Web Caching with Security as a Service

US 20150026757A1
Filed: 07/22/2013
Published: 01/22/2015
Est. Priority Date: 07/22/2013
Status: Active Grant

First Claim

Patent Images

1. A method comprising:

intercepting, at a cloud connector device of a network, a request from a user for content;

when the content is not cached in the network;

redirecting the request to cloud-based security as a service server;

receiving the content from the cloud-based security as a service server;

routing the content to a cache server; and

receiving at a cloud connector identity-based security policy from the cloud-based security as a service server for the content;

when the content is cached in the network;

determining whether the request satisfies an identity-based security policy;

sending the request to the cache server when the request satisfies the identity-based security policy; and

rejecting the request when the request fails to satisfy the identity-based security policy.

View all claims

1 Assignment

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

In one implementation, Web-Cache deployed in the Enterprise premises and cloud-based SecaaS are combined such that similar identity-based polices are enforced on both the SecaaS and content delivered from the Web-Cache. This identity-based policy implementation outside the network using SecaaS and within the network for web-cached content provides consistent identity-based security while still providing content to end-users with high performance. Content inspected and/or modified by SecaaS may be cached in the enterprise premises so that requests for content from an origin server decreases, freeing Internet bandwidth and reducing access time. Local caching of streaming content may decrease latency while local implementation of identity-based policy continues to limit the streamed content as appropriate. Local implementation of identity-based policy may reduce the load on SecaaS. Rather than using content delivery networks provided by a service provider for web-content, a cache server within the enterprise is used.

28 Citations

View as Search Results

22 Claims

1. A method comprising:
- intercepting, at a cloud connector device of a network, a request from a user for content;
  
  when the content is not cached in the network;
  
  redirecting the request to cloud-based security as a service server;
  
  receiving the content from the cloud-based security as a service server;
  
  routing the content to a cache server; and
  
  receiving at a cloud connector identity-based security policy from the cloud-based security as a service server for the content;
  
  when the content is cached in the network;
  
  determining whether the request satisfies an identity-based security policy;
  
  sending the request to the cache server when the request satisfies the identity-based security policy; and
  
  rejecting the request when the request fails to satisfy the identity-based security policy.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13)
- - 2. The method of claim 1 wherein intercepting comprises intercepting all requests, including the request, received at the cloud connector device and wherein all of the cached content, including the content routed to the cache server, is filtered by the cloud-based security as a service server prior to caching.
  - 3. The method of claim 1 wherein intercepting at the cloud connector device of the network comprises intercepting with a transparent proxy at an edge router of an enterprise network.
  - 4. The method of claim 1 further comprising storing a list of cachable target uniform resource locators, and determining whether the content is cached from the cachable target uniform resource locators.
  - 5. The method of claim 1 wherein redirecting comprises redirecting to the security as a service server outside the network.
  - 6. The method of claim 1 wherein receiving the content comprises receiving the content after filtering of the content by the cloud-based security as a service server.
  - 7. The method of claim 1 wherein routing the content comprises routing the content to the cache server for caching and response, by the cache server, of the content to the request from a client other than the cache server.
  - 8. The method of claim 1 further comprising notifying the security as a service server of web caching in the network, wherein receiving the content comprises receiving the content with an altered caching header as compared to the content as provided by a content server.
  - 9. The method of claim 8 wherein the receiving the content with the altered caching header comprises receiving the content with an indication of no caching.
  - 10. The method of claim 1 wherein determining whether the request satisfies the identity-based security policy comprises determining an identity of a source of the request by user, user group, device group, security clearance, location of the source, or combinations thereof.
  - 11. The method of claim 1 further comprising receiving the identity-based security policy from the cloud-based security as a service server, wherein determining whether the request satisfies the identity-based security policy comprises determining at the cloud connector device for the cached content with a same policy as determining at the security as a service server.
  - 12. The method of claim 1 wherein determining whether the request satisfies the identify-based security policy comprises determining whether an identity of a source of the request is in a white list or a black list for the content.
  - 13. The method of claim 12 wherein further comprising requesting a policy from the security as a service server where the identity is not in the white or black lists.

14. Logic encoded in one or more non-transitory computer-readable media that includes code for execution and when executed by a processor is operable to perform operations comprising:
- receiving, within a network, identity-based security information from a security as a service server outside the network;
  
  receiving, from an identified source, a request for content cached within the network;
  
  verifying, with the identity-based security information, that the identified source is allowed access to the content cached within the network; and
  
  providing the content to the identified source.
- View Dependent Claims (15, 16, 17, 18)
- - 15. The logic encoded in the one or more non-transitory computer readable media of claim 14 wherein receiving the identity-based security information comprises receiving user identities, user-group identities, location identities, device identities, or combinations thereof and corresponding security policies implemented by the security as a servicer server, and wherein verifying comprises applying the security policies to the request for the cached content.
  - 16. The logic encoded in the one or more non-transitory computer readable media of claim 14 further comprising determining that the content is cached within the network, the cached content comprising content filtered by the cloud-based security as a service, wherein verifying comprises implementing identity-based security for the filtered content cached in the network.
  - 17. The logic encoded in the one or more non-transitory computer readable media of claim 14 further comprising:
    - receiving a further request for content not cached in the network;
      
      redirecting the further request to the security as a service;
      
      receiving a response to the further request from the security as a service; and
      
      providing the response for caching in the network.
  - 18. The logic encoded in the one or more non-transitory computer readable media of claim 17 wherein the response comprises further content responsive to the further request, the further content comprising security filtered content with a caching lifetime adjusted by the security as a service server.

19. An apparatus comprising:
- a client device connected to a network, the client device configured to request content; and
  
  a gateway device of the network, the gateway device configured to restrict serving, in response to the request, of cached content within the network based on an identity-based security policy of a cloud-based security as a service.
- View Dependent Claims (20)
- - 20. The apparatus of claim 19 further comprising a cache server storing the cached content, a lifetime of the cached content set by the security as a service to be different than a setting of a source of the content.

21. A method comprising:
- receiving, at a security service processor, a request for content from a host in an enterprise network;
  
  requesting the content from a web server;
  
  receiving from the web server the content in response to the request;
  
  filtering, by the security service processor, the content received from the web server;
  
  adjusting a freshness setting of the content, the freshness setting corresponding to caching; and
  
  transmitting the content with the adjusted freshness setting to the enterprise network as a response to the request.
- View Dependent Claims (22)
- - 22. The method of claim 21 further comprising:
    - transmitting an identity-based security policy to a cloud connector in the enterprise network for providing the content from cache within the network using the identity-based security policy.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Cisco Technology, Inc. (Cisco Systems, Inc.)
Original Assignee
Cisco Technology, Inc. (Cisco Systems, Inc.)
Inventors
Reddy, Tirumaleswar, Patil, Prashanth, Nethi, Ramesh, Wing, Daniel, Wild, Christopher

Granted Patent

US 9,288,231 B2
Time in Patent Office

Days
Field of Search
US Class Current

726/1
CPC Class Codes

H04L 63/0281   Proxies

H04L 63/10   for controlling access to d...

H04L 63/20   for managing network securi...

Web Caching with Security as a Service

First Claim

1 Assignment

0 Petitions

Accused Products

Abstract

28 Citations

22 Claims

Specification

Solutions

Use Cases

Quick Links

Web Caching with Security as a Service

First Claim

1 Assignment

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

28 Citations

22 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links