Security policy check based on communication establishment handshake packet

US 9,825,911 B1
Filed: 11/18/2015
Issued: 11/21/2017
Est. Priority Date: 11/18/2015
Status: Active Grant

First Claim

Patent Images

1. A system, comprising:

a plurality of computing devices configurable to implement a plurality of computing nodes in a provider network, wherein each computing device includes a processor and memory; and

one or more of the computing devices are configured to implement a network address translator (NAT) and a policy manager;

wherein the NAT;

receives packets wherein the packets include handshake packets that are part of a multipart Transmission Control Protocol (TCP) communication session establishment handshake which target at least one of the computing nodes of the provider network; and

redirects at least one packet that is part of the multipart TCP communication session establishment handshake to the policy manager rather than to the computing node targeted by the packet; and

wherein the policy manager stores history data of the packets and prevents the redirected packets from being forwarded to a targeted computing node in the provider network to thereby disallow the multipart TCP communication session from being established based at least in part on a comparison of information in a header of the packet as well as the history data, or a value derived from the packets history data, to a set of security policies.

View all claims

1 Assignment

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

Systems and methods are disclosed that make security policy decisions based on a packet of a communication establishment handshake. The packet is intercepted and provided to a policy manger. If a security check fails, the communication session is not permitted to be established. In one example, the system includes network device (e.g., a network address translator) and a policy manager. The network address translator can receive Transmission Control Protocol (TCP) communication session establishment handshake packets and redirect each packet that is part of the TCP handshake to the policy manager rather than to the computing node targeted by the packet. The policy manager prevents the redirected packet from being forwarded to a targeted computing node in the provider network to thereby disallow the communication session from being established based on a comparison of at least information in a header of the packet to a set of security policies.

108 Citations

View as Search Results

18 Claims

1. A system, comprising:
- a plurality of computing devices configurable to implement a plurality of computing nodes in a provider network, wherein each computing device includes a processor and memory; and
  
  one or more of the computing devices are configured to implement a network address translator (NAT) and a policy manager;
  
  wherein the NAT;
  
  receives packets wherein the packets include handshake packets that are part of a multipart Transmission Control Protocol (TCP) communication session establishment handshake which target at least one of the computing nodes of the provider network; and
  
  redirects at least one packet that is part of the multipart TCP communication session establishment handshake to the policy manager rather than to the computing node targeted by the packet; and
  
  wherein the policy manager stores history data of the packets and prevents the redirected packets from being forwarded to a targeted computing node in the provider network to thereby disallow the multipart TCP communication session from being established based at least in part on a comparison of information in a header of the packet as well as the history data, or a value derived from the packets history data, to a set of security policies.
- View Dependent Claims (2, 3)
- - 2. The system of claim 1 wherein the one or more of the computing devices are configured to implement a plurality of communication managers which are configured to implement a plurality of virtual networks for providing the packets to be transmitted to or from each of the computing nodes.
  - 3. The system of claim 1:
    - wherein the one or more of the computing devices are configured to implement a plurality of policy managers; and
      
      wherein the NAT is configured to compute a hash of at least a portion of a packet that is part of the multipart communication session establishment handshake to produce a hash value, to map the hash value to a particular policy manager, and to redirect the packet to that particular policy manager.

4. A system, comprising:
- a plurality of computing devices configurable to implement a plurality of computing nodes in a network, wherein each computing device includes a processor and memory; and
  
  one or more of the computing devices are configured to implement a plurality of policy managers, wherein each policy manager;
  
  receives a communication session establishment handshake packet that is part of a multipart communication session establishment handshake which targets at least one of the computing nodes of the network; and
  
  prevents the communication session from being established based at least in part on a comparison by the policy manager of information in a header of the communication establishment handshake packet to security policies accessible to the policy manager; and
  
  wherein the one or more computing devices are configured to implement a network device that;
  
  receives packets, wherein the packets include handshake packets that are part of the multipart communication session establishment handshake which targets at least one of the computing nodes of the network; and
  
