Deploying a security policy based on domain names

US 9,571,452 B2
Filed: 06/29/2015
Issued: 02/14/2017
Est. Priority Date: 07/01/2014
Status: Active Grant

First Claim

Patent Images

1. A method for deploying a security policy based on domain names comprising:

receiving a network request from an endpoint at a firewall, the network request including an address for a remote resource;

when the address includes a domain name, applying the security policy to the network request based upon the domain name; and

when the address includes an Internet Protocol (IP) address, performing the steps of;

transmitting a hypertext transfer protocol (HTTP) GET request from the firewall to the IP address;

receiving a response including a header;

extracting a second domain name associated with the IP address from the header; and

applying the security policy to the network request based upon the second domain name.

View all claims

4 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

A firewall uses a variety of techniques to obtain a useful domain name from a network request, that is, a domain name that facilitates the accurate enforcement of domain-based security rules for network traffic at the firewall. If the network request includes an Internet Protocol (IP) address instead of the domain name, the firewall may begin with a reverse domain name lookup. If this technique fails to adequately resolve the domain name, then the firewall may attempt a hypertext transfer protocol (HTTP) GET request to the IP address and investigate the header for useful domain name information. The firewall may also or instead initiate a secure connection to the IP address and analyze a certificate returned from the destination for the presence of domain name information. These measures can produce one or more domain names that can be collectively analyzed to select a suitable domain name for the application of a domain-based security rule or policy by the firewall.

19 Citations

View as Search Results

21 Claims

1. A method for deploying a security policy based on domain names comprising:
- receiving a network request from an endpoint at a firewall, the network request including an address for a remote resource;
  
  when the address includes a domain name, applying the security policy to the network request based upon the domain name; and
  
  when the address includes an Internet Protocol (IP) address, performing the steps of;
  
  transmitting a hypertext transfer protocol (HTTP) GET request from the firewall to the IP address;
  
  receiving a response including a header;
  
  extracting a second domain name associated with the IP address from the header; and
  
  applying the security policy to the network request based upon the second domain name.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13, 14, 15, 16, 17, 18)
- - 2. The method of claim 1 further comprising:
    - initiating a secure connection from the firewall to the IP address;
      
      receiving a certificate at the firewall from a server responding at the IP address;
      
      analyzing the certificate for name information; and
      
      extracting a third domain name associated with the IP address from the name information.
  - 3. The method of claim 2 wherein the secure connection is a Secure Sockets Layer (SSL) connection.
  - 4. The method of claim 2 wherein the secure connection is initiated through a default port for HTTP over Transport Layer Security/Secure Socket Layer (TLS/SSL).
  - 5. The method of claim 2 wherein the secure connection is initiated through an alternate port for HTTP over TLS/SSL.
  - 6. The method of claim 2 wherein the name information includes at least one of a Common Name or a Subject Alternative Name of a domain that the server is hosting.
  - 7. The method of claim 2 wherein the second domain name and the third domain name are different, the method further comprising selecting one of the second domain name and the third domain name to apply the security policy.
  - 8. The method of claim 1 wherein the header of the response to the HTTP GET request includes a location header containing the second domain name.
  - 9. The method of claim 8 wherein the second domain name is a redirection address.
  - 10. The method of claim 9 wherein the header includes an HTTP status code of 301 identifying the redirection address as a temporary redirection address.
  - 11. The method of claim 9 wherein the header includes an HTTP status code of 302 identifying the redirection address as a permanent redirection address.
  - 12. The method of claim 1 wherein the header includes a cookie identifying the second domain name.
  - 13. The method of claim 1 further comprising, when the address includes the IP address, attempting a reverse domain name lookup.
  - 14. The method of claim 1 wherein the HTTP GET is transmitted to a default HTTP port.
  - 15. The method of claim 1 wherein the HTTP GET is transmitted to an alternate HTTP port.
  - 16. The method of claim 1 wherein the security policy includes a whitelist of acceptable domain names.
  - 17. The method of claim 1 wherein the security policy includes a blacklist of unacceptable domain names.
  - 18. The method of claim 1 wherein, when the address includes an Internet Protocol (IP) address, the method further includes:
    - attempting a reverse domain name lookup;
      
      when the reverse domain name lookup adequately resolves the domain name, applying the security policy based on the domain name; and
      
      when the reverse domain name lookup up fails to adequately resolve the domain name, proceeding with the HTTP GET request to the IP address.

19. A computer program product comprising computer executable code embodied in a non-transitory computer-readable medium that, when executing on a firewall, deploys a security policy for an enterprise by performing the steps of:
- receiving a network request from an endpoint at a firewall, the network request including an address for a remote resource;
  
  when the address includes a domain name, applying the security policy to the network request based upon the domain name; and
  
  when the address includes an Internet Protocol (IP) address, performing the steps of;
  
  transmitting a hypertext transfer protocol (HTTP) GET request from the firewall to the IP address;
  
  receiving a response including a header;
  
  extracting a second domain name associated with the IP address from the header; and
  
  applying the security policy to the network request based upon the second domain name.
- View Dependent Claims (20)
- - 20. The computer program product of claim 19 further comprising code that performs the steps of:
    - initiating a secure connection from the firewall to the IP address;
      
      receiving a certificate at the firewall from a server hosting a source of the IP address;
      
      analyzing the certificate for name information; and
      
      extracting a third domain name associated with the IP address from the name information.

21. A firewall comprising:
- a first network interface coupled to an endpoint;
  
  a second network interface coupled to a remote resource;
  
  a memory containing computer code;
  
  a processor configured to respond to a network request including an address from the endpoint received at the first network interface by performing the steps of;
  
  when the address includes a domain name, applying a security policy to the network request based upon the domain name; and
  
  when the address includes an Internet Protocol (IP) address, performing the steps of;
  
  attempting a reverse domain name lookup and extracting a first domain name associated with the IP address from the reverse domain name lookup, transmitting a hypertext transfer protocol (HTTP) GET request from the firewall to the IP address, receiving a response including a header, extracting a second domain name associated with the IP address from the header, initiating a secure connection from the firewall to the IP address, receiving a certificate at the firewall from a server hosting a source of the IP address, analyzing the certificate for name information, extracting a third domain name associated with the IP address from the name information; and
  
  applying the security policy to the network request based upon at least one of the first domain name, the second domain name, and the third domain name.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Sophos Limited (Sophos Group Ltd.)
Original Assignee
Sophos Limited (Sophos Group Ltd.)
Inventors
Salcedo, Jonathan Egan
Primary Examiner(s)
Poltorak, Peter

Application Number

US14/753,339
Publication Number

US 20160006693A1
Time in Patent Office

596 Days
Field of Search

None
US Class Current

1/1
CPC Class Codes

H04L 61/4511   using domain name system [DNS]

H04L 63/0236   Filtering by address, proto...

H04L 63/0414   during transmission, i.e. p...

H04L 63/20   for managing network securi...

Deploying a security policy based on domain names

First Claim

4 Assignments

0 Petitions

Accused Products

Abstract

19 Citations

21 Claims

Specification

Use Cases

Quick Links

Others

Deploying a security policy based on domain names

First Claim

4 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

19 Citations

21 Claims

Specification

Subscription Required

Use Cases

Quick Links

Others