Network Application Security Policy Enforcement

US 20180234460A1
Filed: 01/30/2018
Published: 08/16/2018
Est. Priority Date: 02/10/2017
Status: Active Grant

First Claim

Patent Images

1. A method performed by at least one computer processor executing computer program instructions stored on at least one non-transitory computer-readable medium, the method comprising:

(A) at a source local security agent on a source computer system, transmitting the state of an application executing on the source computer system and a first state of a network to a policy management engine;

(B) at the policy management engine, receiving the state of the application executing on the source computer system and the first state of the network;

(C) at the policy management engine, transmitting a first set of network application security policies to the source local security agent;

(D) at the source local security agent, receiving the first set of network application security policies;

(E) at the source local security agent, intercepting an outgoing network connection request from the application executing on the source computer system;

(F) at the source local security agent, determining whether at least one of the first set of network application security policies covers the outgoing connection request;

(G) at a destination local security agent on a destination computer system, transmitting the state of an application executing on the destination computer system and a second state of the network to the policy management engine;

(H) at the policy management engine, receiving the state of the application executing on the destination computer system and the second state of the network;

(I) at the policy management engine, transmitting a second set of network application security policies to the destination local security agent;

(J) at the destination local security agent, receiving the second set of network application security policies;

(K) at the destination local security agent, intercepting an incoming network connection request from the application executing on the destination computer system; and

(L) at the destination local security agent, determining whether at least one of the second set of network application security policies covers the incoming connection request.

View all claims

3 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

A system validates the establishment and/or continuation of a connection between two applications over a network using a three-stage process: (1) a local security agent on the same source system as the source application validates the connection against a set of policies stored locally on the source system; (2) a local security agent on the same destination system as the destination application validates the connection against a set of policies stored locally on the destination system; and (3) a reconciliation engine, after receiving connection and application state information from both the source and destination local security agents, validates the connection against a master set of policies. The connection is allowed or blocked depending on the outcome of the three-stage validation. This system protects against policy violations that are not detected by traditional systems without requiring alterations to the source and destination applications or the network traffic between them.

7 Citations

26 Claims

1. A method performed by at least one computer processor executing computer program instructions stored on at least one non-transitory computer-readable medium, the method comprising:
- (A) at a source local security agent on a source computer system, transmitting the state of an application executing on the source computer system and a first state of a network to a policy management engine;
  
  (B) at the policy management engine, receiving the state of the application executing on the source computer system and the first state of the network;
  
  (C) at the policy management engine, transmitting a first set of network application security policies to the source local security agent;
  
  (D) at the source local security agent, receiving the first set of network application security policies;
  
  (E) at the source local security agent, intercepting an outgoing network connection request from the application executing on the source computer system;
  
  (F) at the source local security agent, determining whether at least one of the first set of network application security policies covers the outgoing connection request;
  
  (G) at a destination local security agent on a destination computer system, transmitting the state of an application executing on the destination computer system and a second state of the network to the policy management engine;
  
  (H) at the policy management engine, receiving the state of the application executing on the destination computer system and the second state of the network;
  
  (I) at the policy management engine, transmitting a second set of network application security policies to the destination local security agent;
  
  (J) at the destination local security agent, receiving the second set of network application security policies;
  
  (K) at the destination local security agent, intercepting an incoming network connection request from the application executing on the destination computer system; and
  
  (L) at the destination local security agent, determining whether at least one of the second set of network application security policies covers the incoming connection request.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13)
- - 2. The method of claim 1, further comprising:
    - (M) at a reconciliation engine, determining whether a third set of network application security policies covers the outgoing connection request and the incoming connection request, wherein the third set of network application security policies is a superset of the first set of network application security policies and the second set of network application security policies.
  - 3. The method of claim 2, further comprising:
    - (N) if the reconciliation engine determines that the third set of network application security policies does not cover the outgoing connection request and the incoming connection request, then instructing the source local security agent to terminate a first connection created in response to the outgoing connection request and instructing the destination local security agent to terminate a second connection created in response to the incoming connection request.
  - 4. The method of claim 2, further comprising:
    - (N) if a timeout period elapses at the source local security agent without the source local security agent receiving an instruction from the reconciliation engine to keep alive a connection created in response to the outgoing connection request then, at the source local security agent, terminating the connection created in response to the outgoing connection request.
  - 5. The method of claim 2, further comprising:
    - (N) if a timeout period elapses at the destination local security agent without the destination local security agent receiving an instruction from the reconciliation engine to keep alive a connection created in response to the incoming connection request then, at the destination local security agent, terminating the connection created in response to the incoming connection request.
  - 6. The method of claim 2, further comprising:
    - (N) at the source local security agent, in response to determining that the first set of policies does not cover the outgoing connection request, temporarily blocking the outgoing connection request; and
      
