Patent Grant
9973472
The present technology is generally directed to computer security, and more specifically, but not by way of limitation, to computer network security.
Some embodiments include methods comprising: writing, by a policy engine, entries in a forwarding table of a switch through an application programming interface (API) of the switch, such that first data packets from a first host and directed to a second host are forwarded by the switch to an enforcement point; receiving, by the switch, the first data packets; forwarding, by the switch, the first data packets to the enforcement point using the forwarding table; determining, by the enforcement point, whether the first data packets violate a high-level security policy using a low-level rule set; configuring, by the enforcement point, the forwarding table through the API such that second data packets are forwarded by the switch to the second host, in response to determining the first data packets do not violate the security policy; configuring, by the enforcement point, the forwarding table through the API such that the second data packets are dropped or forwarded to a security function by the switch, in response to determining the first data packets violate the security policy; receiving, by the switch, second data packets; and selectively dropping or forwarding the second data packets, by the switch, in accordance with the configuration.
Various embodiments include systems comprising: a data network; a plurality of hosts communicatively coupled to the data network; a switch communicatively coupled to the data network, including a forwarding table and an application programming interface (API); an enforcement point communicatively coupled to the data network; and a policy engine communicatively coupled to the data network, wherein the system performs a method comprising: writing, by the policy engine, entries in the forwarding table of the switch through the application programming interface (API), such that first data packets from a first host and directed to a second host are forwarded by the switch to the enforcement point; receiving, by the switch, the first data packets; forwarding, by the switch, the first data packets to the enforcement point using the forwarding table; determining, by the enforcement point, whether the first data packets violate a high-level security policy using a low-level rule set; configuring, by the enforcement point, the forwarding table through the API such that second data packets are forwarded by the switch to the second host, in response to determining the first data packets do not violate the security policy; configuring, by the enforcement point, the forwarding table through the API such that the second data packets are dropped or forwarded to a security function by the switch, in response to determining the first data packets violate the security policy; receiving, by the switch, second data packets; and selectively dropping or forwarding the second data packets, by the switch, in accordance with the configuration.
An exemplary system according to the present technology operates when new connections are being made, by pushing the decision regarding the connection to a higher level for inspection, and evaluating the new connections for allowance. These new connections are implemented by the switch in each server/rack. A switch has a forwarding table, which implements a rule. In an exemplary system, all initial traffic between nodes that have not communicated before is to not communicate without first forwarding to distributed security processor. This is the default rule and provides the basic level of security, since the distributed security processor has to approve all connections.
An exemplary system may use an enforcement point (EP) operating in the switch or associated with the switch, which sends communications to the distributed security processor. This communication may be via a tunneling system, for example, a Virtual Extensible Local Area Network (VXLAN). The distributed security processor checks the policy, validates expected protocol behavior, and after approving the communication, forwards the first several packets to the intended recipient node. Next, the distributed security processor programs the switch to allow future communications from the first port to the second port (also referred to or alternatively may be: a node, a communication node, a virtual machine, a container, and a host). Additionally, the sender and recipient in this and all other examples may be on the same server controlled by the same switch, different servers controlled by the same switch, or may be on different servers controlled by different switches.
In an exemplary system according to the present technology, the initial forwarding table includes a default routing rule to first send all communications to the distributed security processor, which is later rewritten to allow communications directly controlled by the switch without intervention by the distributed security processor. Certain information in a packet header will prompt a re-forwarding to the distributed security processor. For example, if a Transmission Control Protocol (TCP) header includes information relating to setting up and/or tearing down a connection, then the distributed security processor is consulted to review the communication, and distributed security processor approval is required. For example, a TCP header including SYN, FIN, and/or RST, relating to the setting up or tearing down of connections, might require the distributed security processor approval. Actions of the distributed security processor may be logged to allow review and enforcement, as well as policy revision.
Policy engine 190 may communicate bilaterally with distributed security processor 180, which may operate to implement the policies. Additionally, policy engine 190 may communicate bilaterally with switch 125 via Application Programming Interface (API) 135 associated with switch 125 to implement the policies. API 135 includes a set of routines, protocols, and/or tools for building software applications for switch 125. API 135 may express a software component in terms of its operations, inputs, outputs, and underlying types. Alternatively or additionally, API 135 may be a software development kit (SDK or “devkit”), which includes a set of software development tools that allows the creation of applications for switch 125. Distributed security processor 180 may communicate computer executable instructions to API 135. System 100 may include many assets 140-145, with a similar or different structure from each other. Each of assets 140-145 may be coupled to some or all of the other of assets 140-145 in system 100 via network 110. At least some of assets 140-145 may also be coupled via network 110 to the internet, an intranet, or any other appropriate network.
