1. SYSTEMS AND METHODS FOR PREVENTION OF JSON ATTACKS
    Type: Invention application (published); legal status: in force

    Publication No.: US20110154472A1

    Publication date: 2011-06-23

    Application No.: US12645913

    Filing date: 2009-12-23

    IPC classification: G06F21/20 G06F15/16

    Abstract: Described herein is a method and system for prevention of personal computing attacks, such as JavaScript Object Notation (JSON) attacks. An intermediary device is deployed between a plurality of clients and servers. An application firewall executes on the intermediary device. A client sends a request to the server and the server sends a response to the request. The intermediary device intercepts the response and identifies that the response may contain possibly harmful content. The application firewall parses the content of the response and determines whether it contains any harmful content. If it does, the application firewall blocks the response from being sent to its destination. Additionally, the method and system can provide other security checks, such as content hijacking protection and data validation.

2. SYSTEMS AND METHODS FOR CONFIGURATION DRIVEN REWRITE OF SSL VPN CLIENTLESS SESSIONS
    Type: Invention application (published); legal status: in force

    Publication No.: US20090193126A1

    Publication date: 2009-07-30

    Application No.: US12359998

    Filing date: 2009-01-26

    IPC classification: G06F15/173

    Abstract: The present disclosure provides solutions for an enterprise providing services to a variety of clients, enabling a client to use the resources provided by the enterprise by modifying the URLs in received requests and the URLs in the servers' responses to the client's requests before forwarding the requests and the responses to their intended destinations. An intermediary may identify an access profile for a client's request to access a server via a clientless SSL VPN session. The intermediary may detect one or more URLs in content served by the server in response to the request using one or more regular expressions of the access profile. The intermediary may rewrite or modify, responsive to detecting, the one or more detected URLs in accordance with a URL transformation specified by one or more rewrite policies of the access profile. The response with modified URLs may be forwarded to the client.

3. Systems and methods for configuration driven rewrite of SSL VPN clientless sessions
    Type: Granted invention patent; legal status: in force

    Publication No.: US08667146B2

    Publication date: 2014-03-04

    Application No.: US12359998

    Filing date: 2009-01-26

    IPC classification: G06F15/16

    Abstract: The present disclosure provides solutions for an enterprise providing services to a variety of clients, enabling a client to use the resources provided by the enterprise by modifying the URLs in received requests and the URLs in the servers' responses to the client's requests before forwarding the requests and the responses to their intended destinations. An intermediary may identify an access profile for a client's request to access a server via a clientless SSL VPN session. The intermediary may detect one or more URLs in content served by the server in response to the request using one or more regular expressions of the access profile. The intermediary may rewrite or modify, responsive to detecting, the one or more detected URLs in accordance with a URL transformation specified by one or more rewrite policies of the access profile. The response with modified URLs may be forwarded to the client.

4. SYSTEMS AND METHODS FOR MANAGEMENT OF COMMON APPLICATION FIREWALL SESSION DATA IN A MULTIPLE CORE SYSTEM
    Type: Invention application (published); legal status: in force

    Publication No.: US20110154461A1

    Publication date: 2011-06-23

    Application No.: US12976678

    Filing date: 2010-12-22

    IPC classification: G06F21/20

    CPC classification: H04L63/0227 H04L63/168

    Abstract: The present invention is directed towards systems and methods for an intermediary device efficiently processing strings in web pages across a plurality of user sessions. A device intermediary to a plurality of clients and a server identifies a plurality of strings in forms and uniform resource locators (URLs) of web pages traversing the device across a plurality of user sessions. The device stores each string of the plurality of strings to one or more allocation arenas shared among the plurality of user sessions. Each string is indexed using a hash key generated from the string. The device recognizes that a received string transmitted from a web page of a session of a user is eligible to be shared among the plurality of user sessions. The device determines, using a hash generated from the received string, that a copy of the received string is stored in an allocation arena. The device uses the copy of the received string stored in the allocation arena in place of the string in the web page of the session of the user to process the web page.

5. Systems and methods for processing application firewall session information on owner core in multiple core system
    Type: Granted invention patent; legal status: in force

    Publication No.: US08438626B2

    Publication date: 2013-05-07

    Application No.: US12645845

    Filing date: 2009-12-23

    IPC classification: G06F9/00

    Abstract: The present invention is directed towards systems and methods for sharing session data among cores in a multi-core system. A first application firewall module executes on a first core of a multi-core intermediary device, which establishes a user session. The first application firewall module stores application firewall session data to memory accessible by the first core. A second application firewall module executes on a second core of the multi-core intermediary device. The second application firewall module receives a request from the user via the established user session. The request includes a session identifier identifying that the user session was established by the first core. The second application firewall module determines to perform one or more security checks on the request and communicates a portion of the request to the first core. The second application firewall module receives and processes the security check results and instructions from the first core.