      (O) at the source local security agent, in response to receiving an instruction from the reconciliation engine to allow the outgoing connection request, allowing a connection in response to the outgoing connection request.
  - 7. The method of claim 2, further comprising:
    - (N) at the destination local security agent, in response to determining that the second set of policies does not cover the incoming connection request, temporarily blocking the incoming connection request; and
      
      (O) at the destination local security agent, in response to receiving an instruction from the reconciliation engine to allow the incoming connection request, allowing a connection in response to the incoming connection request.
  - 8. The method of claim 1, wherein the first set of network application security policies comprises a subset of a larger set of network application security policies stored at the policy management engine.
  - 9. The method of claim 1, further comprising:
    - (M) if none of the first set of network application security policies is determined to cover the outgoing connection request, then denying the outgoing connection request.
  - 10. The method of claim 1:
    - wherein (A) comprises transmitting the state of the application executing on the source computer system and the first state of the network over an Internet Protocol (IP) network; and
      
      wherein (G) comprises transmitting the state of the application executing on the destination computer system and the second state of the network over the IP network.
  - 11. The method of claim 1:
    - wherein (C) comprises transmitting the first set of network application security policies to the source local security agent over an Internet Protocol (IP) network; and
      
      wherein (I) comprises transmitting the second set of network application security policies to the destination local security agent over the IP network.
  - 12. The method of claim 1:
    - wherein (A) further comprises transmitting, at the source local security agent, data representing a network configuration of the source system to the policy management engine; and
      
      wherein (G) further comprises transmitting, at the destination local security agent, data representing a network configuration of the destination system to the policy management engine.
  - 13. The method of claim 1, wherein each policy in the first set of network application security policies contains data:
    - representing a source application using at least one attribute other than a name of the source application and communication content;
      
      representing a destination application using at least one attribute other than a name of the destination application and communication content;
      
      indicating that the source application is authorized or is not authorized to communicate with the destination application.

14. A system comprising at least one non-transitory computer readable medium having computer program instructions stored thereon, wherein the computer program instructions are executable by at least one computer processor to perform a method, the method comprising:
- (A) at a source local security agent on a source computer system, transmitting the state of an application executing on the source computer system and a first state of a network to a policy management engine;
  
  (B) at the policy management engine, receiving the state of the application executing on the source computer system and the first state of the network;
  
  (C) at the policy management engine, transmitting a first set of network application security policies to the source local security agent;
  
  (D) at the source local security agent, receiving the first set of network application security policies;
  
  (E) at the source local security agent, intercepting an outgoing network connection request from the application executing on the source computer system;
  
  (F) at the source local security agent, determining whether at least one of the first set of network application security policies covers the outgoing connection request;
  
  (G) at a destination local security agent on a destination computer system, transmitting the state of an application executing on the destination computer system and a second state of the network to the policy management engine;
  
  (H) at the policy management engine, receiving the state of the application executing on the destination computer system and the second state of the network;
  
  (I) at the policy management engine, transmitting a second set of network application security policies to the destination local security agent;
  
  (J) at the destination local security agent, receiving the second set of network application security policies;
  
  (K) at the destination local security agent, intercepting an incoming network connection request from the application executing on the destination computer system; and
  