In some embodiments, assets 140-145 are at least one of a virtual machine (VM), physical host, workload, server, cloud-based virtual machine, client, enforcement target, and the like. Each of assets 140-145 is communicatively coupled with switch 125, which may operate to control communications into and out of assets 140-145, and between assets 140-145. For example, one or more of assets 140-145 include a VM (e.g. asset 143 may is referenced as VM 143). The virtual machines may operate as part of a hypervisor. Alternatively, different virtual machine systems may be used, for example, containers.
In operation, policy engine 190 communicates with API 135, to program forwarding table 160 of switch 125. The initial programming is the default programming, and indicates to forward any communication which has not previously been approved by distributed security processor 180 (which is all communications in the initial default situation) to distributed security processor 180. Next, asset 140 may attempt to communicate, by communication 150, to virtual machine (VM) 143. Switch 125 checks forwarding table 160 prior to allowing the communication, and since no approval indication exists there, switch 125 forwards the packets to distributed security processor 180 via tunnel 170. Tunnel 170 may be through a fabric of the data center of system 100, and may be a VXLAN communication path.
In some embodiments, policy engine 190 communicates with API 135, to program forwarding table 160 of switch 125. The initial programming is the default programming, and indicates to forward communication requiring processing by distributed security processor 180 (which is all communications in the initial default situation) to distributed security processor 180. Next, asset 140 may attempt to communicate, by communication 150, to virtual machine (VM) 143 using a protocol defined within the security policy applied to switch 125. Switch 125 checks forwarding table 160 prior to allowing the communication, and since no approval indication exists there, switch 125 forwards the packets to distributed security processor 180 via tunnel 170. Tunnel 170 may be through a fabric of the data center of system 100, and may be a VXLAN communication path. In this manner, it is possible for an administrator to ‘tune’ the traffic types requiring security processing within the network.
In various embodiments, the next step is for distributed security processor 180 to perform security checks on the communication and the sender and recipient nodes against policy provided by policy engine 190. The following step is, if the connection is approved, to forward the communication to VM 143, and to program a forwarding entry in forwarding table 160 of switch 125 for communications between asset 140 and asset 143. In this manner, subsequent communications between asset 140 and asset 143 may be handled by switch 125 without the assistance of distributed security processor 180, thereby optimizing communication and reducing resource load. However, some trigger events will cause the forwarding table to revert to a default position for a particular routing instruction, or for all routing instructions. The trigger event is also referred to herein as a condition, and may relate to a packet header, and/or changing of a connection between nodes.
If distributed security processor 180 performs a security check on the initial communication and the sender and recipient nodes against policy, and determines that the communication is prohibited or suspect in any manner, distributed security processor 180 may redirect the communication to a honeypot, redirect the communication to a tarpit, drop the packets, and may forward the packets without writing to forwarding table 160, so that future packets are also routed to distributed security processor 180, thereby providing inspection, logging, and security information to an IT administrator or security expert.
In an exemplary embodiment illustrated in
Distributed security processor 180 may communicate computer executable instructions to API 235. System 200 may include assets 240-245, with a similar or different structure from each other. At least some of assets 240-245 may be coupled to some or all of the other of assets 240-245 in system 200 via network 110. At least some of assets 240-245 may also be coupled via network 110 to the internet, an intranet, or any other appropriate network.
Each of assets 240-245 is communicatively coupled to switch 225, which may operate to control communications into and out of assets 240-245, and between assets 240-245. At least some of assets 240-245 may include one or more virtual machines. The virtual machines may operate as part of a hypervisor. Alternatively, different virtual machine systems may be used, for example containers. Additionally, at least one of assets 240-245 may include honeypot and/or tarpit virtual machines. A honeypot and a tarpit may operate as described above and herein.
Switch 225 may include Application Programming Interface (API) 235 to implement the policies by programming forwarding table 260. API 235 includes a set of routines, protocols, and/or tools for building software applications for switch 225. API 235 may express a software component in terms of its operations, inputs, outputs, and underlying types. Alternatively or additionally, API 235 may be a software development kit (SDK or “devkit”), which includes a set of software development tools that allows the creation of applications for switch 225. Switch 225 may also include enforcement point 280, which communicates bilaterally through the fabric of system 200 with distributed security processor 180.
