Distributed application awareness

US 9,258,313 B1
Filed: 09/28/2012
Issued: 02/09/2016
Est. Priority Date: 09/28/2012
Status: Active Grant

First Claim

Patent Images

1. A system, comprising:

an edge device, of a plurality of edge devices in communication with a security device, the security device being included in a network,the edge device being positioned at an edge of the network between the security device and a user device attempting to access the network via the edge device, andthe edge device being to;

receive network traffic, generated by an application executing on the user device;

determine, based on information included in the network traffic, a flow associated with the network traffic;

determine an application identifier associated with the flow,the application identifier identifying the application;

determine whether the application identifier matches one of a first plurality of application identifiers stored by the edge device,the first plurality of application identifiers including one or more application identifiers that are not included in a second plurality of application identifiers stored by the security device and are not included in a third plurality of application identifiers stored by another edge device of the plurality of edge devices;

when the application identifier matches the one of the first plurality of application identifiers;

identify a policy associated with the one of the first plurality of application identifiers;

when the application identifier does not match the one of the first plurality of application identifiers;

send information associated with the network traffic to the security device, andreceive the policy from the security device; and

apply the policy to the network traffic.

View all claims

1 Assignment

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

A network device is configured to receive network traffic associated with an application executing on a user device; identify, based on the network traffic, an application identifier associated with the application; determine whether the application identifier matches one of a set of application identifiers stored by the network device; identify a policy based on the application identifier when the application identifier matches one of the set of application identifiers; and apply the policy to the network traffic associated with the application. The policy may be obtained from another network device, in communication with the network device, when the application identifier does not match one of the set of application identifiers.

Citations

20 Claims

1. A system, comprising:
- an edge device, of a plurality of edge devices in communication with a security device, the security device being included in a network,the edge device being positioned at an edge of the network between the security device and a user device attempting to access the network via the edge device, andthe edge device being to;
  
  receive network traffic, generated by an application executing on the user device;
  
  determine, based on information included in the network traffic, a flow associated with the network traffic;
  
  determine an application identifier associated with the flow,the application identifier identifying the application;
  
  determine whether the application identifier matches one of a first plurality of application identifiers stored by the edge device,the first plurality of application identifiers including one or more application identifiers that are not included in a second plurality of application identifiers stored by the security device and are not included in a third plurality of application identifiers stored by another edge device of the plurality of edge devices;
  
  when the application identifier matches the one of the first plurality of application identifiers;
  
  identify a policy associated with the one of the first plurality of application identifiers;
  
  when the application identifier does not match the one of the first plurality of application identifiers;
  
  send information associated with the network traffic to the security device, andreceive the policy from the security device; and
  
  apply the policy to the network traffic.
- View Dependent Claims (2, 3, 4, 5, 6, 7)
- - 2. The system of claim 1, where the first plurality of application identifiers, stored by the edge device, is a subset of the second plurality of application identifiers stored by the security device.
  - 3. The system of claim 1, where the edge device is further to:
    - store information identifying the flow in a flow table; and
      
      store the application identifier, in association with the information identifying the flow, as a flow record in the flow table.
  - 4. The system of claim 3, where the edge device is further to:
    - share the flow record with one or more other edge devices of the plurality of edge devices,each particular edge device, of the one or more other edge devices, storing the flow record in a respective flow table stored by the particular edge device.
  - 5. The system of claim 1, where the edge device, when sending the information associated with the network traffic, is to:
    - send the information, associated with the network traffic, via a secure communication channel to the security device.
  - 6. The system of claim 1, where the plurality of edge devices and the security device collectively perform distributed application awareness functions to identify and track end user applications associated with the network,the end user applications including the application.
  - 7. The system of claim 1, where, when determining the flow associated with the network traffic, the edge device is to:
    - determine one or more of;
      
      a source address associated with the network traffic,a destination address associated with the network traffic,a source port associated with the network traffic,a destination port associated with the network traffic, ora protocol associated with the network traffic, anddetermine the information identifying the flow based on the one or more of the source address, the destination address, the source port, the destination port, or the protocol.

8. A non-transitory computer-readable medium storing instructions, the instructions comprising:
- one or more instructions which, when executed by one or more processors, of an edge device, of a plurality of edge devices in communication with a security device, cause the one or more processors to;
  
  receive network traffic generated by an application executing on a user device,the edge device being positioned at an edge of a network between the user device and the security device,the plurality of edge devices and the security device being included in the network, andthe user device attempting to access the network via the edge device;
  
  determine, based on information included in the network traffic, a flow associated with the network traffic;
  
  determine an application identifier associated with the flow,the application identifier identifying the application;
  
  determine whether the application identifier matches one of a first plurality of application identifiers stored by the edge device,the first plurality of application identifiers including one or more application identifiers that are not included in a second plurality of application identifiers stored by the security device and are not included in a third plurality of application identifiers stored by another edge device of the plurality of edge devices;
  
  when the application identifier matches the one of the first plurality of application identifiers;
  
  identify a policy associated with the one of the first plurality of application identifiers;
  
