Note : Les descriptions sont présentées dans la langue officielle dans laquelle elles ont été soumises.
DEMANDE OU BREVET VOLUMINEUX
LA PRESENTE PARTIE DE CETTE DEMANDE OU CE BREVET COMPREND
PLUS D'UN TOME.
CECI EST LE TOME 1 DE 2
CONTENANT LES PAGES 1 A 245
NOTE : Pour les tomes additionels, veuillez contacter le Bureau canadien des
brevets
JUMBO APPLICATIONS/PATENTS
THIS SECTION OF THE APPLICATION/PATENT CONTAINS MORE THAN ONE
VOLUME
THIS IS VOLUME 1 OF 2
CONTAINING PAGES 1 TO 245
NOTE: For additional volumes, please contact the Canadian Patent Office
NOM DU FICHIER / FILE NAME:
NOTE POUR LE TOME / VOLUME NOTE:
CA 03077203 2020-03-26
WO 2019/071126 PCT/US2018/054609
METHODS FOR INTERNET COMMUNICATION SECURITY
CROSS REFERENCE TO RELATED APPLICATION
[0001] This application is a continuation-in-part of U.S. Application No.
15/949,749,
filed April 10, 2018, and this application further claims the benefit of
priority from U.S.
Provisional Application No. 62/731,529, filed September 14, 2018, U.S.
Provisional
Application No. 62/655,633, filed April 10, 2018, U.S. Provisional Application
No.
62/609,252, filed December 21, 2017, U.S. Provisional Application No.
62/609,152, filed
December 21, 2017, and U.S. Provisional Application No. 62/569,300, filed
October 6,
2017. All of the foregoing related applications (hereinafter referred to as
the
"REFERENCE APPLICATIONS"), in their entirety, are incorporated herein by
reference.
FIELD OF THE INVENTION
[0002] The present disclosure relates to systems, methods, and apparatuses
to
secure computer networks against network-borne security threats.
BACKGROUND OF THE INVENTION
[0003] Considerable advances are being made in technologies for protected,
trusted,
Ethernet-based communications in the presence of malware attack vectors. One
of the
major barriers to their adoption is the capital expenditure and reengineering
required to
retrofit the vast existing legacy computing infrastructure. As a practical
matter,
governments and companies can be expected to proceed strategically by first
securing
their newest, most sensitive, proprietary, and/or business critical
communications and
infrastructure. In many companies, it likely that large portions of an
enterprise network
will not be addressed in the near term, if ever. For example, it may not be
practical to
fully secure communications with business applications such as web servers
which face
the public Internet. In addition, it may be cost-prohibitive to convert all
light weight edge
devices until they are replaced in due course by next generation devices. For
the
foreseeable future, protected communications networks must co-exist and
communicate
with unsecured networks. Accordingly, there is a pressing need for interfaces
to
immunize, or to at least limit the attendant risks of, communications between
protected
and unsecure networks.
[0004] The present disclosure relates, in certain embodiments, to methods,
systems,
products, software, middleware, computing infrastructure and/or apparatus
applicable for
bridging network communications between device networks sharing protected,
trusted
1
CA 03077203 2020-03-26
WO 2019/071126 PCT/US2018/054609
Ethernet-based communications with the large body of relatively unsecure
legacy
devices and networks.
BRIEF SUMMARY OF THE INVENTION
[0005] Certain embodiments may provide, for example, methods, systems,
products,
software, middleware, computing infrastructure and/or apparatus to mediate
communications between unsecured networks (for example the public internet or
portions of enterprise networks which are allowed to communicate in the clear
behind a
firewall) and secured networks (for example networks in which communications
are
secured by one or more of the methods, systems, products, communication
management operations, software, middleware, computing infrastructure and/or
apparatus disclosed herein and/or in one of the REFERENCE APPLICATIONS). In
certain embodiments, for example, communications between the two networks may
be
partitioned between two or more different network interface controllers. In
certain
embodiments, for example, all ingressed network packets from an unsecured
network
are validated against a pre-established data model (comprising at least one of
a data
type, a data range, an allowed command type, a prohibited command type, and
the like)
prior to passing to the secured network. In certain embodiments, validated
payloads
from the ingressed network packets are communicated to the secured network via
one or
more of the methods, systems, products, communication management operations,
software, middleware, computing infrastructure and/or apparatus disclosed
herein and/or
in one of the REFERENCE APPLICATIONS.
[0006] Certain embodiments may provide, for example, a product for securing
communications of a plurality of networked computing devices, the product
comprising a
non-transitory computer-readable storage medium having computer-readable
program
code embodied therein, the computer-readable program code executable by a
processor
to perform communication management operations, the communication management
operations comprising: i) consuming a first network packet to obtain a first
payload and a
destination port number, the destination port number assigned to a destination
port on
one of the plurality of networked computing devices; ii) confirming the first
payload
conforms to at least one of a data model pre-assigned to the destination port
number, a
data range pre-assigned to the destination port number, and a command type pre-
assigned to the destination port number; iii) forming a second network packet
comprising
a second payload, and at least one of a local program identification code, and
a data
model identification code; and iv) executing at least one instruction to send
the second
2
CA 03077203 2020-03-26
WO 2019/071126
PCT/US2018/054609
network packet to network security software on the one of the plurality of
networked
computing devices via a secure communication pathway.
[0007] A. In certain embodiments, for example, the secure communication
pathway
may be formed by further communication management operations, the further
communication management operations comprising: a) sending a nonpublic first
identification code to the network security software via a pre-established
communication
pathway; b) receiving, in response to the sending, a nonpublic second
identification code
for the one of the plurality of networked computing devices; and c) comparing
the
nonpublic second identification code with a pre-established value for the one
of the
plurality of networked computing devices. In certain embodiments, for example,
the
further communication operations may comprise: a) sending the local program
identification code to the network security software via the pre-established
communication pathway; b) receiving, in response to the sending, a remote
application
identification code for a remote application program; and c) comparing the
remote
application identification code with a pre-established value for the remote
application
program. In certain embodiments, for example, the further communication
management
operations may comprise: a) sending the data model identification code for the
pre-
established communication pathway to the network security software via the pre-
established communication pathway; b) receiving, in response to the sending,
the data
model identification code; and c) comparing the received data model
identification code
with a pre-established value for the pre-established communication pathway. In
certain
embodiments, for example, the local program identification code and the data
model
identification code may be sent to the one of the plurality of networked
computing
devices in a single network packet. In certain embodiments, for example, the
comparing
the nonpublic second identification code, the comparing the remote application
identification code, and the comparing the received data model identification
code may
be performed prior to any communication of application data to the remote
application
program. In certain embodiments, for example, the formed second network packet
may
comprise the data model identification code. In certain embodiments, for
example, the
remote application identification code and/or the data model identification
code may be
located in a higher-than-OSI layer three and lower-than-OSI layer seven
portion of the
second network packet. In certain embodiments, for example, the comparing the
nonpublic second identification code, the comparing the remote application
identification
code, and/or the comparing the received data model identification code may be
configured to be initiated in kernel space accessible by the processor.
