(19) United States
(12) Patent Application Publication     (10) Pub. No.: US 2014/0282843 A1
     Buruganahalli et al.               (43) Pub. Date: Sep. 18, 2014

(54) CREATING AND MANAGING A NETWORK SECURITY TAG

(71) Applicant: McAfee, Inc., Santa Clara, CA (US)

(72) Inventors: Shivakumar Buruganahalli, San Jose, CA (US); Manuel Nedbal, Santa Clara, CA (US)

(21) Appl. No.: 13/976,303

(22) PCT Filed: Mar. 15, 2013

(86) PCT No.: PCT/US2013/032433
     § 371 (c)(1), (2), (4) Date: Dec. 26, 2013

Publication Classification

(51) Int. Cl.
     H04L 29/06 (2006.01)

(52) U.S. Cl.
     CPC .......... H04L 63/20 (2013.01)
     USPC ......... 726/1

(57) ABSTRACT

An apparatus, computer readable medium, and method are provided in one example embodiment and include a network device, an analysis module, and a tag module. The analysis module may be configured to perform a number of actions on the network data to identify network information about the network data. The tag module may be configured to determine whether a destination for the network data is within a set of destinations; and responsive to a determination that the destination for the network data is within the set of destinations: generate a metadata tag based on the network information, associate the metadata tag with the network data, and transmit the network information and the metadata tag.
[Front-page figure (reference numerals 100 and 108): actions performed by the modules of a network device and their results. Recoverable labels: protocol identification, host identification, intrusion protection scan, virus scan, flow analysis, virus scan result, intrusion protection scan result, protocol flow information, blocked source information.]
Page 1 of 18
Netskope Exhibit 1005
[FIG. 1, Sheet 1 of 6: simplified block diagram of network environment 10. Network 12 with Web server 14 and database server 16; network 18 from which request 26 is sent toward network 12. See [0011]-[0018].]
[FIG. 2, Sheet 2 of 6: simplified block diagram of network 18, showing firewall 30, router 32, proxy server 34, authentication server 36, anti-virus server 38, intrusion protection system 40 and switch 42, with network data 28 entering from network 12. See [0019]-[0026].]
[FIG. 3, Sheet 3 of 6: simplified block diagram of network environment 10. Network 18 contains network devices 50, 52 and 54 (network device 52 with its modules) exchanging network data 58; Web server 14 is reached through network 12. See [0032]-[0038].]
[FIG. 4, Sheet 4 of 6: actions 100 performed by modules of a network device. The page is rotated in the source; recoverable labels: protocol identification, host identification, intrusion protection scan, virus scan, flow analysis, virus scan result, intrusion protection scan result, protocol flow information, blocked source information. See [0036] and [0038].]
[FIG. 5, Sheet 5 of 6: flowchart of an example flow for managing network data. Recoverable steps, in order:

  502  Is there an initial metadata tag?
       Yes: identify initial network information about the network data based on the initial metadata tag (504).
       Perform a number of actions on the network data to identify network information about the network data.
       Is a destination for the network data within a set of destinations?
       Yes: generate a metadata tag based on the network information.
       Is there an initial metadata tag?
       Associate the metadata tag with the network data (540).
       Send the network data and the metadata tag to another network device (542).
  END]
[FIG. 6, Sheet 6 of 6: simplified block diagram of a computing system arranged in a point-to-point configuration. The page is rotated in the source; recoverable labels: memory, display, keyboard, mouse, communication devices. See [0010].]
CREATING AND MANAGING A NETWORK SECURITY TAG

TECHNICAL FIELD

[0001] This disclosure relates in general to the field of networks, and more particularly, to creating and managing a network security tag in a network environment.
BACKGROUND

[0002] Computer networks continue to become more complex. Users of computer networks frequently use applications that cause network devices to send and receive data to many different network devices. The data may travel through a number of different networks and network devices before reaching the final destination for the data. Network devices may be capable of receiving and sending data across different types of networks. Such devices may be used for routing data to the final destination for the data, such as routers and switches. Such devices may also be used to prevent unauthorized access to applications and data, such as firewalls, authentication servers, and proxy servers. Further, such devices may be used to prevent unauthorized data from being transmitted through the network, such as antivirus servers, data capture servers, and security compliance servers.

[0003] An enterprise or cloud deployment is a complex implementation of network devices, security devices, server devices, and virtualized environments distributed across geographical borders, such as, for example, routers, switches, firewalls, intrusion protection systems, data capture devices, authenticating servers, Web caches, accelerators, decryption proxies, compliance appliances, storage servers, and server farms. Various network devices may analyze network data as it traverses from the perimeter towards the core of an enterprise network.
BRIEF DESCRIPTION OF THE DRAWINGS

[0004] To provide a more complete understanding of the present disclosure and features and advantages thereof, reference is made to the following description, taken in conjunction with the accompanying figures, wherein like reference numerals represent like parts, in which:

[0005] FIG. 1 is a simplified block diagram of a network environment in accordance with an embodiment;

[0006] FIG. 2 is a simplified block diagram of a network depicted in accordance with an embodiment;

[0007] FIG. 3 is a simplified block diagram of a network environment depicted in accordance with an embodiment;

[0008] FIG. 4 is a simplified block diagram of actions performed by modules of a network device in accordance with an embodiment;

[0009] FIG. 5 is a flowchart illustrating an example flow that may be associated with a network system for managing network data in accordance with an embodiment; and

[0010] FIG. 6 is a simplified block diagram illustrating a computing system that is arranged in a point-to-point configuration according to an embodiment.
DETAILED DESCRIPTION OF EXAMPLE EMBODIMENTS

Example Embodiments

[0011] FIG. 1 is a simplified block diagram of a network environment 10 in accordance with an embodiment. Network environment 10 is an environment in which embodiments may be implemented.

[0012] Network environment 10 includes a network 12, a Web server 14, a database server 16, and a network 18. Network 12 may be a medium used to provide communications links between various devices and computers connected together within network environment 10. Network 12 may include connections, such as wired communication links, wireless communication links, or both.

[0013] In the example, Web server 14 is connected to network 12. Web server 14 is a server configured to send and receive Web pages and Web applications to and from clients that request such data. Similarly, database server 16 is connected to network 12. Database server 16 is a server configured to store and retrieve data in a database that is sent to database server 16 or requested from database server 16. However, in other examples, Web server 14 and database server 16 may run different or additional applications that cause Web server 14 and database server 16 to send and receive different data.

[0014] Client 20 is connected to network 18. Client 20 may be, for example, a personal computer or network computer. Client 20 may send data to authentication server 22 and may receive data messages from authentication server 22 using network 18. Such data may include requests to authenticate a user, verify user credentials, or other suitable examples.

[0015] Client 20, authentication server 22, and other devices connected to network 18 may also communicate with Web server 14 and database server 16 using network 12. To communicate with Web server 14 and database server 16, for example, client 20 may send data through network 18 to router 24. Router 24 is a network device connected to both network 18 and network 12. Router 24 may receive the data from network 12, process the data, and transmit the processed data on network 18. Likewise, router 24 may also receive data on network 18, process the data, and transmit the processed data to network 12. One example of such processing is performing network address translation (NAT).

[0016] In one example, client 20 is configured to request a Web page from Web server 14. Client 20 is further configured with a network address of router 24 as a gateway to be used by client 20. Client 20 generates request 26 for the Web page using the Hypertext Transfer Protocol (HTTP) and transmits request 26 to router 24. Router 24 receives request 26 and processes request 26. In this example, router 24 first requests information from authentication server 22 to determine whether client 20 is permitted to send request 26 through router 24. When router 24 determines that client 20 is authorized to send request 26 through router 24, router 24 modifies the source address of request 26 to be the address of router 24 on network 12.

[0017] Router 24 then transmits request 26 on network 12. Web server 14 on network 12 receives request 26. Web server 14 generates a response to the request and transmits the response to router 24 through network 12. Router 24 processes the response by modifying the destination address, for example, and transmits the response to client 20.

[0018] Network environment 10 may include additional servers, clients, and other devices not shown. In the depicted example, network environment 10 may be a representation of the Internet with network 12 representing a worldwide collection of networks and gateways that use the Transmission Control Protocol/Internet Protocol (TCP/IP) suite of protocols to communicate with one another. At the heart of the Internet is a backbone of high-speed data communication lines between major nodes or host computers, consisting of thousands of commercial, government, educational and other network devices that route data and messages. Of course, network environment 10 may also be implemented as a number of different types of networks, such as for example, one or more of an intranet, a local area network (LAN), or a wide area network (WAN). FIG. 1 is intended as an example, and not as an architectural limitation.

[0019] FIG. 2 is a simplified block diagram of network 18 depicted in accordance with an embodiment. In an embodiment, network 18 includes firewall 30, router 32, proxy server 34, authentication server 36, anti-virus server 38, intrusion protection system 40, switch 42, client 44 and client 46. In this example, network data 28 may be received from another network, such as network 12 in FIG. 1, with a destination of client 44.

[0020] In this example, firewall 30 may be configured to receive network data 28. Firewall 30 is a network device configured to allow or deny the transmission of certain network data based on a policy. Firewall 30, using the policy, may be configured to allow network data based on criteria, such as having certain source and destination addresses, source and destination networks, source and destination ports, content, and other suitable criteria. Likewise, firewall 30 may also be configured to prevent network data meeting the same, different, and additional types of criteria from entering network 18.

[0021] Router 32 may be configured to receive and process (i.e., analyze) network data 28. In this example, router 32 may be configured to modify the destination address and destination port for network data 28 such that the destination address of data 28 is proxy server 34 and the destination port is a port on which proxy server 34 is listening for data 28. Router 32 may be configured to transmit network data 28 to proxy server 34. If network data 28 is coming from proxy server 34, router 32 may be configured to send network data 28 to firewall 30.

[0022] In an embodiment, proxy server 34 communicates with router 32, authentication server 36, and anti-virus server 38. Proxy server 34 may be configured to receive network data 28. For example, proxy server 34 may receive network data 28 and identify network data 28 as a response to a request for a Web page from a server outside of network 18. Proxy server 34 may then identify content in the Web page that is not allowed by a policy, such as social networking content. Such a policy may be received, in part, from authentication server 36. For example, a policy may indicate that only certain users of network 18 may be permitted to receive pages with social networking content. In one or more embodiments, network 18 may set such a policy. In this example, the user of client 44 may not be authorized to receive social networking content, so a portion of network data 28 may be removed by proxy server 34 before transmitting network data 28 through network 18 to anti-virus server 38.

[0023] Anti-virus server 38 may be configured to communicate with proxy server 34 and intrusion protection system 40. In an embodiment, anti-virus server 38 may be configured to receive network data 28 and determine whether any viruses, malware, or other undesired and malicious software is present in network data 28. When such software is found, anti-virus server 38 may block network data 28 from being transmitted further, anti-virus server 38 may remove certain portions of network data 28, or perform another suitable action. In this example, anti-virus server 38 transmits network data 28 to intrusion protection system 40.

[0024] Intrusion protection system 40 may be configured to communicate with anti-virus server 38 and switch 42. Intrusion protection system 40 may be configured to receive data 28 and determine whether the content of network data 28 or circumstances surrounding network data 28 comprise an attack on network 18. For example, intrusion protection system 40 may determine whether network data 28, with a destination of client 44 or being transmitted by client 44, exceeds a predetermined threshold. Exceeding the predetermined threshold may be considered malicious and network data 28 may be blocked from transmission by intrusion protection system 40.

[0025] In this example, network data 28 does not comprise an attack on network 18, so intrusion protection system 40 transmits network data 28 to client 44 using network 18. In this example, client 44 is connected to intrusion protection system 40 using switch 42. Switch 42 receives network data 28 and retransmits network data 28 to client 44. Client 44 receives data 28 and displays a Web page using the contents of network data 28.

[0026] Each of the network devices of network 18 may be configured to perform complex processing, such as deep packet inspection, protocol analysis, and state-machine processing on network data 28 on a per-packet basis, looking for malicious content. As part of the processing, every network device spends processor cycles gathering critical information regarding network data 28. In currently existing mechanisms, as network data 28 is forwarded to the next network device in the chain for processing, that network device must perform all of the processing on network data 28 over again. If the network devices are implemented as virtual machines within a virtual environment, this redundant processing will use more cycles gathering information, limiting processing capability and scalability. Additionally, security elements and core business logic have no insight into the security attributes or the processing done on network data 28 by the other network devices in the chain for any given network data. Also, network devices may tap into a cloud for real-time information regarding network data 28. Retrieving data from a cloud may be computationally expensive if done by each network device in the chain to obtain the same information. However, there currently exists no mechanism to leverage and build on the processing done by the previous entity in the chain for security and network data processing.

[0027] The different examples provide a number of advantages. For example, the different embodiments allow a network device in a network to use the result of processing performed by a previous network device through which network data 28 has already traveled. The use of processing by the previous network device allows the network device to process the data without having to repeat actions already performed by the previous network device.

[0028] In one or more embodiments, network devices in the network infrastructure do processing, including deep packet inspection, protocol analysis, and state-machine processing, looking for malicious content. As part of the processing, each network device uses resources gathering information regarding network data 28. As network data 28 is forwarded to the next network device in the route for processing, the next network device may analyze a metadata tag added by the previous network device to perform additional processing. The metadata tag may be information and data about network data 28. By receiving the metadata tag about network data 28, a network device may avoid reprocessing network data in the same way multiple times. The metadata tag may be shared across network devices within a network. The metadata tag may be transmitted to and from the different entities using in-band or out-of-band channels. Additionally, the metadata tag may be shared across logical and physical connections, tunnels, through any protocol-to-protocol translations, etc.

[0029] One or more embodiments may provide that a network device adds a metadata tag, which includes metadata information and fields. The metadata tag may be added to network data when the network data first enters a network, domain, Active Directory domain, or other group of network devices. In other embodiments, any device within the group of network devices may add the metadata tag. Further, the last network device to receive the network data prior to sending the data outside of the group of network devices may remove the metadata tag. In other embodiments, any network device may remove the metadata tag. Thus, the metadata tag may be removed before it reaches undesired network devices.

[0030] The embodiments provide that each network device, after processing the network data, may attach critical information to the traffic stream in the form of a metadata tag. This metadata tag may be used to present any data related to the processing of this network data to the next network device or network devices that are between the end-points. The embodiments build synergy across various network devices within a domain by leveraging the information assembled by one network device to be presented to the next network device in the chain for the same network data. The embodiments herein help reduce redundant processing of network data by various elements, increasing efficiency as well as providing better protection with scaling. This metadata tag could be implemented across various network devices such as, for example, an intrusion protection system, a data loss prevention system, a firewall, a load balancer, end points, and servers.

[0031] Creating synergy helps leverage the processing done by various elements, leading to efficient processing and scalability. The embodiments herein enable different network devices to operate like one distributed system, each solving a different piece of the same puzzle. The embodiments herein may also operate when applied to virtual environments where each of the network devices is instantiated as a virtual machine. Every network device can leverage the metadata tag, building an ecosystem and taking security to a next level. Also, when the network devices need to plug into a cloud for real-time data, which is a very expensive operation in terms of processing, the different embodiments herein may increase efficiency. Since the metadata tag itself may be encrypted by a key, this provides additional protection for the metadata tag itself.

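The tag handling described in [0028]-[0031] (a tag shared among the devices of one group, attached on entry, removed before the data leaves the group, and protected by a key), as an added Python example that is not code from the application or from McAfee. The application says the tag "may be encrypted by a key"; this example instead authenticates the serialized tag with HMAC-SHA256 from the standard library, because the property a downstream device relies on when it skips work on the strength of a tag is that the tag was produced by a peer in the group and has not been altered, which encryption alone does not guarantee (confidentiality can be layered on with an authenticated cipher). The device names (after the reference numerals of FIG. 2), the shared key, the tag layout (`origin`, `fields`, `hops`), the `Packet` stand-in and the `TagModule` API are assumptions made for the example; key distribution is out of scope.

```python
import hashlib
import hmac
import json
from dataclasses import asdict, dataclass, field
from typing import Optional

# Constructed shared key for the devices of one group (assumption: the
# application only says the tag "may be encrypted by a key" and does not say
# how the key is distributed).
DOMAIN_KEY = b"constructed-example-key-for-network-18"

# The group of network devices that exchange tags ([0029]); names follow the
# reference numerals of FIG. 2 and are assumptions for this example.
DOMAIN_DEVICES = {"firewall-30", "router-32", "proxy-34", "av-38", "ips-40"}


@dataclass
class MetadataTag:
    """Network information about one piece of network data, built up hop by hop."""
    origin: str                                 # device that first attached the tag
    fields: dict = field(default_factory=dict)  # e.g. {"virus_scan": "clean"}
    hops: list = field(default_factory=list)    # devices that have processed the data


def encode_tag(tag: MetadataTag, key: bytes = DOMAIN_KEY) -> bytes:
    """Serialize the tag as canonical JSON and append an HMAC-SHA256 over it."""
    body = json.dumps(asdict(tag), sort_keys=True, separators=(",", ":")).encode()
    mac = hmac.new(key, body, hashlib.sha256).hexdigest().encode()
    return body + b"." + mac


def decode_tag(blob: bytes, key: bytes = DOMAIN_KEY) -> Optional[MetadataTag]:
    """Return the tag only if its MAC verifies; a forged or altered tag yields None."""
    body, sep, mac = blob.rpartition(b".")
    if not sep:
        return None
    expected = hmac.new(key, body, hashlib.sha256).hexdigest().encode()
    if not hmac.compare_digest(mac, expected):  # constant-time comparison
        return None
    d = json.loads(body)
    return MetadataTag(origin=d["origin"], fields=d["fields"], hops=d["hops"])


@dataclass
class Packet:
    """Minimal stand-in for network data, with the tag carried in-band."""
    src_device: str
    dst_device: str
    payload: bytes
    tag_blob: Optional[bytes] = None


class TagModule:
    """Tag module of one network device (the role of tag module 60 in FIG. 3)."""

    def __init__(self, device_id: str, domain: set, key: bytes = DOMAIN_KEY):
        self.device_id = device_id
        self.domain = domain
        self.key = key

    def receive(self, pkt: Packet) -> Optional[MetadataTag]:
        """Trust a tag only if it arrives from a group peer and authenticates.

        Data entering from outside the group (e.g. from network 12) is treated
        as untagged even if it carries something that looks like a tag.
        """
        if pkt.src_device not in self.domain or pkt.tag_blob is None:
            return None
        return decode_tag(pkt.tag_blob, self.key)

    def send(self, pkt: Packet, tag: Optional[MetadataTag], new_info: dict) -> Packet:
        """Attach or extend the tag for a group peer; strip it at the boundary."""
        out = Packet(self.device_id, pkt.dst_device, pkt.payload)
        if pkt.dst_device not in self.domain:
            return out                  # last device before the exit: no tag leaves
        if tag is None:
            tag = MetadataTag(origin=self.device_id)
        tag.fields.update(new_info)
        tag.hops.append(self.device_id)
        out.tag_blob = encode_tag(tag, self.key)
        return out


def run_chain() -> dict:
    """Constructed walk along FIG. 2: proxy 34 -> anti-virus 38 -> IPS 40 -> client 44."""
    proxy, av, ips = (TagModule(d, DOMAIN_DEVICES) for d in ("proxy-34", "av-38", "ips-40"))
    data = b"HTTP/1.1 200 OK\r\n\r\n<html>constructed sample page</html>"
    p1 = proxy.send(Packet("proxy-34", "av-38", data), None, {"policy": "allowed"})
    p2 = av.send(Packet("av-38", "ips-40", p1.payload), av.receive(p1), {"virus_scan": "clean"})
    seen_by_ips = ips.receive(p2)
    p3 = ips.send(Packet("ips-40", "client-44", p2.payload), seen_by_ips, {"ips_scan": "clean"})
    # A tag presented by a host outside the group is not trusted, even if it verifies.
    forged = Packet("internet-host", "av-38", data, p2.tag_blob)
    return {
        "fields_at_ips": seen_by_ips.fields,
        "hops_at_ips": seen_by_ips.hops,
        "tag_leaves_domain": p3.tag_blob is not None,
        "forged_accepted": av.receive(forged) is not None,
    }


if __name__ == "__main__":
    print(run_chain())
```

`receive` checks the sender before it checks the MAC, which is the in-code counterpart of the boundary rule in [0029]: only devices in the group may assert network information, and the last device before the exit strips the tag so that scan results are neither disclosed to nor replayed from the outside. Anything that fails either check is treated as an untagged packet and gets the full processing.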
[0032] FIG. 3 is a simplified block diagram of a network environment 10 depicted in accordance with an embodiment. In an embodiment, network environment 10 includes network 18, network device 50, network device 52, network device 54, Web server 14, and network 12. Network device 50, network device 52, and network device 54 are connected within network 18. Network 18 may be connected to network 12 through network device 50. In some examples, network 12 may be a representation of the Internet. Additionally, in other examples, network 12 may be a representation of a private network. Web server 14 is connected to network 12. In other examples, Web server 14 may be another type of network device.

[0033] In this example, network device 52 and network device 54 may communicate with one another using network 18, but network device 52 and network device 54 may only communicate with Web server 14 by sending and receiving data through network device 50. Network device 50 may be a router in some examples. For example, network device 50 may be router 32 in FIG. 2. Further, network device 52 may be an example implementation of anti-virus server 38 in FIG. 2. In other examples, network devices 50-54 may be other types of network devices.

[0034] In one example, network device 54 generates network data 58 and sends network data 58 to network device 52. Network data 58 may be a number of data packets of network data traffic. A data packet, as used herein, is a unit of data configured for travelling through a network. Each data packet may have a number of portions. In an example, a packet has two portions, a body and a number of headers. In another example, network data 58 may be a hypertext transfer protocol (HTTP) request.

[0035] Network device 54 is configured to send network data 58 intended for Web server 14 to network device 52. Accordingly, network device 52 may be configured as a gateway for network device 54.

[0036] Network device 52 may perform processing on network data 58. Network device 52 may include tag module 60 and analysis modules 66. Network device 52 may be configured to notify tag module 60 that network data has been received. Tag module 60 may be configured to determine whether network data 58 includes metadata tag 64. Metadata tag 64 may be a collection of network information related to network data 58 and processing of network data 58 by network device 54 and other previous network devices through which network data 58 has passed. For example, the information may include a virus scan result, protocol flow information, identification of a blocked source address, an intrusion protection scan result, and other suitable data. Examples of the network information are depicted in FIG. 4.

[0037] Analysis modules 66 and tag module 60 may work together to exchange network information. For example, analysis modules 66 may perform actions on network data 58 and send the results of the actions to tag module 60. Likewise, tag module 60 may identify network information in metadata tag 64 associated with network data 58 and send the network information to analysis modules 66. Analysis modules 66 may be representative of different components of network device 52. For example, analysis modules 66 may be a security module or other processing module of network device 52. In even further embodiments, analysis modules 66 may be a representation of a combination of modules used by network device 52, such as, for example, any of the network devices depicted in FIG. 2.

[0038] Analysis modules 66 may be configured to perform a number of actions on network data 58. The actions may be, for example, a virus scan, a protocol flow analysis, host identification, and other suitable actions. A number of examples of the actions are depicted in FIG. 4. If network data 58 included metadata tag 64, analysis modules 66 may perform the number of actions based on network information in metadata tag 64. The result of the actions may produce an analysis that includes network information. The actions may be performed fully, partially, entirely skipped, or redone.

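The flow of FIG. 5 applied to the actions of [0036]-[0038], as an added Python example that is not code from the application: each device reads the initial tag, performs an action, skips it when the tag already carries a usable result, redoes it when that result is older than a fixed age (the "predetermined period of time" mentioned in the next paragraph is given no value in the application; 300 seconds is an assumption here), and generates a tag only when the destination is within the set of destinations. The three actions (`protocol_identification`, `virus_scan`, `intrusion_scan`), their constructed signatures, the device names and the destination set are assumptions made for the example; the tag is handed over as an in-memory object, standing in for either an in-band or an out-of-band channel.

```python
import time
from typing import Callable, Dict, Optional

# Destinations for which a tag is generated (the "set of destinations" of FIG. 5).
# Names follow the reference numerals of FIG. 2 and are assumptions for this example.
TAG_DESTINATIONS = {"av-38", "ips-40", "switch-42", "client-44", "client-46"}

# How old a prior result may be before the action is redone. The application
# speaks of a "predetermined period of time" without giving one; 300 s is assumed.
MAX_RESULT_AGE_S = 300.0

# An action sees the network data and the network information known so far, so
# it can build on earlier results instead of repeating them.
Action = Callable[[bytes, Dict[str, dict]], str]


def protocol_identification(data: bytes, info: Dict[str, dict]) -> str:
    return "http" if data.startswith((b"GET ", b"POST ", b"HTTP/")) else "unknown"


def virus_scan(data: bytes, info: Dict[str, dict]) -> str:
    # Constructed one-signature scanner; a real one consults a signature database.
    return "infected" if b"CONSTRUCTED-MALWARE-MARKER" in data else "clean"


def intrusion_scan(data: bytes, info: Dict[str, dict]) -> str:
    # Partial action: relies on protocol identification already in the tag and
    # only inspects the request line, here for a constructed traversal pattern.
    proto = info.get("protocol_identification", {}).get("value")
    if proto != "http":
        return "not-applicable"
    request_line = data.split(b"\r\n", 1)[0]
    return "attack" if b"../" in request_line else "clean"


class NetworkDevice:
    """A device with analysis modules (the actions) and a tag module (process)."""

    def __init__(self, device_id: str, actions: Dict[str, Action], clock=time.time):
        self.device_id = device_id
        self.actions = actions
        self.clock = clock
        self.log = []  # (action, "performed" | "skipped" | "redone"), for inspection

    def process(self, data: bytes, dst: str, initial_tag: Optional[dict]) -> Optional[dict]:
        """The flow of FIG. 5 for one piece of network data.

        Returns the metadata tag to send along with the data, or None when the
        destination is outside the set of destinations.
        """
        # 502/504: identify the initial network information from the initial tag.
        info: Dict[str, dict] = dict(initial_tag) if initial_tag else {}
        # Perform the actions, skipping those the tag already answers recently enough.
        for name, action in self.actions.items():
            prior = info.get(name)
            if prior and self.clock() - prior["at"] <= MAX_RESULT_AGE_S:
                self.log.append((name, "skipped"))
                continue
            self.log.append((name, "redone" if prior else "performed"))
            info[name] = {"value": action(data, info), "by": self.device_id, "at": self.clock()}
        # Generate and associate a tag only for destinations within the set.
        if dst not in TAG_DESTINATIONS:
            return None
        return info


def run_chain(clock=time.time) -> dict:
    """Constructed walk: anti-virus server 38, then intrusion protection system 40."""
    data = b"GET /index.html HTTP/1.1\r\nHost: www.example.com\r\n\r\n"  # constructed request
    av = NetworkDevice("av-38", {"protocol_identification": protocol_identification,
                                 "virus_scan": virus_scan}, clock)
    ips = NetworkDevice("ips-40", {"protocol_identification": protocol_identification,
                                   "virus_scan": virus_scan,
                                   "intrusion_scan": intrusion_scan}, clock)
    tag_from_av = av.process(data, "ips-40", None)        # no initial tag at the first hop
    tag_from_ips = ips.process(data, "client-44", tag_from_av)
    return {"av_log": av.log, "ips_log": ips.log, "final_tag": tag_from_ips}


if __name__ == "__main__":
    print(run_chain())
```

`intrusion_scan` is the "performed partially" case of [0038]: it reuses the protocol identification carried in the tag instead of re-detecting the protocol, and the second device skips the virus scan entirely because the first device's result is still fresh. `process` trusts whatever tag it is handed; in a deployment the tag module should first apply the origin and integrity checks implied by [0029] and [0031] before the analysis modules skip any work on its account.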
[0039] Analysis modules 66 may also retrieve and use prior analysis on similar types of data to network data 58 within a predetermined period of time. For example, analysis modules 66 may use the network information provided by tag module