In operation, policy engine 190 communicates to switch 225, to program forwarding table 260 of switch 225. The initial programming is the default programming, and indicates to forward any communication which has not previously been approved by distributed security processor 180 (which is all communications in the initial default situation) to distributed security processor 180. Next, asset 240 may attempt to communicate, by communication 150, to asset 243. Switch 225 checks forwarding table 260 prior to allowing the communication, and since no approval indication exists there, switch 225 forwards the packets to enforcement point 280 via a tunnel 270. Enforcement point 280 also exists virtually on switch 225.
In various embodiments, the next step is for enforcement point 280 to perform first security checks on the communication and the sender and recipient nodes against policy provided by distributed security processor 180 and policy engine 190. The following step is, if the connection is approved, to forward the communication to asset 243, and program via API 235 a forwarding entry in forwarding table 260 of switch 225 for communications between asset 243 and asset 243. In this manner, subsequent communications between asset 240 and asset 243 may be handled by switch 225 without the assistance of enforcement point 280, thereby optimizing communication and reducing resource load. However, some trigger events will cause the forwarding table to revert to a default position for a particular routing instruction, or for all routing instructions. The trigger event is also referred to herein as a condition, and may relate to a packet header, and/or changing of a connection between nodes.
If enforcement point 280 performs security checks on the initial communication and the sender and recipient nodes against policy and determines that the communication is prohibited or suspect in any manner, or even if the decision requires additional resources or a second level of security, enforcement point 280 may redirect the communication to distributed security processor 180 over the tunnel 270 for a further determination on the acceptability of the communication between asset 240 and asset 243.
Distributed security processor 180 performs these second, higher level security checks on the communication and the sender and recipient nodes against policy provided by policy engine 190. Additionally, distributed security processor 180 may check the communication to ensure that protocol sessions are set up according to documented standards. This advantageously reduces the aperture for protocol attacks and ensures protocol relationships (e.g., above TCP such as between OSI layers 5-7) are established correctly. If distributed security processor 180 performs security checks on the initial communication and the sender and recipient nodes against policy and determines if the communication is prohibited or suspect in any manner, then distributed security processor 180 may redirect the communication to a honeypot, redirect the communication to a tarpit, may drop the packets, may forward the packets without writing to forwarding table 260, so that future packets are also routed to distributed security processor 180, thereby providing inspection, logging, and security information to an IT administrator or security expert.
If distributed security processor 180 performs these second, higher level security checks on the communication and the sender and recipient nodes and approves the connection, then distributed security processor 180 may forward the communication to asset 243, either directly, or by instructing enforcement point 280 to forward the communication to asset 243. Additionally, distributed security processor 180 may direct enforcement point 280 to program, via API 235, the forwarding entry in forwarding table 260 of switch 225 for communications between asset 240 and asset 243. In this manner, subsequent communications between asset 240 and asset 243 may be handled by switch 225 without the assistance of enforcement point 280, thereby optimizing communication and reducing resource load. In still another alternative, distributed security processor 180 may authorize enforcement point 280 to handle communications of this type for new, future connections, or even to not program forwarding table 260 for this connection, so that new, future communications are monitored at an intermediate level of security.
As discussed previously, some trigger events will cause the forwarding table to revert to a default position for a particular routing instruction, or for all routing instructions. The trigger event is also referred to herein as a condition, and may relate to a packet header, and/or changing of a connection between nodes.
In exemplary embodiments of the present technology, the initiation of communications between nodes is an event requiring higher scrutiny, and this policy is implemented by having the default forwarding table include no entry. The communication is forwarded to an EP directly, to an EPI directly, or to an EP via an EPI, across a tunnel or a fabric of a network. The EP and/or EPI checks policy, and may determine to allow the communication, in which case an EPI may be programmed, and the forwarding table is updated to enable the communication between the nodes. This policy is applied to future communications, unless a trigger condition is met. A distinction between the model of system 100 (
The switches described above, including switch 125 and switch 225, may be in the physical environment. In alternative exemplary embodiments, the switch may be a virtual switch.
Various exemplary embodiments of the present invention may enable the management of table resources on a switch for optimization. For example, if a switch is running out of free space, then connections can be aggregated in the forwarding table, or connections may be pushed to other resources for confirmation.