3
CA 03077203 2020-03-26
WO 2019/071126
PCT/US2018/054609
[0008] B. In certain embodiments, for example, the secure communication
pathway
may be encrypted by series of rotated cryptographic keys.
[0009] C. In certain embodiments, for example, the communication management
operations may further comprise intercepting a network connection request from
a first
port assigned to the local program, the network connection request comprising
a second
port number for a network security software port on the one of the plurality
of networked
computing devices. In certain embodiments, for example, the second network
packet
may be addressed to the second port number.
[0010] D. In certain embodiments, for example, the communication management
operations may comprise opening a listing port, and forming a connection
exclusively
between the listening port and the network security software port on the one
of the
plurality of networked computing devices.
[0011] E. In certain embodiments, for example, the communication management
operations may further comprise verifying that a local program to which the
local
program identification code refers is specifically authorized to send data to
the
destination port.
[0012] F. In certain embodiments, for example, the communication management
operations may further comprise verifying that a local program to which the
local
program identification code refers is specifically authorized to receive data
to the
destination port.
[0013] G. In certain embodiments, for example, at least a portion of the
communication management operations may be configured to be performed in a
processor-accessible kernel space.
[0014] H. In certain embodiments, for example, the communication management
operations may further comprise: translating, prior to forming the second
network packet,
the second payload to a pre-established format expected by the one of the
plurality of
networked computing devices. In certain embodiments, for example, the
communication
management operations may comprise determining the pre-established format
based on
data model identification code.
[0015] I. In certain embodiments, for example, the one of the plurality of
networked
computing devices may be a remote computing device. In certain embodiments,
for
example, the local program identification code may be an identification code
for local
network security software, the local network security software performing at
least one of
the communication management operations. In certain embodiments, for example,
the
consumed first network packet may be received from a first NIC, wherein the
dedicated
communication pathway is configured to not traverse the first NIC. In certain
4
CA 03077203 2020-03-26
WO 2019/071126 PCT/US2018/054609
embodiments, for example, the consumed first network packet may be received at
a first
port, wherein the second network packet is sent from a second port, the second
port
different from the first port. In certain embodiments, for example, the pre-
established
communication pathway may have a one-to-one correspondence to an n-tuple (as
referred to herein, an n-tuple may be, for example, an at least a 2-tuple, an
at least a 3-
tuple, an at least a 5-tuple, an at least a 6-tuple, an at least an 8-tuple,
an at least a 10-
tuple, or an at least a 12-tuple) comprising the local program identification
code, the
destination port number, and a data model identification code. In certain
embodiments,
for example, the second payload may comprise part or all of the first payload.
In certain
embodiments, for example, the second payload may be at least partially derived
from the
first payload.
[0016] Certain embodiments may provide, for example, a product for securing
communications of a plurality of networked computing devices. In certain
embodiments,
for example, the product may comprise a non-transitory computer-readable
storage
medium having computer-readable program code embodied therein. In certain
embodiments, for example, the computer-readable program code may be executable
by
a processor to perform communication management operations. In certain
embodiments, for example, the communication management operations may
comprise:
consuming a first network packet to obtain a first payload and a destination
port number,
the destination port number assigned to a destination port on a computing
device, the
computing device one of the plurality of networked computing devices. In
certain
embodiments, for example, the communication management operations may
comprise:
confirming the first payload conforms to a data model pre-assigned to the
destination
port number, a data range pre-assigned to the destination port number, and a
command
type pre-assigned to the destination port number. In certain embodiments, for
example,
the communication management operations may comprise: forming a second network
packet comprising a second payload, a local program identification code (for a
local
computer program), and/or a data type identifier. In certain embodiments, for
example,
the communication management operations may comprise: executing at least one
instruction to send the second network packet to network security software on
the
computing device (for example a remote or second computing device) via a
secure
communication pathway.
[0017] A. In certain embodiments, for example, the destination port may be
a port
for a destination application (for example a destination user-application). In
certain
embodiments, for example, the computing device may be a remote computing
device.
CA 03077203 2020-03-26
WO 2019/071126 PCT/US2018/054609
[0018] B. In certain embodiments, for example, the local program
identification code
may be an identification code for local network security software. In certain
embodiments, for example, the local program identification code may be an
identification
code for local network security software, the local network security software
performing
at least one of the communication management operations
[0019] C. In certain embodiments, for example, the secure communication
pathway
may be formed by further communication management operations, the further
communication management operations comprising: a) sending a nonpublic first
identification code to the network security software via a pre-established
communication
pathway; b) receiving, in response to the sending, a nonpublic second
identification code
for the computing device; and c) comparing the nonpublic second identification
code with
a pre-established value for the computing device. In certain embodiments, for
example,
the nonpublic second identification code may be obtained from a network
packet. In
certain embodiments, for example, the nonpublic second identification code may
be
obtained from a higher-than-Open Systems Interconnection (OSI) layer three
portion (for
example one or more of an OSI layer four portion, an OSI layer five portion,
an OSI layer
six portion, an OSI layer seven portion, or a layer between one or more of an
OSI layer
three portion, an OSI layer four portion, an OSI layer five portion, an OSI
layer six
portion, or an OSI layer seven portion) of the network packet. In certain
embodiments,
for example, the comparing the nonpublic second identification code may be
initiated in a
processor-accessible kernel space. In certain embodiments, for example, the
comparing
may be partially performed in a processor-accessible application space. In
certain
embodiments, for example, the pre-established value may be preprovisioned on
nonvolatile storage media accessible by the processor. In certain embodiments,
for
example, the communication management operations may further comprise:
decrypting
the nonpublic second identification code with a single-use cryptographic key.
In certain
embodiments, for example, the single-use cryptographic key may be rotated to
obtain a
further cryptographic key for use in further decrypting. In certain
embodiments, for
example, the nonpublic first identification code and nonpublic second
identification code
may be shared secrets with the computing device.