  when the application identifier does not match the one of the first plurality of application identifiers;
  
  obtain the policy from the security device; and
  
  apply the policy.
- View Dependent Claims (9, 10, 11, 12, 13)
- - 9. The non-transitory computer-readable medium of claim 8, where the first plurality of application identifiers, stored by the edge device, is a subset of the second plurality of application identifiers stored by the security device.
  - 10. The non-transitory computer-readable medium of claim 8, where the instructions further comprise:
    - one or more instructions which, when executed by the one or more processors, cause the one or more processors to;
      
      store information identifying the flow in a flow table; and
      
      store the application identifier, in association with the information identifying the flow, as a flow record in the flow table.
  - 11. The non-transitory computer-readable medium of claim 8, where the one or more instructions to determine the flow associated with the network traffic include:
    - one or more instructions which, when executed by the one or more processors, cause the one or more processors to;
      
      determine one or more of;
      
      a source address associated with the network traffic,a destination address associated with the network traffic,a source port associated with the network traffic,a destination port associated with the network traffic, ora protocol associated with the network traffic, anddetermine the information identifying the flow based on the one or more of the source address, the destination address, the source port, the destination port, or the protocol.
  - 12. The non-transitory computer-readable medium of claim 10, where the one or more instructions to determine the application identifier include:
    - one or more instructions which, when executed by the one or more processors, cause the one or more processors to;
      
      read the application identifier from the flow table.
  - 13. The non-transitory computer-readable medium of claim 10, where the instructions further comprise:
    - one or more instructions which, when executed by the one or more processors, cause the one or more processors to;
      
      share the flow record with one or more other edge devices of the plurality of edge devices,each particular edge device, of the one or more other edge devices, storing the flow record in a respective flow table stored by the particular edge device.

14. A method, comprising:
- receiving, by an edge device of a plurality of edge devices, network traffic generated by an application executing on a user device,the user device attempting to access a network via the edge device, andthe edge device being positioned at an edge of the network between the user device and a security device that is included in the network;
  
  determining, by the edge device and based on the network traffic, a flow associated with the network traffic;
  
  determining, by the edge device and based on the flow, an application identifier associated with the flow,the application identifier identifying the application;
  
  determining, by the edge device, whether the application identifier matches one of a first plurality of application identifiers stored by the edge device,the first plurality of application identifiers including one or more application identifiers that are not included in a second plurality of application identifiers stored by the security device and are not included in a third plurality of application identifiers stored by another edge device of the plurality of edge devices;
  
  identifying, by the edge device, a policy associated with the one of the first plurality of application identifiers when the application identifier matches the one of the first plurality of application identifiers; and
  
  applying, by the edge device, the policy to the network traffic,the policy being obtained from the security device when the application identifier does not match the one of the first plurality of application identifiers.
- View Dependent Claims (15, 16, 17, 18, 19, 20)
- - 15. The method of claim 14, further comprising:
    - determining a set of application identifiers, of the first plurality of application identifiers, corresponding to applications that attempt to communicate with the network less than a threshold quantity of times; and
      
      sending the set of application identifiers to the security device,the second plurality of application identifiers including the set of application identifiers.
  - 16. The method of claim 14, further comprising:
    - storing information identifying the flow in a flow table; and
      
      storing the application identifier, in association with the information identifying the flow, as a flow record in the flow table.
  - 17. The method of claim 14, where determining the flow associated with the network traffic includes:
    - determining one or more of;
      
      a source address associated with the network traffic,a destination address associated with the network traffic,a source port associated with the network traffic,a destination port associated with the network traffic, ora protocol associated with the network traffic, anddetermining the flow based on the one or more of the source address, the destination address, the source port, the destination port, or the protocol.
  - 18. The method of claim 16, where determining the application identifier includes:
    - reading the application identifier from the flow table.
  - 19. The method of claim 14, where determining the flow includes:
    - analyzing information regarding the network traffic to determine the flow associated with the application.
  - 20. The method of claim 16, further comprising:
    - transmit the flow record to one or more other edge devices of the plurality of edge devices,each particular edge device, of the one or more other edge devices, storing the flow record in a respective flow table stored by the particular edge device.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Juniper Networks Incorporated
Original Assignee
Juniper Networks Incorporated
Inventors
Waterman, Alexander S., Knappe, Michael E., Tomasello, Joe, Narayanaswamy, Krishna
Primary Examiner(s)
Patel, Nirav B
Assistant Examiner(s)
Waliullah, Mohammed

Application Number

US13/631,563
Time in Patent Office

1,229 Days
Field of Search
US Class Current

1/1
CPC Class Codes

H04L 63/0236   Filtering by address, proto...

H04L 63/0281   Proxies

H04L 63/12   Applying verification of th...

H04L 63/20   for managing network securi...

Distributed application awareness

First Claim

1 Assignment

0 Petitions

Accused Products

Abstract

Citations

20 Claims

Specification

Solutions

Use Cases

Quick Links

Distributed application awareness

First Claim

1 Assignment

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

Citations

20 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links