Title Dynamic access control policy with port restrictions for a network security appliance
Abstract A network security appliance supports definition of a security policy to control access to a network. The security policy is defined by match criteria including a layer seven network application and a static port list of layer four ports for a transport-layer protocol, and by actions to be applied to packet flows that match the match criteria. A rules engine dynamically identifies the type of layer seven network application associated with a received packet flow by inspecting application-layer data within the payloads of the flow's packets, without basing the identification solely on the layer four port specified by the packet headers. The rules engine applies the security policy to determine whether the identified application matches the application named in the match criteria and whether the packet flow matches the static port list specified by the match criteria. The network security appliance then applies the actions specified by the security policy to the packet flow.
Publication number US9258329(B2) Publication date 2016.02.09
Application number US201314065097 Filing date 2013.10.28
Applicant Juniper Networks, Inc. Inventor Narayanaswamy Krishna
Classification H04L29/06 Main classification H04L29/06
Agent Shumaker & Sieffert, P.A. Attorney Shumaker & Sieffert, P.A.
Main claim 1. A network security device comprising: an interface configured to receive a packet flow; a control unit configured to receive a security policy to control access by the packet flow to a network, wherein the security policy includes: (a) match criteria that include a static port list of one or more layer four ports for a transport-layer protocol and a type of layer seven application, and (b) actions to be applied to packet flows that match the match criteria; and a rules engine of the control unit configured to dynamically identify a type of layer seven application associated with the packet flow by inspecting application-layer data within payloads of packets of the packet flow and without basing the identification solely on a layer four port specified by headers within the packets, wherein the rules engine is further configured to determine whether the dynamically identified type of layer seven application associated with the packet flow matches the type of layer seven application of the security policy, wherein the rules engine is further configured to apply the security policy to determine whether the packet flow matches a layer four port in the static port list of the match criteria of the security policy, and wherein the rules engine is further configured to, upon determining that the packet flow matches a layer four port of the static port list and upon determining that the dynamically identified type of layer seven application associated with the packet flow matches the type of layer seven application of the security policy, apply the actions of the security policy to the packet flow.
Address Sunnyvale CA US
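The evaluation order described in the abstract and in claim 1 (identify the layer seven application from payload bytes, then require both an application match and a hit in the policy's static layer four port list before applying the action), as an added worked example. This is illustrative code written for this page, not Juniper's implementation and not part of the patent. The Flow and Policy types, the identify_app prefix signatures, the POLICIES table and the sample flows are all constructed assumptions; a real rules engine uses stateful protocol parsers rather than a handful of prefix checks. The port-only evaluator is included so the difference from a classic port-based ACL is visible on the same input.

```python
"""Toy rules engine modelling application-plus-port policy matching.

Added illustration for this page; not Juniper's code. Signatures, policies
and flows below are constructed for the example.
"""
from dataclasses import dataclass
from typing import FrozenSet, List, Optional, Tuple


@dataclass(frozen=True)
class Flow:
    proto: str        # transport-layer protocol, e.g. "tcp"
    dst_port: int     # layer four port from the packet header
    payload: bytes    # first client-to-server payload bytes of the flow


@dataclass(frozen=True)
class Policy:
    name: str
    app: str                 # required layer seven application type
    proto: str
    ports: FrozenSet[int]    # static layer four port list
    action: str              # "permit" or "deny"


# Constructed, deliberately simple L7 signatures (assumption: prefix checks
# stand in for the stateful parsers a real engine would use).
HTTP_METHODS = (b"GET ", b"POST ", b"HEAD ", b"PUT ", b"DELETE ", b"OPTIONS ")


def identify_app(payload: bytes) -> str:
    """Classify the application from payload bytes only; the port is ignored."""
    if payload.startswith(b"SSH-"):
        return "ssh"
    if payload.startswith(HTTP_METHODS):
        return "http"
    # TLS record header: content type 0x16 (handshake), version major 0x03,
    # followed by a ClientHello handshake type (0x01) at offset 5.
    if len(payload) >= 6 and payload[0] == 0x16 and payload[1] == 0x03 and payload[5] == 0x01:
        return "tls"
    return "unknown"


# Constructed policy table: each entry names an application AND a static
# port list; both must match before the action is applied.
POLICIES: List[Policy] = [
    Policy("permit-web", "http", "tcp", frozenset({80, 443}), "permit"),
    Policy("permit-tls", "tls", "tcp", frozenset({443}), "permit"),
    Policy("permit-ssh", "ssh", "tcp", frozenset({22}), "permit"),
]


def evaluate(flow: Flow, policies: List[Policy]) -> Tuple[Optional[str], str, str]:
    """Return (matched policy name or None, identified app, resulting action).

    First-match semantics; a flow that matches no policy is denied.
    """
    app = identify_app(flow.payload)
    for p in policies:
        if p.proto != flow.proto:
            continue
        if flow.dst_port not in p.ports:      # static port list check
            continue
        if p.app != app:                      # dynamic application check
            continue
        return p.name, app, p.action
    return None, app, "deny"


def evaluate_port_only(flow: Flow, policies: List[Policy]) -> Tuple[Optional[str], str]:
    """Classic port-based ACL for comparison: the payload is never inspected."""
    for p in policies:
        if p.proto == flow.proto and flow.dst_port in p.ports:
            return p.name, p.action
    return None, "deny"


# Constructed sample flows.
HTTP_ON_80 = Flow("tcp", 80, b"GET / HTTP/1.1\r\nHost: example.test\r\n\r\n")
SSH_ON_80 = Flow("tcp", 80, b"SSH-2.0-OpenSSH_9.6\r\n")          # SSH hiding on a web port
HTTP_ON_8080 = Flow("tcp", 8080, b"GET / HTTP/1.1\r\nHost: example.test\r\n\r\n")
SSH_ON_22 = Flow("tcp", 22, b"SSH-2.0-OpenSSH_9.6\r\n")
TLS_ON_443 = Flow("tcp", 443, bytes([0x16, 0x03, 0x01, 0x00, 0xC8, 0x01]) + b"\x00" * 10)

if __name__ == "__main__":
    for f in (HTTP_ON_80, SSH_ON_80, HTTP_ON_8080, SSH_ON_22, TLS_ON_443):
        print(f"port {f.dst_port:5d}  app+port -> {evaluate(f, POLICIES)}"
              f"  port-only -> {evaluate_port_only(f, POLICIES)}")
```

The SSH_ON_80 flow is the case the combined criteria exist for: a port-only ACL permits it under the web rule, while the application-aware engine identifies SSH from the banner and finds no policy that names SSH on port 80. HTTP_ON_8080 shows the port restriction working in the other direction: the application matches, but 8080 is not in the policy's static port list, so the permit is not applied.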