security gateways configured in series;
      
      a first of the at least two packet security gateways being configured to forward a portion of the packets to a second of the at least two packet security gateways; and
      
      the second of the at least two packet security gateways being configured to receive the portion of the packets from the first of the at least two packet security gateways.
  - 65. The system of claim 64, wherein:
    - the dynamic security policy comprises at least two rules, a second of the at least two rules being configured to execute after a first of the at least two rules;
      
      the first of the at least two packet security gateways is configured to perform a packet transformation function specified by the first of the at least two rules; and
      
      the second of the at least two packet security gateways is configured to perform a packet transformation function specified by the second of the at least two rules.
  - 66. The system of claim 63, wherein each packet security gateway of the one or more packet security gateways is configured to receive at least one rule specifying a set of network addresses for which associated packets should be dropped and at least one rule specifying that all packets associated with network addresses outside the set of network addresses for which associated packets should be dropped should be forwarded.
  - 67. The system of claim 63, wherein the security policy management server is configured to:
    - receive information associated with a Voice over Internet Protocol (VoIP) session; and
      
      at least one of create or alter, based on the information associated with the VoIP session, the at least one rule specifying the set of network addresses.
  - 68. The system of claim 63, wherein:
    - the dynamic security policy specifies that a first portion of the packets should be placed in a first forwarding queue and a second portion of the packets should be placed in a second forwarding queue, the first forwarding queue having a higher forwarding rate than the second forwarding queue; and
      
      the one or more packet security gateways are configured to;
      
      place the first portion of the packets in the first forwarding queue; and
      
      place the second portion of the packets in the second forwarding queue.
  - 69. The system of claim 63, wherein each packet security gateway of the one or more packet security gateways is configured to at least one of forward the packets into the network protected by the packet security gateway, forward the packets out of the network protected by the packet security gateway, forward the packets to an Internet Protocol Security (IPsec) stack having an IPsec security association corresponding to the packets, or drop the packets.
  - 70. The system of claim 63, wherein each packet security gateway of the one or more packet security gateways is configured to receive at least one rule comprising a five-tuple specifying one or more protocols, one or more Internet Protocol (IP) source addresses, one or more source port values, one or more IP destination addresses, and one or more destination port values.
  - 71. The system of claim 63, wherein each packet security gateway of the one or more packet security gateways is configured to receive at least one rule comprising a Differentiated Service Code Point (DSCP) selector that maps to a DSCP field in an Internet Protocol (IP) header of the packets.
  - 72. The system of claim 63, wherein at least one of the one or more packet security gateways is configured to operate in a network layer transparent manner by sending and receiving traffic at a link layer using an interface that is not addressed at the network layer and performing the at least one packet transformation function at the network layer.
  - 73. The system of claim 72, wherein the at least one of the one or more packet security gateways includes a management interface having a network layer address, and wherein the at least one of the one or more packet security gateways is configured to secure access to the management interface at at least one of an application level, a link level, or a transport level.
  - 74. The system of claim 63, wherein the security policy management server is configured to:
    - receive, from a subscription service that aggregates information associated with malicious network traffic, a list of network addresses known to be associated with malicious network traffic; and
      
      generate, based at least in part on the list, one or more rules included in the dynamic security policy.
  - 75. The system of claim 63, wherein:
    - at least two of the one or more packet security gateways are configured to receive, from the security policy management server, one or more rules specifying source addresses that correspond to spoofed network addresses; and
      
      at least one rule of the one or more rules specifies different source addresses than at least another rule of the one or more rules.
  - 76. The system of claim 63, wherein at least one of the one or more packet security gateways is located at each boundary between a protected network associated with the security policy management server and an unprotected network.

