System and method for limiting data leakage
Abstract
System and methods for connection processing with limited data leakage. The system records state associated with a connection request in a connection state engine, records state associated with a connection acknowledgement in the connection state engine, stores data sent after the connection acknowledgement in a buffer and determines, without a proxy, whether to allow or deny a connection as a function of the data stored in the buffer.
Claims
(11 claims in total; 9 citations. The independent claims are reproduced below; dependent claims are listed by number only.)

1. A system for applying a security policy to connections between a first computer on a first network and a second computer on a second network, comprising:
a buffer, wherein the buffer is sized to receive and buffer data associated with a connection request;
a receiver coupled to the buffer; and
a connection state engine connected to the buffer;
wherein the connection state engine is configured to receive an indication of the connection request from the first computer for a connection to the second computer and record initial state information and option parameters associated with the connection request;
wherein the connection state engine is configured to record current connection state information associated with the connection request after the connection state engine receives an indication that the second computer has sent an acknowledgement to the first computer;
wherein the receiver is configured to receive data into the buffer from one of the first or second computers after the acknowledgement,
wherein the connection state engine is configured to read the received data from the buffer and is configured to deny use of the connection based on a pre-agent check that applies a security policy to the received data without forwarding the received data, responsive to receiving the indication that the second computer has sent an acknowledgement to the first computer, and
wherein the security policy is expressed as a hierarchical set of rules, including rules based on reputation information assigned dynamically to a sender of the received data.
Dependent claims: 2 (not shown on this page).
3. A system for applying a security policy to connections between a first computer on a first network and a second computer on a second network, comprising:
a buffer, wherein the buffer is sized to receive and buffer data associated with a connection request;
a receiver coupled to the buffer;
one or more proxies connected to the buffer; and
a connection state engine connected to the buffer and the proxies;
wherein the connection state engine is configured to receive an indication of the connection request from the first computer for a connection to the second computer and record initial state information and option parameters associated with the connection request;
wherein the connection state engine is configured to receive an indication of a connection acknowledgement being sent from the second computer to the first computer and record state associated with the connection acknowledgement;
wherein the receiver is configured to receive data into the buffer from one of the first or second computers after the connection acknowledgement is received at the first computer; and
wherein the connection state engine is configured to read the received data from the buffer, determine whether the connection should be promoted to one of the proxies based on a pre-agent check that applies a security policy to the received data, and promote the connection to a selected one of the proxies when it determines the connection should be promoted,
wherein the selected proxy is configured to read current connection state information associated with the connection request and the connection acknowledgement and establish socket connections to the first and second computers as a function of the recorded state such that the connection changes into a proxy connection, responsive to the determination that the connection should be promoted, and
wherein the security policy is expressed as a hierarchical set of rules, including rules based on reputation information assigned dynamically to a sender of the received data.
Dependent claims: 4, 5 (not shown on this page).
6. In a system for applying a security policy to connections between a first computer on a first network and a second computer on a second network, a method of determining whether to deny use of the connections, comprising:
receiving a connection request from the first computer;
recording initial state information and option parameters associated with the connection request;
receiving a connection request acknowledgement from the second computer;
recording current connection state information associated with the connection request acknowledgement;
storing in a buffer data received from one of the first or second computers after the connection request acknowledgement has been received at the first computer; and
determining, as a function of the received data stored in the buffer, whether to deny use of the connection, responsive to receiving the connection request acknowledgement, based on a pre-agent check that applies the security policy to the received data, the security policy expressed as a hierarchical set of rules, including rules based on reputation information assigned dynamically to a sender of the received data,
wherein, when use of the connection is denied, none of the received data is forwarded using the connection associated with the connection request between the first and second computer.
Dependent claims: 7 (not shown on this page).
8. In a system for applying a security policy to connections between a first computer on a first network and a second computer on a second network, a method of determining whether to deny use of the connections, comprising:
receiving a connection request from the first computer;
recording initial state information and option parameters associated with the connection request;
receiving a connection request acknowledgement from the second computer;
recording current connection state information associated with the connection request acknowledgement;
storing in a buffer data associated with the connection request, wherein the data is received from one of the first or second computers after the connection request acknowledgement has been received at the first computer;
determining, as a function of the data stored in the buffer, whether to promote a message containing the data to a proxy, responsive to receiving the connection request acknowledgement, based on a pre-agent check that applies the security policy to the received data, wherein the security policy is expressed as a hierarchical set of rules, including rules based on reputation information assigned dynamically to a sender of the received data;
receiving, at the proxy, information corresponding to the message; and
establishing socket connections to the first and second computers as a function of the recorded connection state information such that the connection changes into a proxy connection.
Dependent claims: 9 (not shown on this page).
10. A non-transitory machine-readable medium, on which are stored instructions, comprising instructions that when executed cause a machine to:
receive a connection request from a first computer on a first network;
record initial state information and option parameters associated with the connection request;
receive a connection request acknowledgement from a second computer on a second network;
record current connection state information associated with the connection request acknowledgement;
store in a buffer data received from one of the first or second computers after the connection request acknowledgement has been received at the first computer; and
determine, as a function of the received data stored in the buffer, whether to deny use of the connection, responsive to receiving the connection request acknowledgement, based on a pre-agent check that applies the security policy to the received data, wherein the security policy expressed as a hierarchical set of rules, including rules based on reputation information assigned dynamically to a sender of the received data, and
wherein, when use of the connection is denied, none of the received data is forwarded using the connection associated with the connection request between the first and second computer.
Dependent claims: 11 (not shown on this page).
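The abstract and the claims above describe one mechanism from several angles: record the connection request and its option parameters, record the acknowledgement, hold the first data after the handshake in a buffer, apply a hierarchical policy with dynamic sender reputation to that buffered data before anything is forwarded, and then either deny the connection (so none of the buffered data ever leaves) or promote it to a proxy that rebuilds both sides from the recorded state. The following Python sketch is an added illustration of that flow; it is not the patent's own code nor any product's implementation. Every class, function, field and rule name, the reputation threshold and penalty, the buffer limit, the sequence numbers and the sample payloads are assumptions constructed for the example, and the "sockets" the proxy builds are plain descriptors rather than real connections.

```python
from dataclasses import dataclass, field
from enum import Enum
from typing import Callable, Optional

class Verdict(Enum):
    ALLOW = "allow"      # pass through without a proxy
    DENY = "deny"        # tear down; nothing in the buffer is ever forwarded
    PROMOTE = "promote"  # hand the connection to an application proxy

@dataclass
class ConnState:  # per-connection state the engine records; field names are assumptions
    client: tuple
    server: tuple
    syn_options: dict             # option parameters seen on the connection request
    syn_seq: int
    synack_seq: Optional[int] = None
    acknowledged: bool = False
    buffer: bytes = b""           # first data, held until the policy has decided
    released: bytes = b""         # what left the buffer (to the wire or to a proxy)
    verdict: Optional[Verdict] = None

@dataclass
class Rule:
    """Node of the hierarchical policy; a matching child overrides its parent."""
    name: str
    match: Callable[[ConnState, bytes, float], bool]
    verdict: Verdict
    children: list = field(default_factory=list)

class ReputationStore:
    """Sender reputation assigned dynamically: neutral by default, moved by events."""
    def __init__(self, default=50.0):
        self.scores, self.default = {}, default
    def get(self, ip):
        return self.scores.get(ip, self.default)
    def record(self, ip, delta):
        self.scores[ip] = max(0.0, min(100.0, self.get(ip) + delta))

class ConnectionStateEngine:
    def __init__(self, policy, reputation, buffer_limit=4096):
        self.policy, self.rep, self.limit, self.conns = policy, reputation, buffer_limit, {}

    def on_syn(self, client, server, seq, options):
        self.conns[client, server] = ConnState(client, server, dict(options), seq)
        return client, server

    def on_synack(self, key, seq):
        self.conns[key].synack_seq, self.conns[key].acknowledged = seq, True

    def on_data(self, key, sender_ip, payload):
        """Pre-agent check: buffer, evaluate, and only then release or deny."""
        st = self.conns[key]
        if not st.acknowledged or len(st.buffer) + len(payload) > self.limit:
            st.verdict = Verdict.DENY    # data before the handshake, or oversize: fail closed
            return st.verdict
        st.buffer += payload
        st.verdict = self._evaluate(self.policy, st, st.buffer, self.rep.get(sender_ip), Verdict.DENY)
        if st.verdict is Verdict.DENY:
            self.rep.record(sender_ip, -40)  # a denial lowers the sender's standing
        else:
            st.released = st.buffer          # nothing leaves the buffer before this point
        return st.verdict

    def _evaluate(self, rules, st, data, rep, fallback):
        for rule in rules:                   # first match wins at each level
            if rule.match(st, data, rep):
                return self._evaluate(rule.children, st, data, rep, rule.verdict)
        return fallback                      # no match: parent's verdict, or DENY at the top

def promote_to_proxy(st):  # proxy side: both endpoints derived from the recorded state
    if st.verdict is not Verdict.PROMOTE:
        raise ValueError("only a promoted connection can be proxied")
    return {"client_side": {"peer": st.client, "seq": st.synack_seq + 1, "options": st.syn_options},
            "server_side": {"peer": st.server, "seq": st.syn_seq + 1, "options": st.syn_options},
            "initial_data": st.released}    # the proxy replays the buffered first data

def build_policy():
    return [
        Rule("low-reputation", lambda st, d, rep: rep < 20, Verdict.DENY),
        Rule("http", lambda st, d, rep: d.split(b" ", 1)[0] in {b"GET", b"POST", b"CONNECT"}, Verdict.PROMOTE,
             children=[Rule("http-connect", lambda st, d, rep: d.startswith(b"CONNECT "), Verdict.DENY)]),
        Rule("tls-client-hello", lambda st, d, rep: d[:3] == b"\x16\x03\x01", Verdict.ALLOW),
    ]

def run_demo():
    """Constructed flows (not captured traffic); the last repeats a sender whose reputation fell."""
    eng = ConnectionStateEngine(build_policy(), ReputationStore())
    server, results = ("192.0.2.10", 80), {}
    flows = [("get", "10.0.0.5", b"GET / HTTP/1.1\r\nHost: example\r\n\r\n"),
             ("connect", "10.0.0.5", b"CONNECT 198.51.100.7:443 HTTP/1.1\r\n\r\n"),
             ("tls", "10.0.0.6", b"\x16\x03\x01\x00\xc8\x01\x00\x00\xc4\x03\x03"),
             ("junk", "10.0.0.7", b"\x00\x00\x00garbage"),
             ("get-after-penalty", "10.0.0.5", b"GET / HTTP/1.1\r\nHost: example\r\n\r\n")]
    for port, (label, ip, payload) in enumerate(flows, start=40000):
        key = eng.on_syn((ip, port), server, seq=1000, options={"mss": 1460, "wscale": 7})
        eng.on_synack(key, seq=5000)
        verdict, st = eng.on_data(key, ip, payload), eng.conns[key]
        results[label] = (verdict, st.released, promote_to_proxy(st) if verdict is Verdict.PROMOTE else None)
    return results
```

Two design points carry the security weight. First, `released` stays empty whenever the verdict is deny, including the fail-closed cases (data before the acknowledgement, an oversized first segment, or no matching rule), which is the "without forwarding the received data" property of claims 1, 6 and 10. Second, promotion does not renegotiate anything with the peers: the proxy is handed the recorded addresses, option parameters and sequence numbers plus the buffered first data, which is what lets a connection that started as a pass-through turn into a proxy connection after the handshake has already completed.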