[0020] D. In certain embodiments, for example, the communication management
operations may further comprise sending the local program identification code
(for
example the local program identification code may be assigned to local network
security
software or to a local user-application) to the computing device via the pre-
established
communication pathway. In certain embodiments, for example, the communication
management operations may further comprise receiving, in response to the
sending, a
6
CA 03077203 2020-03-26
WO 2019/071126 PCT/US2018/054609
second application identifier for a second user-application (for example the
second
application identifier may be assigned to the second user-application). In
certain
embodiments, for example, the communication management operations may further
comprise comparing the second application identifier with a pre-established
value for the
second user-application. In certain embodiments, for example, the
communication
management operations may further comprise sending an identifier for the data
model
via the pre-established communication pathway. In certain embodiments, for
example,
the communication management operations may further comprise receiving, in
response
to the sending, the data model identifier from the computing device. In
certain
embodiments, for example, the communication management operations may further
comprise comparing the received data model identifier with a pre-established
value for
the pre-established communication pathway. In certain embodiments, for
example, the
local program identification code and the data model identifier may be sent to
the
computing device in a single network packet. In certain embodiments, for
example, the
comparing the nonpublic second identification code, the comparing the second
application identifier, and the comparing the received data model identifier
may be
performed prior to any communication of application data (including, for
example, the
second payload) to the second user-application (and may be performed in a
processor-
accessible kernel space). In certain embodiments, for example, the
communication
management operations may further comprise receiving a data packet from a
first port
assigned to a local program to which the local program identification code
refers, the
data packet comprising a second payload and a second port number. In certain
embodiments, for example, the communication management operations may further
comprise assembling a packet segment for the received data packet, the packet
segment comprising the second payload, the local program identification code,
and the
data model identifier. In certain embodiments, for example, the pre-
established
communication pathway may have a one-to-one correspondence to an n-tuple
comprising the local program identification code, the second application
identifier, the
second port number, and the data model identifier. In certain embodiments, for
example,
each of a series of network packet communications of user-application data
between the
first port and the second port may comprise: transmission of a network packet
to a third
port, the third port assigned to network security software resident on the
computing
device, the third port having a one-to-one correspondence with the second port
number,
the second port number assigned to the second port, the second port assigned
to the
second user-application, the network packet comprising the local program
identification
code and the data model identifier. In certain embodiments, for example, the
local
7
CA 03077203 2020-03-26
WO 2019/071126 PCT/US2018/054609
program identification code and the data model identifier in the each of the
series of
network packet communications may be encrypted by one of a series of single-
use
encryption keys (for example a series of rotated keys). In certain
embodiments, for
example, all communications of user-application data between the first port
and the
second port may comprise the series of network packet communications. In
certain
embodiments, for example, the communication management operations may further
comprise intercepting a network connection request from a first port assigned
to the local
program to which the local program identification code refers, the request
comprising a
second port number. In certain embodiments, for example, the communication
management operations may further comprise verifying that the local program is
specifically authorized to communicate with a second port, the second port
number
assigned to the second port. In certain embodiments, for example, the
verifying may be
performed prior to forming the pre-established communication pathway. In
certain
embodiments, for example, the communication management operations may further
comprise intercepting a network connection request from a second port, the
second port
hosted by the computing device, the request comprising a first port number. In
certain
embodiments, for example, the communication management operations may further
comprise verifying that a first port is specifically authorized to receive
packet data from
the second port, the first port number assigned to the first port. In certain
embodiments,
for example, the communication management operations may further comprise
confirming that the computing device has consulted a pre-specified local
policy to
specifically authorize network packet communication between the first port and
the
second port. In certain embodiments, for example, the communication management
operations may further comprise: receiving an encrypted identifier for the pre-
specified
local policy from the computing device. In certain embodiments, for example,
the pre-
specified local policy may comprise a record, the record comprising the local
program
identification code, the second application identifier, the data model
identifier, and the
first port number. In certain embodiments, for example, the pre-specified
local policy
may further comprise a flag, the flag specifying whether the communication
pathway is
unidirectional or bidirectional. In certain embodiments, for example, the
intercepting may
be initiated in a processor-accessible kernel space. In certain embodiments,
for
example, the communication management operations may further comprise
receiving a
network packet via the communication pathway, the network packet comprising
the first
port number, data from the second user-application, the second application
identifier,
and the data model identifier. In certain embodiments, for example, the
communication
management operations may further comprise comparing the second application
8
CA 03077203 2020-03-26
WO 2019/071126
PCT/US2018/054609
identifier and the data model identifier with pre-established values, the pre-
established
values identified based on the first port number. In certain embodiments, for
example,
the second application identifier and/or the data model identifier may be
located in
higher-than-OSI layer three portions (for example one or more of OSI layer
four portions,
OSI layer five portions, OSI layer six portions, OSI layer seven portions, or
layers
between one or more of the OSI layer three portions, OSI layer four portions,
OSI layer
five portions, OSI layer six portions, or OSI layer seven portions) of the
network packet.
In certain embodiments, for example, the comparing the second application
identifier
may be initiated in a processor-accessible kernel. In certain embodiments, for
example,
the communication management operations may further comprise: translating the
second payload to a format expected by the computing device prior to forming
the
second network packet. In certain embodiments, for example, the pre-
established
format determined from the identifier for the data model.
[0021] E. In certain embodiments, for example, the communication management
operations may comprise, prior to assembling the packet segment (and prior to
one or
more translation steps if the data undergoes translation), using the data
model identifier
to obtain a data definition for the second payload or a portion of the second
payload, and
evaluating the second payload to determine whether the second payload (or the
portion
of the second payload) complies with the data definition. In certain
embodiments, for
example, the data definition may comprise a required protocol header (for
example a
header for an MQTT payload), a list (for example a list of one) of allowed
data types (for
example integer, text, or floating point data types), a required value pair
(for example a
field description and a value having a specified data type), and/or required
control
characters (for example one or more required ASCII code characters at
predetermined
positions in the second payload). In certain embodiments, for example, the
communication management operations may comprise discarding (and taking no
further
steps to transmit) the second payload if the second payload does not comply
with the
data definition. In certain embodiments, for example, the communication
management
operations may comprise, prior to assembling the packet segment, comparing the
second payload or portions of the second payload based on the data model
identifier
against one or more pre-authorized ranges (for example minimum and/or maximum
values and/or discrete allowed values for numerical data, or for example a
range or
allowed values for text data) and evaluating the second payload to determine
whether
the second payload (or the portion of the second payload) falls within the one
or more
pre-authorized ranges. In certain embodiments, for example, the communication
management operations may comprise discarding (and taking no further steps to
9
CA 03077203 2020-03-26
WO 2019/071126 PCT/US2018/054609
transmit) the second payload if the second payload (or the portion of the
second
payload) does not fall within the one or more pre-authorized ranges. In
certain
embodiments, for example, the communication management operations may
comprise,
prior to assembling the packet segment, using the data model identifier to
obtain a list of
pre-authorized commands and/or a list of prohibited commands (for example
database
instruction commands such as SQLread and SQLwrite), and evaluating the second
payload to determine whether the second payload (or the portion of the second
payload)
contains one of the pre-authorized commands and/or does not contain one of the
prohibited commands. In certain further embodiments, for example, the list of
pre-
authorized commands may be exclusive. In certain embodiments, for example, the
communication management operations may comprise discarding (and taking no
further
steps to transmit) the second payload if the second payload (or the portion of
the second
payload) does not contain one of the pre-authorized commands and/or contains
one of
the prohibited commands.