77. One or more non-transitory computer-readable media having instructions stored thereon, that when executed, cause each packet security gateway of one or more packet security gateways associated with a security policy management server to:
- receive, from the security policy management server, a dynamic security policy comprising at least one rule specifying a set of network addresses and a Session Initiation Protocol (SIP) Uniform Resource Identifier (URI);
  
  receive packets associated with a network protected by the packet security gateway;
  
  perform, on the packets, on a packet by packet basis, at least one packet transformation function of multiple packet transformation functions specified by the dynamic security policy;
  
  encapsulate at least one packet of the packets that falls within the set of network addresses and matches the SIP URI with a header containing a network address that is different from a destination network address specified by the at least one packet and that corresponds to a network device configured to copy information contained in the at least one packet and to forward the at least one packet to the destination network address; and
  
  route, based on the header, the at least one packet to the network address that is different from the destination network address.
- View Dependent Claims (78, 79, 80, 81, 82, 83, 84, 85, 86, 87, 88, 89, 90)
- - 78. The one or more non-transitory computer-readable media of claim 77, wherein the one or more packet security gateways comprise at least two packet security gateways configured in series, and wherein the instructions, when executed, cause:
    - a first of the at least two packet security gateways to forward a portion of the packets to a second of the at least two packet security gateways; and
      
      the second of the at least two packet security gateways to receive the portion of the packets from the first of the at least two packet security gateways.
  - 79. The one or more non-transitory computer-readable media of claim 78, wherein the dynamic security policy comprises at least two rules, a second of the at least two rules being configured to execute after a first of the at least two rules, and wherein the instructions, when executed, cause:
    - the first of the at least two packet security gateways to perform a packet transformation function specified by the first of the at least two rules; and
      
      the second of the at least two packet security gateways to perform a packet transformation function specified by the second of the at least two rules.
  - 80. The one or more non-transitory computer-readable media of claim 77, wherein the instructions, when executed, cause each packet security gateway of the one or more packet security gateways to receive at least one rule specifying a set of network addresses for which associated packets should be dropped and at least one rule specifying that all packets associated with network addresses outside the set of network addresses for which associated packets should be dropped should be forwarded.
  - 81. The one or more non-transitory computer-readable media of claim 77, wherein the instructions, when executed, cause the security policy management server to:
    - receive information associated with a Voice over Internet Protocol (VoIP) session; and
      
      at least one of create or alter, based on the information associated with the VoIP session, the at least one rule specifying the set of network addresses.
  - 82. The one or more non-transitory computer-readable media of claim 77, wherein the dynamic security policy specifies that a first portion of the packets should be placed in a first forwarding queue and a second portion of the packets should be placed in a second forwarding queue, the first forwarding queue having a higher forwarding rate than the second forwarding queue, and wherein the instructions, when executed, cause the one or more packet security gateways to:
    - place the first portion of the packets in the first forwarding queue; and
      
      place the second portion of the packets in the second forwarding queue.
  - 83. The one or more non-transitory computer-readable media of claim 77, wherein the instructions, when executed, cause each packet security gateway of the one or more packet security gateways to at least one of forward the packets into the network protected by the packet security gateway, forward the packets out of the network protected by the packet security gateway, forward the packets to an Internet Protocol Security (IPsec) stack having an IPsec security association corresponding to the packets, or drop the packets.
  - 84. The one or more non-transitory computer-readable media of claim 77, wherein the instructions, when executed, cause each packet security gateway of the one or more packet security gateways to receive at least one rule comprising a five-tuple specifying one or more protocols, one or more Internet Protocol (IP) source addresses, one or more source port values, one or more IP destination addresses, and one or more destination port values.
  - 85. The one or more non-transitory computer-readable media of claim 77, wherein the instructions, when executed, cause each packet security gateway of the one or more packet security gateways to receive at least one rule comprising a Differentiated Service Code Point (DSCP) selector that maps to a DSCP field in an Internet Protocol (IP) header of the packets.
  - 86. The one or more non-transitory computer-readable media of claim 77, wherein the instructions, when executed, cause at least one packet security gateway of the one or more packet security gateways to operate in a network layer transparent manner by sending and receiving traffic at a link layer using an interface that is not addressed at the network layer and performing the at least one packet transformation function at the network layer.
  - 87. The one or more non-transitory computer-readable media of claim 86, wherein the at least one of the one or more packet security gateways includes a management interface having a network layer address, and wherein the instructions, when executed, cause the at least one packet security gateway of the one or more packet security gateways to secure access to the management interface at at least one of an application level, a link level, or a transport level.
  - 88. The one or more non-transitory computer-readable media of claim 77, wherein the instructions, when executed, cause the security policy management server to:
    - receive, from a subscription service that aggregates information associated with malicious network traffic, a list of network addresses known to be associated with malicious network traffic; and
      
