Applying a network traffic policy to an application session

US 9,954,899 B2
Filed: 05/17/2016
Issued: 04/24/2018
Est. Priority Date: 10/17/2006
Status: Active Grant

First Claim

Patent Images

1. A method for applying a security policy to an application session, comprising:

determining, by a security gateway, a first user identity and a second user identity from a data packet for an application session, the determining comprising;

inspecting, by the security gateway, the data packet for the application session and storing a host identity and an application session time in an application session record;

determining, by the security gateway, from the data packet for the application session a user identity and storing the user identity in the application session record;

determining, by the security gateway, a second user identity by matching an access session record of an access session accessed during the application session that comprises the second user identity, a second host identity, and an access session time, wherein the second host identity, and the access session time match the host identity and the application session time of the application session record;

storing the second user identity in the application session record;

obtaining, by the security gateway, a security policy for the application session based on the first user identity or the second user identity; and

applying the security policy to the application session by the security gateway.

View all claims

1 Assignment

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

Embodiments of the present technology relate to a method for applying a security policy to an application session, comprising: determining, by a security gateway, a first user identity and a second user identity from a data packet for an application session; obtaining, by the security gateway, a security policy for the application session; and applying the security policy to the application session by the security gateway. The user identity may be a network user identity or an application user identity recognized from packets of the application session. The security policy may comprise a network traffic policy mapped and/or a document access policy mapped to the user identity, where the network traffic policy is applied to the application session. The security gateway may further generate a security report concerning the application of the security policy to the application session.

288 Citations

17 Claims

1. A method for applying a security policy to an application session, comprising:
- determining, by a security gateway, a first user identity and a second user identity from a data packet for an application session, the determining comprising;
  
  inspecting, by the security gateway, the data packet for the application session and storing a host identity and an application session time in an application session record;
  
  determining, by the security gateway, from the data packet for the application session a user identity and storing the user identity in the application session record;
  
  determining, by the security gateway, a second user identity by matching an access session record of an access session accessed during the application session that comprises the second user identity, a second host identity, and an access session time, wherein the second host identity, and the access session time match the host identity and the application session time of the application session record;
  
  storing the second user identity in the application session record;
  
  obtaining, by the security gateway, a security policy for the application session based on the first user identity or the second user identity; and
  
  applying the security policy to the application session by the security gateway.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8)
- - 2. The method of claim 1, wherein the obtaining a security policy for the application session comprises:
    - querying, by the security gateway, a corporate directory comprising a plurality of security policies, the query including a user identity;
      
      matching, by the corporate directory, the user identity of the query against the plurality of security policies to determine whether one of the plurality of security policies is applicable to the user identity of the query; and
      
      in response to finding a match, sending, by the corporate directory, the security policy to the security gateway.
  - 3. The method of claim 2, wherein the user identity of the query comprises at least one of the first user identity and the second user identity.
  - 4. The method of claim 2, wherein the matching the user identity of the query against the plurality of security policies comprises:
    - mapping, by the security policy, network parameters of one of the plurality of security policies to the user identity of the query; and
      
      determining whether there is a match between the user identity of the query and the user identity in the security policy.
  - 5. The method of claim 1, wherein at least one of the plurality of security policies comprises a network traffic policy.
  - 6. The method of claim 5, wherein the network traffic policy comprises one or more of the following:
    - packet modification control for the application session;
      
      traffic shaping control;
      
      application session access control indicating whether the user identity of the query is denied or allowed to continue to the application session; and
      
      a bandwidth control.
  - 7. The method of claim 6, wherein the packet modification control for the application session comprises one or more of the following:
    - performing network address translation to the application session;
      
      performing port address translation to the application session using a pre-determined port number;
      
      performing content substitution, if the application session is an Hypertext Transfer Protocol (HTTP) session and if a Universal Resource Locator (URL) in data packets of the application session matches a predetermined URL;
      
      performing filename substitution, if the application session is a file transfer session and if a filename matching a pre-determined filename is found in data packets of the application session; and
      
      inserting a cookie for the user of the user identity, if the application session is an HTTP session.
  - 8. The method of claim 1, further comprising generating a security report concerning the application of the security policy to the application session.

9. A system, comprising:
- a corporate directory comprising a plurality of security policies; and
  
  a security gateway, wherein the security gateway;
  
  determines a first user identity and a second user identity from a data packet for an application session, the determining comprising;
  
  inspecting the data packet for the application session and storing a host identity and an application session time in an application session record;
  
  determining from the data packet for the application session a user identity and storing the user identity in the application session record;
  
  determining a second user identity by matching an access session record of an access session accessed during the application session that comprises the second user identity, a second host identity, and an access session time, wherein the second host identity, and the access session time match the host identity and the application session time of the application session record;
  
  storing the second user identity in the application session record;
  
  obtains a security policy for the application session, the security policy based on the first user identity or the second user identity; and
  
