Policy enforcement with dynamic address object

US8930529B1 · US · B1

Patent metadata
Publication number: US-8930529-B1
Application number: US-201113246472-A
Country: US
Kind code: B1
Filing date: Sep 27, 2011
Priority date: Sep 27, 2011
Publication date: Jan 6, 2015
Grant date: Jan 6, 2015

How to read this patent

A practical reading order for non-experts. Skip the full description unless you need deep technical detail.

  1. Title

    What the patent document calls the invention.

  2. Abstract

    A short plain-language summary of the technical disclosure.

  3. Assignees and inventors

    Who owns or filed the patent and who is credited as inventor.

  4. Key dates

    Filing, priority, publication, and grant dates set the timeline.

  5. First independent claim

    The legal scope of protection — read this for what is actually claimed.

  6. CPC / IPC classifications

    Technology tags used to group this patent with similar filings.

  7. Citations and related patents

    Prior art links and similar publications in this corpus.

Abstract

Official abstract text for this publication.

Policy enforcement is disclosed. An identity notification is received from a network device. The identity notification is usable to determine a user identifier associated with the network device. The identity notification is also usable to determine an IP address associated with the network device. A policy is updated based on the received identity notification.

First claim

Opening claim text (preview).

What is claimed is:

1. A system, comprising: a processor configured to: receive a policy comprising an identifier associated with a network device; receive a first identity notification from the network device; store, in response to receiving the first identity notification, a mapping between the identifier associated with the network device and a first IP address determined based at least in part on the first identity notification; implement the policy based at least in part on the stored mapping, including by using the first IP address to represent the network device; receive a second identity notification from the network device; determine, in response to receiving the second identity notification, that an IP address associated with the network device has changed to a second IP address; update the stored mapping to a mapping between the identifier associated with the network device and the second IP address; implement a revised version of the policy based at least in part on the updated mapping, including by using the second IP address to represent the network device; and enforce the implemented revised version of the policy, including by allowing or denying one or more requests to access the network device; and a memory coupled to the processor and configured to provide the processor with instructions; wherein the network device comprises a virtual machine, and the second identity notification is received from the virtual machine in conjunction with a migration of the virtual machine.

2. The system of claim 1 wherein at least one of the first identity notification and the second identity notification is received from the network device in conjunction with an execution of a startup script by the network device machine.

3. The system of claim 1 wherein an identity notification is received from the network device periodically.

4. The system of claim 1 wherein at least one of the first identity notification and the second identity notification is received from the network device in response to a login event occurring on the network device.

5. The system of claim 1 wherein at least one of the first identity notification and the second identity notification explicitly includes a user identifier.

6. The system of claim 1 wherein at least one of the first identity notification and the second identity notification explicitly includes a current IP address associated with the network device.

7. The system of claim 1 wherein at least one of the first identity notification and the second identity notification includes a digital certificate usable to determine a user identifier.

8. The system of claim 1 wherein implementing the revised version of the policy includes retrieving the stored mapping between the identifier associated with the network device and the first IP address.

9. The system of claim 1 wherein implementing the revised version of the policy includes compiling a current IP address associated with the network device into a rule usable by a firewall.

10. The system of claim 1 wherein at least one of the first identity notification and the second identity notification is received by the system via an application programming interface.

11. The system of claim 1 wherein the network device is located at a hosting facility.

12. A method, comprising: receiving a policy comprising an identifier associated with a network device; receiving a first identity notification from the network device; storing, in response to receiving the first identity notification, a mapping between the identifier associated with the network device and a first IP address determined based at least in part on the first identity notification; implementing the policy based at least in part on the stored mapping, including by using the first IP address to represent the network device; receiving a second identity notification from the network device; determining, in response to receiving the second identity notification, that an IP address associated with the network device has changed to a second IP address; updating the stored mapping to a mapping between the identifier associated with the network device and the second IP address; implementing a revised version of the policy based at least in part on the updated mapping, including by using the second IP address to represent the network device; and enforcing the implemented revised version of the policy, including by allowing or denying one or more requests to access the network device; wherein the network device comprises a virtual machine, and the second identity notification is received from the virtual machine in conjunction with a migration of the virtual machine.

13. The method of claim 12 wherein at least one of the first identity notification and the second identity notification is received from the network device in response to a login event occurring on the network device.

14. A computer program product embodied in a non-transitory tangible computer readable storage medium and comprising computer instructions for: receiving a policy comprising an identifier associated with a network device; receiving a first identity notification from the network device; storing, in response to receiving the first identity notification, a mapping between the identifier associated with the network device and a first IP address determined based at least in part on the first identity notification; implementing the policy based at least in part on the stored mapping, including by using the first IP address to represent the network device; receiving a second identity notification from the network device; determining, in response to receiving the second identity notification, that an IP address associated with the network device has changed to a second IP address; updating the stored mapping to a mapping between the identifier associated with the network device and the second IP address; implementing a revised version of the policy based at least in part on the updated mapping, including by using the second IP address to represent the network device; and enforcing the implemented revised version of the policy, including by allowing or denying one or more requests to access the network device; wherein the network device comprises a virtual machine, and the second identity notification is received from the virtual machine in conjunction with a migration of the virtual machine.
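The claims describe a policy that names its target by a device identifier rather than an IP address, a stored identifier-to-IP mapping that identity notifications create and update (for example when a virtual machine migrates), and firewall rules recompiled from the current mapping before requests are allowed or denied. The following is an added example of that flow, written for this page and not code from the patent or its assignee; the class and field names (`PolicyEngine`, `IdentityNotification`, `allowed_sources`) and the sample addresses are constructed. It trusts the notification's contents as given; authenticating the sender (claim 7 mentions a digital certificate usable to determine the user) is left out of scope.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Dict, List, Tuple


@dataclass(frozen=True)
class Policy:
    """A policy references the protected device by identifier, never by IP."""
    name: str
    device_id: str                    # identifier of the network device (e.g. a VM name)
    allowed_sources: Tuple[str, ...]  # CIDRs permitted to reach the device


@dataclass(frozen=True)
class IdentityNotification:
    """What a device reports to the policy engine (constructed fields)."""
    device_id: str
    ip: str
    user_id: str = ""


@dataclass(frozen=True)
class FirewallRule:
    """An IP-based rule compiled from a policy plus the current mapping."""
    src: str
    dst: str
    action: str = "allow"


class PolicyEngine:
    def __init__(self, policies: List[Policy]) -> None:
        self.policies = {p.name: p for p in policies}
        # The dynamic address object: device identifier -> current IP address.
        self.mapping: Dict[str, str] = {}
        self.rules: List[FirewallRule] = []
        self.recompile()

    def receive_identity_notification(self, note: IdentityNotification) -> bool:
        """Store or update the mapping; return True if the IP changed and rules were recompiled."""
        ip = str(ip_address(note.ip))  # reject malformed addresses, normalise the rest
        previous = self.mapping.get(note.device_id)
        if previous == ip:
            return False  # periodic re-announcement with no change: nothing to do
        self.mapping[note.device_id] = ip
        self.recompile()
        return True

    def recompile(self) -> None:
        """Compile each policy into firewall rules using the device's current IP."""
        rules: List[FirewallRule] = []
        for policy in self.policies.values():
            ip = self.mapping.get(policy.device_id)
            if ip is None:
                continue  # device has not announced itself yet, so nothing is reachable
            for cidr in policy.allowed_sources:
                rules.append(FirewallRule(src=cidr, dst=ip))
        self.rules = rules

    def evaluate(self, src_ip: str, dst_ip: str) -> str:
        """Allow a request only if a compiled rule matches; default deny."""
        src, dst = ip_address(src_ip), ip_address(dst_ip)
        for rule in self.rules:
            if dst == ip_address(rule.dst) and src in ip_network(rule.src, strict=False):
                return rule.action
        return "deny"


def demo() -> Dict[str, object]:
    """Walk through first announcement, migration, and enforcement against the old IP."""
    engine = PolicyEngine([Policy("db-access", "db-vm-01", ("10.0.100.0/24",))])
    results: Dict[str, object] = {}
    results["before_notify"] = engine.evaluate("10.0.100.8", "10.0.1.5")   # deny: no mapping yet
    engine.receive_identity_notification(IdentityNotification("db-vm-01", "10.0.1.5", "svc-db"))
    results["after_first"] = engine.evaluate("10.0.100.8", "10.0.1.5")     # allow
    # The VM migrates to another subnet and sends a second identity notification.
    results["changed"] = engine.receive_identity_notification(
        IdentityNotification("db-vm-01", "10.0.2.7", "svc-db"))
    results["old_ip_after_migration"] = engine.evaluate("10.0.100.8", "10.0.1.5")  # deny
    results["new_ip_after_migration"] = engine.evaluate("10.0.100.8", "10.0.2.7")  # allow
    results["outside_source"] = engine.evaluate("192.168.5.5", "10.0.2.7")        # deny
    results["rules"] = list(engine.rules)
    return results


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

The point to notice is the last two evaluations: once the second notification updates the mapping, the stale address stops matching any rule without anyone editing the policy, while an unexpected source is still denied by default.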

Assignees

Inventors

Classifications

  • H04L63/20 (Primary): for managing network security; network security policies in general (filtering policies H04L63/0227) · CPC title

  • Filtering by address, protocol, port number or service, e.g. IP-address or URL · CPC title

  • Entity profiles · CPC title

  • Network directories; Name-to-address mapping · CPC title

  • Update or notification mechanisms, e.g. DynDNS · CPC title

Patent family

Related publications grouped by family.

External sources

Frequently asked questions

Answers are generated from the same data shown on this page.

What does patent US8930529B1 cover?
Policy enforcement is disclosed. An identity notification is received from a network device. The identity notification is usable to determine a user identifier associated with the network device. The identity notification is also usable to determine an IP address associated with the network device. A policy is updated based on the received identity notification.
Who is the assignee on this patent?
Wang Song, Deng Suiqiang, Xu Wilson, and 2 more
What technology area does this patent fall under?
Primary CPC classification H04L63/20. Mapped technology areas include Electricity.
When was this patent published?
Publication date Jan 6, 2015 (B1). Legal status and post-grant events are not shown on this page.
What related patents are in patentsdb?
We list 8 related publications on this page (citations in our corpus or others sharing the same primary CPC).