Communication policy enforcement in a data network

US 8,185,642 B1
Filed: 11/18/2005
Issued: 05/22/2012
Est. Priority Date: 11/18/2005
Status: Active Grant

First Claim

Patent Images

1. A system comprising:

a network device to allow authorized communication between a destination device and a source device, the network device to;

receive a first packet sent from the source device to the destination device;

determine that the first packet does not include authorization information;

provide a message to a policy server that establishes a network policy, the message informing the policy server that authorization information should be included in subsequent packets from the source device to the destination device;

receive, from the policy server, a copy of authorization information associated with the source device;

receive, from the source device, a second packet intended for the destination device;

determine that the second packet includes authorization information;

compare the authorization information included in the second packet with the copy of authorization information received from the policy server; and

forward at least a portion of the second packet to the destination device when the authorization information, included in the second packet, matches the copy of authorization information received from the policy server.

View all claims

12 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

A device is configured to receive authorization information from a first network device and to receive a request that data units sent to a destination device contain authorization information, where the request is received from a second network device. The device is configured to assemble authorized data units by associating the authorization information with content intended for a destination device, where the content can be exchanged with the destination device during authorized communication. The device is configured to provide at least one of the authorized data units to the second network device so that the second network device can establish the authorized communication between the device and the destination device.

24 Citations

View as Search Results

14 Claims

1. A system comprising:
- a network device to allow authorized communication between a destination device and a source device, the network device to;
  
  receive a first packet sent from the source device to the destination device;
  
  determine that the first packet does not include authorization information;
  
  provide a message to a policy server that establishes a network policy, the message informing the policy server that authorization information should be included in subsequent packets from the source device to the destination device;
  
  receive, from the policy server, a copy of authorization information associated with the source device;
  
  receive, from the source device, a second packet intended for the destination device;
  
  determine that the second packet includes authorization information;
  
  compare the authorization information included in the second packet with the copy of authorization information received from the policy server; and
  
  forward at least a portion of the second packet to the destination device when the authorization information, included in the second packet, matches the copy of authorization information received from the policy server.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9)
- - 2. The system of claim 1, where the network device is further to:
    - receive additional authorization information from the policy server, where the additional authorization information is used to establish a communication channel between the source device and the network device, where the communication channel transports encapsulated packets.
  - 3. The system of claim 2, where the network device extracts a packet from one of the encapsulated packets and makes the extracted packet available to the destination device.
  - 4. The system of claim 1, where the network device makes at least a portion of the authorization information, included in the second packet, available to the policy server to determine if the authorization information is legitimate.
  - 5. The system of claim 1, where the authorization information, included in the second packet, comprises a token.
  - 6. The system of claim 5, where the token comprises information associated with at least one of an identity of the source device, an identity of a user associated with the source device, a health of the source device, a set of access rules for the source device, or a protocol to use for the authorized communication.
  - 7. The system of claim 6, where the health of the source device comprises information about a version of software operating on the source device.
  - 8. The system of claim 5, where the token includes a reference to information that authorizes the source device.
  - 9. The system of claim 1, where the authorization information comprises an Internet Protocol (IP) packet that can be operated on by the destination device or another device on the network.

10. A method, performed by a network device, for establishing authorized communication between a source device and a destination device, the method comprising:
- receiving a first packet from the source device, the first packet being intended for the destination device;
  
  determining that the first packet does not include authorization information;
  
  providing, to a policy server, a message in response to determining that the first packet does not include authorization information, the message informing the policy server that authorization information should be included in subsequent communication from the source device;
  
  intercepting a second packet from the source device, the second packet being intended for the destination device;
  
  determining that the second packet includes authorization information;
  
  receiving a copy of authorization information from the policy server;
  
  processing the authorization information, in response to determining that the second packet includes authorization information, to determine whether the authorization information, included in the received second packet, matches the received copy of the authorization information; and
  
  forwarding the second packet to the destination device when the authorization information included in the received second packet matches the received copy of the authorization information.
- View Dependent Claims (11, 12, 13)
- - 11. The method of claim 10, where processing the authorization information comprises:
    - comparing a first token, included in the authorization information included in the second packet, with a second token included in the received copy of authorization information.
  - 12. The method of claim 10, where the forwarding comprises:
    - providing the second packet to the destination device without the authorization information.
  - 13. The method of claim 10, where the processing further comprises:
    - using the authorization information to establish an Internet Protocol secure (IPsec) tunnel with the source device.

14. A network device, comprising:
- a processor; and
  
  a memory to store one or more instructions which when executed by the processor, cause the processor to;
  
  receive a first packet from a source device, the first packet being intended for a destination device;
  
  determine that the first packet does not include authorization information;
  
  receive a copy of authorization information from a policy server, where the copy of authorization information is used to determine if communication between the source device and the destination device can be authorized;
  
  send, to the policy server, a request that subsequent packets from the source device, intended for the destination device, contain authorization information;
  
  receive, from the source device, subsequent packets;
  
  determine that the subsequent packets include authorization information;
  
  compare the authorization information included in the subsequent packets with the received copy of the authorization information; and
  
  allow at least a portion of the subsequent packets to reach the destination device when the authorization information, included in the subsequent packets, matches the copy of the authorization information received from the policy server.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Pulse Secure, LLC (Ivanti Software, Inc.)
Original Assignee
Juniper Networks Incorporated
Inventors
Tock, Theron, Chickering, Roger A.
Primary Examiner(s)
Moore, Ian N
Assistant Examiner(s)
Nguyen, Thai

Application Number

US11/281,905
Time in Patent Office

2,377 Days
Field of Search

726/26, 726 1- 21
US Class Current

709/229
CPC Class Codes

H04L 63/0227   Filtering policies mail mes...

H04L 63/102   Entity profiles

H04L 63/126   the source of the received ...

Communication policy enforcement in a data network

First Claim

12 Assignments

0 Petitions

Accused Products

Abstract

24 Citations

14 Claims

Specification

Solutions

Use Cases

Quick Links

Communication policy enforcement in a data network

First Claim

12 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

24 Citations

14 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links