METHODS AND SYSTEMS FOR PROTECTING A SECURED NETWORK

US 20200137121A1
Filed: 12/27/2019
Published: 04/30/2020
Est. Priority Date: 10/22/2012
Status: Active Grant

First Claim

Patent Images

1. A method of filtering packets at a packet security gateway, of a plurality of packet security gateways that collectively provide an entire interface across a boundary of a network protected by the packet security gateway and one or more networks other than the network protected by the packet security gateway, the method comprising:

receiving, by the packet security gateway and from a security policy management server external from the network protected by the packet security gateway, a dynamic security policy comprising a first set of packet filtering rules to be applied to all network traffic traversing the boundary, wherein;

each packet filtering rule of the first set of packet filtering rules comprises at least one packet matching criterion and a corresponding packet transformation function, andone or more first packet filtering rules of the first set of packet filtering rules were automatically created or altered by the security policy management server based on malicious traffic information received from a malicious host tracker service;

performing, on a packet by packet basis, packet filtering on a first portion of packets corresponding to network traffic traversing the boundary via the packet security gateway based on the first set of packet filtering rules by performing at least one packet transformation function specified by at least one packet filtering rule of the first set of packet filtering rules on the first portion of packets;

receiving, by the packet security gateway and after performing packet filtering on the first portion of the packets, an updated second set of packet filtering rules for the dynamic security policy from the security policy management server, wherein the updated second set of packet filtering rules comprises an update to the one or more first packet filtering rules created or altered by the security policy management server based on updated malicious traffic information received from the malicious host tracker service; and

performing, on a packet by packet basis, packet filtering on a second portion of the packets corresponding to network traffic traversing the boundary via the packet security gateway based on the updated second set of packet filtering rules by performing at least one packet transformation function specified by at least one packet filtering rule of the second set of packet filtering rules on the second portion of packets.

View all claims

2 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

Methods and systems for protecting a secured network are presented. For example, one or more packet security gateways may be associated with a security policy management server. At each packet security gateway, a dynamic security policy may be received from the security policy management server, packets associated with a network protected by the packet security gateway may be received, and at least one of multiple packet transformation functions specified by the dynamic security policy may be performed on the packets. Performing the at least one of multiple packet transformation functions specified by the dynamic security policy on the packets may include performing at least one packet transformation function other than forwarding or dropping the packets.

12 Citations

View as Search Results

27 Claims

1. A method of filtering packets at a packet security gateway, of a plurality of packet security gateways that collectively provide an entire interface across a boundary of a network protected by the packet security gateway and one or more networks other than the network protected by the packet security gateway, the method comprising:
- receiving, by the packet security gateway and from a security policy management server external from the network protected by the packet security gateway, a dynamic security policy comprising a first set of packet filtering rules to be applied to all network traffic traversing the boundary, wherein;
  
  each packet filtering rule of the first set of packet filtering rules comprises at least one packet matching criterion and a corresponding packet transformation function, andone or more first packet filtering rules of the first set of packet filtering rules were automatically created or altered by the security policy management server based on malicious traffic information received from a malicious host tracker service;
  
  performing, on a packet by packet basis, packet filtering on a first portion of packets corresponding to network traffic traversing the boundary via the packet security gateway based on the first set of packet filtering rules by performing at least one packet transformation function specified by at least one packet filtering rule of the first set of packet filtering rules on the first portion of packets;
  
  receiving, by the packet security gateway and after performing packet filtering on the first portion of the packets, an updated second set of packet filtering rules for the dynamic security policy from the security policy management server, wherein the updated second set of packet filtering rules comprises an update to the one or more first packet filtering rules created or altered by the security policy management server based on updated malicious traffic information received from the malicious host tracker service; and
  
  performing, on a packet by packet basis, packet filtering on a second portion of the packets corresponding to network traffic traversing the boundary via the packet security gateway based on the updated second set of packet filtering rules by performing at least one packet transformation function specified by at least one packet filtering rule of the second set of packet filtering rules on the second portion of packets.
- View Dependent Claims (2, 3, 4, 5, 6, 7)
- - 2. The method of claim 1, wherein the at least one packet matching criterion corresponding to the one or more first packet filtering rules automatically created or altered by the security policy management server comprises at least one network address indicated by the malicious traffic information.
  - 3. The method of claim 1, wherein the malicious host tracker service comprises a subscription service that aggregates information associated with malicious network traffic.
  - 4. The method of claim 1, wherein the malicious traffic information comprises a list of network addresses known to be associated with malicious network traffic.
  - 5. The method of claim 1, wherein at least one packet transformation function comprises a network protective action.
  - 6. The method of claim 1, further comprising:
    - receiving, by the packet security gateway, packets in a network layer transparent manner using an interface that is not addressed at the network layer; and
      
      performing the at least one packet transformation function specified by at least one packet filtering rule of the first set of packet filtering rules on the first portion of packets at the network layer.
  - 7. The method of claim 1, wherein one or more packet filtering rules of the first set of packet filtering rules specify a packet transformation function other than forwarding or dropping the corresponding packets.

