(19) United States
(12) Patent Application Publication    (10) Pub. No.: US 2009/0144818 A1
Kumar et al.    (43) Pub. Date: Jun. 4, 2009
US 20090144818A1

(54) SYSTEM AND METHOD FOR USING VARIABLE SECURITY TAG LOCATION IN NETWORK COMMUNICATIONS

(75) Inventors: Srinivas Kumar, Cupertino, CA (US); Vijayashree S. Bettadapura, Campbell, CA (US)

Correspondence Address:
RATNERPRESTIA
P.O. BOX 980
VALLEY FORGE, PA 19482 (US)

(73) Assignee: Applied Identity, San Francisco, CA (US)

(21) Appl. No.: 12/267,850

(22) Filed: Nov. 10, 2008

Related U.S. Application Data

(60) Provisional application No. 60/986,833, filed on Nov. 9, 2007.

Publication Classification

(51) Int. Cl.
G06F 21/00 (2006.01)

(52) U.S. Cl. .......... 726/13

(57) ABSTRACT

A method of packet security management to ensure a secure connection from one network node to another. The method includes creating a security tag for each packet in a network session, selecting one of a number of possible tag locations within the packet, inserting the security tag at that location, transmitting the tagged packets from a sending node to the receiving node, authenticating the packets’ security tags at the receiving node, and dropping non-authenticated packets. The method also includes determining best possible tag locations when sending a packet and locating a security tag when receiving a packet.
[Front-page figure: TCP/IP packet 110 showing IP header 120 with IP option 130, TCP header with TCP option, and payload 160 with start of payload and end of payload marked.]

Page 1 of 16
Netskope Exhibit 1006
[Sheet 1 of 9, FIG. 1A: schematic diagram of a network using secure communications. Labels legible in the drawing: User 10, Sending Node, Receiving Node, sub-network 90.]
[Sheet 2 of 9, FIG. 1B: block diagram of the sending node (Placement Determination Unit, Insertion Unit, Transmission/Reception Unit) and the receiving node (Receiving Unit, Packet Processor, Transmitting Unit, Network Conditions Table).]
[Sheet 3 of 9, FIG. 2: data schema of TCP/IP packet 110: IP Header 120 with IP option, TCP Header with TCP Option, and payload with Start of Payload and End of Payload marked.]
[Sheet 4 of 9, FIG. 3A: flow chart with Sending Node and Receiving Node columns. Box text legible in the drawing: user request with credentials; send authentication request; authenticate the user; create a unique client ID and session key; assemble session data (security tag directives, protected subnets, network conditions table); send client ID, session key and session data to the sending node; sending node creates a signature from client ID, session key and payload.]
[Sheet 5 of 9, FIG. 3B: flow chart continuing FIG. 3A with Sending Node and Receiving Node columns, blocks 218 and 220. Box text legible in the drawing: send a discovery packet with security tags in possible locations; detect which embedded tags have been removed by network impediments; send a placement message indicating one or more locations to insert the security tag; choose appropriate tag location; authenticated session to protected subnets established; tag subsequent outgoing packets.]
[Sheet 6 of 9, FIG. 4: block diagram of Network Conditions Table 310 with entries 320, each holding an IP Address Range 330 and Tag Placement Directives.]
[Sheet 7 of 9, FIG. 5A: flow chart with Sending Node and Receiving Node columns. Box text legible in the drawing: use digital signature, client ID, placement directives and other control information to create security tag; network conditions table sent?; sending node address matches an entry in the network conditions table?; insert security tag at specified location; use network conditions table to determine best tag location and insert security tag there.]
[Sheet 8 of 9, FIG. 5B: flow chart with Sending Node and Receiving Node columns. Box text legible in the drawing: send packet; was a fixed tag location specified for this sending node connection?; is security tag in packet?; IP option size?; <option> = security tag op-code?; read security tag in IP option; read security tag in TCP option.]
[Sheet 9 of 9, FIG. 5C: flow chart with Sending Node and Receiving Node columns. Box text legible in the drawing: is there a valid security tag at the start of the payload?; is there a valid security tag at the end of the payload?; is the security tag valid?; drop the packet; authenticate tag and forward the packet to desired network resource; remove the security tag from the packet; does the next packet from the sending node have a security tag in the same location as the last?]
US 2009/0144818 A1    Jun. 4, 2009

SYSTEM AND METHOD FOR USING VARIABLE SECURITY TAG LOCATION IN NETWORK COMMUNICATIONS

CROSS REFERENCE TO RELATED APPLICATIONS

[0001] This application claims the benefit of U.S. Provisional Application No. 60/986,833, filed Nov. 9, 2007, entitled “System And Method For Using Variable Security Tag Location In Network Communications”, the contents of which are hereby incorporated by reference.

FIELD OF THE INVENTION

[0002] This invention relates to computer system security and, more particularly, to a system and method for improved reliability in secure packet communication systems.

BACKGROUND OF THE INVENTION

[0003] Computer system resources such as web servers and database services may be directly accessible through networks such as LANs, WANs, and the Internet. Communication between computer systems over a network typically takes place through transmitted data structures called packets. A packet may include data being transported from one system to another system. Such data is generally referred to as payload. A packet may also include other data that defines the structure and nature of the packet, including information indicating the origin and destination of the packet and information indicating other packet characteristics. A stream of packets may constitute a communication from one system to another system.

SUMMARY OF THE INVENTION

[0004] The invention may be embodied as a method or system for inserting a security tag into a packet in one or more locations within the packet so that the packet may pass through a number of network impediments with the security tag or tags intact.

[0005] The sending node and receiving node may determine security tag placement using different methods. They may negotiate placement when they first establish secure communications. The sending node may determine placement based on known network impediments between it and the receiving node. The sending node may send a test packet to the receiving node to determine locations where security tags are removed and then determine placement based on the results (the received test packet). The sending node may arbitrarily or randomly determine one or more placement locations in each packet and the receiving node may check for the security tag in various placement locations when it receives the packet.

[0006] By providing a variety of security tag placement locations within a packet and then determining one or more locations to overcome network impediments between the sending node and the receiving node, secure communications may be enabled using security tags in network environments that may not typically allow such security tags within packets.

BRIEF DESCRIPTION OF THE DRAWINGS

[0007] The invention is best understood from the following detailed description when read in connection with the accompanying drawings. According to common practice, various features/elements of the drawings may not be drawn to scale. Common numerical references represent like features/elements. The following figures are included in the drawings:

[0008] FIG. 1A is a schematic diagram illustrating a network using secure communications in accordance with an exemplary embodiment of the invention;

[0009] FIG. 1B is a schematic diagram of sending and receiving nodes in accordance with an exemplary embodiment of the invention;

[0010] FIG. 2 is a data schema of an exemplary packet structure illustrating variable placement locations for a security tag in accordance with another exemplary embodiment of the invention;

[0011] FIGS. 3A and 3B are flow charts illustrating a method of creating an authenticated session between a sending node and a receiving node and of determining a location in which to insert a security tag in packets sent to the receiving node in accordance with yet another exemplary embodiment of the invention;

[0012] FIG. 4 is a block diagram illustrating a network conditions table in accordance with various embodiments of the invention, and

[0013] FIGS. 5A, 5B and 5C are flow charts illustrating a method of sending packets from a sending node to a receiving node over an authenticated session and of finding and reading the security tags in the packets when the receiving node receives the packets in accordance with yet another exemplary embodiment of the invention.

DETAILED DESCRIPTION OF THE INVENTION

[0014] Although the invention is illustrated and described herein with reference to specific embodiments, the invention is not intended to be limited to the details shown. Rather, various modifications may be made in the details within the scope and range of equivalents of the claims and without departing from the invention.

[0015] Direct user/client access through networks such as LANs, WANs, and the Internet may make them vulnerable to malicious trespasses. Computer security systems may prevent such trespasses by authenticating users that desire to use resources and then ensuring that the communications between authenticated users and resources are not taken over by outside entities intent on malicious trespass.

[0016] One method to maintain secure communications via packets is to insert a security tag into each packet. The security tag may include information that the sender and receiver may verify, and thus ensures to the receiver that the packet is from a known (verified) sender and, for example, is not from an outside source that is attempting to break into a stream of packets. It may also ensure that the packet’s payload has not been altered during transmission.

[0017] A security tag within a packet, however, may not make it through (across) a network. Different network elements that check (verify) packets as the packets pass through the network may, for example, remove the security tag from a passing packet. A proxy server may, for example, consider a security tag as extraneous data and remove it, or stateful firewalls and intrusion detection systems may misinterpret the security tag and generate false alarms. In such cases, these network elements (impediments) may reduce or eliminate the effectiveness of the security of the communication.

[0018] FIG. 1A is a schematic diagram illustrating an exemplary network (environment) for secure communications using variable placement locations for placement of a security tag.

[0019] Referring to FIG. 1A, a user 10 may work with (operate) a sending node 20, which may be a personal computer or other computing device. Sending node 20 may have an operating system (OS) 30 that allows sending node 20 to communicate via a network 50 with other devices.

[0020] In certain exemplary embodiments, a security plug-in 40 that may run within OS 30 may examine (analyze) and/or may modify packets sent by sending node 20. In other exemplary embodiments, the security plug-in may be an application program, other program or hardware module executing on sending node 20.

[0021] A receiving node 60 may be a gateway to a sub-network 90 of network 50 that connects to one or more network resources 95 such as web servers, database servers, and other services that user 10 may desire to access. A security gateway 70 (e.g., a program or hardware module) may run on receiving node 60. A security server 80 may run as part of security gateway 70 to examine and/or modify incoming packets and may communicate with sending node 20 via sub-network 90 and/or network 50.

[0022] Although the security plug-in and security gateway are illustrated in the network application and security server, respectively, the security plug-in and security gateway may be provided in any device on the network or sub-network that interacts with the stream of packets being secured.

[0023] Referring to FIG. 1B, sending node 20 may include: (1) a placement determination unit 22 for selecting at least one placement location among a plurality of locations for the security tag to be embedded in each of the plurality of packets; (2) an insertion unit 24 for inserting the security tag at the at least one placement location for each of the packets; and (3) a transmission/reception unit 26 for transmitting/receiving information such as transmission of the tagged packets from sending node 20 toward receiving node 60.

[0024] In certain exemplary embodiments, receiving node 60 may include: (1) a receiving unit 62 for receiving the tagged packets from sending node 20; (2) a packet processor 64 for authenticating each of the security tags of the tagged packets, and (3) a transmitting unit 66 for transmitting information such as the network conditions table 68.

[0025] FIG. 2 is a data schema illustrating an exemplary packet structure (i.e., a Transmission Control Protocol/Internet Protocol (TCP/IP) packet 110 structure) that may be used to transport data between sending node 20 and receiving node 60. FIG. 2 illustrates exemplary locations 130, 150, 170 and 180 within packet 110 where a security tag may be inserted to secure (verify) the packet (including its origin). Other placement locations are also possible.

[0026] A TCP/IP packet may include: (1) an IP header 120 that includes Internet Protocol (IP) information about packet 110; (2) a TCP header 140 that includes transmission control protocol information about packet 110; and (3) a payload 160 that may include data that one node requested to send to another node. IP header 120 may include an IP option field 130 that may include optional information. The TCP header 140 may include a TCP option field 150 that may include optional information. The payload 160 may include any kind of data or information a node desires to communicate to another node.

[0027] In certain exemplary embodiments, security plug-in 40 may insert a security tag in one or more placement locations within the packet 110 (e.g., in the IP option field 130, in the TCP option field 150, at the start of the payload field 170, at the end of the payload field 180 and/or anywhere within the payload).

[0028] If the security tag is inserted in either IP option field 130 or TCP option field 150, the option field having the inserted security tag may start with an op-code (for example, a one-byte value) that may indicate the rest of the contents of the option field. The op-code value may be inserted in TCP or IP option field 130 or 150 to specify to receiving node 60 that the TCP or IP option field 130 or 150 includes a security tag.
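As an added illustration (not code from the patent or from Applied Identity), the following Python models packet 110 with the four placement locations named above, the op-code prefix that marks a tag in an option field, and the receiving-side search over those locations that blocks 416 to 424 later describe. The byte layout, the op-code value 0xFE, the 16-byte tag length and the one-byte length field after the op-code are assumptions made for this example; the is_valid callback stands in for whatever signature check the receiving node applies.

```python
# Added example (not the patent's code): tag placement locations of packet 110,
# op-code prefix in option fields, and the receiver's location search.
# TAG_OPCODE, TAG_LEN and the byte layout are assumptions for this example.
from dataclasses import dataclass
from typing import Callable, Optional, Tuple

TAG_OPCODE = 0xFE       # assumed op-code value announced in the security tag directives
TAG_LEN = 16            # assumed fixed tag length in bytes
OPT_LEN = 2 + TAG_LEN   # op-code byte + length byte + tag

IP_OPTION, TCP_OPTION, PAYLOAD_START, PAYLOAD_END = (
    "ip_option", "tcp_option", "payload_start", "payload_end")


@dataclass(frozen=True)
class Packet:
    """Toy TCP/IP packet: only the fields that matter for tag placement."""
    ip_options: bytes = b""     # contents of IP option field 130
    tcp_options: bytes = b""    # contents of TCP option field 150
    payload: bytes = b""        # payload 160 (170 is its start, 180 its end)


def insert_tag(pkt: Packet, location: str, tag: bytes) -> Packet:
    """Sending side: return a copy of pkt carrying tag at the given location.
    Option placements get an op-code byte and a length byte in front of the
    tag so the receiver can recognise them; payload placements are raw."""
    if len(tag) != TAG_LEN:
        raise ValueError("tag must be exactly TAG_LEN bytes")
    option = bytes([TAG_OPCODE, OPT_LEN]) + tag
    if location == IP_OPTION:
        return Packet(option + pkt.ip_options, pkt.tcp_options, pkt.payload)
    if location == TCP_OPTION:
        return Packet(pkt.ip_options, option + pkt.tcp_options, pkt.payload)
    if location == PAYLOAD_START:
        return Packet(pkt.ip_options, pkt.tcp_options, tag + pkt.payload)
    if location == PAYLOAD_END:
        return Packet(pkt.ip_options, pkt.tcp_options, pkt.payload + tag)
    raise ValueError(f"unknown placement location {location!r}")


def tag_in_option(opt: bytes) -> Optional[bytes]:
    """Receiving side, blocks 420-424: the option field must be large enough
    to hold a tag and must start with the negotiated op-code."""
    if len(opt) < OPT_LEN or opt[0] != TAG_OPCODE or opt[1] != OPT_LEN:
        return None
    return opt[2:OPT_LEN]


def find_tag(pkt: Packet, is_valid: Callable[[bytes], bool]) -> Optional[Tuple[str, bytes]]:
    """Try each placement location in a fixed order and return the first
    (location, tag) that is_valid accepts, or None if the packet carries no
    acceptable tag. Payload placements have no op-code, so only the validity
    check distinguishes a real tag from ordinary payload bytes."""
    long_enough = len(pkt.payload) >= TAG_LEN
    candidates = [
        (IP_OPTION, tag_in_option(pkt.ip_options)),
        (TCP_OPTION, tag_in_option(pkt.tcp_options)),
        (PAYLOAD_START, pkt.payload[:TAG_LEN] if long_enough else None),
        (PAYLOAD_END, pkt.payload[-TAG_LEN:] if long_enough else None),
    ]
    for location, tag in candidates:
        if tag is not None and is_valid(tag):
            return location, tag
    return None


def strip_tag(pkt: Packet, location: str) -> Packet:
    """Remove the tag before forwarding the packet to the network resource."""
    if location == IP_OPTION:
        return Packet(pkt.ip_options[OPT_LEN:], pkt.tcp_options, pkt.payload)
    if location == TCP_OPTION:
        return Packet(pkt.ip_options, pkt.tcp_options[OPT_LEN:], pkt.payload)
    if location == PAYLOAD_START:
        return Packet(pkt.ip_options, pkt.tcp_options, pkt.payload[TAG_LEN:])
    return Packet(pkt.ip_options, pkt.tcp_options, pkt.payload[:-TAG_LEN])


if __name__ == "__main__":
    # Constructed sample: an HTTP request and a fixed, recognisable tag value.
    sample_tag = bytes(range(TAG_LEN))
    original = Packet(payload=b"GET /index.html HTTP/1.0\r\n\r\n")
    for loc in (IP_OPTION, TCP_OPTION, PAYLOAD_START, PAYLOAD_END):
        tagged = insert_tag(original, loc, sample_tag)
        found = find_tag(tagged, lambda t: t == sample_tag)
        print(loc, "->", found[0] if found else None, strip_tag(tagged, loc) == original)
```

The search order in find_tag is the point to watch when a tag has no op-code in front of it: a payload that happens to start or end with bytes the validity check accepts would be taken for a tag, so the check must be a keyed signature over the packet rather than a recognisable constant.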
[0029] FIGS. 3A and 3B are flow charts illustrating a method of using variable placement locations for inserting a security tag. The method includes, for example, sensing a user’s 10 request to login to the sending node 20 and then to use a protected network resource 95, and the action taken for initiating an authenticated session in which user 10 communicates with a network resource 95.

[0030] Now referring to FIGS. 3A and 3B, the sending node 20 may include an operating system plug-in 40 and the receiving node 60 may include the security server 80.

[0031] At block 202, when user 10 logs into a network-connected computer and presents user credentials, such as user name and password, sending node 20 may send an authentication request including the user credentials along with information about the sending node’s capabilities and a profile of sending node 20. This information about sending node 20 may be pre-established. For example, such information may be entered into security plug-in 40 when it was installed on sending node 20.

[0032] At block 204, receiving node 60 authenticates user 10 using the information in the request and an authentication server, such as a Lightweight Directory Access Protocol (LDAP) server, that may be accessed by receiving node 60. Receiving node 60 may also read packet data from the packets that include the log-in information. The packet data may indicate to receiving node 60 sending node’s 20 (i) IP address, (ii) system health status (e.g., security compliance information), (iii) host capabilities and/or (iv) profile.

[0033] At block 206, receiving node 60 may then create a unique client ID and session key for user 10 for the authenticated session. Receiving node 60 may also assemble session data that may include security tag directives, a list of protected subnets that are available through receiving node 60, and a network conditions table 310 (shown in FIG. 4) for sending node 20. The list of protected subnets and the network conditions table 310 may be stored in a location accessible by receiving node 60.

[0034] Security tag directives may specify a tag location in a TCP/IP packet that sending node 20 may use when it inserts a security tag into outgoing packets traversing through receiving node 60. If the security tag directives specify an IP option location or a TCP option location, then an op-code value may also be specified for IP/TCP option field 130 or 150 to indicate that it contains a security tag.

[0035] In various exemplary embodiments, security tag directives may also specify that sending node 20 may auto-sense a tag location. That is, sending node 20 may automatically determine the best (optimum) security tag location by performing an automated test procedure.

[0036] At block 208, receiving node 60 may send a client ID, a session key, and any other relevant connection data to sending node 20. At block 210, sending node 20 may use the client ID, the session key, and the other session data, as appropriate, to create a digital signature for the outgoing packet. The digital signature may be created in many ways including hashing the client ID with all or part of the packet’s payload using the session key.

[0037] At block 212, sending node 20 may check whether receiving node 60 specified an auto-sense as a security tag directive. If receiving node 60 did not specify the auto-sense, at block 214, sending node 20 checks for (e.g., notes) the tag location that receiving node 60 may have specified. Sending node 20 has then established an authenticated session to receiving node 60 for user 10.

[0038] If receiving node 60 specified the auto-sense as a security tag directive, at block 216, sending node 20 may insert a security tag at each possible location (e.g., in the IP header field, in the TCP header field, and/or the beginning or end of the payload field) in a test packet and may send the test packet to receiving node 60.

[0039] At block 218, receiving node 60 may check for security tags in each possible location and may detect from which locations the security tags have been removed by the network impediments. At block 220, receiving node 60 may send a placement message to sending node 20. The placement message may indicate one or more successful tag locations (e.g., locations which were not affected by the network impediments). At block 222, sending node 20 may choose one of those tag locations.

[0040] In certain exemplary embodiments, the tag locations are prioritized such that when the successful tag locations are determined, sending and receiving nodes 20 and 60 both determine the actual tag location based on the predetermined prioritization.
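As an added example (not the patent’s own code), the following Python plays through the auto-sense exchange of blocks 216 to 222 with both nodes’ steps in one place: the test packet is modelled as a mapping from placement location to the tag bytes carried there, the network impediments as the set of locations they strip or rewrite, and the shared priority list of paragraph [0040] decides the final location without a further round trip. PRIORITY, the impediment model and the sample tag value are assumptions made for this example.

```python
# Added example (not the patent's code): the auto-sense exchange of blocks
# 216-222 plus the predetermined prioritization of [0040]. The test packet is a
# mapping location -> tag bytes; impediments strip or rewrite locations.
# PRIORITY and the impediment model are assumptions for this example.
from typing import Dict, Iterable, List, Optional

IP_OPTION, TCP_OPTION, PAYLOAD_START, PAYLOAD_END = (
    "ip_option", "tcp_option", "payload_start", "payload_end")

# Preference order known to both nodes before the exchange starts.
PRIORITY: List[str] = [IP_OPTION, TCP_OPTION, PAYLOAD_START, PAYLOAD_END]


def build_test_packet(tag: bytes) -> Dict[str, bytes]:
    """Block 216: the sending node places the tag at every possible location."""
    return {loc: tag for loc in PRIORITY}


def apply_impediments(packet: Dict[str, bytes], strip: Iterable[str],
                      mangle: Iterable[str] = ()) -> Dict[str, bytes]:
    """Simulated path through proxies and firewalls: locations in `strip` are
    removed outright, locations in `mangle` arrive but with rewritten bytes
    (as when a proxy re-encodes the payload)."""
    strip, mangle = set(strip), set(mangle)
    received: Dict[str, bytes] = {}
    for loc, value in packet.items():
        if loc in strip:
            continue
        received[loc] = b"\x00" * len(value) if loc in mangle else value
    return received


def surviving_locations(received: Dict[str, bytes], expected: bytes) -> List[str]:
    """Block 218: the receiving node reports only locations whose tag arrived intact."""
    return [loc for loc in PRIORITY if received.get(loc) == expected]


def choose_location(placement_message: Iterable[str]) -> Optional[str]:
    """Blocks 220-222: both sides apply the same PRIORITY list to the placement
    message, so they agree on one location without another round trip."""
    survivors = set(placement_message)
    for loc in PRIORITY:
        if loc in survivors:
            return loc
    return None  # nothing survived: the session setup cannot pick a location


def negotiate(tag: bytes, strip: Iterable[str],
              mangle: Iterable[str] = ()) -> Optional[str]:
    """Run the whole exchange end to end and return the agreed location."""
    sent = build_test_packet(tag)
    received = apply_impediments(sent, strip, mangle)
    placement_message = surviving_locations(received, tag)
    return choose_location(placement_message)


if __name__ == "__main__":
    tag = b"\xab" * 16   # constructed sample tag value
    # A path whose proxy drops IP options and rewrites the start of the payload.
    print(negotiate(tag, strip=[IP_OPTION], mangle=[PAYLOAD_START]))   # tcp_option
    # A path where every option field is stripped.
    print(negotiate(tag, strip=[IP_OPTION, TCP_OPTION]))              # payload_start
    # A path that strips everything: no usable location.
    print(negotiate(tag, strip=PRIORITY))                             # None
```

Because the receiving node compares each arriving copy against the expected tag value rather than merely checking presence, a location whose contents were rewritten in transit is treated the same as one that was stripped; that is the case the mangle parameter exercises.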
[0041] At block 224, sending node 20 establishes an authenticated session to receiving node 60 for user 10.

[0042] FIG. 4 is a block diagram illustrating a network conditions table in accordance with various embodiments of the invention.

[0043] Now referring to FIG. 4, network conditions table 310 may be sent by receiving node 60 to sending node 20 when sending node 20 establishes the authenticated session. Table 310 may include a set of entries 320. Each entry 320 may include an IP address range 330 that may specify a network address and subnet mask, and tag placement directives 340 that are provisioned based on information related to, for example, location and type of network impediments (e.g., predetermined network impediments) located between sending node 20 and receiving node 60 that may remove security tags from packets. Sending node 60 may read network conditions table 310 to determine if sending node 20 is located at an IP address defined within the IP address ranges in network conditions table 310 and, if so, to determine one or more tag locations most likely to carry a security tag intact over network 50 to receiving node 60.
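An added example (not the patent’s code) of network conditions table 310 and the sending-side lookup that blocks 404 to 410 describe, in Python: each entry 320 holds an IP address range 330 as a network address and mask together with tag placement directives 340, represented here as a preference-ordered list of locations; longest-prefix match selects the entry for the sending node’s current address, and the location fixed at session setup is used when no table was sent or no entry matches. The directive encoding and the sample address ranges are assumptions made for this example.

```python
# Added example (not the patent's code): network conditions table 310 as a list
# of entries 320 (IP address range 330 + tag placement directives 340) and the
# decision of blocks 404-410. The directive format (preference-ordered list of
# locations) and the sample ranges are assumptions for this example.
import ipaddress
from dataclasses import dataclass
from typing import List, Optional

IP_OPTION, TCP_OPTION, PAYLOAD_START, PAYLOAD_END = (
    "ip_option", "tcp_option", "payload_start", "payload_end")


@dataclass(frozen=True)
class Entry:
    ip_range: ipaddress.IPv4Network   # network address + subnet mask (330)
    directives: List[str]             # placement locations, best first (340)


def lookup_entry(table: List[Entry], sender_ip: str) -> Optional[Entry]:
    """Return the most specific (longest-prefix) entry whose range contains
    sender_ip, or None when the address lies outside every range."""
    addr = ipaddress.IPv4Address(sender_ip)
    matches = [e for e in table if addr in e.ip_range]
    if not matches:
        return None
    return max(matches, key=lambda e: e.ip_range.prefixlen)


def select_tag_location(table: Optional[List[Entry]], sender_ip: str,
                        negotiated_location: str) -> str:
    """Blocks 404-410: with no table, or no matching entry, fall back to the
    location fixed at session setup; otherwise follow the entry's directives."""
    if table is None:                          # block 404: no table was sent
        return negotiated_location
    entry = lookup_entry(table, sender_ip)     # block 406: address in a range?
    if entry is None or not entry.directives:  # block 408: no, use fixed location
        return negotiated_location
    return entry.directives[0]                 # block 410: best surviving location


# Constructed sample table: a wide corporate range whose path keeps options
# intact, one subnet of it behind a proxy that strips both option fields, and
# a guest network whose firewall drops anything but payload-start placement.
SAMPLE_TABLE = [
    Entry(ipaddress.IPv4Network("10.0.0.0/8"), [IP_OPTION, TCP_OPTION]),
    Entry(ipaddress.IPv4Network("10.20.0.0/16"), [PAYLOAD_END, PAYLOAD_START]),
    Entry(ipaddress.IPv4Network("192.168.100.0/24"), [PAYLOAD_START]),
]

if __name__ == "__main__":
    for ip in ("10.1.2.3", "10.20.5.6", "192.168.100.7", "172.16.0.9"):
        print(ip, "->", select_tag_location(SAMPLE_TABLE, ip, IP_OPTION))
```

Longest-prefix matching matters when ranges nest, as with 10.20.0.0/16 inside 10.0.0.0/8 above: a sending node at 10.20.5.6 must take the more specific entry’s directives, since that is the path on which the wider entry’s option-field placement would be stripped.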
[0044] FIGS. 5A, 5B and 5C are flow charts illustrating a method of sending packets from sending node 60 to receiving node 20 over an authenticated session and of finding and reading security tags in the packets when receiving node 60 receives the packets in accordance with yet another exemplary embodiment of the invention.

[0045] Referring to FIGS. 5A, 5B and 5C, at block 402, when sending node 20 detects that an outgoing packet is destined for (going to) protected network resource 95 or protected network 90 to which sending node 20 has an authenticated session, sending node 20 may use the digital signature, client ID, placement directives, and other control information sent by receiving node 60 to create a security tag.

[0046] At block 404, sending node 20 may check whether receiving node 60 sent network conditions table 310. If not, at block 408 sending node 20 may insert a security tag in the packet at the specified location. The specified location was previously determined when sending node 20 established the authenticated session with receiving node 60 for user 10.

[0047] At block 406, if receiving node 60 sent network conditions table 310, sending node 20 may check network conditions table 310 to determine if the sending node’s current IP address is within the IP address ranges 320 defined by entries in network conditions table 310. At block 408, if the current IP address is not defined within an IP address range in the network conditions table 310, sending node 20 may insert the security tag in the packet at the specified location.

[0048] At block 410, if the current IP address is defined in an IP address range in the network conditions table 310, sending node may read the table entry’s tag placement directives 330 to determine network impediments which are located between sending and receiving nodes 20 and 60. Sending node 20 may determine the tag location or locations that are most likely to carry the security tag intact over network 50 and may insert the security tag at one or more of these locations.

[0049] At block 412, sending node 20 may send the packet with the security tag to receiving node 60. At block 414, when receiving node 60 receives the packet from sending node 20, receiving node 60 may determine whether or not it previously specified a fixed tag location to sending node 20. At block 416, if receiving node 60 specified a fixed location, receiving node 60 may check for the security tag in the specified location. At block 418, if receiving node 60 locates (finds) the security tag at the specified location, it may read the security tag and, at block 446, may check whether the security tag is authentic.

[0050] Many different methods for authentication are possible including receiving node 60 reading the client ID in the security tag, retrieving the session key it created for that user for the authenticated session, then hashing the client ID with the packet’s payload using the session key and checking the resultant value against the digital signature contained in the security tag.
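An added example (not the patent’s code) of the digital signature of paragraph [0036] and its verification in paragraph [0050], in Python: the sending node hashes the client ID together with the payload under the session key, and the receiving node reads the client ID from the tag, retrieves the session key it issued at block 206, recomputes the value and compares it against the signature carried in the tag, dropping the packet on a mismatch. HMAC-SHA256 truncated to 16 bytes, the tag layout (a 4-byte client ID followed by the signature) and the in-memory session table are assumptions made for this example.

```python
# Added example (not the patent's code): the keyed hash of [0036] and the
# receiver-side check of [0050]. HMAC-SHA256 truncated to SIG_LEN bytes, the
# tag layout (4-byte client ID + signature) and the session table are
# assumptions for this example.
import hashlib
import hmac
import os
import struct
from typing import Dict, Optional, Tuple

SIG_LEN = 16
TAG_LEN = 4 + SIG_LEN


def make_signature(session_key: bytes, client_id: int, payload: bytes) -> bytes:
    """Sending node, block 210: keyed hash over the client ID and the payload."""
    msg = struct.pack("!I", client_id) + payload
    return hmac.new(session_key, msg, hashlib.sha256).digest()[:SIG_LEN]


def build_tag(session_key: bytes, client_id: int, payload: bytes) -> bytes:
    """Security tag = client ID (so the receiver can find the key) + signature."""
    return struct.pack("!I", client_id) + make_signature(session_key, client_id, payload)


def verify_tag(tag: bytes, payload: bytes, sessions: Dict[int, bytes]) -> Optional[int]:
    """Receiving node, [0050]: look up the session key by client ID, recompute
    the signature over the received payload and compare in constant time.
    Returns the client ID on success, None when the packet should be dropped."""
    if len(tag) != TAG_LEN:
        return None
    client_id = struct.unpack("!I", tag[:4])[0]
    key = sessions.get(client_id)
    if key is None:
        return None                      # unknown session: no key to check against
    expected = make_signature(key, client_id, payload)
    return client_id if hmac.compare_digest(expected, tag[4:]) else None


def new_session(sessions: Dict[int, bytes]) -> Tuple[int, bytes]:
    """Receiving node, block 206: allocate a fresh client ID and session key."""
    client_id = max(sessions, default=0) + 1
    sessions[client_id] = os.urandom(32)
    return client_id, sessions[client_id]


if __name__ == "__main__":
    sessions: Dict[int, bytes] = {}
    cid, key = new_session(sessions)
    payload = b"SELECT * FROM orders"          # constructed sample payload
    tag = build_tag(key, cid, payload)
    print("genuine packet :", verify_tag(tag, payload, sessions))          # cid
    print("altered payload:", verify_tag(tag, payload + b";", sessions))   # None
    forged = struct.pack("!I", cid) + os.urandom(SIG_LEN)
    print("forged tag     :", verify_tag(forged, payload, sessions))       # None
```

Binding the payload into the keyed hash is what gives the second property mentioned in paragraph [0016]: a packet whose payload was altered in transit fails verification just as a packet from a sender without the session key does, and the constant-time comparison keeps the check itself from leaking how many signature bytes matched.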
[0051] At block 420, if receiving node 60 had not previously specified a fixed tag location, or if receiving node 60 is unable to locate the security tag in the fixed location, receiving node 60 may check a size of the packet’s IP option field. At block 422, if the IP option field size is greater than or equal to the security tag size, receiving node 60 may check the op code value of IP option field 130 to determine if it matches the op code value receiving node 60 previously specified when it first negotiated the session information with sending node 20. At block 424, if so, receiving node 60 may read IP option field 130 to deter