In some embodiments, switch 225 is a hardware switch and at least one of assets 240-245 is a physical host. In various embodiments, switch 225 is a virtual switch and at least one of assets 240-245 is a virtual machine.
The components shown in
Mass data storage 430, which can be implemented with a magnetic disk drive, solid state drive, or an optical disk drive, is a non-volatile storage device for storing data and instructions for use by processor unit(s) 410. Mass data storage 430 stores the system software for implementing embodiments of the present disclosure for purposes of loading that software into main memory 420.
Portable storage device 440 operates in conjunction with a portable non-volatile storage medium, such as a flash drive, floppy disk, compact disk, digital video disc, or Universal Serial Bus (USB) storage device, to input and output data and code to and from the computer system 400 of
User input devices 460 can provide a portion of a user interface. User input devices 460 may include one or more microphones, an alphanumeric keypad, such as a keyboard, for inputting alphanumeric and other information, or a pointing device, such as a mouse, a trackball, stylus, or cursor direction keys. User input devices 460 can also include a touchscreen. Additionally, the computer system 400 as shown in
Graphics display system 470 includes a liquid crystal display (LCD) or other suitable display device. Graphics display system 470 is configurable to receive textual and graphical information and processes the information for output to the display device.
Peripheral devices 480 may include any type of computer support device that adds additional functionality to the computer system 400.
The components provided in the computer system 400 of
The processing for various embodiments may be implemented in software that is cloud-based. In some embodiments, the computer system 400 is implemented as a cloud-based computing environment, such as a virtual machine operating within a computing cloud. In other embodiments, the computer system 400 may itself include a cloud-based computing environment, where the functionalities of the computer system 400 are executed in a distributed fashion. Thus, the computer system 400, when configured as a computing cloud, may include pluralities of computing devices in various forms, as will be described in greater detail below.
In general, a cloud-based computing environment is a resource that typically combines the computational power of a large grouping of processors (such as within web servers) and/or that combines the storage capacity of a large grouping of computer memories or storage devices. Systems that provide cloud-based resources may be utilized exclusively by their owners or such systems may be accessible to outside users who deploy applications within the computing infrastructure to obtain the benefit of large computational or storage resources.
The cloud may be formed, for example, by a network of web servers that include a plurality of computing devices, such as the computer system 400, with each server (or at least a plurality thereof) providing processor and/or storage resources. These servers may manage workloads provided by multiple users (e.g., cloud resource customers or other users). Typically, each user places workload demands upon the cloud that vary in real-time, sometimes dramatically. The nature and extent of these variations typically depends on the type of business associated with the user.