8. A packet security gateway, of a plurality of packet security gateways that collectively provide an entire interface across a boundary of a network protected by the packet security gateway and one or more networks other than the network protected by the packet security gateway, comprising:
- one or more processors; and
  
  memory storing instructions that, when executed by the one or more processors, cause the packet security gateway to;
  
  receive, from a security policy management server external from the network protected by the packet security gateway, a dynamic security policy comprising a first set of packet filtering rules to be applied to all network traffic traversing the boundary, wherein;
  
  each packet filtering rule of the first set of packet filtering rules comprises at least one packet matching criterion and a corresponding packet transformation function, andone or more first packet filtering rules of the first set of packet filtering rules were automatically created or altered by the security policy management server based on malicious traffic information received from a malicious host tracker service;
  
  perform, on a packet by packet basis, packet filtering on a first portion of packets corresponding to network traffic traversing the boundary via the packet security gateway based on the first set of packet filtering rules by performing at least one packet transformation function specified by at least one packet filtering rule of the first set of packet filtering rules on the first portion of packets;
  
  receive, after performing packet filtering on the first portion of the packets, an updated second set of packet filtering rules for the dynamic security policy from the security policy management server, wherein the updated second set of packet filtering rules comprises an update to the one or more first packet filtering rules created or altered by the security policy management server based on updated malicious traffic information received from the malicious host tracker service; and
  
  perform, on a packet by packet basis, packet filtering on a second portion of the packets corresponding to network traffic traversing the boundary via the packet security gateway based on the updated second set of packet filtering rules by performing at least one packet transformation function specified by at least one packet filtering rule of the second set of packet filtering rules on the second portion of packets.
- View Dependent Claims (9, 10, 11, 12, 13, 14)
- - 9. The packet security gateway of claim 8, wherein the at least one packet matching criterion corresponding to the one or more first packet filtering rules automatically created or altered by the security policy management server comprises at least one network address indicated by the malicious traffic information.
  - 10. The packet security gateway of claim 8, wherein the malicious host tracker service comprises a subscription service that aggregates information associated with malicious network traffic.
  - 11. The packet security gateway of claim 8, wherein the malicious traffic information comprises a list of network addresses known to be associated with malicious network traffic.
  - 12. The packet security gateway of claim 8, wherein at least one packet transformation function comprises a network protective action.
  - 13. The packet security gateway of claim 8, wherein the instructions further cause the packet security gateway to:
    - receive packets in a network layer transparent manner using an interface that is not addressed at the network layer; and
      
      perform the at least one packet transformation function specified by at least one packet filtering rule of the first set of packet filtering rules on the first portion of packets at the network layer.
  - 14. The packet security gateway of claim 8, wherein one or more packet filtering rules of the first set of packet filtering rules specify a packet transformation function other than forwarding or dropping the corresponding packets.

15. One or more non-transitory computer readable media storing instructions that, when executed by at least one processor, cause a packet security gateway, of a plurality of packet security gateways that collectively provide an entire interface across a boundary of a network protected by the packet security gateway and one or more networks other than the network protected by the packet security gateway, to perform steps comprising:
- receiving, from a security policy management server external from the network protected by the packet security gateway, a dynamic security policy comprising a first set of packet filtering rules to be applied to all network traffic traversing the boundary, wherein;
  
  each packet filtering rule of the first set of packet filtering rules comprises at least one packet matching criterion and a corresponding packet transformation function, andone or more first packet filtering rules of the first set of packet filtering rules were automatically created or altered by the security policy management server based on malicious traffic information received from a malicious host tracker service;
  
  performing, on a packet by packet basis, packet filtering on a first portion of packets corresponding to network traffic traversing the boundary via the packet security gateway based on the first set of packet filtering rules by performing at least one packet transformation function specified by at least one packet filtering rule of the first set of packet filtering rules on the first portion of packets;
  
  receiving, after performing packet filtering on the first portion of the packets, an updated second set of packet filtering rules for the dynamic security policy from the security policy management server, wherein the updated second set of packet filtering rules comprises an update to the one or more first packet filtering rules created or altered by the security policy management server based on updated malicious traffic information received from the malicious host tracker service; and
  
