SYSTEM AND METHOD FOR INTERLOCKING A HOST AND A GATEWAY

US 20150365380A1
Filed: 08/17/2015
Published: 12/17/2015
Est. Priority Date: 02/23/2011
Status: Active Grant

First Claim

Patent Images

1. At least one non-transitory computer readable medium having logic encoded therein, wherein the logic, when executed by one or more processors, is operable to perform operations comprising:

receiving, at a network gateway, a session descriptor from a host, wherein the session descriptor identifies an application file associated with a process on the host attempting to establish a network connection via the network gateway;

determining a network policy to be applied to network traffic associated with the host based on information contained in the session descriptor;

correlating network traffic received by the network gateway with the host based on a universally unique identifier (UUID) contained in the session descriptor; and

applying the network policy to the network traffic.

View all claims

9 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

A method is provided in one example embodiment and includes exchanging a session descriptor associated with a network connection and an application on a host, correlating the session descriptor with a network policy, and applying the network policy to the network connection. In alternative embodiments, the session descriptor may be exchanged through an out-of-band communication channel or an in-band communication channel.

30 Citations

View as Search Results

20 Claims

1. At least one non-transitory computer readable medium having logic encoded therein, wherein the logic, when executed by one or more processors, is operable to perform operations comprising:
- receiving, at a network gateway, a session descriptor from a host, wherein the session descriptor identifies an application file associated with a process on the host attempting to establish a network connection via the network gateway;
  
  determining a network policy to be applied to network traffic associated with the host based on information contained in the session descriptor;
  
  correlating network traffic received by the network gateway with the host based on a universally unique identifier (UUID) contained in the session descriptor; and
  
  applying the network policy to the network traffic.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13)
- - 2. The at least one non-transitory computer readable medium of claim 1, wherein the network traffic received by the network gateway is associated with a first altered network address provided by a network address translator.
  - 3. The at least one non-transitory computer readable medium of claim 2, further comprising:
    - correlating second network traffic received at the network gateway with the host based on the UUID contained in a second session descriptor, wherein the second network traffic is associated with a second altered network address provided by the network address translator; and
      
      applying a second network policy to the second network traffic.
  - 4. The at least one non-transitory computer readable medium of claim 1, wherein the session descriptor is communicated from the host to the network gateway through an out-of-band communication channel.
  - 5. The at least one non-transitory computer readable medium of claim 1, wherein the session descriptor is communicated from the host to the network gateway through an in-band communication channel.
  - 6. The at least one non-transitory computer readable medium of claim 5, wherein the session descriptor is encoded in one or more messages associated with the network connection.
  - 7. The at least one non-transitory computer readable medium of claim 1, wherein the network policy is applied to restrict protocols used in the network connection based on the application file.
  - 8. The at least one non-transitory computer readable medium of claim 1, wherein the network policy is applied to rate-limit communication over the network connection based, at least in part, on the application file.
  - 9. The at least one non-transitory computer readable medium of claim 1, wherein the network policy is associated with a whitelist that restricts protocols that may be used by the application.
  - 10. The at least one non-transitory computer readable medium of claim 1, wherein the session descriptor indicates whether a local antivirus system is running in the host.
  - 11. The at least one non-transitory computer readable medium of claim 1, wherein the session descriptor indicates a file type of the application file.
  - 12. The at least one non-transitory computer readable medium of claim 1, wherein the session descriptor indicates whether a mountable read/write media is attached to the host during the network connection.
  - 13. The at least one non-transitory computer readable medium of claim 1, wherein the session descriptor indicates whether the host has a wireless connection and a wired connection simultaneously active during the network connection.

14. A network gateway, comprising:
- a firewall module; and
  
  one or more hardware processors operable to execute instructions associated with the firewall module, the one or more processors being operable to;
  
  receive a session descriptor from a host, wherein the session descriptor identifies an application file associated with a process on the host attempting to establish a network connection via the network gateway;
  
  determine a network policy to be applied to network traffic associated with the host based on information contained in the session descriptor;
  
  correlate network traffic received by the network gateway with the host based on a universally unique identifier (UUID) contained in the session descriptor; and
  
  apply the network policy to the network traffic.
- View Dependent Claims (15, 16, 17)
- - 15. The network gateway of claim 14, wherein the network traffic received by the network gateway is associated with a first altered network address provided by a network address translator.
  - 16. The network gateway of claim 14, the one or more processors being further operable to:
    - correlate second network traffic received at the network gateway with the host based on the UUID contained in a second session descriptor, wherein the second network traffic is associated with a second altered network address provided by the network address translator; and
      
      apply a second network policy to the second network traffic.
  - 17. The network gateway of claim 14, the one or more processors being further operable to:
    - identify the session descriptor encoded in one or more messages associated with the network connection and received from the host through an in-band communication channel; and
      
      extract the session descriptor from the one or more messages.

18. A method, comprising:
- receiving, at a network gateway, a session descriptor from a host, wherein the session descriptor identifies an application file associated with a process on the host attempting to establish a network connection via the network gateway;
  
  determining a network policy to be applied to network traffic associated with the host based on information contained in the session descriptor;
  
  correlating network traffic received by the network gateway with the host based on a universally unique identifier (UUID) contained in the session descriptor; and
  
  applying the network policy to the network traffic.
- View Dependent Claims (19, 20)
- - 19. The method of claim 18, further comprising:
    - correlating second network traffic received at the network gateway with the host based on the UUID contained in a second session descriptor, wherein the second network traffic is associated with an altered network address provided by a network address translator; and
      
      applying a second network policy to the second network traffic.
  - 20. The method of claim 18, further comprising:
    - identifying the session descriptor encoded in one or more messages associated with the network connection and received from the host through an in-band communication channel; and
      
      extracting the session descriptor from the one or more messages.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
McAfee, LLC
Original Assignee
McAfee, Inc. (McAfee, LLC)
Inventors
Cooper, Geoffrey Howard, Diehl, David Frederick, Mahadik, Vinay A., Venugopalan, Ramnath

Granted Patent

US 9,866,528 B2
Time in Patent Office

Days
Field of Search
US Class Current

1/1
CPC Class Codes

H04L 47/125   by balancing the load, e.g....

H04L 63/0218   Distributed architectures, ...

H04L 63/0245   Filtering by information in...

H04L 63/0254   Stateful filtering

H04L 63/029   Firewall traversal, e.g. tu...

H04L 63/102   Entity profiles

H04L 63/20   for managing network securi...

H04L 67/146   Markers for unambiguous ide...

SYSTEM AND METHOD FOR INTERLOCKING A HOST AND A GATEWAY

First Claim

9 Assignments

0 Petitions

Accused Products

Abstract

30 Citations

20 Claims

Specification

Solutions

Use Cases

Quick Links

SYSTEM AND METHOD FOR INTERLOCKING A HOST AND A GATEWAY

First Claim

9 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

30 Citations

20 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links