      generate, based at least in part on the list, one or more rules included in the dynamic security policy.
  - 89. The one or more non-transitory computer-readable media of claim 77, wherein the instructions, when executed, cause at least two of the one or more packet security gateways to receive, from the security policy management server, one or more rules specifying source addresses that correspond to spoofed network addresses, at least one rule of the one or more rules specifying different source addresses than at least another rule of the one or more rules.
  - 90. The one or more non-transitory computer-readable media of claim 77, wherein at least one of the one or more packet security gateways is located at each boundary between a protected network associated with the security policy management server and an unprotected network.

91. A method, comprising:
- communicating, by a security policy management server and to a packet security gateway located at a first boundary of a network protected by the security policy management server, a first dynamic security policy, the first dynamic security policy comprising one or more rules based on the first boundary;
  
  communicating, by the security policy management server and to a packet security gateway located at a second boundary of the network, a second dynamic security policy, the second dynamic security policy comprising one or more rules based on the second boundary that differ from the one or more rules based on the first boundary;
  
  performing, by the packet security gateway located at the first boundary, at least one of multiple packet transformation functions specified by the first dynamic security policy on a plurality of packets associated with the network that correspond to one or more criteria specified by the one or more rules based on the first boundary, wherein performing the at least one of the multiple packet transformation functions specified by the first dynamic security policy comprises dropping one or more of the plurality of packets associated with the network that correspond to the one or more criteria specified by the one or more rules based on the first boundary; and
  
  performing, by the packet security gateway located at the second boundary, at least one of multiple packet transformation functions specified by the second dynamic security policy on a plurality of packets associated with the network that correspond to one or more criteria specified by the one or more rules based on the second boundary, wherein performing the at least one of the multiple packet transformation functions specified by the second dynamic security policy comprises dropping one or more of the plurality of packets associated with the network that correspond to the one or more criteria specified by the one or more rules based on the second boundary.
- View Dependent Claims (92)
- - 92. The method of claim 91, wherein:
    - the first boundary comprises a boundary between the network protected by the security policy management server and a first network that interfaces with the network protected by the security policy management server;
      
      the second boundary comprises a boundary between the network protected by the security policy management server and a second network that interfaces with the network protected by the security policy management server;
      
      the one or more criteria specified by the one or more rules based on the first boundary comprise one or more criteria based on a set of source network addresses for the first network;
      
      the one or more criteria specified by the one or more rules based on the second boundary comprise one or more criteria based on a set of source network addresses for the second network;
      
      performing the at least one of the multiple packet transformation functions specified by the first dynamic security policy comprises dropping at least one packet, received from the first network, comprising a spoofed source address; and
      
      performing the at least one of the multiple packet transformation functions specified by the second dynamic security policy comprises dropping at least one packet, received from the second network, comprising a different spoofed source address.

93. A system, comprising:
- a security policy management server;
  
  a first packet security gateway, located at a first boundary of a network protected by the security policy management server, comprising computer hardware and logic configured to cause the first packet security gateway to;
  
  receive, from the security policy management server, a first dynamic security policy, the first dynamic security policy comprising one or more rules based on the first boundary;
  
  perform, at least one of multiple packet transformation functions specified by the first dynamic security policy on a plurality of packets that correspond to one or more criteria specified by the one or more rules based on the first boundary; and
  
  drop one or more of the plurality of packets associated with the network that correspond to the one or more criteria specified by the one or more rules based on the first boundary; and
  
  a second packet security gateway, located at a second boundary of a network protected by the security policy management server, comprising computer hardware and logic configured to cause the second packet security gateway to;
  
  receive, from the security policy management server, a second dynamic security policy, the second dynamic security policy comprising one or more rules based on the second boundary that differ from the one or more rules based on the first boundary;
  
  perform at least one of multiple packet transformation functions specified by the second dynamic security policy on a plurality of packets that correspond to one or more criteria specified by the one or more rules based on the second boundary; and
  
  drop one or more of the plurality of packets associated with the network that correspond to the one or more criteria specified by the one or more rules based on the second boundary.
- View Dependent Claims (94)
- - 94. The system of claim 93, wherein:
    - the first boundary comprises a boundary between the network protected by the security policy management server and a first network that interfaces with the network protected by the security policy management server;
      
