Applying security policy to an application session

US 9,270,705 B1
Filed: 07/03/2014
Issued: 02/23/2016
Est. Priority Date: 10/17/2006
Status: Active Grant

First Claim

Patent Images

1. A method for applying a security policy to an application session, comprising:

recognizing the application session between a network and an application via a security gateway;

retrieving, by the security gateway, an application session record for the application session, the application session record comprising a first user identity used for accessing the application through a first host, a first host identity for the first host, and an application session time;

recognizing, by the security gateway, an access session between a second host and the network;

retrieving, by the security gateway, an access session record for the access session, the access session record comprising a second user identity used for accessing the network through the second host, a second host identity for the second host, and an access session time;

querying, by the security gateway, an identity server by sending the first host identity and the application session time in the application session record, the identity server comprising the access session record for the access session between the second host and the network;

comparing, by the identity server, the first host identity in the application session record with the second host identity in the access session record, and comparing the access session time with the application session time;

returning, by the identity server, the second user identity in the access session record if the first host identity in the application session record matches the second host identity in the access session record, and if the access session time matches the application session time;

storing, at the identity server, the second user identity as a network user identity used for accessing the network in the application session record;

determining, by the security gateway, at least one security policy applicable to the application session based on a group identity; and

applying the at least one security policy to the application session by the security gateway if the network user identity is a member of the group identity.

View all claims

1 Assignment

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

Applying a security policy to an application session, includes: recognizing the application session between a network and an application via a security gateway; determining by the security gateway a user identity of the application session using information about the application session; obtaining by the security gateway the security policy comprising network parameters mapped to the user identity; and applying the security policy to the application session by the security gateway. The user identity may be a network user identity or an application user identity recognized from packets of the application session. The security policy may comprise a network traffic policy mapped and/or a document access policy mapped to the user identity, where the network traffic policy is applied to the application session. The security gateway may further generate a security report concerning the application of the security policy to the application session.

303 Citations

27 Claims

1. A method for applying a security policy to an application session, comprising:
- recognizing the application session between a network and an application via a security gateway;
  
  retrieving, by the security gateway, an application session record for the application session, the application session record comprising a first user identity used for accessing the application through a first host, a first host identity for the first host, and an application session time;
  
  recognizing, by the security gateway, an access session between a second host and the network;
  
  retrieving, by the security gateway, an access session record for the access session, the access session record comprising a second user identity used for accessing the network through the second host, a second host identity for the second host, and an access session time;
  
  querying, by the security gateway, an identity server by sending the first host identity and the application session time in the application session record, the identity server comprising the access session record for the access session between the second host and the network;
  
  comparing, by the identity server, the first host identity in the application session record with the second host identity in the access session record, and comparing the access session time with the application session time;
  
  returning, by the identity server, the second user identity in the access session record if the first host identity in the application session record matches the second host identity in the access session record, and if the access session time matches the application session time;
  
  storing, at the identity server, the second user identity as a network user identity used for accessing the network in the application session record;
  
  determining, by the security gateway, at least one security policy applicable to the application session based on a group identity; and
  
  applying the at least one security policy to the application session by the security gateway if the network user identity is a member of the group identity.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9)
- - 2. The method of claim 1, wherein the determining, by the security gateway, at least one security policy applicable to the application session further comprises determining that the at least one security policy is applicable for the time period.
  - 3. The method of claim 1, wherein the at least one security policy comprises a network traffic policy.
  - 4. The method of claim 3, wherein the network traffic policy comprises a bandwidth rate capacity for the network.
  - 5. The method of claim 3, wherein the network traffic policy comprises a quality of service mapped to the network user identity for the application session.
  - 6. The method of claim 3, wherein the network traffic policy comprises one or more of:
    - a queuing delay, a queuing priority, a packet forwarding path, a link interface preference, a server load balancing preference, and a packet routing policy.
  - 7. The method of claim 3, wherein the network traffic policy comprises a traffic shaping control.
  - 8. The method of claim 7, wherein the traffic shaping control comprises a TCP profile.
  - 9. The method of claim 3, wherein the network traffic policy comprises an application session modification control based on the network user identity.

10. A computer program product for applying a security policy to an application session, the computer program product comprising:
- a non-transitory computer readable storage medium having computer readable program code embodied thereon, the computer readable program code configured to;
  
  recognize the application session between a network and an application via a security gateway;
  
  retrieve, by the security gateway, an application session record for the application session, the application session record comprising a first user identity used for accessing the application through a first host, a first host identity for the first host, and an application session time;
  
  recognize, by the security gateway, an access session between a second host and the network;
  
  retrieve, by the security gateway, an access session record for the access session, the access session record comprising a second user identity used for accessing the network through the second host, a second host identity for the second host, and an access session time;
  
  query, by the security gateway, an identity server, by sending the first host identity and the application session time in the application session record, the identity server comprising the access session record for the access session between the second host and the network;
  
  compare, by the identity server, the first host identity in the application session record with the second host identity in the access session record, and compare the access session time with the application session time;
  
  return, by the identity server, the second user identity in the access session record if the first host identity in the application session record matches the second host identity in the access session record, and if the access session time matches the application session time;
  
  store, at the identity server, the second user identity as a network user identity used for accessing the network in the application session record;
  
  determine, by the security gateway, at least one security policy applicable to the application session based on a group identity; and
  
