Transparent provisioning of network access to an application
First Claim
1. A method of transparently interfacing to a network, the network carrying a plurality of packets, a first subset of the plurality of packets being transmitted, via the network, by a first source to a first intended destination intended by the first source, a second subset of the plurality of packets being transmitted, via the network, by a second source to a second intended destination intended by the second source, each packet of the first subset of packets comprising routing data operative to cause the forwarding of the first packet via the network towards the first intended destination, each packet of the second subset of packets comprising routing data operative to cause the forwarding of the second packet via the network towards the second intended destination, the method comprising:
interfacing with the network so as to be able to intercept any packet of the plurality of packets, wherein interfacing with the network comprises interfacing between the network and a first application network interface of a first application, the first application being provided by a first application service provider and operative to provide a first service via the network, the first application including the first application network interface capable of connecting the first application to the network, the first intended destination and the second intended destination being separate from the first application;
intercepting each of at least a portion of the plurality of packets prior to a forwarding thereof toward the first intended destination or the second intended destination;
analyzing, with a processor, an intercepted packet of the intercepted portion of packets and deleting the intercepted packet based on the analysis of the intercepted packet, wherein the analyzing of the intercepted packet comprises determining that the intercepted packet is one of a plurality of packets directed to the first intended destination or the second intended destination, and determining whether a capacity of the first intended destination or the second intended destination is exceeded by a quantity of packets of the plurality of packets directed to the first intended destination or the second intended destination;
evaluating each of the intercepted packets based on a first specification of a first subset of the plurality of packets with respect to which the first application is to perform the first service; and
forwarding the intercepted packet to the network if the intercepted packet is not one of the specified first subset or deleting the intercepted packet if the intercepted packet is not one of the specified first subset with respect to which the first application is to perform the first service.
9 Assignments
0 Petitions
Abstract
An apparatus and method for enhancing the infrastructure of a network such as the Internet are disclosed. A packet interceptor/processor apparatus is coupled with the network so as to be able to intercept and process packets flowing over the network. Further, the apparatus provides external connectivity to other devices that wish to intercept packets as well. The apparatus applies one or more rules to the intercepted packets; each rule executes one or more functions on a dynamically specified portion of the packet and takes one or more actions with the packet. The apparatus is capable of analyzing any portion of the packet, including the header and payload. Actions include releasing the packet unmodified, deleting the packet, modifying the packet, logging/storing information about the packet, or forwarding the packet to an external device for subsequent processing. Further, the rules may be dynamically modified by the external devices.
143 Citations
45 Claims
12. A system for transparently interfacing to a network, the network carrying a plurality of packets, a first subset of the plurality of packets being transmitted, via the network, by a first source to a first intended destination intended by the first source, a second subset of the plurality of packets being transmitted, via the network, by a second source to a second intended destination intended by the second source, each packet of the first subset of packets comprising routing data operative to cause the forwarding of the first packet via the network towards the first intended destination, each packet of the second subset of packets comprising routing data operative to cause the forwarding of the second packet via the network towards the second intended destination, the system comprising:
a system network interface operative to interface with the network, wherein the system network interface is further operative to interface between the network and a first application network interface of a first application, the first application being provided by a first application service provider and operative to provide a first service via the network, the first application including the first application network interface operable to connect the first application to the network, the at least one intended destination being separate from the first application;
a packet interceptor coupled with the system network interface and operative to intercept each of at least a portion of the plurality of packets prior to a forwarding thereof toward the first intended destination or the second intended destination;
a processor coupled with the packet interceptor and operative to detect a security attack based on an intercepted packet of the intercepted portion of packets, and absorb the detected security attack, the detection comprising a determination that the intercepted packet is one of a plurality of packets directed to the first intended destination or the second intended destination, and a determination whether a capacity of the first intended destination or the second intended destination is exceeded by a quantity of packets of the plurality of packets directed to the first intended destination or the second intended destination;
a packet evaluator coupled with the packet interceptor and operative to evaluate each of the intercepted packets based on a first specification of a first subset of the plurality of packets with respect to which the first application is to perform the first service; and
a packet forwarder coupled with the packet evaluator and operative to forward the intercepted packet to the network if the intercepted packet is not one of the specified first subset, a packet remover coupled with the packet evaluator and operative to delete the intercepted packet if the intercepted packet is not one of the specified first subset, or a combination thereof.
(Dependent claims 13 to 22 omitted.)
23. A method of transparently interfacing to a network, the network carrying a plurality of packets, a first subset of the plurality of packets being transmitted, via the network, by a first source to a first intended destination intended by the first source, a second subset of the plurality of packets being transmitted, via the network, by a second source to a second intended destination intended by the second source, each packet of the first subset of packets comprising routing data operative to cause the forwarding of the first packet via the network towards the first intended destination, each packet of the second subset of packets comprising routing data operative to cause the forwarding of the second packet via the network towards the second intended destination, the method comprising:
interfacing with the network so as to be able to intercept any packet of the plurality of packets, wherein interfacing with the network comprises interfacing between the network and a first application network interface of a first application, the first application being provided by a first application service provider and operative to provide a first service via the network, the first application including the first application network interface capable of connecting the first application to the network, the at least one intended destination being separate from the first application;
intercepting each of at least a portion of the plurality of packets prior to a forwarding thereof toward the first intended destination or the second intended destination;
analyzing, by a processor, an intercepted packet of the intercepted portion of packets and absorbing the intercepted packet based on the analysis of the intercepted packet, the analyzing of the intercepted packet comprising determining that the intercepted packet is one of a plurality of packets directed to the first intended destination or the second intended destination, and determining whether a capacity of the first intended destination or the second intended destination is exceeded by a quantity of packets of the plurality of packets directed to the first intended destination or the second intended destination;
evaluating each of the intercepted packets based on a first specification of a first subset of the plurality of packets with respect to which the first application is to perform the first service; and
forwarding the intercepted packet to the network or deleting the intercepted packet if the intercepted packet is not one of the specified first subset.
(Dependent claims 24 to 33 omitted.)
34. A system for transparently interfacing to a network, the network carrying a plurality of packets, a first subset of the plurality of packets being transmitted, via the network, by a first source to a first intended destination intended by the first source, a second subset of the plurality of packets being transmitted, via the network, by a second source to a second intended destination intended by the second source, each packet of the first subset of packets comprising routing data operative to cause the forwarding of the first packet via the network towards the first intended destination, each packet of the second subset of packets comprising routing data operative to cause the forwarding of the second packet via the network towards the second intended destination, the system comprising:
a system network interface operative to interface with the network, wherein the system network interface is further operative to interface between the network and a first application network interface of a first application, the first application being provided by a first application service provider and operative to provide a first service via the network, the first application including the first application network interface operable to connect the first application to the network, the at least one intended destination being separate from the first application;
a packet interceptor coupled with the system network interface and operative to intercept each of at least a portion of the plurality of packets prior to a forwarding thereof toward the first intended destination or the second intended destination;
a processor coupled with the packet interceptor and operative to detect a security attack based on an intercepted packet of the intercepted portion of packets, and absorb the detected security attack, wherein the detection comprises a determination that the intercepted packet is one of a plurality of packets directed to the first intended destination or the second intended destination, and a determination whether a capacity of the first intended destination or the second intended destination or a capacity of an intermediary separate from the processor, located between the processor and the first intended destination and the second intended destination and operative to cause forwarding of the intercepted packet towards the first intended destination or the second intended destination based on a specification of the first intended destination or the second intended destination specified therein, is exceeded by a quantity of packets of the plurality of packets directed to the first intended destination or the second intended destination, the intercepted packet being deleted when the capacity of the first intended destination or the capacity of the intermediary is exceeded and the intercepted packet is directed to the first intended destination, and the intercepted packet not being deleted when the capacity of the first intended destination is exceeded and the capacity of the intermediary and the capacity of the second intended destination are not exceeded;
a packet evaluator coupled with the packet interceptor and operative to evaluate each of the intercepted packets based on a first specification of a first subset of the plurality of packets with respect to which the first application is to perform the first service; and
a packet forwarder coupled with the packet evaluator and operative to forward the intercepted packet to the network if the intercepted packet is not one of the specified first subset, a packet remover coupled with the packet evaluator and operative to delete the intercepted packet if the intercepted packet is not one of the specified first subset, or a combination thereof.
(Dependent claims 35 to 45 omitted.)
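The interceptor described in the abstract and in claims 1 and 12, reduced to a runnable model (an added example, not code from the patent): packets are counted per intended destination and deleted once that destination's capacity is exceeded, then rules select a dynamically specified portion of the packet, run a test on it, and release, delete, log or forward the packet. The packet model, rule set, capacity budget and traffic are constructed for the example, and the capacity is assumed to be a fixed per-destination packet count rather than a timed window.

```python
from collections import Counter
from dataclasses import dataclass
from typing import Callable

@dataclass
class Packet:            # constructed packet model: header fields plus raw payload
    src: str
    dst: str
    proto: str
    payload: bytes

@dataclass
class Rule:
    select: Callable[[Packet], object]   # the dynamically specified portion to examine
    test: Callable[[object], bool]       # function executed on that portion
    action: str                          # "release", "delete", "log" or "forward" here

class Interceptor:       # sits between the network and the application's interface
    def __init__(self, capacity: dict, rules: list):
        self.capacity = capacity          # per-destination packet budget (assumed fixed)
        self.rules = rules                # may be replaced at runtime by an external device
        self.seen = Counter()             # packets counted so far per intended destination
        self.log, self.external = [], []  # stored packet information / packets handed off

    def process(self, pkt: Packet) -> str:
        # Capacity analysis (claim 1): delete once the destination's budget is exceeded.
        self.seen[pkt.dst] += 1
        if self.seen[pkt.dst] > self.capacity.get(pkt.dst, float("inf")):
            return "delete"
        for rule in self.rules:          # rule evaluation on the selected packet portion
            if not rule.test(rule.select(pkt)):
                continue
            if rule.action == "log":     # logging stores information; packet continues
                self.log.append((pkt.src, pkt.dst, rule.select(pkt)))
                continue
            if rule.action == "forward": # hand off to an external device for processing
                self.external.append(pkt)
            return rule.action
        return "release"                 # no rule matched: released unmodified

def demo() -> dict:
    rules = [Rule(lambda p: p.payload[:4], lambda v: v == b"GET ", "log"),
             Rule(lambda p: p.proto, lambda v: v == "icmp", "forward"),
             Rule(lambda p: len(p.payload), lambda n: n > 1200, "delete")]
    box = Interceptor(capacity={"app-a": 3}, rules=rules)
    traffic = [Packet("c1", "app-a", "tcp", b"GET / HTTP/1.1"),
               Packet("c2", "app-a", "icmp", b""),
               Packet("c3", "app-a", "tcp", b"A" * 1500),
               Packet("c4", "app-a", "tcp", b"GET /x HTTP/1.1"),  # 4th to app-a: over budget
               Packet("c5", "app-b", "tcp", b"hello")]
    return {"actions": [box.process(p) for p in traffic],
            "logged": len(box.log), "handed_off": len(box.external)}
```

Running `demo()` yields the actions release, forward, delete, delete, release for the five constructed packets: the oversized payload is dropped by a rule, while the fourth packet to app-a is dropped by the capacity check before any rule runs.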
Specification