6. Systems and Methods for Multi-Level Tagging of Encrypted Items for Additional Security and Efficient Encrypted Item Determination
    Type: Invention application (published); legal status: in force

    Publication No.: US20120173870A1

    Publication date: 2012-07-05

    Application No.: US13337735

    Filing date: 2011-12-27

    IPC classification: H04L29/06

    Abstract: The present disclosure is directed towards systems and methods for performing multi-level tagging of encrypted items for additional security and efficient encrypted item determination. A device intercepts a message from a server to a client, parses the message and identifies a cookie. The device processes and encrypts the cookie. The device adds a flag to the cookie indicating that the device encrypted the cookie. The device re-inserts the modified cookie into the message and transmits the message. The device intercepts a message from a client and determines whether the cookie in the message was encrypted by the device. If the cookie was not encrypted by the device, the device transmits the message to its destination. If the cookie was encrypted by the device, the device removes the flag, decrypts the cookie, removes the tag from the cookie, re-inserts the cookie into the message and transmits the message to its final destination.

7. SYSTEMS AND METHODS FOR CROSS SITE FORGERY PROTECTION
    Type: Invention application (published); legal status: in force

    Publication No.: US20110154473A1

    Publication date: 2011-06-23

    Application No.: US12645924

    Filing date: 2009-12-23

    IPC classification: G06F21/20 G06F15/16

    Abstract: The present solution described herein is directed towards systems and methods to prevent cross-site request forgeries based on web form verification using unique identifiers. The present solution tags each form from a server that is served out in the response with a unique and unpredictable identifier. When the form is posted, the present solution enforces that the identifier being returned is the same as the one that was served out to the user. This prevents malicious unauthorized third-party users from submitting a form on a user's behalf, since they cannot guess the value of the unique identifier that was inserted.

8. SYSTEMS AND METHODS FOR MANAGING APPLICATION SECURITY PROFILES
    Type: Invention application (published); legal status: in force

    Publication No.: US20080229381A1

    Publication date: 2008-09-18

    Application No.: US11685177

    Filing date: 2007-03-12

    IPC classification: G06F17/00

    CPC classification: H04L63/20 H04L63/102

    Abstract: Systems and methods for configuring and evaluating policies that direct processing of one or more data streams are described. A configuration interface is described for allowing users to specify object-oriented policies. These object-oriented policies may allow any data structures to be applied with respect to a payload of a received packet stream, including any portions of HTTP traffic. A configuration interface may also allow the user to control the order in which policies and policy groups are executed, in addition to specifying actions to be taken if one or more policies are undefined. Systems and methods for processing the policies may allow efficient processing of object-oriented policies by applying potentially complex data structures to unstructured data streams. A device may also interpret and process a number of flow control commands and policy group invocation statements to determine an order of execution among a number of policies and policy groups. These policy configurations and processing may allow configuration and processing of complex network behaviors relating to load balancing, VPNs, SSL offloading, content switching, application security, acceleration, and caching.

9. Systems and methods for cross site forgery protection
    Type: Granted invention patent; legal status: in force

    Publication No.: US08640216B2

    Publication date: 2014-01-28

    Application No.: US12645924

    Filing date: 2009-12-23

    IPC classification: G06F17/00 H04L29/06

    Abstract: The present solution described herein is directed towards systems and methods to prevent cross-site request forgeries based on web form verification using unique identifiers. The present solution tags each form from a server that is served out in the response with a unique and unpredictable identifier. When the form is posted, the present solution enforces that the identifier being returned is the same as the one that was served out to the user. This prevents malicious unauthorized third-party users from submitting a form on a user's behalf, since they cannot guess the value of the unique identifier that was inserted.

10. Systems and methods for management of common application firewall session data in a multiple core system
    Type: Granted invention patent; legal status: in force

    Publication No.: US08413225B2

    Publication date: 2013-04-02

    Application No.: US12976678

    Filing date: 2010-12-22

    IPC classification: H04L29/02

    CPC classification: H04L63/0227 H04L63/168

    Abstract: The present invention is directed towards systems and methods for an intermediary device efficiently processing strings in web pages across a plurality of user sessions. A device intermediary to a plurality of clients and a server identifies a plurality of strings in forms and uniform resource locators (URLs) of web pages traversing the device across a plurality of user sessions. The device stores each string of the plurality of strings to one or more allocation arenas shared among the plurality of user sessions. Each string is indexed using a hash key generated from the string. The device recognizes that a received string transmitted from a web page of a session of a user is eligible to be shared among the plurality of user sessions. The device determines, using a hash generated from the received string, that a copy of the received string is stored in an allocation arena. The device uses the copy of the received string stored in the allocation arena in place of the string in the web page of the session of the user to process the web page.