Method and apparatus for application awareness in a network

US10454895B2 · US · B2

Patent metadata

Publication number: US-10454895-B2
Application number: US-201615262861-A
Country: US
Kind code: B2
Filing date: Sep 12, 2016
Priority date: Feb 14, 2013
Publication date: Oct 22, 2019
Grant date: Oct 22, 2019

Abstract

Official abstract text for this publication.

A method for enforcing a network policy is described herein. In the method, a network socket event request from an application executing in a first context is intercepted by an agent prior to the request reaching a transport layer in the first context. A context refers to virtualization software, a physical computer, or a combination of virtualization software and physical computer. In response to the interception of the request, the agent requests a decision on whether to allow or deny the network socket event request to be communicated to a security server executing in a second context that is distinct from the first context. The request for a decision includes an identification of the application. The agent then receives from the security server either an allowance or a denial of the network socket event request, the allowance or denial being based at least in part on the identification of the application and a security policy. The agent blocks the network socket event from reaching the transport layer when the denial is received from the security server. In one embodiment, the method is implemented using a machine readable medium embodying software instructions executable by a computer.

Claims

Claim text for this publication.

What is claimed is:

1. A method for enforcing a network policy on an application executing within a first context, the method comprising: intercepting, by an agent executing in the first context, a network socket event request from the application before the network socket event request reaches a transport layer located between a network layer and the application in a network stack of the first context; sending, by the agent to a security server executing in a second context, a request for a decision on whether to allow or deny the intercepted network socket event, the request for the decision including application information comprising a domain of the application; receiving, by the agent, the decision from the security server, the decision being an allowance or a denial of the network socket event request, the decision being based at least in part on the application information; and preventing, by the agent, the network socket request from reaching the transport layer in the first context when the decision is the denial of the network socket event request.

2. The method of claim 1, wherein the request for the decision further includes application information comprising an identification of a user of the application, an application file name, an application executable hash, and an application identifier.

3. The method of claim 1, further comprising: sending the network socket event request from the application in the first context to the transport layer in the first context.

4. The method of claim 1, wherein the request for the decision further includes application information comprising an application file name, an application executable hash, and an application identifier.

5. The method of claim 1, further comprising: collecting statistics about data flow through the network socket of the first context; sending the statistics from the first context to a data collection module that receives statistics about data flows through multiple network sockets of multiple contexts; and generating a report of the statistics about the data flows through the multiple network sockets of the multiple contexts.

6. The method of claim 1, wherein the network event is any of: opening the network socket, closing the network socket, and listening to the network socket.

7. The method of claim 1, wherein the application identifier is based on at least a process identifier that identifies (i) a process created when an operating system loads and runs an executable file of the application, and (ii) the executable file of the application.

8. The method of claim 1, wherein a transport layer interface located between the transport layer and the application intercepts the network socket event, and the transport layer interface is a Transport Driver Interface.

9. The method of claim 1, wherein the transport layer interface is a layered service provider that allows or blocks network socket event requests and resides above a base transport provider.

10. A non-transitory computer-readable medium with computer readable instructions executable by a context, comprising: instructions that perform, intercepting, by an agent executing in the first context, a network socket event request from the application before the network socket event request reaches a transport layer located between a network layer and the application in a network stack of the first context; instructions that perform, sending, by the agent to a security server executing in a second context, a request for a decision on whether to allow or deny the intercepted network socket event, the request for the decision including application information comprising a domain of the application; instructions that perform, receiving, by the agent, the decision from the security server, the decision being an allowance or a denial of the network socket event request, the decision being based at least in part on the application information; and instructions that perform, preventing, by the agent, the network socket request from reaching the transport layer in the first context when the decision is the denial of the network socket event request.

11. The non-transitory computer-readable medium of claim 10, wherein the application identifier is based on data received from an interface of the transport on the first context.

12. The non-transitory computer-readable medium of claim 10, further comprising: instructions sending the network socket event request from the application in the first context to the transport layer in the first context.

13. The non-transitory computer-readable medium of claim 10, wherein the security module makes decisions on whether to allow or deny network socket events in multiple contexts.

14. The non-transitory computer-readable medium of claim 10, wherein the network event is any of: opening the network socket, closing the network socket, and listening to the network socket.

15. The non-transitory computer-readable medium of claim 10, wherein the transport layer interface is a layered service provider that allows or blocks network socket event requests and resides above a base transport provider.

16. The non-transitory computer-readable medium of claim 12, further comprising: instructions collecting statistics about data flow through the network socket of the first context; instructions sending the statistics from the first context to a data collection module that receives statistics about data flows through multiple network sockets of multiple contexts; and instructions generating a report of the statistics about the data flows through the multiple network sockets of the multiple contexts.

17. A computer system, comprising: an agent executing in a context; a security server executing in a second context; a firewall; and a processor and memory with the context, the context executing: instructions that perform, receiving, by the security server, a request from the for a decision on whether to allow or deny a network socket event request from an application, the network socket event request being intercepted by the agent before the network socket event request reaches a transport layer located between a network layer and the application in a network stack of the context, the request for the decision including application information comprising a domain of the application; and instructions that perform, sending, by the security server, the decision to the firewall that enforces the decision, the decision being an allowance or a denial of the network socket event request, the decision being based at least in part on the application information, and wherein the denial prevents the network socket request from reaching the transport layer in the context.

18. The system of claim 17, wherein the application information comprises an identification of a user of the application, an application file name, an application executable hash, and an application identifier.

19. The system of claim 17, wherein the context further executes instructions that perform sending the network socket event request from the application in the context to the transport layer in the context.

20. The system of claim 17, wherein the transport layer interface is a layered service provider that allows or blocks network socket event requests and resides above a base transport provider.
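The abstract and claims above describe an architecture rather than code: an agent in the first context intercepts socket events, forwards the application's identity (domain, user, file name, executable hash, application identifier) to a security server in a second context, and drops the event when the server denies it; claim 5 adds flow statistics collected across contexts. The following model is an added example, not VMware's code and not the patent's reference implementation. The request and rule structures, the deny-by-default policy, the statistics format, and the sample applications and hashes are all constructed here to show how such a policy decision can be made from application identity alone.

```python
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

ALLOW = "allow"
DENY = "deny"
SOCKET_EVENTS = ("open", "close", "listen")  # the event kinds of claim 6


@dataclass(frozen=True)
class DecisionRequest:
    """What the agent sends to the security server (constructed shape)."""
    context_id: str   # which VM / host the agent runs in
    event: str        # one of SOCKET_EVENTS
    domain: str       # domain of the application
    user: str         # user running the application
    file_name: str    # application file name
    exe_hash: str     # hash of the executable
    app_id: str       # application identifier


@dataclass(frozen=True)
class PolicyRule:
    """One rule of the constructed policy; a None field matches any value."""
    decision: str
    exe_hash: Optional[str] = None
    domain: Optional[str] = None
    user: Optional[str] = None
    events: Optional[Tuple[str, ...]] = None

    def matches(self, req: DecisionRequest) -> bool:
        return ((self.exe_hash is None or self.exe_hash == req.exe_hash)
                and (self.domain is None or self.domain == req.domain)
                and (self.user is None or self.user == req.user)
                and (self.events is None or req.event in self.events))


class SecurityServer:
    """Runs in the second context and serves agents in many contexts."""

    def __init__(self, rules: List[PolicyRule], default: str = DENY):
        self.rules = rules
        self.default = default  # unknown applications are denied
        self.stats: Dict[Tuple[str, str], int] = {}  # (context, app) -> bytes

    def decide(self, req: DecisionRequest) -> str:
        if req.event not in SOCKET_EVENTS:
            return DENY  # malformed request is never allowed through
        for rule in self.rules:  # first matching rule wins
            if rule.matches(req):
                return rule.decision
        return self.default

    def collect(self, context_id: str, app_id: str, nbytes: int) -> None:
        """Data collection module: aggregate per-socket flow statistics."""
        key = (context_id, app_id)
        self.stats[key] = self.stats.get(key, 0) + nbytes

    def report(self) -> Dict[str, int]:
        """Byte totals per context across all reported sockets."""
        out: Dict[str, int] = {}
        for (ctx, _app), n in self.stats.items():
            out[ctx] = out.get(ctx, 0) + n
        return out


class Agent:
    """Sits between the application and the transport layer in its context."""

    def __init__(self, context_id: str, server: SecurityServer):
        self.context_id = context_id
        self.server = server
        self.blocked: List[DecisionRequest] = []

    def intercept(self, event: str, app: Dict[str, str]) -> bool:
        """Return True if the event may be passed on to the transport layer."""
        req = DecisionRequest(self.context_id, event, app["domain"], app["user"],
                              app["file_name"], app["exe_hash"], app["app_id"])
        decision = self.server.decide(req)  # round trip to the second context
        if decision != ALLOW:
            self.blocked.append(req)  # event never reaches the transport layer
            return False
        return True


# Constructed sample applications and policy (hashes are placeholders).
BROWSER = {"domain": "corp.example", "user": "alice", "file_name": "browser.exe",
           "exe_hash": "sha256:1111", "app_id": "pid-4242/browser.exe"}
UNKNOWN = {"domain": "corp.example", "user": "alice", "file_name": "dropper.exe",
           "exe_hash": "sha256:9999", "app_id": "pid-5151/dropper.exe"}
POLICY = [
    PolicyRule(DENY, exe_hash="sha256:1111", events=("listen",)),  # no listening
    PolicyRule(ALLOW, exe_hash="sha256:1111", domain="corp.example"),
]


def run_scenario() -> Dict[str, object]:
    server = SecurityServer(POLICY)
    agent = Agent("vm-1", server)
    results: Dict[str, object] = {
        "browser_open": agent.intercept("open", BROWSER),      # allowed
        "browser_listen": agent.intercept("listen", BROWSER),  # denied by rule
        "unknown_open": agent.intercept("open", UNKNOWN),      # denied by default
    }
    server.collect("vm-1", BROWSER["app_id"], 1500)
    server.collect("vm-1", BROWSER["app_id"], 500)
    results["report"] = server.report()
    results["blocked"] = len(agent.blocked)
    return results


if __name__ == "__main__":
    print(run_scenario())
```

The point of keying the policy on the executable hash rather than on the file name is that the decision survives a renamed binary; the deny-by-default server setting means an application the policy has never seen gets no socket at all, which is the behaviour the claims describe for a denial.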

Assignees

Vmware Inc
Inventors

Classifications

Primary CPC classification: H04L63/20. CPC group titles:

  • above the transport layer

  • involving event detection and direct action

  • Countermeasures against malicious traffic (countermeasures against attacks on cryptographic mechanisms H04L9/002)

  • Event detection, e.g. attack signature detection

  • at the transport layer

Frequently asked questions

What does patent US10454895B2 cover?
A method for enforcing a network policy: an agent running in a first context intercepts an application's network socket event request before it reaches the transport layer, asks a security server in a distinct second context whether to allow or deny the request based on the application's identity and a security policy, and blocks the event from reaching the transport layer when the server denies it.

Who is the assignee on this patent?
Vmware Inc

What technology area does this patent fall under?
Primary CPC classification H04L63/20. Mapped technology areas include Electricity.

When was this patent published?
Publication date Oct 22, 2019 (B2). Legal status and post-grant events are not shown on this page.

What related patents are in patentsdb?
We list 8 related publications on this page (citations in our corpus or others sharing the same primary CPC).