[0022] F. In certain embodiments, for example, the communication management
operations may comprise, after receiving the network packet via the
communication
pathway, using the data model identifier to obtain a data definition for the
data from the
second user-application or a portion thereof, and evaluating said data to
determine
whether the data (or the portion thereof) complies with the data definition.
In certain
embodiments, for example, the data definition may comprise a required protocol
header
(for example a header for an MQTT payload), a list (for example a list of one)
of allowed
data types (for example integer, text, or floating point data types), a
required value pair
(for example a field description and a value having a specified data type),
and/or
required control characters (for example one or more required ASCII code
characters at
predetermined positions in a payload). In certain embodiments, for example,
the
communication management operations may comprise discarding (and taking no
further
steps to transmit) the received network packet (including the data) if the
data does not
comply with the data definition. In certain embodiments, for example, the
communication
management operations may comprise, after receiving the network packet via the
communication pathway, using the data model identifier to obtain one or more
allowed
ranges (for example minimum and/or maximum values and/or discrete allowed
values for
numerical data, or for example a range or allowed values for text data) for
the data or a
portion thereof, and evaluating the data to determine whether the data (or the
portion
thereof) falls within the one or more allowed ranges. In certain embodiments,
for
example, the communication management operations may comprise discarding (and
taking no further steps to transmit) the data if the data (or the portion of
the data) does
CA 03077203 2020-03-26
WO 2019/071126 PCT/US2018/054609
not fall within the one or more allowed ranges. In certain embodiments, for
example, the
communication management operations may comprise, after receiving the network
packet via the communication pathway, using the data model identifier to
obtain a list of
allowed commands and/or a list of prohibited commands (for example database
instruction commands such as SQLread and SQLwrite), and evaluating the data to
determine whether the data (or the portion of the data) contains one of the
allowed
commands and/or does not contain one of the prohibited commands. In certain
further
embodiments, for example, the list of allowed commands may be exclusive. In
certain
embodiments, for example, the communication management operations may comprise
discarding (and taking no further steps to consume) the data if the data (or
the portion of
the data) does not contain one of the allowed commands and/or contains one of
the
prohibited commands.
[0023] G. In certain embodiments, for example, the nonpublic first
identification code
may be preprovisioned as a static value for access by the processor (for
example in an
encrypted configuration file) that is used each time the processor executes
the
communication management operations (and the nonpublic second identification
code
may be similarly preprovisioned on the computing device) as described herein.
In
certain other embodiments, for example, the nonpublic first identification
code (and/or
nonpublic second identification code) may be obtained by requesting a security
token (or
token pair) for the first port (for example during establishment of the port
in a listening
mode, prior to sending a connection request, or during or after establishment
of the pre-
established communication pathway). In certain embodiments, for example, the
request
may specify identifiers (for example public identifiers) for a node hosting
the processor
and the computing device, and the token (or token pair) returned in response
to the
request may be a function of the node and the computing device. In certain
embodiments, for example, the computing device may also obtain a token (or
token pair)
complimentary to the token (or token pair) received by the node. In certain
embodiments, for example, a new token (or pair of tokens) is generated each
time a
connection between the node and the computing device is established. In
certain
embodiments, for example, all communications between the node and the third
computing device and all communications between the computing device and the
third
computing device may be secured by one of the methods, systems, products,
communication management operations, software, middleware, computing
infrastructure
and/or apparatus disclosed herein and/or in one of the REFERENCE APPLICATIONS.
[0024] H. In certain embodiments, for example, the local program
identification code
may be preprovisioned as a static value on a node hosting the processor (for
example in
11
CA 03077203 2020-03-26
WO 2019/071126
PCT/US2018/054609
an encrypted configuration file) that is used each time the node executes the
communication management operations (and the application identifier for the
second
user-application may be similarly preprovisioned on the computing device) as
described
herein. In certain other embodiments, for example, the local program
identification code
(and/or application identifier for the second user-application) may be
obtained by
requesting a security token (or token pair) for the first port (for example
during
establishment of the port in a listening mode, prior to sending a connection
request, or
during or after establishment of the pre-established communication pathway).
In certain
embodiments, for example, the request may specify identifiers for the local
program and
the second user-application (and optionally the data type), and the token (or
token pair)
returned in response to the request may be a function of the identifiers for
the local
program and the second user-application (and optionally the data type). In
certain
embodiments, for example, the computing device may also obtain a token (or
token pair)
complimentary to the token (or token pair) received by the node. In certain
embodiments, for example, a new token (or pair of tokens) is generated each
time a
connection between the node and the computing device is established. In
certain
embodiments, for example, all communications between the node and the third
computing device, and all communications between the computing device and the
third
computing device, may be secured by one of the methods, systems, products,
communication management operations, software, middleware, computing
infrastructure
and/or apparatus disclosed herein and/or in one of the REFERENCE APPLICATIONS.
[0025] I. In
certain embodiments, for example, all authentication and authorization
parameters required by the communication management operations may be obtained
from a local encrypted configuration file installed locally. In certain
embodiments, for
example, the local encrypted configuration file may include only those
authentication and
authorization parameters required locally to conduct pre-authorized
communications. In
certain other embodiments, for example, at least a portion (for example all)
authentication and authorization parameters required by the communication
management operations (whether static parameters or dynamically generated
tokens or
token pairs) may be obtained from a third node (for example a credentialing
server). In
certain embodiments, for example, the communication management operations may
comprise obtaining the nonpublic first identification code, the pre-
established value for
the computing device, the local program identification code, the pre-
established value for
the second user-application, the data model identifier, the pre-established
value for the
received data model identifier, the first port number, the second port number,
the third
port number, the data definition, the protocol header, the list of allowed
data types, the
12
CA 03077203 2020-03-26
WO 2019/071126 PCT/US2018/054609
required value pair, the required control characters, the one or more allowed
ranges, the
list of allowed commands, and/or the list of prohibited commands from at least
a third
computing device (for example a credentialing server). In certain embodiments,
for
example, a portion or all the obtaining may be performed during boot up of a
node
hosting the processor (including for example, obtaining all necessary
parameters for
communicating with remote computing devices at boot up of the node). In
certain
embodiments, for example, a portion or all of the obtaining may be performed
dynamically (for example in response to a confirmation that a communication
pathway
has been established (for example upon establishment of the pre-established
communication pathway). In certain embodiments, for example, the third node
may
maintain a master configuration file of a portion or all necessary
authentication and
authorization parameters for port-to-port communications between a plurality
of
networked computing devices.
