Network Application Security Policy Enforcement
First Claim
1. A method performed by at least one computer processor executing computer program instructions stored on at least one non-transitory computer-readable medium, the method comprising:
(A) at a source local security agent on a source computer system, transmitting the state of an application executing on the source computer system and a first state of a network to a policy management engine;
(B) at the policy management engine, receiving the state of the application executing on the source computer system and the first state of the network;
(C) at the policy management engine, transmitting a first set of network application security policies to the source local security agent;
(D) at the source local security agent, receiving the first set of network application security policies;
(E) at the source local security agent, intercepting an outgoing network connection request from the application executing on the source computer system;
(F) at the source local security agent, determining whether at least one of the first set of network application security policies covers the outgoing connection request;
(G) at a destination local security agent on a destination computer system, transmitting the state of an application executing on the destination computer system and a second state of the network to the policy management engine;
(H) at the policy management engine, receiving the state of the application executing on the destination computer system and the second state of the network;
(I) at the policy management engine, transmitting a second set of network application security policies to the destination local security agent;
(J) at the destination local security agent, receiving the second set of network application security policies;
(K) at the destination local security agent, intercepting an incoming network connection request from the application executing on the destination computer system; and
(L) at the destination local security agent, determining whether at least one of the second set of network application security policies covers the incoming connection request.
3 Assignments
0 Petitions
Abstract
A system validates the establishment and/or continuation of a connection between two applications over a network using a three-stage process: (1) a local security agent on the same source system as the source application validates the connection against a set of policies stored locally on the source system; (2) a local security agent on the same destination system as the destination application validates the connection against a set of policies stored locally on the destination system; and (3) a reconciliation engine, after receiving connection and application state information from both the source and destination local security agents, validates the connection against a master set of policies. The connection is allowed or blocked depending on the outcome of the three-stage validation. This system protects against policy violations that are not detected by traditional systems without requiring alterations to the source and destination applications or the network traffic between them.
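The three-stage validation described in the abstract, together with steps (A) through (L) of claim 1, worked through as an added example; this is illustrative code written for this page, not code from the patent or from any product implementing it. The host names, application names, the policy schema (source application, destination application, destination port, action), the rule that an agent only receives policies naming an application it reported, the default-deny behaviour, and the reconciliation rules (both sides must report the same connection, and the source must name an application the engine saw registered on that host) are all assumptions made for the example.

```python
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class ConnRequest:
    src_host: str
    src_app: str
    dst_host: str
    dst_app: str
    dst_port: int


@dataclass(frozen=True)
class Policy:
    src_app: str
    dst_app: str
    dst_port: int
    action: str  # "allow" or "block"

    def covers(self, req: ConnRequest) -> bool:
        return (self.src_app, self.dst_app, self.dst_port) == (req.src_app, req.dst_app, req.dst_port)


class PolicyManagementEngine:
    """Holds the master policy set plus the application state each host reported."""

    def __init__(self, master: list[Policy]):
        self.master = list(master)
        self.state: dict[str, set[str]] = {}  # host -> applications reported as running

    def register(self, host: str, apps: set[str], network: str) -> list[Policy]:
        # (A)/(B), (G)/(H): record the reported application and network state;
        # (C)/(I): hand back only the policies naming one of that host's applications
        # (the network state is recorded by a real engine; this example keys only on apps).
        self.state[host] = set(apps)
        return [p for p in self.master if p.src_app in apps or p.dst_app in apps]


class LocalSecurityAgent:
    """Stage 1 (source) or stage 2 (destination): enforces the locally stored subset."""

    def __init__(self, host: str, apps: set[str], engine: PolicyManagementEngine):
        self.host, self.apps = host, set(apps)
        self.policies = engine.register(host, self.apps, network="assumed-prod-vlan")  # (D)/(J)

    def covering_policy(self, req: ConnRequest) -> Optional[Policy]:  # (F)/(L)
        return next((p for p in self.policies if p.covers(req)), None)

    def check(self, req: ConnRequest, direction: str) -> str:  # (E)+(F) or (K)+(L)
        host, app = (req.src_host, req.src_app) if direction == "outgoing" else (req.dst_host, req.dst_app)
        if host != self.host or app not in self.apps:
            return "block"  # the application named on this side is not running on this host
        p = self.covering_policy(req)
        return p.action if p else "block"  # default deny when no local policy covers it


class ReconciliationEngine:
    """Stage 3: cross-checks both agents' reports against the master policy set."""

    def __init__(self, engine: PolicyManagementEngine):
        self.engine = engine

    def validate(self, src_view: ConnRequest, dst_view: ConnRequest) -> str:
        if src_view != dst_view:
            return "block"  # the two endpoints disagree about who is talking to whom
        if src_view.src_app not in self.engine.state.get(src_view.src_host, set()):
            return "block"  # source names an application the engine never saw registered there
        p = next((p for p in self.engine.master if p.covers(src_view)), None)
        return p.action if p else "block"


def validate_connection(src: LocalSecurityAgent, dst: LocalSecurityAgent,
                        recon: ReconciliationEngine, src_view: ConnRequest,
                        dst_view: Optional[ConnRequest] = None) -> dict[str, str]:
    """Runs the stages in order; the connection is allowed only if every stage allows it."""
    dst_view = src_view if dst_view is None else dst_view
    stages = {"source": src.check(src_view, "outgoing")}
    if stages["source"] == "allow":
        stages["destination"] = dst.check(dst_view, "incoming")
    if stages.get("destination") == "allow":
        stages["reconciliation"] = recon.validate(src_view, dst_view)
    stages["verdict"] = "allow" if all(v == "allow" for v in stages.values()) else "block"
    return stages


# Constructed sample deployment: hosts, applications and policies are assumptions.
MASTER = [Policy("web", "db", 5432, "allow"),
          Policy("web", "db", 22, "block"),
          Policy("batch", "queue", 5672, "allow")]
ENGINE = PolicyManagementEngine(MASTER)
WEB_AGENT = LocalSecurityAgent("web-01", {"web"}, ENGINE)
DB_AGENT = LocalSecurityAgent("db-01", {"db"}, ENGINE)
RECON = ReconciliationEngine(ENGINE)


def demo() -> dict[str, dict[str, str]]:
    ok = ConnRequest("web-01", "web", "db-01", "db", 5432)
    ssh = ConnRequest("web-01", "web", "db-01", "db", 22)
    # The destination attributes the same connection to a different source host than
    # the source agent claims: each local check passes, only reconciliation catches it.
    misattributed = ConnRequest("web-02", "web", "db-01", "db", 5432)
    return {"allowed": validate_connection(WEB_AGENT, DB_AGENT, RECON, ok),
            "ssh": validate_connection(WEB_AGENT, DB_AGENT, RECON, ssh),
            "mismatch": validate_connection(WEB_AGENT, DB_AGENT, RECON, ok, misattributed)}
```

The "mismatch" case is the reason the abstract's third stage exists: the source agent and the destination agent each see a request their local subset allows, and only an engine holding both reports can notice that they describe different connections. The "ssh" case shows the first stage doing its job on its own, with the block policy having been pushed to the source host because it names an application that host reported.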
7 Citations
26 Claims
1. Method claim, reproduced in full above under First Claim. Dependent claims: 2 through 13.
14. A system comprising at least one non-transitory computer readable medium having computer program instructions stored thereon, wherein the computer program instructions are executable by at least one computer processor to perform a method, the method comprising:
(A) at a source local security agent on a source computer system, transmitting the state of an application executing on the source computer system and a first state of a network to a policy management engine;
(B) at the policy management engine, receiving the state of the application executing on the source computer system and the first state of the network;
(C) at the policy management engine, transmitting a first set of network application security policies to the source local security agent;
(D) at the source local security agent, receiving the first set of network application security policies;
(E) at the source local security agent, intercepting an outgoing network connection request from the application executing on the source computer system;
(F) at the source local security agent, determining whether at least one of the first set of network application security policies covers the outgoing connection request;
(G) at a destination local security agent on a destination computer system, transmitting the state of an application executing on the destination computer system and a second state of the network to the policy management engine;
(H) at the policy management engine, receiving the state of the application executing on the destination computer system and the second state of the network;
(I) at the policy management engine, transmitting a second set of network application security policies to the destination local security agent;
(J) at the destination local security agent, receiving the second set of network application security policies;
(K) at the destination local security agent, intercepting an incoming network connection request from the application executing on the destination computer system; and
(L) at the destination local security agent, determining whether at least one of the second set of network application security policies covers the incoming connection request.
Dependent claims: 15 through 26.
Specification