  (L) at the destination local security agent, determining whether at least one of the second set of network application security policies covers the incoming connection request.
- View Dependent Claims (15, 16, 17, 18, 19, 20, 21, 22, 23, 24, 25, 26)
- - 15. The system of claim 14, wherein the method further comprises:
    - (M) at a reconciliation engine, determining whether a third set of network application security policies covers the outgoing connection request and the incoming connection request, wherein the third set of network application security policies is a superset of the first set of network application security policies and the second set of network application security policies.
  - 16. The system of claim 15, wherein the method further comprises:
    - (N) if the reconciliation engine determines that the third set of network application security policies does not cover the outgoing connection request and the incoming connection request, then instructing the source local security agent to terminate a first connection created in response to the outgoing connection request and instructing the destination local security agent to terminate a second connection created in response to the incoming connection request.
  - 17. The system of claim 15, wherein the method further comprises:
    - (N) if a timeout period elapses at the source local security agent without the source local security agent receiving an instruction from the reconciliation engine to keep alive a connection created in response to the outgoing connection request then, at the source local security agent, terminating the connection created in response to the outgoing connection request.
  - 18. The system of claim 15, wherein the method further comprises:
    - (N) if a timeout period elapses at the destination local security agent without the destination local security agent receiving an instruction from the reconciliation engine to keep alive a connection created in response to the incoming connection request then, at the destination local security agent, terminating the connection created in response to the incoming connection request.
  - 19. The system of claim 15, wherein the method further comprises:
    - (N) at the source local security agent, in response to determining that the first set of policies does not cover the outgoing connection request, temporarily blocking the outgoing connection request; and
      
      (O) at the source local security agent, in response to receiving an instruction from the reconciliation engine to allow the outgoing connection request, allowing a connection in response to the outgoing connection request.
  - 20. The system of claim 15, wherein the method further comprises:
    - (N) at the destination local security agent, in response to determining that the second set of policies does not cover the incoming connection request, temporarily blocking the incoming connection request; and
      
      (O) at the destination local security agent, in response to receiving an instruction from the reconciliation engine to allow the incoming connection request, allowing a connection in response to the incoming connection request.
  - 21. The system of claim 14, wherein the first set of network application security policies comprises a subset of a larger set of network application security policies stored at the policy management engine.
  - 22. The system of claim 14, wherein the method further comprises:
    - (M) if none of the first set of network application security policies is determined to cover the outgoing connection request, then denying the outgoing connection request.
  - 23. The system of claim 14:
    - wherein (A) comprises transmitting the state of the application executing on the source computer system and the first state of the network over an Internet Protocol (IP) network; and
      
      wherein (G) comprises transmitting the state of the application executing on the destination computer system and the second state of the network over the IP network.
  - 24. The system of claim 14:
    - wherein (C) comprises transmitting the first set of network application security policies to the source local security agent over an Internet Protocol (IP) network; and
      
      wherein (I) comprises transmitting the second set of network application security policies to the destination local security agent over the IP network.
  - 25. The system of claim 14:
    - wherein (A) further comprises transmitting, at the source local security agent, data representing a network configuration of the source system to the policy management engine; and
      
      wherein (G) further comprises transmitting, at the destination local security agent, data representing a network configuration of the destination system to the policy management engine.
  - 26. The system of claim 14, wherein each policy in the first set of network application security policies contains data:
    - representing a source application using at least one attribute other than a name of the source application and communication content;
      
      representing a destination application using at least one attribute other than a name of the destination application and communication content;
      
      indicating that the source application is authorized or is not authorized to communicate with the destination application.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Zscaler Incorporated
Original Assignee
Edgewise Networks, Inc. (Zscaler Incorporated)
Inventors
Smith, Peter, Sverdlove, Harry

Granted Patent

US 10,154,067 B2
Time in Patent Office

Days
Field of Search
US Class Current
CPC Class Codes

G06F 21/606   by securing the transmissio...

G06F 21/6218   to a system of files or obj...

H04L 63/0263   Rule management

H04L 63/102   Entity profiles

H04L 63/20   for managing network securi...

H04L 63/30   for supporting lawful inter...

Network Application Security Policy Enforcement

First Claim

3 Assignments

0 Petitions

Accused Products

Abstract

7 Citations

26 Claims

Specification

Solutions

Use Cases

Quick Links

Network Application Security Policy Enforcement

First Claim

3 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

7 Citations

26 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links