System and method for interlocking a host and a gateway

US 9,866,528 B2
Filed: 08/17/2015
Issued: 01/09/2018
Est. Priority Date: 02/23/2011
Status: Active Grant

First Claim

Patent Images

1. At least one non-transitory computer readable medium having logic encoded therein, wherein the logic, when executed by one or more processors, is operable to perform operations comprising:

receiving, at a network gateway, a session descriptor from a host, wherein the session descriptor identifies an application file associated with a process on the host attempting to establish a network connection via the network gateway;

selecting a network policy to be applied to network traffic associated with the host based, at least in part, on information contained in the session descriptor, wherein based on the information including an indication of a wireless network connection and a wired network connection being active simultaneously on the host, the network policy is selected to restrict access to sensitive data by the application file via the network connection;

correlating network traffic received by the network gateway with the host based on a universally unique identifier (UUID) contained in the session descriptor; and

applying the network policy to the network traffic.

View all claims

9 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

A method is provided in one example embodiment and includes exchanging a session descriptor associated with a network connection and an application on a host, correlating the session descriptor with a network policy, and applying the network policy to the network connection. In alternative embodiments, the session descriptor may be exchanged through an out-of-band communication channel or an in-band communication channel.

417 Citations

19 Claims

1. At least one non-transitory computer readable medium having logic encoded therein, wherein the logic, when executed by one or more processors, is operable to perform operations comprising:
- receiving, at a network gateway, a session descriptor from a host, wherein the session descriptor identifies an application file associated with a process on the host attempting to establish a network connection via the network gateway;
  
  selecting a network policy to be applied to network traffic associated with the host based, at least in part, on information contained in the session descriptor, wherein based on the information including an indication of a wireless network connection and a wired network connection being active simultaneously on the host, the network policy is selected to restrict access to sensitive data by the application file via the network connection;
  
  correlating network traffic received by the network gateway with the host based on a universally unique identifier (UUID) contained in the session descriptor; and
  
  applying the network policy to the network traffic.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12)
- - 2. The at least one non-transitory computer readable medium of claim 1, wherein the network traffic received by the network gateway is associated with a first altered network address provided by a network address translator.
  - 3. The at least one non-transitory computer readable medium of claim 2, the operations further comprising:
    - correlating second network traffic received at the network gateway with the host based on the UUID contained in a second session descriptor, wherein the second network traffic is associated with a second altered network address provided by the network address translator; and
      
      applying a second network policy to the second network traffic.
  - 4. The at least one non-transitory computer readable medium of claim 1, wherein the session descriptor is communicated from the host to the network gateway through an out-of-band communication channel.
  - 5. The at least one non-transitory computer readable medium of claim 1, wherein the session descriptor is communicated from the host to the network gateway through an in-band communication channel.
  - 6. The at least one non-transitory computer readable medium of claim 5, wherein the session descriptor is encoded in one or more messages associated with the network connection.
  - 7. The at least one non-transitory computer readable medium of claim 1, wherein the operations further comprise:
    - identifying a protocol used by the application file for the network connection; and
      
      determining whether the protocol is permitted for use by the application file, wherein the network policy is applied to block the network connection based on determining the application file is not permitted to use the identified protocol for the network connection.
  - 8. The at least one non-transitory computer readable medium of claim 1, wherein the network policy is applied to rate-limit communication over the network connection based, at least in part, on the application file.
  - 9. The at least one non-transitory computer readable medium of claim 1, wherein the network policy is associated with a whitelist that restricts protocols that may be used by the application.
  - 10. The at least one non-transitory computer readable medium of claim 1, wherein the session descriptor indicates whether a local antivirus system is running in the host.
  - 11. The at least one non-transitory computer readable medium of claim 1, wherein the session descriptor indicates a file type of the application file.
  - 12. The at least one non-transitory computer readable medium of claim 1, wherein the session descriptor indicates whether a mountable read/write media is attached to the host during the network connection.

13. A network gateway, comprising:
- a firewall module; and
  
  one or more hardware processors operable to execute instructions associated with the firewall module, the one or more processors being operable to;
  
  receive a session descriptor from a host, wherein the session descriptor identifies an application file associated with a process on the host attempting to establish a network connection via the network gateway;
  
  select a network policy to be applied to network traffic associated with the host based, at least in part, on information contained in the session descriptor, wherein based on the information including an indication of a wireless network connection and a wired network connection being active simultaneously on the host, the network policy is selected to restrict access to sensitive data by the application file via the network connection;
  
  correlate network traffic received by the network gateway with the host based on a universally unique identifier (UUID) contained in the session descriptor; and
  
  apply the network policy to the network traffic.
- View Dependent Claims (14, 15, 16)
- - 14. The network gateway of claim 13, wherein the network traffic received by the network gateway is associated with a first altered network address provided by a network address translator.
  - 15. The network gateway of claim 13, the one or more processors being further operable to:
    - correlate second network traffic received at the network gateway with the host based on the UUID contained in a second session descriptor, wherein the second network traffic is associated with a second altered network address provided by the network address translator; and
      
      apply a second network policy to the second network traffic.
  - 16. The network gateway of claim 13, the one or more processors being further operable to:
    - identify the session descriptor encoded in one or more messages associated with the network connection and received from the host through an in-band communication channel; and
      
      extract the session descriptor from the one or more messages.

17. A method, comprising:
- receiving, at a network gateway, a session descriptor from a host, wherein the session descriptor identifies an application file associated with a process on the host attempting to establish a network connection via the network gateway;
  
  selecting a network policy to be applied to network traffic associated with the host based, at least in part, on information contained in the session descriptor, wherein based on the information including an indication of a wireless network connection and a wired network connection being active simultaneously on the host, the network policy is selected to restrict access to sensitive data by the application file via the network connection;
  
  correlating network traffic received by the network gateway with the host based on a universally unique identifier (UUID) contained in the session descriptor; and
  
  applying the network policy to the network traffic.
- View Dependent Claims (18, 19)
- - 18. The method of claim 17, further comprising:
    - correlating second network traffic received at the network gateway with the host based on the UUID contained in a second session descriptor, wherein the second network traffic is associated with an altered network address provided by a network address translator; and
      
      applying a second network policy to the second network traffic.
  - 19. The method of claim 17, further comprising:
    - identifying the session descriptor encoded in one or more messages associated with the network connection and received from the host through an in-band communication channel; and
      
      extracting the session descriptor from the one or more messages.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
McAfee, LLC
Original Assignee
McAfee, LLC
Inventors
Cooper, Geoffrey Howard, Diehl, David Frederick, Mahadik, Vinay A., Venugopalan, Ramnath
Primary Examiner(s)
Wang, Harris C

Application Number

US14/827,396
Publication Number

US 20150365380A1
Time in Patent Office

876 Days
Field of Search

726 1
US Class Current
CPC Class Codes

H04L 47/125   by balancing the load, e.g....

H04L 63/0218   Distributed architectures, ...

H04L 63/0245   Filtering by information in...

H04L 63/0254   Stateful filtering

H04L 63/029   Firewall traversal, e.g. tu...

H04L 63/102   Entity profiles

H04L 63/20   for managing network securi...

H04L 67/146   Markers for unambiguous ide...

System and method for interlocking a host and a gateway

First Claim

9 Assignments

0 Petitions

Accused Products

Abstract

417 Citations

19 Claims

Specification

Use Cases

Quick Links

Others

System and method for interlocking a host and a gateway

First Claim

9 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

417 Citations

19 Claims

Specification

Subscription Required

Use Cases

Quick Links

Others