      the second boundary comprises a boundary between the network protected by the security policy management server and a second network that interfaces with the network protected by the security policy management server;
      
      the one or more criteria specified by the one or more rules based on the first boundary comprise one or more criteria based on a set of source network addresses for the first network;
      
      the one or more criteria specified by the one or more rules based on the second boundary comprise one or more criteria based on a set of source network addresses for the second network;
      
      the first packet security gateway is configured to drop at least one packet received from the first network based on a determination that the at least one packet received from the first network comprises a spoofed source address; and
      
      the second packet security gateway is configured to drop at least one packet received from the second network based on a determination that the at least one packet received from the second network comprises a different spoofed source address.

95. One or more non-transitory computer-readable media having instructions stored thereon that when executed cause:
- a security policy management server to communicate, to a packet security gateway located at a first boundary of a network protected by the security policy management server, a first dynamic security policy, the first dynamic security policy comprising one or more rules based on the first boundary;
  
  the security policy management server to communicate, to a packet security gateway located at a second boundary of the network, a second dynamic security policy, the second dynamic security policy comprising one or more rules based on the second boundary that differ from the one or more rules based on the first boundary;
  
  the packet security gateway located at the first boundary to;
  
  perform at least one of multiple packet transformation functions specified by the first dynamic security policy on a plurality of packets associated with the network that correspond to one or more criteria specified by the one or more rules based on the first boundary; and
  
  drop one or more of the plurality of packets associated with the network that correspond to the one or more criteria specified by the one or more rules based on the first boundary; and
  
  the packet security gateway located at the second boundary to;
  
  perform at least one of multiple packet transformation functions specified by the second dynamic security policy on a plurality of packets associated with the network that correspond to one or more criteria specified by the one or more rules based on the second boundary; and
  
  drop one or more of the plurality of packets associated with the network that correspond to the one or more criteria specified by the one or more rules based on the second boundary.
- View Dependent Claims (96)
- - 96. The one or more non-transitory computer-readable media of claim 95, wherein:
    - the first boundary comprises a boundary between the network protected by the security policy management server and a first network that interfaces with the network protected by the security policy management server;
      
      the second boundary comprises a boundary between the network protected by the security policy management server and a second network that interfaces with the network protected by the security policy management server;
      
      the one or more criteria specified by the one or more rules based on the first boundary comprise one or more criteria based on a set of source network addresses for the first network;
      
      the one or more criteria specified by the one or more rules based on the second boundary comprise one or more criteria based on a set of source network addresses for the second network; and
      
      the instructions, when executed, cause;
      
      the packet security gateway located at the first boundary to drop at least one packet received from the first network based on a determination that the at least one packet received from the first network comprises a spoofed source address; and
      
      the packet security gateway located at the second boundary to drop at least one packet received from the second network based on a determination that the at least one packet received from the second network comprises a different spoofed source address.

Specification

Resources

Litigation Campaign Assessment

Litigation Data

Current Assignee
Centripetal Networks, Inc.
Original Assignee
Centripetal Networks, Inc.
Inventors
Rogers, Steven, Moore, Sean
Primary Examiner(s)
CHANG, KENNETH W

Application Number

US13/657,010
Publication Number

US 20140115654A1
Time in Patent Office

1,058 Days
Field of Search

726/1
US Class Current

1/1
CPC Class Codes

H04L 63/0209   Architectural arrangements,...

H04L 63/0218   Distributed architectures, ...

H04L 63/0236   Filtering by address, proto...

H04L 63/0263   Rule management

H04L 63/20   for managing network securi...

H04L 67/02   based on web technology, e....

Methods and systems for protecting a secured network

First Claim

4 Assignments

Litigations

4 Petitions

Reexamination

Accused Products

Abstract

Citations

96 Claims

Specification

Solutions

Use Cases

Quick Links

Methods and systems for protecting a secured network

First Claim

4 Assignments

Subscription Required

Subscription Required

Litigations

4 Petitions

Subscription Required

Reexamination

Accused Products

Subscription Required

Abstract

Citations

96 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links