The present technology is described above with reference to example embodiments. Therefore, other variations upon the example embodiments are intended to be covered by the present disclosure.
| Number | Name | Date | Kind |
|---|---|---|---|
| 6253321 | Nikander et al. | Jun 2001 | B1 |
| 6484261 | Wiegel | Nov 2002 | B1 |
| 6578076 | Putzolu | Jun 2003 | B1 |
| 6765864 | Natarajan et al. | Jul 2004 | B1 |
| 6970459 | Meier | Nov 2005 | B1 |
| 6983325 | Watson et al. | Jan 2006 | B1 |
| 6992985 | Das | Jan 2006 | B1 |
| 7028179 | Anderson et al. | Apr 2006 | B2 |
| 7058712 | Vasko et al. | Jun 2006 | B1 |
| 7062566 | Amara et al. | Jun 2006 | B2 |
| 7068598 | Bryson et al. | Jun 2006 | B1 |
| 7373524 | Motsinger et al. | May 2008 | B2 |
| 7397794 | Lacroute et al. | Jul 2008 | B1 |
| 7464407 | Nakae et al. | Dec 2008 | B2 |
| 7519062 | Kloth et al. | Apr 2009 | B1 |
| 7542455 | Grayson et al. | Jun 2009 | B2 |
| 7620986 | Jagannathan et al. | Nov 2009 | B1 |
| 7694181 | Noller et al. | Apr 2010 | B2 |
| 7742414 | Iannaccone et al. | Jun 2010 | B1 |
| 7774837 | McAlister | Aug 2010 | B2 |
| 7849495 | Huang et al. | Dec 2010 | B1 |
| 7900240 | Terzis et al. | Mar 2011 | B2 |
| 7904454 | Raab | Mar 2011 | B2 |
| 7949677 | Croft et al. | May 2011 | B2 |
| 7954150 | Croft et al. | May 2011 | B2 |
| 7986938 | Meenan et al. | Jul 2011 | B1 |
| 7996255 | Shenoy et al. | Aug 2011 | B1 |
| 8051460 | Lum et al. | Nov 2011 | B2 |
| 8112304 | Scates | Feb 2012 | B2 |
| 8259571 | Raphel et al. | Sep 2012 | B1 |
| 8274912 | Wray et al. | Sep 2012 | B2 |
| 8296459 | Brandwine et al. | Oct 2012 | B1 |
| 8307422 | Varadhan et al. | Nov 2012 | B2 |
| 8321862 | Swamy et al. | Nov 2012 | B2 |
| 8353021 | Satish et al. | Jan 2013 | B1 |
| 8369333 | Hao et al. | Feb 2013 | B2 |
| 8396986 | Kanada et al. | Mar 2013 | B2 |
| 8490153 | Bassett et al. | Jul 2013 | B2 |
| 8494000 | Nadkarni et al. | Jul 2013 | B1 |
| 8565118 | Shukla et al. | Oct 2013 | B2 |
| 8612744 | Shieh | Dec 2013 | B2 |
| 8661434 | Liang et al. | Feb 2014 | B1 |
| 8688491 | Shenoy et al. | Apr 2014 | B1 |
| 8726343 | Borzycki et al. | May 2014 | B1 |
| 8798055 | An | Aug 2014 | B1 |
| 8813169 | Shieh et al. | Aug 2014 | B2 |
| 8813236 | Saha et al. | Aug 2014 | B1 |
| 8935457 | Feng et al. | Jan 2015 | B2 |
| 8938782 | Sawhney et al. | Jan 2015 | B2 |
| 8955093 | Shieh et al. | Feb 2015 | B2 |
| 8984114 | Shieh et al. | Mar 2015 | B2 |
| 8990371 | Kalyanaraman et al. | Mar 2015 | B2 |
| 9361089 | Bradfield et al. | Jun 2016 | B2 |
| 9380027 | Lian et al. | Jun 2016 | B1 |
| 9521115 | Woolward | Dec 2016 | B1 |
| 9609083 | Shieh | Mar 2017 | B2 |
| 9621595 | Lian et al. | Apr 2017 | B2 |
| 9680852 | Wager et al. | Jun 2017 | B1 |
| 20020031103 | Wiedeman et al. | Mar 2002 | A1 |
| 20030014665 | Anderson et al. | Jan 2003 | A1 |
| 20030055950 | Cranor et al. | Mar 2003 | A1 |
| 20030123481 | Neale et al. | Jul 2003 | A1 |
| 20030135625 | Fontes et al. | Jul 2003 | A1 |
| 20030177389 | Albert et al. | Sep 2003 | A1 |
| 20030236985 | Ruuth | Dec 2003 | A1 |
| 20040062204 | Bearden et al. | Apr 2004 | A1 |
| 20040093513 | Cantrell et al. | May 2004 | A1 |
| 20040095897 | Vafaei | May 2004 | A1 |