  for each packet that is part of the multipart communication session establishment handshake, computes a hash of at least a portion of the packet to produce a hash value, maps the hash value to a particular policy manager, and redirects the packet to that particular policy manager.
- View Dependent Claims (5, 6, 7, 8, 9, 10)
- - 5. The system of claim 4, wherein the security policies include a plurality of security policies at least one of which includes a plurality of internet protocol (IP) addresses and causes the particular policy manager to prevent a communication session from being established with respect to computing systems external to the network and/or computing nodes within the network that are addressed with any of the IP addresses in the security policy.
  - 6. The system of claim 5, wherein the packets redirected by the network device include Transmission Control Protocol (TCP) handshake packets to establish a TCP communication session.
  - 7. The system of claim 5 wherein the network device implements at least one of network address translation, packet rate limiting, packet metering, firewalling, and packet filtering.
  - 8. The system of claim 4 wherein the network device is configured to detect packets that are not part of the multipart communication session establishment handshake and forward such packets to the computing nodes targeted by the packets.
  - 9. The system of claim 4:
    - wherein each policy manager stores history data of the packets and is configured to compare the information in the header as well as the history data, or a value derived from the history data, to the set of security policies and to prevent the redirected packet from being forwarded to the targeted computing node based on the comparison.
  - 10. The system of claim 4, wherein the security policies include a security policy that includes a source IP address and a destination port number which causes the particular policy manager to prevent a communication session from being established that includes the source IP address and destination port number.

11. A method, comprising:
- determining whether a communication packet targeting a computing node is a packet of a multi-packet communication session establishment handshake;
  
  computing a hash value of a field in a header of the communication packet that is the packet of the multi-packet communication session establishment handshake;
  
  based on the hash value, forwarding the communication packet that is a packet of the multi-packet communication session establishment handshake to one of a plurality of policy managers, rather than to the computing node;
  
  comparing, by the policy manager that is one of the plurality of policy managers, information in the header of the communication packet to a plurality of security policies;
  
  forwarding, by the policy manager, the communication packet to the targeted computing node based on the information in the header not violating any of the security policies that permit an establishment of a communication session to be completed; and
  
  preventing the communication session from being completed based on the information in the header violating at least one of the security policies that permit the establishment of the communication session to be completed.
- View Dependent Claims (12, 13, 14, 15, 16, 17, 18)
- - 12. The method of claim 11, wherein determining whether the communication packet is a packet of a multi-packet communication session establishment handshake includes determining whether the communication packet is a TCP SYN or TCP SYN-ACK packet.
  - 13. The method of claim 11, further comprising:
    - implementing a virtual network over a physical network; and
      
      wherein forwarding each packet that is a packet of a multi-packet communication session establishment handshake to a policy manager includes forwarding the packet over the virtual network to the policy manager.
  - 14. The method of claim 13 further comprising providing access to the physical network on behalf of customers of a provider network.
  - 15. The method of claim 11, further comprising forwarding each packet that is not a packet of a multi-packet communication session establishment handshake to the computing node, rather than to the policy manager.
  - 16. The method of claim 11, wherein comparing, by the policy manager receiving the communication packet, information in the header of the packet to the plurality of security policies includes comparing the information to a security policy that includes a plurality of internet protocol (IP) addresses, and wherein preventing the communication session from being established includes preventing the communication session from being established based on the source IP address in the packet matching one of the plurality of IP addresses in the security policy.
  - 17. The method of claim 11 further comprising:
    - storing history data of packets received by the policy manager;
      
      generating a metric indicative of the history data; and
      
      wherein comparing the information in the header of the packet to the security policies includes comparing the information in the header as well as the metric to the security policies.
  - 18. The method of claim 17 wherein the metric includes a packet rate.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Amazon Technologies, Inc. (Amazon.com, Inc.)
Original Assignee
Amazon Technologies, Inc. (Amazon.com, Inc.)
Inventors
Brandwine, Eric Jason
Primary Examiner(s)
Shayanfar, Ali

Application Number

US14/944,943
Time in Patent Office

734 Days
Field of Search
US Class Current
CPC Class Codes

H04L 61/2503   Translation of Internet pro...

H04L 61/2514   between local and global IP...

H04L 63/0236   Filtering by address, proto...

H04L 63/10   for controlling access to d...

H04L 63/164   at the network layer

H04L 63/20   for managing network securi...

H04L 65/1069   Session establishment or de...

H04L 67/141   Setup of application sessio...

Security policy check based on communication establishment handshake packet

First Claim

1 Assignment

0 Petitions

Accused Products

Abstract

108 Citations

18 Claims

Specification

Solutions

Use Cases

Quick Links

Security policy check based on communication establishment handshake packet

First Claim

1 Assignment

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

108 Citations

18 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links