  performing, on a packet by packet basis, packet filtering on a second portion of the packets corresponding to network traffic traversing the boundary via the packet security gateway based on the updated second set of packet filtering rules by performing at least one packet transformation function specified by at least one packet filtering rule of the second set of packet filtering rules on the second portion of packets.
- View Dependent Claims (16, 17, 18, 19, 20)
- - 16. The computer readable media of claim 15, wherein the at least one packet matching criterion corresponding to the one or more first packet filtering rules automatically created or altered by the security policy management server comprises at least one network address indicated by the malicious traffic information.
  - 17. The computer readable media of claim 15, wherein the malicious host tracker service comprises a subscription service that aggregates information associated with malicious network traffic, and wherein the malicious traffic information comprises a list of network addresses known to be associated with malicious network traffic.
  - 18. The computer readable media of claim 15, wherein at least one packet transformation function comprises a network protective action.
  - 19. The computer readable media of claim 15, further comprising:
    - receiving, by the packet security gateway, packets in a network layer transparent manner using an interface that is not addressed at the network layer; and
      
      performing the at least one packet transformation function specified by at least one packet filtering rule of the first set of packet filtering rules on the first portion of packets at the network layer.
  - 20. The computer readable media of claim 15, wherein one or more packet filtering rules of the first set of packet filtering rules specify a packet transformation function other than forwarding or dropping the corresponding packets.

21. A method of filtering packets at a packet security gateway configured for protection of a network and associated with a security policy management server external from the network, the method comprising:
- receiving, by the packet security gateway, a dynamic security policy comprising a first set of packet filtering rules from the security policy management server, wherein each packet filtering rule of the first set of packet filtering rules comprises at least one packet matching criterion and a corresponding packet transformation function, and wherein one or more first packet filtering rules of the first set of packet filtering rules were automatically created or altered by the security policy management server based on malicious traffic information received from a malicious host tracker service;
  
  performing, on a packet by packet basis, packet filtering on a first portion of packets associated with the network protected by the packet security gateway based on the first set of packet filtering rules by performing at least one of multiple packet transformation functions specified by at least one packet filtering rule of the first set of packet filtering rules on the first portion of packets;
  
  receiving, by the packet security gateway and after performing packet filtering on the first portion of the packets, an updated second set of packet filtering rules for the dynamic security policy from the security policy management server, wherein the updated second set of packet filtering rules comprises an update to the one or more first packet filtering rules created or altered by the security policy management server based on updated malicious traffic information received from the malicious host tracker service; and
  
  performing, on a packet by packet basis, packet filtering on a second portion of the packets associated with the network protected by the packet security gateway based on the updated second set of packet filtering rules.
- View Dependent Claims (22, 23, 24, 25, 26, 27)
- - 22. The method of claim 21, wherein the at least one packet matching criterion corresponding to the one or more first packet filtering rules automatically created or altered by the security policy management server comprises at least one network address indicated by the malicious traffic information.
  - 23. The method of claim 21, wherein the malicious host tracker service comprises a subscription service that aggregates information associated with malicious network traffic.
  - 24. The method of claim 21, wherein the malicious traffic information comprises a list of network addresses known to be associated with malicious network traffic.
  - 25. The method of claim 21, wherein at least one packet transformation function comprises a network protective action.
  - 26. The method of claim 21, further comprising:
    - receiving, by the packet security gateway, packets in a network layer transparent manner using an interface that is not addressed at the network layer; and
      
      performing the at least one packet transformation function specified by at least one packet filtering rule of the first set of packet filtering rules on the first portion of packets at the network layer.
  - 27. The method of claim 21, wherein one or more packet filtering rules of the first set of packet filtering rules specify a packet transformation function other than forwarding or dropping the corresponding packets.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Centripetal Networks, Inc.
Original Assignee
Centripetal Networks, Inc.
Inventors
Rogers, Steven, Moore, Sean

Granted Patent

US 10,785,266 B2
Time in Patent Office

Days
Field of Search
US Class Current
CPC Class Codes

H04L 63/0209   Architectural arrangements,...

H04L 63/0218   Distributed architectures, ...

H04L 63/0236   Filtering by address, proto...

H04L 63/0263   Rule management

H04L 63/20   for managing network securi...

H04L 67/02   based on web technology, e....

METHODS AND SYSTEMS FOR PROTECTING A SECURED NETWORK

First Claim

2 Assignments

0 Petitions

Accused Products

Abstract

12 Citations

27 Claims

Specification

Use Cases

Quick Links

Others

METHODS AND SYSTEMS FOR PROTECTING A SECURED NETWORK

First Claim

2 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

12 Citations

27 Claims

Specification

Subscription Required

Use Cases

Quick Links

Others