Methods and systems for protecting a secured network
Abstract
Methods and systems for protecting a secured network are presented. For example, one or more packet security gateways may be associated with a security policy management server. At each packet security gateway, a dynamic security policy may be received from the security policy management server, packets associated with a network protected by the packet security gateway may be received, and at least one of multiple packet transformation functions specified by the dynamic security policy may be performed on the packets. Performing the at least one of multiple packet transformation functions specified by the dynamic security policy on the packets may include performing at least one packet transformation function other than forwarding or dropping the packets.
96 Claims
1. A method, comprising:
at each packet security gateway of one or more packet security gateways associated with a security policy management server:
receiving a plurality of dynamic security policies from the security policy management server, wherein receiving the plurality of dynamic security policies comprises:
receiving at least one rule specifying a set of network addresses for which associated packets should be forwarded and at least one rule specifying that all packets associated with network addresses outside the set of network addresses for which packets should be forwarded should be dropped;
receiving, at a first time, a dynamic security policy specifying a first set of network addresses for which packets should be forwarded;
receiving, at a second time, a dynamic security policy specifying a second set of network addresses for which packets should be forwarded; and
receiving, at a third time, a dynamic security policy specifying a third set of network addresses for which packets should be forwarded, the second time being after the first time, the third time being after the second time, the second set of network addresses including more network addresses than the first set of network addresses, and the third set of network addresses including more network addresses than the second set of network addresses;
receiving packets associated with a network protected by the packet security gateway; and
performing, on a packet by packet basis, at least one of multiple packet transformation functions specified by the plurality of dynamic security policies on the packets associated with the network protected by the packet security gateway, wherein performing the at least one of the multiple packet transformation functions specified by the plurality of dynamic security policies on the packets comprises performing at least one packet transformation function other than forwarding or dropping the packets.
Dependent claims: 2-16.
17. A system, comprising:
a security policy management server; and
one or more packet security gateways associated with the security policy management server, wherein each packet security gateway of the one or more packet security gateways comprises computer hardware and logic configured to cause the packet security gateway to:
receive a plurality of dynamic security policies from the security policy management server;
receive at least one rule specifying a set of network addresses for which associated packets should be forwarded and at least one rule specifying that all packets associated with network addresses outside the set of network addresses for which packets should be forwarded should be dropped;
receive, at a first time, a dynamic security policy specifying a first set of network addresses for which packets should be forwarded;
receive, at a second time, a dynamic security policy specifying a second set of network addresses for which packets should be forwarded;
receive, at a third time, a dynamic security policy specifying a third set of network addresses for which packets should be forwarded, the second time being after the first time, the third time being after the second time, the second set of network addresses including more network addresses than the first set of network addresses, and the third set of network addresses including more network addresses than the second set of network addresses;
receive packets associated with a network protected by the packet security gateway; and
perform, on a packet by packet basis, at least one of multiple packet transformation functions specified by the plurality of dynamic security policies on the packets associated with the network protected by the packet security gateway, wherein each of the one or more packet security gateways is configured to perform the at least one of the multiple packet transformation functions specified by the plurality of dynamic security policies on the packets by performing at least one packet transformation function other than forwarding or dropping the packets.
Dependent claims: 18-32.
33. One or more non-transitory computer-readable media having instructions stored thereon, that when executed, cause each packet security gateway of one or more packet security gateways associated with a security policy management server to:
receive a plurality of dynamic security policies from the security policy management server;
receive at least one rule specifying a set of network addresses for which associated packets should be forwarded and at least one rule specifying that all packets associated with network addresses outside the set of network addresses for which packets should be forwarded should be dropped;
receive, at a first time, a dynamic security policy specifying a first set of network addresses for which packets should be forwarded;
receive, at a second time, a dynamic security policy specifying a second set of network addresses for which packets should be forwarded;
receive, at a third time, a dynamic security policy specifying a third set of network addresses for which packets should be forwarded, the second time being after the first time, the third time being after the second time, the second set of network addresses including more network addresses than the first set of network addresses, and the third set of network addresses including more network addresses than the second set of network addresses;
receive packets associated with a network protected by the packet security gateway; and
perform, on a packet by packet basis, at least one of multiple packet transformation functions specified by the plurality of dynamic security policies on the packets associated with the network protected by the packet security gateway, wherein each of the one or more packet security gateways is configured to perform the at least one of the multiple packet transformation functions specified by the plurality of dynamic security policies on the packets by performing at least one packet transformation function other than forwarding or dropping the packets.
Dependent claims: 34-48.
49. A method, comprising:
at each of one or more packet security gateways associated with a security policy management server:
receiving, from the security policy management server, a dynamic security policy comprising at least one rule specifying a set of network addresses and a Session Initiation Protocol (SIP) Uniform Resource Identifier (URI);
receiving packets associated with a network protected by the packet security gateway; and
performing, on the packets, on a packet by packet basis, at least one packet transformation function of multiple packet transformation functions specified by the dynamic security policy, wherein performing the at least one packet transformation function comprises:
encapsulating at least one packet of the packets that falls within the set of network addresses and matches the SIP URI with a header containing a network address that is different from a destination network address specified by the at least one packet and that corresponds to a network device configured to copy information contained in the at least one packet and to forward the at least one packet to the destination network address; and
routing, based on the header, the at least one packet to the network address that is different from the destination network address.
Dependent claims: 50-62.
63. A system, comprising:
a security policy management server; and
one or more packet security gateways associated with the security policy management server, wherein each packet security gateway of the one or more packet security gateways comprises computer hardware and logic configured to cause the packet security gateway to:
receive, from the security policy management server, a dynamic security policy comprising at least one rule specifying a set of network addresses and a Session Initiation Protocol (SIP) Uniform Resource Identifier (URI);
receive packets associated with a network protected by the packet security gateway;
perform, on the packets, on a packet by packet basis, at least one packet transformation function of multiple packet transformation functions specified by the dynamic security policy;
encapsulate at least one packet of the packets that falls within the set of network addresses and matches the SIP URI with a header containing a network address that is different from a destination network address specified by the at least one packet and that corresponds to a network device configured to copy information contained in the at least one packet and to forward the at least one packet to the destination network address; and
route, based on the header, the at least one packet to the network address that is different from the destination network address.
Dependent claims: 64-76.
77. One or more non-transitory computer-readable media having instructions stored thereon, that when executed, cause each packet security gateway of one or more packet security gateways associated with a security policy management server to:
receive, from the security policy management server, a dynamic security policy comprising at least one rule specifying a set of network addresses and a Session Initiation Protocol (SIP) Uniform Resource Identifier (URI);
receive packets associated with a network protected by the packet security gateway;
perform, on the packets, on a packet by packet basis, at least one packet transformation function of multiple packet transformation functions specified by the dynamic security policy;
encapsulate at least one packet of the packets that falls within the set of network addresses and matches the SIP URI with a header containing a network address that is different from a destination network address specified by the at least one packet and that corresponds to a network device configured to copy information contained in the at least one packet and to forward the at least one packet to the destination network address; and
route, based on the header, the at least one packet to the network address that is different from the destination network address.
Dependent claims: 78-90.
91. A method, comprising:
communicating, by a security policy management server and to a packet security gateway located at a first boundary of a network protected by the security policy management server, a first dynamic security policy, the first dynamic security policy comprising one or more rules based on the first boundary;
communicating, by the security policy management server and to a packet security gateway located at a second boundary of the network, a second dynamic security policy, the second dynamic security policy comprising one or more rules based on the second boundary that differ from the one or more rules based on the first boundary;
performing, by the packet security gateway located at the first boundary, at least one of multiple packet transformation functions specified by the first dynamic security policy on a plurality of packets associated with the network that correspond to one or more criteria specified by the one or more rules based on the first boundary, wherein performing the at least one of the multiple packet transformation functions specified by the first dynamic security policy comprises dropping one or more of the plurality of packets associated with the network that correspond to the one or more criteria specified by the one or more rules based on the first boundary; and
performing, by the packet security gateway located at the second boundary, at least one of multiple packet transformation functions specified by the second dynamic security policy on a plurality of packets associated with the network that correspond to one or more criteria specified by the one or more rules based on the second boundary, wherein performing the at least one of the multiple packet transformation functions specified by the second dynamic security policy comprises dropping one or more of the plurality of packets associated with the network that correspond to the one or more criteria specified by the one or more rules based on the second boundary.
Dependent claims: 92.
93. A system, comprising:
a security policy management server;
a first packet security gateway, located at a first boundary of a network protected by the security policy management server, comprising computer hardware and logic configured to cause the first packet security gateway to:
receive, from the security policy management server, a first dynamic security policy, the first dynamic security policy comprising one or more rules based on the first boundary;
perform at least one of multiple packet transformation functions specified by the first dynamic security policy on a plurality of packets that correspond to one or more criteria specified by the one or more rules based on the first boundary; and
drop one or more of the plurality of packets associated with the network that correspond to the one or more criteria specified by the one or more rules based on the first boundary; and
a second packet security gateway, located at a second boundary of a network protected by the security policy management server, comprising computer hardware and logic configured to cause the second packet security gateway to:
receive, from the security policy management server, a second dynamic security policy, the second dynamic security policy comprising one or more rules based on the second boundary that differ from the one or more rules based on the first boundary;
perform at least one of multiple packet transformation functions specified by the second dynamic security policy on a plurality of packets that correspond to one or more criteria specified by the one or more rules based on the second boundary; and
drop one or more of the plurality of packets associated with the network that correspond to the one or more criteria specified by the one or more rules based on the second boundary.
Dependent claims: 94.
95. One or more non-transitory computer-readable media having instructions stored thereon that when executed cause:
a security policy management server to communicate, to a packet security gateway located at a first boundary of a network protected by the security policy management server, a first dynamic security policy, the first dynamic security policy comprising one or more rules based on the first boundary;
the security policy management server to communicate, to a packet security gateway located at a second boundary of the network, a second dynamic security policy, the second dynamic security policy comprising one or more rules based on the second boundary that differ from the one or more rules based on the first boundary;
the packet security gateway located at the first boundary to:
perform at least one of multiple packet transformation functions specified by the first dynamic security policy on a plurality of packets associated with the network that correspond to one or more criteria specified by the one or more rules based on the first boundary; and
drop one or more of the plurality of packets associated with the network that correspond to the one or more criteria specified by the one or more rules based on the first boundary; and
the packet security gateway located at the second boundary to:
perform at least one of multiple packet transformation functions specified by the second dynamic security policy on a plurality of packets associated with the network that correspond to one or more criteria specified by the one or more rules based on the second boundary; and
drop one or more of the plurality of packets associated with the network that correspond to the one or more criteria specified by the one or more rules based on the second boundary.
Dependent claims: 96.
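The following Python model is an added illustration of the gateway behaviour described in claims 1 and 49; it is not code from the patent or from its assignee. It assumes its own names and data shapes (Packet, Rule, Policy, PacketSecurityGateway, CopyAndForwardDevice, the sample addresses and the SIP URI), and reduces "packet transformation function" to three actions: forward, drop, and encapsulate toward a copy-and-forward device. The stale-policy check in receive_policy is a practitioner's addition, not a claim element.

```python
"""Toy model of a packet security gateway applying dynamic security policies.

Added illustration only; names, packet/policy shapes and sample addresses are
assumptions chosen for the example, not the patent's own implementation.
"""
import ipaddress
from dataclasses import dataclass
from typing import Optional

ANY = (ipaddress.ip_network("0.0.0.0/0"),)


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    sip_uri: Optional[str] = None  # request-URI carried by a SIP message, if any


@dataclass(frozen=True)
class Rule:
    networks: tuple                 # ip_network objects the rule applies to
    action: str                     # "forward", "drop" or "encapsulate"
    sip_uri: Optional[str] = None   # optional SIP URI the packet must also match
    encap_to: Optional[str] = None  # copy-and-forward device, for "encapsulate"

    def matches(self, pkt: Packet) -> bool:
        # A packet is "associated with" an address if its source or destination is in the set.
        in_set = any(ipaddress.ip_address(a) in n
                     for a in (pkt.src, pkt.dst) for n in self.networks)
        uri_ok = self.sip_uri is None or pkt.sip_uri == self.sip_uri
        return in_set and uri_ok


@dataclass(frozen=True)
class Policy:
    issued_at: int   # policy time; later policies supersede earlier ones
    rules: tuple     # ordered, first match wins


def allow_set_policy(issued_at: int, cidrs, extra=()) -> Policy:
    """Policy of the shape claim 1 describes: forward the address set, drop everything else."""
    nets = tuple(ipaddress.ip_network(c) for c in cidrs)
    return Policy(issued_at, tuple(extra) + (Rule(nets, "forward"), Rule(ANY, "drop")))


@dataclass(frozen=True)
class Encapsulated:
    outer_dst: str   # header added by the gateway; differs from inner.dst
    inner: Packet


class PacketSecurityGateway:
    def __init__(self):
        self.policy = None

    def receive_policy(self, policy: Policy) -> None:
        # Added check: refuse stale or replayed policies so only newer ones replace the current one.
        if self.policy is not None and policy.issued_at <= self.policy.issued_at:
            raise ValueError("stale dynamic security policy rejected")
        self.policy = policy

    def process(self, pkt: Packet):
        """Apply the first matching rule to one packet; fail closed if nothing matches."""
        for rule in self.policy.rules:
            if not rule.matches(pkt):
                continue
            if rule.action == "forward":
                return ("forward", pkt)
            if rule.action == "encapsulate":
                return ("encapsulate", Encapsulated(rule.encap_to, pkt))
            return ("drop", None)
        return ("drop", None)


class CopyAndForwardDevice:
    """Device at the encapsulation address: keeps a copy, then forwards the inner packet."""
    def __init__(self):
        self.copies = []

    def receive(self, enc: Encapsulated) -> Packet:
        self.copies.append(enc.inner)
        return enc.inner   # decapsulated and sent on to its original destination


def demo() -> dict:
    psg = PacketSecurityGateway()
    # Three policies at times 1, 2, 3, each forwarding a larger address set (claim 1).
    psg.receive_policy(allow_set_policy(1, ["10.0.0.0/24"]))
    psg.receive_policy(allow_set_policy(2, ["10.0.0.0/24", "10.0.1.0/24"]))
    mirror = Rule((ipaddress.ip_network("10.0.2.0/24"),), "encapsulate",
                  sip_uri="sip:alice@example.org", encap_to="192.0.2.10")  # claim 49 rule
    psg.receive_policy(allow_set_policy(
        3, ["10.0.0.0/24", "10.0.1.0/24", "10.0.2.0/24"], extra=(mirror,)))
    dev = CopyAndForwardDevice()
    out = {}
    out["inside"] = psg.process(Packet("10.0.1.7", "198.51.100.5"))[0]
    out["outside"] = psg.process(Packet("172.16.0.9", "198.51.100.5"))[0]
    action, enc = psg.process(Packet("10.0.2.3", "198.51.100.5", "sip:alice@example.org"))
    out["sip"] = (action, enc.outer_dst, dev.receive(enc).dst, len(dev.copies))
    out["sip_other_uri"] = psg.process(Packet("10.0.2.3", "198.51.100.5", "sip:bob@example.org"))[0]
    try:
        psg.receive_policy(allow_set_policy(2, ["10.0.0.0/24"]))
        out["stale"] = "accepted"
    except ValueError:
        out["stale"] = "rejected"
    return out


if __name__ == "__main__":
    print(demo())
```

Two design points matter here. Rule order is the policy: the encapsulate rule sits before the forward rule so a SIP packet from the monitored range is mirrored rather than simply forwarded, and the catch-all drop sits last so anything outside the address set (and any packet matching no rule at all) is dropped. And because the gateway takes its rules from a remote server, accepting a policy with an older time than the one currently installed would let a replayed or reordered update silently shrink or widen the forwarded set, which is why the model rejects it.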