  apply the at least one security policy to the application session by the security gateway, if the network user identity is a member of the group identity.
- View Dependent Claims (11, 12, 13, 14, 15, 16, 17, 18)
- - 11. The computer program product of claim 10, wherein the computer readable program code configured to determine, by the security gateway, at least one security policy applicable to the application session is further configured to determine that the at least one security policy is applicable for the time period.
  - 12. The computer program product of claim 10, wherein the at least one security policy comprises a network traffic policy.
  - 13. The computer program product of claim 12, wherein the network traffic policy comprises a bandwidth rate capacity for the network.
  - 14. The computer program product of claim 12, wherein the network traffic policy comprises a quality of service mapped to the network user identity for the application session.
  - 15. The computer program product of claim 12, wherein the network traffic policy comprises one or more of:
    - a queuing delay, a queuing priority, a packet forwarding path, a link interface preference, a server load balancing preference, and a packet routing policy.
  - 16. The computer program product of claim 12, wherein the network traffic policy comprises a traffic shaping control.
  - 17. The computer program product of claim 16, wherein the traffic shaping control comprises a TCP profile.
  - 18. The computer program product of claim 12, wherein the network traffic policy comprises an application session modification control based on the network user identity.

19. A system, comprising:
- a corporate directory comprising at least one security policy; and
  
  a security gateway, wherein the security gateway;
  
  recognizes an application session between a network and an application;
  
  retrieves an application session record for the application session, the application session record comprising a first user identity used for accessing the application through a first host, a first host identity for the first host, and an application session time;
  
  recognizes an access session between a second host and the network;
  
  retrieves an access session record for the access session, the access session record comprising a second user identity used for accessing the network through the second host, a second host identity for the second host, and an access session time;
  
  queries an identity server by sending the first host identity and the application session time in the application session record, the identity server comprising the access session record for the access session between the second host and the network, wherein the identity server;
  
  compares the first host identity in the application session record with the second host identity in the access session record, and compares the access session time with the application session time;
  
  returns the second user identity in the access session record if the first host identity in the application session record matches the second host identity in the access session record, and if the access session time matches the application session time; and
  
  stores the second user identity as a network user identity used for accessing the network in the application session record;
  
  determines at least one security policy applicable to the application session based on a group identity; and
  
  applies the at least one security policy to the application session if the network user identity is a member of the group identity.
- View Dependent Claims (20, 21, 22, 23, 24, 25, 26, 27)
- - 20. The system of claim 19, wherein the determines at least one security policy applicable to the application session further comprises determines that the at least one security policy is applicable for the time period.
  - 21. The system of claim 19, wherein the at least one security policy comprises a network traffic policy.
  - 22. The system of claim 21, wherein the network traffic policy comprises a bandwidth rate capacity for the network.
  - 23. The system of claim 21, wherein the network traffic policy comprises a quality of service mapped to the network user identity for the application session.
  - 24. The system of claim 21, wherein the network traffic policy comprises one or more of:
    - a queuing delay, a queuing priority, a packet forwarding path, a link interface preference, a server load balancing preference, and a packet routing policy.
  - 25. The system of claim 21, wherein the network traffic policy comprises a traffic shaping control.
  - 26. The system of claim 25, wherein the traffic shaping control comprises a TCP profile.
  - 27. The system of claim 21, wherein the network traffic policy comprises an application session modification control based on the network user identity.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
A10 Networks Incorporated
Original Assignee
A10 Networks Incorporated
Inventors
Chen, Lee, Oshiba, Dennis, Chiong, John
Primary Examiner(s)
Colin, Carl
Assistant Examiner(s)
LAVELLE, GARY E

Application Number

US14/323,884
Publication Number

US 20160050233A1
Time in Patent Office

600 Days
Field of Search
US Class Current

1/1
CPC Class Codes

G06F 21/00   Security arrangements for p...

G06F 21/44   Program or device authentic...

H04L 12/66   Arrangements for connecting...

H04L 51/04   Real-time or near real-time...

H04L 63/02   for separating internal fro...

H04L 63/0227   Filtering policies mail mes...

H04L 63/0236   Filtering by address, proto...

H04L 63/0245   Filtering by information in...

H04L 63/0254   Stateful filtering

H04L 63/0263   Rule management

H04L 63/029   Firewall traversal, e.g. tu...

H04L 63/0407   wherein the identity of one...

H04L 63/08   for authentication of entit...

H04L 63/10   for controlling access to d...

H04L 63/102   Entity profiles

H04L 63/105   Multiple levels of security

H04L 63/164   at the network layer

H04L 63/168   above the transport layer

H04L 63/20   for managing network securi...

H04L 63/30   for supporting lawful inter...

H04L 65/1026 : at the edge

H04L 67/01 : Protocols

H04L 67/10 : in which an application is ...

H04L 67/1004 : Server selection for load b...

H04L 67/104 : Peer-to-peer [P2P] networks

H04L 67/141 : Setup of application sessio...

H04L 67/306 : User profiles

H04L 67/535 : Tracking the activity of th...

H04L 69/28 : Timers or timing mechanisms...

H04L 69/329 : in the application layer [O...

H04M 1/7243 : with interactive means for ...

H04W 12/084 : using delegated authorisati...

H04W 12/37 : Managing security policies ...

H04W 12/61 : Time-dependent

View All

Applying security policy to an application session

First Claim

1 Assignment

0 Petitions

Accused Products

Abstract

303 Citations

27 Claims

Specification

Solutions

Use Cases

Quick Links

Applying security policy to an application session

First Claim

1 Assignment

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

303 Citations

27 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links