  applies the security policy to the application session.
- View Dependent Claims (10, 11, 12, 13, 14, 15, 16)
- - 10. The system of claim 9, wherein the security gateway obtains a security policy for the application session comprises:
    - querying, by the security gateway, the corporate directory, the query including a user identity;
      
      matching, by the corporate directory, the user identity of the query against the plurality of security policies to determine whether one of the plurality of security policies is applicable to the user identity of the query; and
      
      in response to finding a match, sending, by the corporate directory, the security policy to the security gateway.
  - 11. The system of claim 10, wherein the user identity of the query comprises at least one of the first user identity and the second user identity.
  - 12. The system of claim 10, wherein the matching the user identity of the query against the plurality of security policies comprises:
    - mapping, by one of the plurality of security policies, network parameters of the security policy to the user identity of the query; and
      
      determining whether there is a match between the user identity of the query and the user identity in the security policy.
  - 13. The system of claim 9, wherein at least one of the plurality of security policies comprises a network traffic policy.
  - 14. The system of claim 13, wherein the network traffic policy comprises one or more of the following:
    - packet modification control for the application session;
      
      traffic shaping control;
      
      application session access control indicating whether the user identity of the query is denied or allowed to continue to the application session; and
      
      a bandwidth control.
  - 15. The system of claim 14, wherein the packet modification control for the application session comprises one or more of the following:
    - performing network address translation to the application session;
      
      performing port address translation to the application session using a pre-determined port number;
      
      performing content substitution, if the application session is an Hypertext Transfer Protocol (HTTP) session and if a Universal Resource Locator (URL) in data packets of the application session matches a predetermined URL;
      
      performing filename substitution, if the application session is a file transfer session and if a filename matching a pre-determined filename is found in data packets of the application session; and
      
      inserting a cookie for the user of the user identity, if the application session is an HTTP session.
  - 16. The system of claim 9, wherein the security gateway further generates a security report concerning the application of the security policy to the application session.

17. A non-transitory computer readable storage medium having computer readable program code embodied therewith for routing data packets of an application session, the computer readable program code configured to:
- determine, by a security gateway, a first user identity and a second user identity from a data packet for an application session, the determining comprising;
  
  inspecting, by the security gateway, the data packet for the application session and storing a host identity and an application session time in an application session record;
  
  determining, by the security gateway, from the data packet for the application session a user identity and storing the user identity in the application session record;
  
  determining, by the security gateway, a second user identity by matching an access session record of an access session accessed during the application session that comprises the second user identity, a second host identity, and an access session time, wherein the second host identity, and the access session time match the host identity and the application session time of the application session record;
  
  storing the second user identity in the application session record;
  
  obtain, by the security gateway, a security policy for the application session based on the first user identity or the second user identity; and
  
  apply the security policy to the application session by the security gateway.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
A10 Networks Incorporated
Original Assignee
A10 Networks Incorporated
Inventors
Chen, Lee, Oshiba, Dennis, Chiong, John
Primary Examiner(s)
Colin, Carl
Assistant Examiner(s)
LAVELLE, GARY E

Application Number

US15/157,357
Publication Number

US 20160261642A1
Time in Patent Office

707 Days
Field of Search
US Class Current
CPC Class Codes

G06F 21/00   Security arrangements for p...

H04L 2101/365   Application layer names, e....

H04L 45/308   Route determination based o...

H04L 51/04   Real-time or near real-time...

H04L 61/2596   Translation of addresses of...

H04L 61/50   Address allocation

H04L 63/02   for separating internal fro...

H04L 63/0227   Filtering policies mail mes...

H04L 63/0236   Filtering by address, proto...

H04L 63/029   Firewall traversal, e.g. tu...

H04L 63/0407   wherein the identity of one...

H04L 63/08   for authentication of entit...

H04L 63/0892   by using authentication-aut...

H04L 63/20   for managing network securi...

H04L 65/1026   at the edge

H04L 67/01   Protocols

H04L 67/02   based on web technology, e....

H04L 67/06   specially adapted for file ...

H04L 67/10   in which an application is ...

H04L 67/14   Session management for real...

H04L 67/306 : User profiles

H04L 67/535 : Tracking the activity of th...

H04L 69/22 : Parsing or analysis of headers

H04M 1/7243 : with interactive means for ...

H04W 12/082 : using revocation of authori...

H04W 12/088 : using filters or firewalls

H04W 12/37 : Managing security policies ...

H04W 12/45 : using multiple identity mod...

H04W 12/61 : Time-dependent

H04W 12/72 : Subscriber identity

H04W 12/76 : Group identity

View All

Applying a network traffic policy to an application session

First Claim

1 Assignment

0 Petitions

Accused Products

Abstract

288 Citations

17 Claims

Specification

Use Cases

Quick Links

Others

Applying a network traffic policy to an application session

First Claim

1 Assignment

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

288 Citations

17 Claims

Specification

Subscription Required

Use Cases

Quick Links

Others