Securing internal services in a distributed environment

US 9,912,783 B2
Filed: 01/29/2016
Issued: 03/06/2018
Est. Priority Date: 01/29/2016
Status: Active Grant

First Claim

Patent Images

1. A method comprising:

intercepting a service call initiated by a client process of a client, whereinthe client is deployed in a source appliance,the service call is a request for provision of an internal service by a server deployed in a target appliance,the service call comprises an identifier, andthe identifier identifies the internal service;

determining whether one or more rules of a plurality of rules are specified for the identifier; and

in response to a determination that the one or more rules are specified for the identifier,generating a service packet by multiplexing client information and information specified in the service call, andforwarding the service packet to the target appliance.

View all claims

6 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

Disclosed herein are methods, systems, and processes to secure internal services in a distributed environment. A service call initiated by a client process of a client is intercepted. In this example, the service call is a request for an internal service provided by a server deployed in a target appliance. The client is deployed in a source appliance. The service call includes an identifier, and the identifier identifies the internal service. If one or more rules are specified for the identifier, a service packet is generated by multiplexing client information associated with the client process as well as information in the service call. The service packet is forwarded to the target appliance.

11 Citations

View as Search Results

20 Claims

1. A method comprising:
- intercepting a service call initiated by a client process of a client, whereinthe client is deployed in a source appliance,the service call is a request for provision of an internal service by a server deployed in a target appliance,the service call comprises an identifier, andthe identifier identifies the internal service;
  
  determining whether one or more rules of a plurality of rules are specified for the identifier; and
  
  in response to a determination that the one or more rules are specified for the identifier,generating a service packet by multiplexing client information and information specified in the service call, andforwarding the service packet to the target appliance.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10)
- - 2. The method of claim 1, further comprising:
    - accessing source kernel memory of the source appliance; and
      
      retrieving the client information from source kernel memory, whereinthe client information comprises one or more client process properties of a plurality of client process properties associated with the client process.
  - 3. The method of claim 2, further comprising:
    - intercepting the service packet forwarded to the target appliance;
      
      demultiplexing the service packet to retrieve the client information;
      
      processing one or more attributes of at least one rule using the client information; and
      
      forwarding the service call to the server, if the processing indicates that the forwarding the service call is allowable.
  - 4. The method of claim 3, whereinthe plurality of client process properties comprise a user context, a user group context, a client program name, a parent process name, or a terminal type.
  - 5. The method of claim 4, whereineach rule of the one or more rules comprises one or more attributes, andeach attribute of the one or more attributes corresponds to a client process property of the plurality of client process properties.
  - 6. The method of claim 4, further comprising:
    - forwarding the service call to the server if no rule is specified for the identifier.
  - 7. The method of claim 4, whereinthe processing comprisesdetermining whether each attribute of at least one rule matches a corresponding client process property.
  - 8. The method of claim 7, whereinthe one or more rules are part of a rule set,the rule set is part ofa source service call filter module, anda target service call filter module,the source kernel comprises a multiplexing module that performs the multiplexing, andthe target kernel comprises a demultiplexing module that performs the demultiplexing.
  - 9. The method of claim 8, further comprising:
    - accessing the rule set to determine whether the internal service identified by the identifier is unprotected or protected.
  - 10. The method of claim 9, whereinthe internal service is protected if the rule set comprises at least one rule of the plurality of rules for the identifier specified in the service call, andthe internal service is unprotected if the rule set does not comprise at least one rule of the plurality of rules for the identifier specified in the service call.