| 20040172618 | Marvin | Sep 2004 | A1 |
| 20040214576 | Myers et al. | Oct 2004 | A1 |
| 20050021943 | Ikudome et al. | Jan 2005 | A1 |
| 20050033989 | Poletto et al. | Feb 2005 | A1 |
| 20050060573 | D'Souza | Mar 2005 | A1 |
| 20050114288 | Dettinger et al. | May 2005 | A1 |
| 20050114829 | Robin et al. | May 2005 | A1 |
| 20050190758 | Gai et al. | Sep 2005 | A1 |
| 20050201343 | Sivalingham et al. | Sep 2005 | A1 |
| 20050246241 | Irizarry, Jr. et al. | Nov 2005 | A1 |
| 20050283823 | Okajo et al. | Dec 2005 | A1 |
| 20060050696 | Shah et al. | Mar 2006 | A1 |
| 20060137009 | Chesla | Jun 2006 | A1 |
| 20060150250 | Lee et al. | Jul 2006 | A1 |
| 20060177063 | Conway et al. | Aug 2006 | A1 |
| 20070016945 | Bassett et al. | Jan 2007 | A1 |
| 20070019621 | Perry et al. | Jan 2007 | A1 |
| 20070022090 | Graham | Jan 2007 | A1 |
| 20070064617 | Reves | Mar 2007 | A1 |
| 20070079308 | Chiaramonte et al. | Apr 2007 | A1 |
| 20070168971 | Royzen et al. | Jul 2007 | A1 |
| 20070192861 | Varghese et al. | Aug 2007 | A1 |
| 20070192863 | Kapoor et al. | Aug 2007 | A1 |
| 20070239987 | Hoole et al. | Oct 2007 | A1 |
| 20070271612 | Fang et al. | Nov 2007 | A1 |
| 20070277222 | Pouliot | Nov 2007 | A1 |
| 20080016550 | McAlister | Jan 2008 | A1 |
| 20080083011 | McAlister et al. | Apr 2008 | A1 |
| 20080086772 | Chesla | Apr 2008 | A1 |
| 20080155239 | Chowdhury et al. | Jun 2008 | A1 |
| 20080163207 | Reumann et al. | Jul 2008 | A1 |
| 20080222375 | Kotsovinos et al. | Sep 2008 | A1 |
| 20080229382 | Vitalos | Sep 2008 | A1 |
| 20080239961 | Hilerio et al. | Oct 2008 | A1 |
| 20080301770 | Kinder | Dec 2008 | A1 |
| 20080307110 | Wainner et al. | Dec 2008 | A1 |
| 20090077621 | Lang et al. | Mar 2009 | A1 |
| 20090083445 | Ganga | Mar 2009 | A1 |
| 20090103524 | Mantripragada et al. | Apr 2009 | A1 |
| 20090138316 | Weller et al. | May 2009 | A1 |
| 20090165078 | Samudrala et al. | Jun 2009 | A1 |
| 20090182835 | Aviles et al. | Jul 2009 | A1 |
| 20090190585 | Allen et al. | Jul 2009 | A1 |
| 20090228966 | Parfene et al. | Sep 2009 | A1 |
| 20090249470 | Litvin et al. | Oct 2009 | A1 |
| 20090260051 | Igakura | Oct 2009 | A1 |
| 20090268667 | Gandham et al. | Oct 2009 | A1 |
| 20090328187 | Meisel | Dec 2009 | A1 |
| 20100043068 | Varadhan et al. | Feb 2010 | A1 |
| 20100064341 | Aldera | Mar 2010 | A1 |
| 20100071025 | Devine et al. | Mar 2010 | A1 |
| 20100088738 | Bimbach | Apr 2010 | A1 |
| 20100095367 | Narayanaswamy | Apr 2010 | A1 |
| 20100100616 | Bryson et al. | Apr 2010 | A1 |
| 20100104094 | Takashima | Apr 2010 | A1 |
| 20100125900 | Dennerline et al. | May 2010 | A1 |
| 20100132031 | Zheng | May 2010 | A1 |
| 20100189110 | Kambhampati et al. | Jul 2010 | A1 |
| 20100191863 | Wing | Jul 2010 | A1 |
| 20100192225 | Ma et al. | Jul 2010 | A1 |
| 20100199349 | Ellis | Aug 2010 | A1 |
| 20100208699 | Lee et al. | Aug 2010 | A1 |
| 20100228962 | Simon | Sep 2010 | A1 |
| 20100235880 | Chen et al. | Sep 2010 | A1 |
| 20100235902 | Guo et al. | Sep 2010 | A1 |
| 20100274970 | Treuhaft et al. | Oct 2010 | A1 |
| 20100281533 | Mao et al. | Nov 2010 | A1 |
| 20100281539 | Burns et al. | Nov 2010 | A1 |
| 20100333165 | Basak et al. | Dec 2010 | A1 |
| 20110003580 | Belrose et al. | Jan 2011 | A1 |
| 20110010515 | Ranade | Jan 2011 | A1 |
| 20110013776 | McAlister | Jan 2011 | A1 |
| 20110069710 | Naven et al. | Mar 2011 | A1 |