[0026] J. In certain embodiments, for example, a portion of the
communication
management operations may be configured for execution in a kernel space
accessed by
the processor, and a further portion of the communication management
operations may
be configured for execution in an application space accessed by the processor.
[0027] K. In certain embodiments, for example, the consumed first network
packet
may be received from a first Network Interface Controller ("NIC"), wherein the
dedicated
communication pathway is configured to not traverse the first NIC. In certain
embodiments, for example, the consumed first network packet may be received at
a first
port, wherein the nonpublic first identification code is sent from a second
port, the
second port different from the first port. In certain embodiments, for
example, the
consumed first network packet may be received at a first port, wherein the
second
network packet is sent from a second port, the second port different from the
first port. In
certain embodiments, for example, the consumed first network packet may be
received
at a first port, wherein the secure communication pathway does not reach the
first port.
In certain embodiments, for example, the second port may be assigned
exclusively to a
second NIC.
[0028] L. In certain embodiments, for example, the pre-established
communication
pathway may have a one-to-one correspondence to an n-tuple comprising the
local
program identification code, the destination port number, and the data type
identifier.
[0029] Certain embodiments may provide, for example, a product for securing
communications of a plurality of networked computing devices. In certain
embodiments,
for example, the product may comprise a non-transitory computer-readable
storage
medium having computer-readable program code embodied therein. In certain
13
CA 03077203 2020-03-26
WO 2019/071126 PCT/US2018/054609
embodiments, for example, the computer-readable program code may be executable
by
a processor to perform communication management operations. In certain
embodiments, for example, the communication management operations may
comprise:
consuming network packets, comprising: a) consuming a first incoming network
packet
to obtain a first payload and a first destination port number, the first
destination port
number assigned to a destination port for a destination application on a first
computing
device of the plurality of networked computing devices; and b) consuming at
least a
second incoming network packet to obtain at least a second payload and at
least a
second destination port number, the at least a second destination port number
assigned
to at least one destination port for at least one destination application on
at least a
second computing device of the plurality of networked computing devices. In
certain
embodiments, for example, the communication management operations may
comprise:
confirming payloads, comprising: a) confirming the first payload conforms to a
first data
model pre-assigned to the first destination port number, a first data range
pre-assigned
to the first destination port number, and a first command type pre-assigned to
the first
destination port number; and b) confirming the at least a second payload
conforms to an
at least a second data model pre-assigned to the first destination port
number, an at
least a second data range pre-assigned to the first destination port number,
and an at
least a second command type pre-assigned to the first destination port number.
In
certain embodiments, for example, the communication management operations may
comprise: forming outgoing packets, comprising: a) inserting the first
payload, a first local
program identification code, and a first data type identifier into a first
outgoing network
packet; and b) inserting the at least a second payload, an at least a second
local
program identification code, and an at least a second data type identifier
into an at least
a second outgoing network packet. In certain embodiments, for example, the
communication management operations may comprise: executing instructions to
send
the outgoing packets, the outgoing packets comprising the first outgoing
network packet
and the at least a second outgoing network packet.
[0030] A. In certain embodiments, for example, the executing instructions
may
comprise: a) executing at least one instruction to send the first outgoing
network packet
to first network security software on the first computing device via a first
secure
communication pathway, the first secure communication pathway formed by: A)
sending
a nonpublic local identification code to the first network security software
via a pre-
established first communication pathway; B) receiving, in response to the
sending, a
nonpublic identification code for the first computing device; and C) comparing
the
nonpublic identification code for the first computing device with a pre-
established value
14
CA 03077203 2020-03-26
WO 2019/071126 PCT/US2018/054609
for the first computing device; and b) executing at least one instruction to
send the at
least a second outgoing network packet to at least second network security
software on
the at least a second computing device via an at least a second secure
communication
pathway.
[0031] Certain embodiments may provide, for example, a product for securing
communications of a plurality of networked computing devices. In certain
embodiments,
for example, the product may comprise a non-transitory computer-readable
storage
medium having computer-readable program code embodied therein. In certain
embodiments, for example, the computer-readable program code may be executable
by
a processor to perform communication management operations. In certain
embodiments, for example, the communication management operations may
comprise:
consuming ingressed network packets to obtain payloads and destination port
numbers,
the destination port numbers assigned to destination ports for destination
applications on
the plurality of networked computing devices. In certain embodiments, for
example, the
communication management operations may comprise: confirming the payloads
conform
to data models pre-assigned to the destination port numbers. In certain
embodiments,
for example, the communication management operations may comprise: inserting
at
least the payloads, and optionally local program identification codes, and
data type
identifiers into outgoing network packets. In certain embodiments, for
example, the
communication management operations may comprise: executing instructions to
send
the outgoing network packets to network security software on the plurality of
networked
computing devices via secure communication pathways.
[0032] A. In certain embodiments, for example, the secure communication
pathway
may be formed by further communication operations, the further communication
operations comprising: a) sending nonpublic first identification codes to the
network
security software via pre-established communication pathways; b) receiving, in
response
to the sending, nonpublic second identification codes for the computing
devices; and c)
comparing the nonpublic second identification codes with pre-established
values for the
computing devices.
[0033] B. In certain embodiments, for example, the data models may comprise
data
ranges pre-assigned to the destination port numbers, and command types pre-
assigned
to the destination port numbers.
[0034] C. In certain embodiments, for example, the consumed ingressed
network
packets may be received from first NICs, and the dedicated communication
pathways
may be configured to not traverse the first NICs.
CA 03077203 2020-03-26
WO 2019/071126 PCT/US2018/054609
[0035] Certain embodiments may provide, for example, a product for securing
communications of a plurality of networked computing devices. In certain
embodiments,
for example, the product may comprise a non-transitory computer-readable
storage
medium having computer-readable program code embodied therein. In certain
embodiments, for example, the computer-readable program code may be executable
by
a processor to perform communication management operations. In certain
embodiments, for example, the communication management operations may
comprise:
consuming a network packet, the network packet referencing a local port
number. In
certain embodiments, for example, the communication management operations may
comprise: consulting a preconfigured file to obtain an identifier for a remote
computing
device assigned to the local port number, a data type identifier assigned to
the local port
number, and at least one of a) a data model assigned to the local port number,
b) a data
range assigned to the local port number, or c) a command type assigned to the
local port
number. In certain embodiments, for example, the communication management
operations may comprise: confirming a payload obtained from the network packet
conforms to at least one of a) the data model, b) the data range, or c) the
command type.
In certain embodiments, for example, the communication management operations
may
comprise: inserting the payload and the data type identifier into a second
network
packet. In certain embodiments, for example, the communication management
operations may comprise: executing at least one instruction to send the second
network
packet to network security software on the remote computing device via a
secure
communication pathway.
