Security policy check based on communication establishment handshake packet
1 Assignment
0 Petitions
Abstract
Systems and methods are disclosed that make security policy decisions based on a packet of a communication establishment handshake. The packet is intercepted and provided to a policy manager. If a security check fails, the communication session is not permitted to be established. In one example, the system includes a network device (e.g., a network address translator) and a policy manager. The network address translator can receive Transmission Control Protocol (TCP) communication session establishment handshake packets and redirect each packet that is part of the TCP handshake to the policy manager rather than to the computing node targeted by the packet. The policy manager prevents the redirected packet from being forwarded to the targeted computing node in the provider network, thereby disallowing the communication session from being established, based on a comparison of at least the information in a header of the packet to a set of security policies.
108 Citations
18 Claims

1. A system, comprising:
a plurality of computing devices configurable to implement a plurality of computing nodes in a provider network, wherein each computing device includes a processor and memory; and
one or more of the computing devices are configured to implement a network address translator (NAT) and a policy manager;
wherein the NAT:
receives packets wherein the packets include handshake packets that are part of a multipart Transmission Control Protocol (TCP) communication session establishment handshake which target at least one of the computing nodes of the provider network; and
redirects at least one packet that is part of the multipart TCP communication session establishment handshake to the policy manager rather than to the computing node targeted by the packet; and
wherein the policy manager stores history data of the packets and prevents the redirected packets from being forwarded to a targeted computing node in the provider network to thereby disallow the multipart TCP communication session from being established based at least in part on a comparison of information in a header of the packet as well as the history data, or a value derived from the packets history data, to a set of security policies.
Dependent claims: 2, 3.

4. A system, comprising:
a plurality of computing devices configurable to implement a plurality of computing nodes in a network, wherein each computing device includes a processor and memory; and
one or more of the computing devices are configured to implement a plurality of policy managers, wherein each policy manager:
receives a communication session establishment handshake packet that is part of a multipart communication session establishment handshake which targets at least one of the computing nodes of the network; and
prevents the communication session from being established based at least in part on a comparison by the policy manager of information in a header of the communication establishment handshake packet to security policies accessible to the policy manager; and
wherein the one or more computing devices are configured to implement a network device that:
receives packets, wherein the packets include handshake packets that are part of the multipart communication session establishment handshake which targets at least one of the computing nodes of the network; and
for each packet that is part of the multipart communication session establishment handshake, computes a hash of at least a portion of the packet to produce a hash value, maps the hash value to a particular policy manager, and redirects the packet to that particular policy manager.
Dependent claims: 5, 6, 7, 8, 9, 10.

11. A method, comprising:
determining whether a communication packet targeting a computing node is a packet of a multi-packet communication session establishment handshake;
computing a hash value of a field in a header of the communication packet that is the packet of the multi-packet communication session establishment handshake;
based on the hash value, forwarding the communication packet that is a packet of the multi-packet communication session establishment handshake to one of a plurality of policy managers, rather than to the computing node;
comparing, by the policy manager that is one of the plurality of policy managers, information in the header of the communication packet to a plurality of security policies;
forwarding, by the policy manager, the communication packet to the targeted computing node based on the information in the header not violating any of the security policies that permit an establishment of a communication session to be completed; and
preventing the communication session from being completed based on the information in the header violating at least one of the security policies that permit the establishment of the communication session to be completed.
Dependent claims: 12, 13, 14, 15, 16, 17, 18.
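As an added illustration of the scheme the claims above describe (this is example code written for this page, not the patent's or any assignee's implementation; every address, port, policy and packet in it is constructed for the demo): a dispatcher in the NAT position identifies TCP handshake packets aimed at provider nodes, hashes a single header field to pick one of several policy managers (claims 4 and 11), and each manager compares header fields plus its own stored history data against a small policy set before the packet is allowed through to the targeted node (claim 1).

```python
"""Toy model of handshake interception with hashed dispatch to policy managers.
Constructed example; packets, addresses and policies are invented for the demo."""
import hashlib
import ipaddress
import struct
from collections import defaultdict

TCP_SYN = 0x02  # flag bits live in byte 13 of the TCP header
TCP_ACK = 0x10

# Constructed policy set (assumption, not taken from the patent text).
POLICIES = {
    "blocked_dst_ports": {23, 3389},                               # no telnet/RDP to nodes
    "allowed_src_nets": [ipaddress.ip_network("203.0.113.0/24")],  # documentation prefix
    "max_syn_per_source": 5,                                       # limit derived from history
}


def build_ipv4_tcp(src_ip, src_port, dst_ip, dst_port, flags=TCP_SYN) -> bytes:
    """Construct a 40-byte IPv4+TCP header (no options, zero checksums) for the demo."""
    ip_hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 40, 0, 0, 64, 6, 0,
                         ipaddress.IPv4Address(src_ip).packed,
                         ipaddress.IPv4Address(dst_ip).packed)
    tcp_hdr = struct.pack("!HHIIBBHHH", src_port, dst_port, 0, 0, 5 << 4, flags, 65535, 0, 0)
    return ip_hdr + tcp_hdr


def parse_ipv4_tcp(packet: bytes) -> dict:
    """Extract the header fields the policy check needs from an IPv4/TCP packet."""
    ihl = (packet[0] & 0x0F) * 4
    tcp = packet[ihl:ihl + 20]
    src_port, dst_port = struct.unpack("!HH", tcp[:4])
    return {"src_ip": ipaddress.IPv4Address(packet[12:16]),
            "dst_ip": ipaddress.IPv4Address(packet[16:20]),
            "src_port": src_port, "dst_port": dst_port, "flags": tcp[13]}


def is_handshake_packet(hdr: dict) -> bool:
    """SYN and SYN/ACK segments are unambiguously part of session establishment. The
    final ACK of the three-way handshake carries no distinguishing flag, so a real
    device needs connection state to classify it; this model keys on SYN only."""
    return bool(hdr["flags"] & TCP_SYN)


def select_policy_manager(hdr: dict, manager_count: int) -> int:
    """Map one header field (the source address) to a policy manager index. Hashing a
    field shared by every handshake from a source keeps that source's history on a
    single manager; hashing the full four-tuple would scatter it across managers."""
    digest = hashlib.sha256(hdr["src_ip"].packed).digest()
    return int.from_bytes(digest[:8], "big") % manager_count


class PolicyManager:
    """Holds the policy set and per-source history data (SYN segments seen)."""

    def __init__(self, policies: dict):
        self.policies = policies
        self.syn_history = defaultdict(int)

    def check(self, hdr: dict) -> tuple:
        """Compare header fields and a history-derived value against the policies."""
        if hdr["flags"] & TCP_SYN and not hdr["flags"] & TCP_ACK:
            self.syn_history[hdr["src_ip"]] += 1  # history is recorded even for denied packets
        if hdr["dst_port"] in self.policies["blocked_dst_ports"]:
            return False, f"destination port {hdr['dst_port']} is blocked"
        if not any(hdr["src_ip"] in net for net in self.policies["allowed_src_nets"]):
            return False, f"source {hdr['src_ip']} is outside the allowed networks"
        if self.syn_history[hdr["src_ip"]] > self.policies["max_syn_per_source"]:
            return False, f"source {hdr['src_ip']} exceeded the SYN limit"
        return True, "allowed"


class HandshakeDispatcher:
    """Plays the NAT role: handshake packets aimed at provider nodes go to a policy
    manager instead of the node; everything else is forwarded or passed through."""

    def __init__(self, managers: list, provider_nodes: set):
        self.managers = managers
        self.provider_nodes = provider_nodes

    def handle(self, packet: bytes) -> tuple:
        hdr = parse_ipv4_tcp(packet)
        if hdr["dst_ip"] not in self.provider_nodes:
            return "passthrough", "not targeting a provider node"
        if not is_handshake_packet(hdr):
            return "forward", "not a handshake packet; sent to the node unchanged"
        idx = select_policy_manager(hdr, len(self.managers))
        allowed, reason = self.managers[idx].check(hdr)
        return ("forward" if allowed else "drop"), f"policy manager {idx}: {reason}"


def run_demo() -> list:
    """Feed constructed packets through the dispatcher; return (action, reason) pairs."""
    managers = [PolicyManager(POLICIES) for _ in range(3)]
    nodes = {ipaddress.IPv4Address("10.0.0.5"), ipaddress.IPv4Address("10.0.0.6")}
    nat = HandshakeDispatcher(managers, nodes)
    packets = [build_ipv4_tcp("203.0.113.7", 40001, "10.0.0.5", 443),   # allowed SYN
               build_ipv4_tcp("203.0.113.7", 40002, "10.0.0.5", 23),    # blocked port
               build_ipv4_tcp("198.51.100.9", 40003, "10.0.0.6", 443)]  # disallowed source
    # ten more SYNs from the same source: only the first three stay within the limit of five
    packets += [build_ipv4_tcp("203.0.113.7", p, "10.0.0.5", 443) for p in range(41000, 41010)]
    packets += [build_ipv4_tcp("203.0.113.7", 40004, "10.0.0.5", 443, flags=TCP_ACK),  # not SYN
                build_ipv4_tcp("203.0.113.7", 40005, "192.0.2.1", 443)]                # not a node
    return [nat.handle(p) for p in packets]


if __name__ == "__main__":
    for action, reason in run_demo():
        print(f"{action:11} {reason}")
```

The choice of hash input is the design point worth taking from claim 11: hashing one field that every handshake packet from a client shares (here the source address) is what lets a single policy manager keep meaningful per-source history, so the SYN-count policy in the demo is enforced on one manager's state rather than diluted across several. The model also shows the limit of a stateless classifier: SYN segments are easy to spot, but the closing ACK of the handshake needs connection tracking before a device can treat it as part of session establishment.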
Specification