11. A non-transitory computer readable storage medium storing program instructions executable to:
- intercept a service call initiated by a client process of a client, whereinthe client is deployed in a source appliance,the service call is a request for provision of an internal service by a server deployed in a target appliance,the service call comprises an identifier, andthe identifier identifies the internal service;
  
  determine whether one or more rules of a plurality of rules are specified for the identifier; and
  
  in response to a determination that the one or more rules are specified for the identifier,generate a service packet by multiplexing client information and information specified in the service call, andforward the service packet to the target appliance.
- View Dependent Claims (12, 13, 14, 15)
- - 12. The non-transitory computer readable storage medium of claim 11, further comprising:
    - accessing source kernel memory of the source appliance; and
      
      retrieving the client information from source kernel memory, whereinthe client information comprises one or more client process properties of a plurality of client process properties associated with the client process, andthe plurality of client process properties comprise a user context, a user group context, a client program name, a parent process name, or a terminal type.
  - 13. The non-transitory computer readable storage medium of claim of claim 12, further comprising:
    - intercepting the service packet forwarded to the target appliance;
      
      demultiplexing the service packet to retrieve the client information;
      
      processing one or more attributes of at least one rule using the client information; and
      
      forwarding the service call to the server, if the processing indicates that the forwarding the service call is allowable.
  - 14. The non-transitory computer readable storage medium of claim of claim 13, whereineach rule of the one or more rules comprises one or more attributes, andeach attribute of the one or more attributes corresponds to a client process property of the plurality of client process properties.
  - 15. The non-transitory computer readable storage medium of claim of claim 14, whereinthe processing comprisesdetermining whether each attribute of at least one rule matches a corresponding client process property.

16. A system comprising:
- one or more processors; and
  
  a memory coupled to the one or more processors, wherein the memory stores program instructions executable by the one or more processors to;
  
  intercept a service call initiated by a client process of a client, whereinthe client is deployed in a source appliance,the service call is a request for provision of an internal service by a server deployed in a target appliance,the service call comprises an identifier, andthe identifier identifies the internal service;
  
  determine whether one or more rules of a plurality of rules are specified for the identifier; and
  
  in response to a determination that the one or more rules are specified for the identifier,generate a service packet by multiplexing client information and information specified in the service call, andforward the service packet to the target appliance.
- View Dependent Claims (17, 18, 19, 20)
- - 17. The system of claim 16, further comprising:
    - accessing source kernel memory of the source appliance; and
      
      retrieving the client information from source kernel memory, whereinthe client information comprises one or more client process properties of a plurality of client process properties associated with the client process, andthe plurality of client process properties comprise a user context, a user group context, a client program name, a parent process name, or a terminal type.
  - 18. The system of claim 17, further comprising:
    - intercepting the service packet forwarded to the target appliance;
      
      demultiplexing the service packet to retrieve the client information;
      
      processing one or more attributes of at least one rule using the client information; and
      
      forwarding the service call to the server, if the processing indicates that the forwarding the service call is allowable.
  - 19. The system of claim of claim 18, whereineach rule of the one or more rules comprises one or more attributes, andeach attribute of the one or more attributes corresponds to a client process property of the plurality of client process properties.
  - 20. The system of claim of claim 19, whereinthe processing comprisesdetermining whether each attribute of at least one rule matches a corresponding client process property.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Veritas Technologies, LLC (Whitehouse Group Ltd.)
Original Assignee
Veritas Technologies, LLC (Whitehouse Group Ltd.)
Inventors
Goel, Vikas
Primary Examiner(s)
JEAN GILLES, JUDE

Application Number

US15/010,487
Publication Number

US 20170223142A1
Time in Patent Office

767 Days
Field of Search

709203, 709219, 709224
US Class Current
CPC Class Codes

G06F 21/54   by adding security routines...

G06F 21/629   to features or functions of...

H04L 63/0227   Filtering policies mail mes...

H04L 67/01   Protocols

H04L 67/60   Scheduling or organising th...

Securing internal services in a distributed environment

First Claim

6 Assignments

0 Petitions

Accused Products

Abstract

11 Citations

20 Claims

Specification

Solutions

Use Cases

Quick Links

Securing internal services in a distributed environment

First Claim

6 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

11 Citations

20 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links