[0036] A. In certain embodiments, for example, the secure communication
pathway
may be formed by further communication operations, the further communication
management operations comprising: a) sending a nonpublic first identification
code to
the network security software via a pre-established communication pathway; b)
receiving, in response to the sending, a nonpublic second identification code
for the
remote computing device; and c) comparing the nonpublic second identification
code
with the identifier for the remote computing device.
[0037] B. In certain embodiments, for example, the local port number may be
assigned to local network security software.
[0038] C. In certain embodiments, for example, the consumed network packet
may
be received from a first NIC, wherein the dedicated communication pathway is
configured to not traverse the first NIC.
[0039] D. In certain embodiments, for example, the local port number may be
assigned to a local port, wherein the nonpublic first identification code is
sent from a
16
CA 03077203 2020-03-26
WO 2019/071126 PCT/US2018/054609
second port, the second port different from the local port. In certain
embodiments, for
example, the local port number may be assigned to a local port, wherein the
second
network packet is sent from a second port, the second port different from the
local port.
In certain embodiments, for example, the local port number may be assigned to
a local
port, wherein the secure communication pathway does not reach the local port.
[0040] E. In certain embodiments, for example, the second port may be
assigned
exclusively to a second NIC.
[0041] F. In certain embodiments, for example, the pre-established
communication
pathway may have a one-to-one correspondence to an n-tuple comprising a local
application identifier, the destination port number, and the data type
identifier.
[0042] Certain embodiments may provide, for example, a product for securing
communications of a plurality of networked computing devices. In certain
embodiments,
for example, the product may comprise a non-transitory computer-readable
storage
medium having computer-readable program code embodied therein. In certain
embodiments, for example, the computer-readable program code may be executable
by
a processor to perform communication management operations. In certain
embodiments, for example, the communication management operations may
comprise:
passing a first network packet having a first payload ingressed via a first
NIC to a user-
application. In certain embodiments, for example, the communication management
operations may comprise: receiving a second network packet comprising a second
payload (for example the second payload may be the same as, a portion of,
related to, or
derived from the first payload) from the user-application. In certain
embodiments, for
example, the communication management operations may comprise: confirming the
second payload conforms to a data model pre-assigned to the user-application,
a data
range pre-assigned to the user-application, and a command type pre-assigned to
the
pre-assigned user-application. In certain embodiments, for example, the
communication
management operations may comprise: executing at least one instruction to send
a third
network packet containing the second payload (or a portion of the second
payload) to
network security software on a remote computing device via a secure
communication
pathway, the secure communication pathway not reaching the first NIC, the
secure
communication pathway formed by: a) sending a nonpublic first identification
code to the
network security software via a pre-established communication pathway; b)
receiving, in
response to the sending, a nonpublic second identification code for the remote
computing device; and c) comparing the nonpublic second identification code
with a pre-
established value for the computing device.
17
CA 03077203 2020-03-26
WO 2019/071126
PCT/US2018/054609
[0043] Certain embodiments may provide, for example, a method for securing
communications of a plurality of networked computing devices. In certain
embodiments,
for example, the method may comprise: receiving a first network packet from a
remote
user-application via a first NIC, the first network packet comprising a first
port number,
first data, an application identifier for the remote application, and data
type identifier. In
certain embodiments, for example, the method may comprise: comparing the
application
identifier for the remote application and the data type identifier with pre-
established
values, the pre-established values identified based on the first port number.
In certain
embodiments, for example, the method may comprise: further receiving a second
network packet via a second NIC, the second NIC different from the first NIC,
the second
network packet comprising a second port number and second data. In certain
embodiments, for example, the method may comprise: confirming that the second
port
number is assigned to a local user-application that is authorized to receive
information
via the second NIC.
[0044] A. In certain embodiments, for example, the second network packet
may be
passed to the local user-application without comparing one or more portions of
the
second network packet to pre-established values for an application identifier
or a data
type identifier. In certain embodiments, for example, the second network
application
may be consumed by the local user-application.
[0045] Certain embodiments may provide, for example, a product for securing
communications of a plurality of networked computing devices. In certain
embodiments,
for example, the product may comprise a non-transitory computer-readable
storage
medium having computer-readable program code embodied therein. In certain
embodiments, for example, the computer-readable program code may be executable
by
a processor to perform communication management operations. In certain
embodiments, for example, the communication management operations may
comprise:
receiving first network packets from remote user-applications via first NICs,
the first
network packets comprising first port numbers, first data, application
identifiers for the
remote applications, and data type identifiers. In certain embodiments, for
example, the
communication management operations may comprise: comparing the application
identifiers and the data type identifiers with pre-established values, the pre-
established
values identified based on the first port numbers. In certain embodiments, for
example,
the communication management operations may comprise: further receiving second
network packets via second NICs, the second NICs exclusive of the first NICs,
the
second network packets comprising a second port numbers and second data. In
certain
embodiments, for example, the communication management operations may
comprise:
18
CA 03077203 2020-03-26
WO 2019/071126 PCT/US2018/054609
confirming that the second port numbers are assigned to local user-
applications that are
authorized to receive information via the second NICs.
[0046] Certain embodiments may provide, for example, a product. In certain
embodiments, for example, the product may comprise a non-transitory computer-
readable storage medium having computer-readable program code embodied
therein. In
certain embodiments, for example, the computer-readable program code may be
executable by a first computing device to perform communication management
operations. In certain embodiments, for example, the communication management
operations may comprise: obtaining destination port numbers, user-application
identifiers, and data type identifiers from ingressing network packets. In
certain
embodiments, for example, the communication management operations may
comprise:
comparing the user-application identifiers and data type identifiers with pre-
established
values, the pre-established values identified based on the destination port
numbers,
subject to the proviso that the communication management operations are not
performed
on (or are disabled for) all network packets received via one or more
predetermined
NICs for which the communication management operations are not to be
performed.
[0047] A. In certain embodiments, for example, all ingressed network
packets to
which the proviso applies may be passed to a network security program.
[0048] Certain embodiments may provide, for example, a product. In certain
embodiments, for example, the product may comprise a non-transitory computer-
readable storage medium having computer-readable program code embodied
therein. In
certain embodiments, for example, the computer-readable program code may be
executable by a first computing device to perform communication management
operations. In certain embodiments, for example, the communication management
operations may comprise: passing all network packets having first destination
port
numbers and received via a first NIC to user-applications. In certain
embodiments, for
example, the communication management operations may comprise: authorizing all
network packets having second destination port numbers and received via a
second
NIC, the second NIC different from the first NIC, comprising: a) obtaining
destination port
numbers, identifiers for sending user-applications, and data type identifiers
from the
network packets received via the second NIC; and b) comparing the identifiers
for the
sending user-applications and the data type identifiers with pre-established
values, the
pre-established values identified based on the second destination port
numbers.