| 20110072486 | Hadar et al. | Mar 2011 | A1 |
| 20110075667 | Li et al. | Mar 2011 | A1 |
| 20110113472 | Fung et al. | May 2011 | A1 |
| 20110138384 | Bozek et al. | Jun 2011 | A1 |
| 20110138441 | Neystadt et al. | Jun 2011 | A1 |
| 20110184993 | Chawla et al. | Jul 2011 | A1 |
| 20110225624 | Sawhney et al. | Sep 2011 | A1 |
| 20110249679 | Lin et al. | Oct 2011 | A1 |
| 20110261722 | Awano | Oct 2011 | A1 |
| 20110263238 | Riley et al. | Oct 2011 | A1 |
| 20110299533 | Yu et al. | Dec 2011 | A1 |
| 20120017258 | Suzuki | Jan 2012 | A1 |
| 20120036567 | Senese et al. | Feb 2012 | A1 |
| 20120113989 | Akiyoshi | May 2012 | A1 |
| 20120130936 | Brown et al. | May 2012 | A1 |
| 20120131685 | Broch et al. | May 2012 | A1 |
| 20120185913 | Martinez et al. | Jul 2012 | A1 |
| 20120207174 | Shieh | Aug 2012 | A1 |
| 20120216273 | Rolette et al. | Aug 2012 | A1 |
| 20120254980 | Takahashi | Oct 2012 | A1 |
| 20120287931 | Kidambi et al. | Nov 2012 | A1 |
| 20120311144 | Akelbein et al. | Dec 2012 | A1 |
| 20120311575 | Song | Dec 2012 | A1 |
| 20120324567 | Couto et al. | Dec 2012 | A1 |
| 20130019277 | Chang et al. | Jan 2013 | A1 |
| 20130081142 | McDougal et al. | Mar 2013 | A1 |
| 20130086383 | Galvao de Andrade et al. | Apr 2013 | A1 |
| 20130086399 | Tychon et al. | Apr 2013 | A1 |
| 20130097692 | Cooper et al. | Apr 2013 | A1 |
| 20130111542 | Shieh | May 2013 | A1 |
| 20130117836 | Shieh | May 2013 | A1 |
| 20130151680 | Salinas et al. | Jun 2013 | A1 |
| 20130152187 | Strebe et al. | Jun 2013 | A1 |
| 20130166490 | Elkins et al. | Jun 2013 | A1 |
| 20130166720 | Takashima et al. | Jun 2013 | A1 |
| 20130219384 | Srinivasan et al. | Aug 2013 | A1 |
| 20130223226 | Narayanan et al. | Aug 2013 | A1 |
| 20130250956 | Sun et al. | Sep 2013 | A1 |
| 20130254871 | Sun et al. | Sep 2013 | A1 |
| 20130263245 | Sun et al. | Oct 2013 | A1 |
| 20130275592 | Xu et al. | Oct 2013 | A1 |
| 20130276092 | Sun et al. | Oct 2013 | A1 |
| 20130291088 | Shieh et al. | Oct 2013 | A1 |
| 20130318617 | Chaturvedi et al. | Nov 2013 | A1 |
| 20130343396 | Yamashita et al. | Dec 2013 | A1 |
| 20140007181 | Sarin et al. | Jan 2014 | A1 |
| 20140022894 | Oikawa et al. | Jan 2014 | A1 |
| 20140137240 | Smith et al. | May 2014 | A1 |
| 20140153577 | Janakiraman et al. | Jun 2014 | A1 |
| 20140157352 | Paek et al. | Jun 2014 | A1 |
| 20140282027 | Gao et al. | Sep 2014 | A1 |
| 20140282518 | Banerjee | Sep 2014 | A1 |
| 20140283030 | Moore et al. | Sep 2014 | A1 |
| 20140298469 | Marion et al. | Oct 2014 | A1 |
| 20140310765 | Stuntebeck et al. | Oct 2014 | A1 |
| 20140344435 | Mortimore, Jr. et al. | Nov 2014 | A1 |
| 20150047046 | Pavlyushchik | Feb 2015 | A1 |
| 20150124606 | Alvarez et al. | May 2015 | A1 |
| 20150163088 | Anschutz | Jun 2015 | A1 |
| 20150186296 | Guidry | Jul 2015 | A1 |
| 20150229641 | Sun et al. | Aug 2015 | A1 |
| 20150229656 | Shieh | Aug 2015 | A1 |
| 20150249676 | Koyanagi et al. | Sep 2015 | A1 |
| 20150269383 | Lang et al. | Sep 2015 | A1 |
| 20160191545 | Nanda et al. | Jun 2016 | A1 |
| 20160203331 | Khan et al. | Jul 2016 | A1 |
| 20160269442 | Shieh | Sep 2016 | A1 |
| 20160294875 | Lian et al. | Oct 2016 | A1 |
| 20160323245 | Shieh et al. | Nov 2016 | A1 |
| 20170063795 | Lian et al. | Mar 2017 | A1 |
| 20170134422 | Shieh et al. | May 2017 | A1 |
