Encrypted traffic inspection in a cloud-based security system
US-2021344511-A1 · Nov 4, 2021 · US
US11962584B2 · US · B2
| Field | Value |
|---|---|
| Publication number | US-11962584-B2 |
| Application number | US-202016939589-A |
| Country | US |
| Kind code | B2 |
| Filing date | Jul 27, 2020 |
| Priority date | Jul 27, 2020 |
| Publication date | Apr 16, 2024 |
| Grant date | Apr 16, 2024 |
Abstract:
Zero trust network security is provided without modifying the underlying network infrastructure. Unique intermediate certificates created based on a primary certificate are sent to each of a plurality of entities. Each entity of the plurality of entities is installed on a respective node of a plurality of nodes in a network environment of a cloud provider. An agent is deployed to each of the plurality of nodes, and the agent is configured to enforce at least one network firewall policy based on the intermediate certificate sent to the corresponding entity.
Claims (preview):
What is claimed is:

1. A method comprising: creating a primary certificate based on signed data obtained from a cloud provider, wherein the signed data identify a plurality of nodes in a network environment of the cloud provider; creating a plurality of intermediate certificates based on the primary certificate, wherein the primary certificate and each of the plurality of intermediate certificates comprises a signature of the cloud provider, wherein each of the plurality of intermediate certificates is unique; sending each of the plurality of intermediate certificates to a respective one of a plurality of entities, wherein each entity of the plurality of entities is installed on a respective node of the plurality of nodes; and deploying each of a plurality of agents to a respective one of the plurality of nodes, where the plurality of agents enforces a first firewall policy for respective ones of the plurality of entities based on the plurality of intermediate certificates.
2. The method of claim 1, wherein each of the plurality of agents routes traffic to and from a corresponding entity of the plurality of entities.
3. The method of claim 2 further comprising modifying iptables of each agent of the plurality of agents to route traffic to the plurality of agents, wherein modifying the iptables of each agent of the plurality of agents comprises modifying the iptables to route traffic corresponding to network addresses that are not defined as allowable in the first firewall policy to the agent.
4. The method of claim 1, wherein each of the plurality of intermediate certificates expires after a predetermined period of time.
5. The method of claim 4, further comprising: sending, to each entity of the plurality of entities, a new intermediate certificate prior to expiration of a respective one of the plurality of intermediate certificates sent to the entity.
6. The method of claim 1, wherein the plurality of entities comprises at least one of one or more applications and one or more services.
7. The method of claim 1 further comprising enforcing, by the plurality of agents, the first firewall policy for the respective ones of the plurality of entities, wherein enforcing the first firewall policy comprises verifying if communications of the plurality of entities are allowed based on the plurality of intermediate certificates.
8. The method of claim 7, wherein verifying if communications of the plurality of entities are allowed comprises, based on initiation of a communication between a first entity of the plurality of entities and a second entity, receiving, by a first agent of the plurality of agents, a certificate of the second entity; determining if the certificate is valid; and based on determining that the certificate is valid, allowing communications between the first entity and the second entity.
9. The method of claim 8, wherein determining if the certificate is valid comprises determining if the certificate comprises the signature of the cloud provider.
10. The method of claim 8 further comprising, based on receiving, by the first agent, an indication of an identity of the second entity, determining if the identity of the second entity is consistent with the network environment, wherein allowing communications between the first entity and the second entity is further based on determining that the identity of the second entity is consistent with the network environment.
11. A non-transitory computer-readable medium having stored thereon instructions executable by a processing circuitry to: create a primary certificate based on signed data obtained from a cloud provider, wherein the signed data identify a plurality of nodes in a network environment of the cloud provider; create a plurality of intermediate certificates based on the primary certificate, wherein the primary certificate and each of the plurality of intermediate certificates comprises a signature of the cloud provider, wherein each of the plurality of intermediate certificates is unique; send each of the plurality of intermediate certificates to a respective one of a plurality of entities, wherein each entity of the plurality of entities is installed on a respective node of the plurality of nodes; and deploy each of a plurality of agents to a respective one of the plurality of nodes, wherein the plurality of agents verifies whether communications of the plurality of entities are allowed based on the plurality of intermediate certificates.
12. The non-transitory computer-readable medium of claim 11 further comprising instructions to send, to each entity of the plurality of entities, a new intermediate certificate prior to expiration of a respective one of the plurality of intermediate certificates sent to the entity, wherein each of the plurality of intermediate certificates expires after a predetermined period of time.
13. The non-transitory computer-readable medium of claim 11 further comprising instructions to verify, by the plurality of agents, whether communications of the plurality of entities are allowed, wherein the instructions to verify whether communications of the plurality of entities are allowed comprise instructions to, based on initiation of a communication between a first entity of the plurality of entities and a second entity, receive, by a first agent of the plurality of agents, a certificate of the second entity; determine whether the certificate is valid; and based on a determination that the certificate is valid, allowing communications between the first entity and the second entity.
14. The non-transitory computer-readable medium of claim 13, wherein the instructions to determine whether the certificate is valid comprise instructions to determine whether the certificate comprises the signature of the cloud provider.
15. The non-transitory computer-readable medium of claim 13 further comprising instructions to, based on receipt by the first agent of an indication of an identity of the second entity, determine whether the identity of the second entity is consistent with the network environment, wherein the instructions to allow communications between the first entity and the second entity further comprise instructions to allow communications between the first entity and the second entity based on a determination that the identity of the second entity is consistent with the network environment.
16. The non-transitory computer-readable medium of claim 11 further comprising instructions executable by the processing circuitry to enforce, by the plurality of agents, a first firewall policy for the respective ones of the plurality of entities, wherein the instructions to enforce the first firewall policy comprise instructions to verify whether communications of the plurality of entities are allowed based on the plurality of intermediate certificates.
17. The non-transitory computer-readable medium of claim 11, wherein each of the plurality of agents routes traffic to and from a corresponding entity of the plurality of entities.
18. A system comprising: a processing circuitry; and a memory, the memory containing instructions that, when executed by the processing circuitry, cause the system to: create a primary certificate based on signed data obtained from a cloud provider, wherein the signed data identify a plurality of nodes in a network environment of the cloud provider; create a plurality of intermediate certificates based on the primary certificate, wherein the primary certificate and each of the plurality of intermediate certificates comprises a
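As an added example (not code from the patent or its assignee), the agent-side decision of claims 4 and 8 to 10 in Go with the standard x509 package: a unique intermediate issued under a self-signed primary, whose key stands in for the cloud provider's signature, is accepted only if it chains to the primary, is unexpired at the time of the check, and names a node that belongs to the known network environment. The certificate names, the node list and the one-hour lifetime are assumptions.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// Issue creates a certificate for `name` valid for `ttl`. With parent == nil it is the self-signed
// primary (its key stands in for the cloud provider's signature); otherwise it is an intermediate
// signed by the primary's key. The nanosecond serial keeps every intermediate unique (assumed scheme).
func Issue(name string, ttl time.Duration, parent *x509.Certificate, parentKey *ecdsa.PrivateKey) (*x509.Certificate, *ecdsa.PrivateKey) {
	key, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(time.Now().UnixNano()), Subject: pkix.Name{CommonName: name},
		NotBefore: time.Now().Add(-time.Minute), NotAfter: time.Now().Add(ttl),
		KeyUsage: x509.KeyUsageDigitalSignature,
	}
	if parent == nil { // primary: a CA allowed to sign the intermediates
		tmpl.IsCA, tmpl.BasicConstraintsValid, tmpl.KeyUsage = true, true, x509.KeyUsageCertSign
		parent, parentKey = tmpl, key
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, &key.PublicKey, parentKey)
	if err != nil {
		panic(err)
	}
	cert, _ := x509.ParseCertificate(der)
	return cert, key
}

// Allow is the agent-side check from the claims: the peer's certificate must chain to the primary,
// be unexpired at `now`, and name a node that belongs to the known network environment.
func Allow(peer, primary *x509.Certificate, nodes map[string]bool, now time.Time) error {
	roots := x509.NewCertPool()
	roots.AddCert(primary)
	if _, err := peer.Verify(x509.VerifyOptions{Roots: roots, CurrentTime: now}); err != nil {
		return fmt.Errorf("certificate rejected: %w", err)
	}
	if !nodes[peer.Subject.CommonName] {
		return fmt.Errorf("identity %q is not part of the network environment", peer.Subject.CommonName)
	}
	return nil
}
```

Allow returns nil only when all three conditions hold; an expired intermediate, one not signed under the primary, or one naming an unknown node is refused with a descriptive error the agent can log before dropping the flow.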
CPC classification titles:

- for achieving mutual authentication (cryptographic mechanisms or cryptographic arrangements for mutual authentication, H04L9/3273)
- Rule management
- using certificates (cryptographic mechanisms or cryptographic arrangements for entity authentication involving certificates, H04L9/3263)
- at the transport layer