[0049] A. In certain embodiments, for example, the communication management
operations may further comprise authorizing, prior to the passing, that all
network
packets having first destination port numbers and received via a first NIC. In
certain
19
CA 03077203 2020-03-26
WO 2019/071126 PCT/US2018/054609
embodiments, for example, the authorizing may comprise: comparing the first
destination
port numbers with a pre-established list of authorized destination port
numbers for the
first NIC. In certain embodiments, for example, the authorizing that all
network packets
having first destination port numbers and received via a first NIC may further
comprise:
confirming the destination port numbers are assigned to the network security
program.
In certain further embodiments, for example, the confirming the destination
port numbers
are assigned to the network security program may comprise executing one or
more
operating system commands.
[0050] Certain embodiments may provide, for example, a product. In certain
embodiments, for example, the product may comprise a non-transitory computer-
readable storage medium having computer-readable program code embodied
therein. In
certain embodiments, for example, the computer-readable program code may be
executable by a first computing device to perform communication management
operations. In certain embodiments, for example, the communication management
operations may comprise: receiving, via a first NIC, a connection request
packet
comprising a destination port number. In certain embodiments, for example, the
communication management operations may comprise: verifying that a destination
port
assigned the destination port number is authorized to send data to and/or
receive data
via the NIC. In certain embodiments, for example, the communication management
operations may comprise: pre-establishing, via a second NIC, an encrypted
communication pathway with the destination port, the second NIC different from
the first
NIC. In certain embodiments, for example, the communication management
operations
may comprise: sending a nonpublic first identification code for the first
computing device
to the destination port via the pre-established encrypted communication
pathway. In
certain embodiments, for example, the communication management operations may
comprise: receiving, in response to the sending, a nonpublic second
identification code.
In certain embodiments, for example, the communication management operations
may
comprise: comparing the nonpublic second identification code with a pre-
established
value.
[0051] A. In certain embodiments, for example, the verifying may further
comprise
verifying that the destination port is authorized to receive data from a
source port having
the source port number.
[0052] B. In certain embodiments, for example, the nonpublic second
identification
code may be an identification code for a second computing device.
[0053] Certain embodiments may provide, for example, a product for securing
communications of a plurality of networked computing devices. In certain
embodiments,
CA 03077203 2020-03-26
WO 2019/071126 PCT/US2018/054609
for example, the product may comprise a non-transitory computer-readable
storage
medium having computer-readable program code embodied therein. In certain
embodiments, for example, the computer-readable program code may be executable
by
a first computing device to perform communication management operations. In
certain
embodiments, for example, the communication management operations may
comprise:
confirming that a network packet ingressed via a first NIC conforms to at
least one data
model pre-assigned to the first NIC, at least one data range pre-assigned to
the first NIC,
and/or at least one command type pre-assigned to the first NIC. In certain
embodiments,
for example, the communication management operations may comprise: inserting,
into
an outgoing network packet, a payload of the ingressed network packet, a local
network
security software identification code, and a data type identifier. In certain
embodiments,
for example, the communication management operations may comprise: executing
at
least one instruction to send the outgoing network packet via a secure
communication
pathway, the secure communication pathway formed by: a) sending a nonpublic
first
identification code to a second computing device via a pre-established
communication
pathway; b) receiving, in response to the sending, a nonpublic second
identification code
for the second computing device; and c) comparing the nonpublic second
identification
code with a pre-established value for the second computing device.
[0054] A. In certain embodiments, for example, the edge device may provide
sensor
readings. In certain embodiments, for example, the edge device may be a
microcontroller. In certain embodiments, for example, the edge device may be a
monitoring device. In certain embodiments, for example, the edge device may be
embedded in (and/or integral to) a mechanical device.
[0055] B. In certain embodiments, for example, the first network packet may
be a
machine-to-machine communication.
[0056] C. In certain embodiments, for example, the computing device may
have 2
NICs, 3 NICs, 4 NICs, 5 NICs, 6 NICs, 7 NICs, 8 NICs, 9 NICs, 10 NICs, or any
number
of NICs up to 100 NICs. In certain embodiments, for example, the computing
device
may be a single board computer. In certain embodiments, for example, the
computing
device may be a microcontroller.
[0057] Certain embodiments may provide, for example, a product for securing
communications of a plurality of networked computing devices. In certain
embodiments,
for example, the product may comprise a non-transitory computer-readable
storage
medium having computer-readable program code embodied therein. In certain
embodiments, for example, the computer-readable program code may be executable
by
a first computing device to perform communication management operations. In
certain
21
CA 03077203 2020-03-26
WO 2019/071126
PCT/US2018/054609
embodiments, for example, the communication management operations may
comprise:
confirming network packets, comprising: a) confirming that a first network
packet
ingressed via a first NIC conforms to at least one data model pre-assigned to
the first
NIC, at least one data range pre-assigned to the first NIC, and/or at least
one command
type pre-assigned to the first NIC; and b) confirming that at least a second
network
packet ingressed via an at least a second NIC conforms to at least one data
model pre-
assigned to the at least a second NIC, at least one data range pre-assigned to
the at
least a second NIC, and/or at least one command type pre-assigned to the at
least a
second NIC. In certain embodiments, for example, the communication management
operations may comprise: processing outgoing packets, comprising: a)
inserting, into a
first outgoing network packet, a first payload of the ingressed first network
packet, a local
network security software identification code, and a first data type
identifier; and b)
inserting, into an at least a second outgoing network packet, an at least a
second
payload from the ingressed at least a second network packet, a local network
security
software identification code, and an at least a second data type identifier.
In certain
embodiments, for example, the communication management operations may
comprise:
executing at least one instruction to send the first outgoing network packet
via a first
secure communication pathway, the first secure communication pathway formed
by: a)
sending a nonpublic first identification code to a second computing device via
a pre-
established communication pathway; b) receiving, in response to the sending, a
nonpublic second identification code for the second computing device; and c)
comparing
the nonpublic second identification code with a pre-established value for the
second
computing device. In certain embodiments, for example, the communication
management operations may comprise: executing at least one instruction to send
the
first outgoing network packet via an at least a second secure communication
pathway.
[0058] Certain embodiments may provide, for example, a product for securing
communications of a plurality of networked computing devices. In certain
embodiments,
for example, the product may comprise a non-transitory computer-readable
storage
medium having computer-readable program code embodied therein. In certain
embodiments, for example, the computer-readable program code may be executable
by
a processor to perform communication management operations. In certain
embodiments, for example, the communication management operations may
comprise:
receiving a first port-to-port network packet from a first computing device.
