Access, priority and bandwidth management based on application identity

US 9,240,945 B2
Filed: 03/18/2009
Issued: 01/19/2016
Est. Priority Date: 03/19/2008
Status: Active Grant

First Claim

Patent Images

1. A method of controlling packet flow, comprising:

receiving, from a sending node by a packet processor of a security node, packets destined for one or more resources, the sending node inserting an application identifier into a respective one of the packets responsive to determining that the respective one of the packets is sent from a first application registered with the security node and that the first registered application is invoked for execution by a second application registered with the security node;

determining, by the packet processor for each of the received packets, whether a respective application identifier has been inserted by the sending node; and

controlling, by the packet processor for the received packets determined to have an inserted application identifier, a packet flow of the corresponding packets being sent from the security node by establishing one or more of a priority or a bandwidth of the corresponding packets to the one or more resources.

View all claims

8 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

A method or system for managing packet flow is disclosed. The packets each include an inserted application identifier identifying a registered application. The method includes receiving packets destined for one or more resources, determining, by a packet processor, the inserted application identifier for each of the respective packets received and managing the packet flow of each received packet sent from a security node based at least in part on the inserted application identifier of the received packet.

208 Citations

20 Claims

1. A method of controlling packet flow, comprising:
- receiving, from a sending node by a packet processor of a security node, packets destined for one or more resources, the sending node inserting an application identifier into a respective one of the packets responsive to determining that the respective one of the packets is sent from a first application registered with the security node and that the first registered application is invoked for execution by a second application registered with the security node;
  
  determining, by the packet processor for each of the received packets, whether a respective application identifier has been inserted by the sending node; and
  
  controlling, by the packet processor for the received packets determined to have an inserted application identifier, a packet flow of the corresponding packets being sent from the security node by establishing one or more of a priority or a bandwidth of the corresponding packets to the one or more resources.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10, 11)
- - 2. The method of claim 1, wherein the determining of the inserted application identifier occurs in the security node in an Open Systems Interconnect (OSI) layer below an application layer.
  - 3. The method of claim 1, wherein the determining of the inserted application identifier occurs in a network layer.
  - 4. The method of claim 1, further comprising:
    - establishing, by the security node, a list of registered applications and unique application identifiers associated therewith; and
      
      securely sending, by the security node to the sending node, the list of registered applications and the associated unique application identifiers.
  - 5. The method of claim 1, further comprising:
    - inserting, by a program processor of the sending node, the application identifier identifying the registered application into packets to be sent from sending node; and
      
      sending the packets destined for the one or more resources via the security node.
  - 6. The method of claim 1, wherein the inserting of the application identifier includes:
    - embedding at least the application identifier and a user identifier in a security tag; and
      
      inserting the security tag into each of the packets sent by the sending node, as an in-band metadata tag.
  - 7. The method of claim 6, wherein the determining of the inserted application identifier for each of the respective packets received by the security node includes:
    - scanning for the embedded security tag in each of the packets received by the security node; and
      
      extracting the inserted application and user identifiers from the scanned security tags of the packets received by the security node.
  - 8. The method of claim 1, wherein the inserting of the application identifier into packets to be sent from the sending node includes:
    - selectively inserting a respective application identifier into each packet;
      
      (1) associated with an application in a list of registered applications; and
      
      (2) destined for one of the one or more resources such that application identifiers are prevented from being inserted into packets that are associated with an application not in the list of registered applications or that are not destined for one of the one or more resources.
  - 9. The method of claim 1, wherein the adjustment of one or more of a priority or a bandwidth of the corresponding packets to the resource is based on at least the application identifier in the corresponding packets.
  - 10. The method of claim 1, further comprising:
    - blocking, by the security node, the flow of packets without an inserted application identifier to the one or more resources.
  - 11. The method of claim 1, further comprising:
    - generating audit logs from the received packets that include at least information to watermark an application associated with the received packets.

12. A security node for managing packet flow between a sending node and one or more resources on a network, comprising:
- a registration unit configured for registering applications that are authorized to access the one or more resources on the network; and
  
  a packet processor comprising circuitry configured for;
  
  receiving, from the sending node, packets destined for the one or more resources, the sending node inserting an application identifier into a respective one of the packets responsive to determining that the respective one of the packets is sent from a first application registered with the security node and that the first registered application is invoked for execution by a second application registered with the security node;
  
  determining, for each of the received packets, whether a respective application identifier has been inserted by the sending node;
  
  controlling, for the received packets determined to have an inserted application identifier, a packet flow of the packets being sent from the security node by establishing one or more of a priority or a bandwidth of the corresponding packets to the one or more resources.
- View Dependent Claims (13, 14, 15, 16, 17, 18, 19, 20)
- - 13. The security node of claim 12, further comprising:
    - an event logger configured for generating audit logs from the received packets that includes at least information to watermark an application associated with the received packets.
  - 14. The security node of claim 12, wherein the packet processor is configured to determine presence of the respective application identifier in an Open Systems Interconnect (OSI) layer below an application layer.
  - 15. The security node of claim 12, wherein the packet processor is configured to determine presence of the respective application identifier in a network layer.
  - 16. The security node of claim 12, wherein the packet processor is configured to establish a list of registered applications and unique application identifiers associated therewith, and to securely send, to the sending node, the list of registered applications and the associated unique application identifiers.
  - 17. The security node of claim 12, wherein a program processor of the sending node inserts the application identifier identifying the registered application into packets to be sent from sending node, and sends the packets destined for the one or more resources via the security node.
  - 18. The security node of claim 17, wherein the inserting of the application identifier includes:
    - embedding at least the application identifier and a user identifier in a security tag; and
      
      inserting the security tag into each of the packets sent by the sending node, as an in-band metadata tag.
  - 19. The security node of claim 18, wherein the packet processor is configured to determine a presence of an application identifier in each of the respective packets received by the security node by:
    - scanning for the embedded security tag in each of the packets received by the security node; and
      
      extracting the inserted application from the scanned security tags of the packets received by the security node.
  - 20. The security node of claim 17, wherein the inserting of the application identifier into packets to be sent from the sending node includes:
    - selectively inserting a respective application identifier into each packet;
      
      (1) associated with an application in a list of registered applications; and
      
      (2) destined for one of the one or more resources such that application identifiers are prevented from being inserted into packets that are associated with an application not in the list of registered applications or that are not destined for one of the one or more resources.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Citrix Systems, Inc. (Cloud Software Group)
Original Assignee
Citrix Systems, Inc. (Cloud Software Group)
Inventors
Kumar, Srinivas, Bettadapura, Vijayashree S., Shah, Shadab Munam
Primary Examiner(s)
GOODCHILD, WILLIAM J

Application Number

US12/406,613
Publication Number

US 20090241170A1
Time in Patent Office

2,498 Days
Field of Search

726/4
US Class Current

1/1
CPC Class Codes

H04L 47/10   Flow control; Congestion co...

H04L 47/2458   Modification of priorities ...

H04L 63/0227   Filtering policies mail mes...

H04L 63/102   Entity profiles

Access, priority and bandwidth management based on application identity

First Claim

8 Assignments

0 Petitions

Accused Products

Abstract

208 Citations

20 Claims

Specification

Solutions

Use Cases

Quick Links

Access, priority and bandwidth management based on application identity

First Claim

8 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

208 Citations

20 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links