Resource-free prioritizing in high availability external security systems
Abstract
A database access control system is augmented to provide additional functionality to enable an external security device (e.g., an EDSM) to fully and accurately assess a database query against one or more security policies even when the EDSM is overloaded. To this end, a pair of channels is established between the ISA and the ESM, wherein the channel pair includes a first channel that is expected to have relatively low packet rate, and a second channel that is expected to have a relatively high packet rate. Internally, the ISA is configured to direct certain packets to the first channel, and to direct other packets to the second channel. Packets representing initial session information (i.e., user information sent at the beginning of a user session) are directed to the first channel, whereas packets received following session establishment are directed to the second channel, because the latter are likely to be present during a potential overload scenario. By routing the initial session setup information over the first channel, and by ensuring that the first channel is a low rate channel and thus highly available, the ESM remains able to perform its basic functions even in an overload scenario where significant traffic spikes are experienced over the second channel.
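The channel split and overload priority that the abstract describes, together with the packet-marking variant of claim 19, as an added Python simulation that is not part of the patent: a hypothetical Agent routes each session's first few packets (the session user information) to the low-rate first channel and everything after to the high-rate second channel, and a hypothetical SecurityDevice is run once as a plain FIFO and once with the two-channel priority so the difference under overload can be measured. The packet layout, the backlog limits (max_backlog=8, overload_threshold=6), the service rate and the sample burst are all constructed for illustration.

```python
"""Added illustration (not the patent's code) of the two-channel scheme: the
agent routes each session's first SETUP packets (its user information) to the
low-rate first channel and later requests to the high-rate second channel; an
overloaded device inspects first-channel packets first and sheds only the rest."""
from collections import deque
from dataclasses import dataclass
from typing import Deque, Dict, List, Set, Tuple

SESSION, REQUEST = "session", "request"   # first and second channel

@dataclass(frozen=True)
class Packet:
    session_id: str
    seq: int        # position within the session's packet stream
    payload: str

class Agent:
    """Hypothetical intercepting agent: a configurable number of leading packets
    per session go to the first channel (claim 19's marked packets), rest to second."""
    def __init__(self, setup_packets: int) -> None:
        self.setup_packets = setup_packets
        self.seen: Dict[str, int] = {}

    def route(self, pkt: Packet) -> str:
        n = self.seen.get(pkt.session_id, 0)
        self.seen[pkt.session_id] = n + 1
        return SESSION if n < self.setup_packets else REQUEST

class SecurityDevice:
    """Hypothetical external security device with a bounded backlog.
    prioritize=False: one FIFO that tail-drops whatever arrives when full.
    prioritize=True: first-channel packets are never shed and, while the
    device is overloaded, are inspected ahead of second-channel packets."""
    def __init__(self, setup_packets: int, max_backlog: int,
                 overload_threshold: int, prioritize: bool) -> None:
        self.setup_packets = setup_packets
        self.max_backlog = max_backlog
        self.overload_threshold = overload_threshold
        self.prioritize = prioritize
        self.queue: Deque[Tuple[str, Packet]] = deque()   # arrival order
        self.user_info: Dict[str, Set[int]] = {}          # session -> setup seqs seen
        self.stats = {"inspected": 0, "dropped": 0,
                      "setup_dropped": 0, "no_user_context": 0}

    def receive(self, channel: str, pkt: Packet) -> None:
        full = len(self.queue) >= self.max_backlog
        if full and not (self.prioritize and channel == SESSION):
            self.stats["dropped"] += 1
            self.stats["setup_dropped"] += int(channel == SESSION)
            return
        self.queue.append((channel, pkt))

    def process_one(self) -> None:
        if not self.queue:
            return
        if self.prioritize and len(self.queue) >= self.overload_threshold:
            for i, (channel, pkt) in enumerate(self.queue):
                if channel == SESSION:          # oldest waiting first-channel packet
                    del self.queue[i]
                    self._inspect(channel, pkt)
                    return
        self._inspect(*self.queue.popleft())

    def _inspect(self, channel: str, pkt: Packet) -> None:
        self.stats["inspected"] += 1
        if channel == SESSION:
            self.user_info.setdefault(pkt.session_id, set()).add(pkt.seq)
        elif len(self.user_info.get(pkt.session_id, ())) < self.setup_packets:
            # Policy evaluation needs the user: with incomplete session
            # information the request cannot be fully assessed.
            self.stats["no_user_context"] += 1

def build_burst(n_sessions: int = 4, setup_packets: int = 2,
                requests_per_session: int = 10) -> List[Packet]:
    """Constructed sample traffic: each session sends its user information
    and then a burst of queries; sessions arrive back to back."""
    pkts: List[Packet] = []
    for s in range(n_sessions):
        sid = f"sess{s}"
        for i in range(setup_packets):
            pkts.append(Packet(sid, i, f"user-info part {i}"))
        for i in range(requests_per_session):
            pkts.append(Packet(sid, setup_packets + i, f"SELECT ... /* q{i} */"))
    return pkts

def simulate(prioritize: bool, setup_packets: int = 2,
             service_every: int = 3) -> Dict[str, int]:
    """Deliver the burst, servicing one packet per `service_every` arrivals
    (slower than arrivals, hence overload), then drain the backlog."""
    agent = Agent(setup_packets)
    device = SecurityDevice(setup_packets, max_backlog=8,
                            overload_threshold=6, prioritize=prioritize)
    for t, pkt in enumerate(build_burst(setup_packets=setup_packets), start=1):
        device.receive(agent.route(pkt), pkt)
        if t % service_every == 0:
            device.process_one()
    while device.queue:
        device.process_one()
    return device.stats
```

Calling simulate(prioritize=False) and simulate(prioritize=True) on the same burst shows the effect the abstract claims: the plain FIFO tail-drops some sessions' user-information packets, so every later request from those sessions is inspected without user context, whereas the two-channel device drops only second-channel requests and never evaluates a request before that session's user information has been seen. The design choice that makes this work is that the first channel carries a bounded number of packets per session, so refusing to shed it cannot itself cause unbounded backlog.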
19 Claims
1. A method operative in a database access control system wherein database requests directed from a client to a database server are intercepted by an agent and directed to an external security device for validation against a security policy, comprising:
configuring first and second channels between the agent and the external security device;
providing, via the first channel, session user information received from the client;
providing, via the second channel, session requests received from the client after establishment of a session associated with the session user information; and
prioritizing processing of packets received over the first channel in lieu of packets received over the second channel when the external security device is operating in an overloaded state.
Dependent claims: 2, 3, 4, 5, 6.

7. Apparatus for use in a database access control system wherein database requests directed from a client to a database server are intercepted by an agent and directed to an external security device for validation against a security policy, comprising:
a processor;
computer memory holding computer program instructions executed by the processor, the computer program instructions comprising program code configured to:
establish first and second channels between the agent and the external security device;
provide, via the first channel, session user information received from the client;
provide, via the second channel, session requests received from the client after establishment of a session associated with the session user information; and
prioritize processing of packets received over the first channel in lieu of packets received over the second channel when the external security device is operating in an overloaded state.
Dependent claims: 8, 9, 10, 11, 12, 14, 15, 16, 17, 18.

13. A computer program product in a non-transitory computer readable medium, the computer program product holding computer program instructions executed by a processor in association with a database access control system wherein database requests directed by a client to a database server are intercepted by an agent and directed to an external security device for validation against a security policy, the computer program instructions comprising program code configured to:
establish first and second channels between the agent and the external security device;
provide, via the first channel, session user information received from the client;
provide, via the second channel, session requests received from the client after establishment of a session associated with the session user information; and
prioritize processing of packets received over the first channel in lieu of packets received over the second channel when the external security device is operating in an overloaded state.

19. A database access control system operated in association with a database client application, and a database server, comprising:
an agent executed in hardware and configured to intercept a database protocol packet stream as the database client application directs requests to the database server; and
a security mechanism executed in hardware and configured to receive a database protocol packet that has been forwarded by the agent for validation;
wherein for a configurable number of packets in the intercepted database protocol packet stream that include session user information associated with initiation of a new session, the agent marks each such database protocol packet and outputs the database protocol packet as marked;
wherein following processing of the configurable number of packets in the database protocol stream, outputting one or more follow-on data packets in the database protocol stream;
wherein the security mechanism prioritizes processing of any marked database protocol packet over a database protocol packet that is not so marked.
Specification