| 20170168864 | Ross et al. | Jun 2017 | A1 |
| 20170180421 | Shieh et al. | Jun 2017 | A1 |
| 20170195454 | Shieh | Jul 2017 | A1 |
| 20170208100 | Lian et al. | Jul 2017 | A1 |
| 20170223033 | Wager et al. | Aug 2017 | A1 |
| 20170223038 | Wager et al. | Aug 2017 | A1 |
| 20170374032 | Woolward et al. | Dec 2017 | A1 |
| 20170374101 | Woolward | Dec 2017 | A1 |
| 20180005296 | Eades et al. | Jan 2018 | A1 |
| Number | Date | Country |
|---|---|---|
| 201642616 | Dec 2016 | TW |
| 201642617 | Dec 2016 | TW |
| 201642618 | Dec 2016 | TW |
| 201703483 | Jan 2017 | TW |
| 201703485 | Jan 2017 | TW |
| WO2002098100 | Dec 2002 | WO |
| WO2011012165 | Feb 2011 | WO |
| WO2016148865 | Sep 2016 | WO |
| WO2016160523 | Oct 2016 | WO |
| WO2016160533 | Oct 2016 | WO |
| WO2016160595 | Oct 2016 | WO |
| WO2016160599 | Oct 2016 | WO |
| WO2017100365 | Jun 2017 | WO |
| Entry |
|---|
| Non-Final Office Action, dated Jul. 1, 2015, U.S. Appl. No. 14/673,640, filed Mar. 30, 2015. |
| Non-Final Office Action, dated Jul. 7, 2015, U.S. Appl. No. 14/673,679, filed Mar. 30, 2015. |
| Non-Final Office Action, dated Jul. 31, 2015, U.S. Appl. No. 14/677,755, filed Apr. 2, 2015. |
| Specification, U.S. Appl. No. 14/673,679, filed Mar. 30, 2015. |
| Specification, U.S. Appl. No. 14/673,640, filed Mar. 30, 2015. |
| Specification, U.S. Appl. No. 14/657,282, filed Mar. 13, 2015. |
| Specification, U.S. Appl. No. 14/839,649, filed Aug. 28, 2015. |
| Specification, U.S. Appl. No. 14/839,699, filed Aug. 28, 2015. |
| Specification, U.S. Appl. No. 14/657,210, filed Mar. 13, 2015. |
| International Search Report dated May 3, 2016 in Patent Cooperation Treaty Application No. PCT/US2016/024300, filed Mar. 25, 2016. |
| International Search Report dated May 3, 2016 in Patent Cooperation Treaty Application No. PCT/US2016/024053 filed Mar. 24, 2016. |
| International Search Report dated May 6, 2016 in Patent Cooperation Treaty Application No. PCT/US2016/019643 filed Feb. 25, 2016. |
| Dubrawsky, Ido, “Firewall Evolution—Deep Packet Inspection,” Symantec, Created Jul. 28, 2003; Updated Nov. 2, 2010, symantec.com/connect/articles/firewall-evolution-deep-packet-inspection. |
| International Search Report dated Jun. 20, 2016 in Patent Cooperation Treaty Application No. PCT/US2016/024310 filed Mar. 25, 2016, pp. 1-9. |
| International Search Report dated May 3, 2016 in Patent Cooperation Treaty Application No. PCT/US2016/024116 filed Mar. 24, 2016. |
| “Feature Handbook: NetBrain® Enterprise Edition 6.1” NetBrain Technologies, Inc., Feb. 25, 2016, 48 pages. |
| Arendt, Dustin L. et al., “Ocelot: User-Centered Design of a Decision Support Visualization for Network Quarantine”, IEEE Symposium on Visualization for Cyber Security (VIZSEC), Oct. 25, 2015, 8 pages. |
| “International Search Report” and “Written Opinion of the International Searching Authority,” Patent Cooperation Treaty Application No. PCT/US2016/065451, dated Jan. 12, 2017, 20 pages. |
| Maniar, Neeta, “Centralized Tracking and Risk Analysis of 3rd Party Firewall Connections,” SANS Institute InfoSec Reading Room, Mar. 11, 2005, 20 pages. |
| Hu, Hongxin et al., “Detecting and Resolving Firewall Policy Anomalies,” IEEE Transactions on Dependable and Secure Computing, vol. 9, No. 3, May/Jun. 2012, pp. 318-331. |
| Number | Date | Country | |
|---|---|---|---|
| 20160294774 A1 | Oct 2016 | US |