In certain
embodiments, for example, the communication management operations may
comprise:
establishing a secure communication pathway with a user-application at a
second
computing device, comprising: a) sending an application identifier for local
network
22
CA 03077203 2020-03-26
WO 2019/071126 PCT/US2018/054609
security software to the second computing device via the pre-established
communication
pathway; b) receiving, in response to the sending, an application identifier
for the user-
application; and c) comparing the second application identifier with a pre-
established
value for the user-application. In certain embodiments, for example, the
communication
management operations may comprise: confirming a payload of the first port-to-
port
network packet conforms to a data model pre-assigned to the pre-established
value for
the user-application, a data range pre-assigned to the pre-established value
for the user-
application, and a command type pre-assigned to the pre-established value for
the user-
application. In certain embodiments, for example, the communication management
operations may comprise: passing the payload to the second computing device
via the
secure communication pathway.
[0059] Certain embodiments may provide, for example, a product for securing
communications of a plurality of networked computing devices. In certain
embodiments,
for example, the product may comprise a non-transitory computer-readable
storage
medium having computer-readable program code embodied therein. In certain
embodiments, for example, the computer-readable program code may be executable
by
a processor to perform communication management operations. In certain
embodiments, for example, the communication management operations may
comprise:
receiving a first port-to-port network packet from a first computing device,
the first port-to-
port network packet comprising a first payload. In certain embodiments, for
example, the
communication management operations may comprise: confirming the first payload
conforms to a first data model, a first data range, and a first command type.
In certain
embodiments, for example, the communication management operations may
comprise:
establishing a secure communication pathway with a user-application at a
second
computing device, comprising: a) sending an application identifier for local
network
security software to the second computing device via the pre-established
communication
pathway; b) receiving, in response to the sending, an application identifier
for the user-
application; and c) comparing the second application identifier with a pre-
established
value for the user-application. In certain embodiments, for example, the
communication
management operations may comprise: forming a second port-to-port network
packet
comprising a second payload. In certain embodiments, for example, the
communication
management operations may comprise: confirming the second payload conforms to
a
data model pre-assigned to the pre-established value for the user-application,
a data
range pre-assigned to the pre-established value for the user-application, and
a command
type pre-assigned to the pre-established value for the user-application. In
certain
embodiments, for example, the communication management operations may
comprise:
23
CA 03077203 2020-03-26
WO 2019/071126 PCT/US2018/054609
passing the second port-to-port network packet the second computing device via
the
secure communication pathway.
[0060] A. In certain embodiments, for example, at least a portion of the
first payload
may be consumed by a local program (for example a local user-application) and
at least
a portion of the second payload may be generated by the local program (or a
separate
local program).
[0061] B. In certain embodiments, for example, the first payload and the
second
payload may be identical. In certain embodiments, for example, the first
payload and the
second payload overlap by at least 5%, for example at least 10%, at least 20%,
at least
30%, at least 40%, at least 50%, at least 60%, at least 70%, at least 80%, at
least 90%,
at least 95%, or at least 99%.
[0062] C. In certain embodiments, for example, the first port-to-port
network packet
may be received on a first NIC of the first computing device, and the payload
may be
passed to the second computing device without using the first NIC. In certain
embodiments, for example, the first port-to-port network packet may be
received on a
first NIC of the first computing device, and the payload may be passed to the
second
computing device via a second NIC of the first computing device, the first NIC
different
from the second NIC.
[0063] Certain embodiments may provide, for example, a method for securing
communications among a plurality of networked computing devices. In certain
embodiments, for example, the method may comprise: passing an ingressed first
network packet to a network security application. In certain embodiments, for
example,
the method may comprise: receiving a payload from the network security
application in
response to the passed first network packet. In certain embodiments, for
example, the
method may comprise: inserting the payload, an identification code for the
network
security application, and a destination port number into a second network
packet, the
destination port number of the second network packet determined from a
destination port
number of the first network packet. In certain embodiments, for example, the
method
may comprise: confirming the payload conforms to a data model pre-assigned to
the
identification code for the network security application, a data range pre-
assigned to the
identification code for the network security application, and a command type
pre-
assigned to the identification code for the network security application. In
certain
embodiments, for example, the method may comprise: sending the second network
packet to a remote computing device via a first authorized communication
pathway.
[0064] A. In certain embodiments, for example, the network security
application may
perform computer security operations (for example the network security
application may
24
CA 03077203 2020-03-26
WO 2019/071126 PCT/US2018/054609
be antivirus software, malware detection software, endpoint detection
software, artificial
intelligence computer security software, and the like) on the ingressed first
network
packet.
[0065] B. In certain embodiments, for example, the first network packet may
ingress
via a first NIC, wherein the first authorized communication pathway does not
reach the
first NIC.
[0066] C. In certain embodiments, for example, the method may further
comprise
forming the first authorized communication pathway using one or more of the
methods,
systems, products, communication management operations, software, middleware,
computing infrastructure and/or apparatus disclosed herein and/or in one of
the
REFERENCE APPLICATIONS (for example exchanging device identification codes,
program identification codes, user identification codes, and/or data model
codes to
authenticate and authorized network communications). In certain embodiments,
for
example, the ingressed first network packet be passed to the network security
application via a second authorized communication pathway (for example a
second
authorized communication pathway formed using one or more of the methods,
systems,
products, communication management operations, software, middleware, computing
infrastructure and/or apparatus disclosed herein and/or in one of the
REFERENCE
APPLICATIONS). In certain embodiments, for example, the payload may be
received
from the network security application via a third authorized communication
pathway (for
example a third authorized communication pathway formed using one or more of
the
methods, systems, products, communication management operations, software,
middleware, computing infrastructure and/or apparatus disclosed herein and/or
in one of
the REFERENCE APPLICATIONS).
[0067] Certain embodiments may provide, for example, a system. In certain
embodiments, for example, the system may comprise: a first computer hosting a
first
application. In certain embodiments, for example, the system may comprise: a
router. In
certain embodiments, for example, the system may comprise: a second computer
hosting first network security software. In certain embodiments, for example,
the system
may comprise: a secured network hosting a second application and second
network
security software. In certain embodiments, for example, the first application
may be
configured to send and to receive data through non-overlapping connections via
the
router. In certain embodiments, for example, the first application may be
configured to
send data to the network security software. In certain embodiments, for
example, the
first network security software may be configured to perform communication
management operations on the data. In certain embodiments, for example, the
CA 03077203 2020-03-26
WO 2019/071126 PCT/US2018/054609
communication management operations may comprise: A) confirming the data
conforms
to a data model pre-assigned to the second application, a data range pre-
assigned to the
second application, and a command type pre-assigned to the second application;
and B)
receive first codes from the second network security software and to compare
the first
codes with first parameters, to verify that the second application is
authorized to
consume the data before sending the data to the second network security
software.
[0068] A. In certain embodiments, for example, the first computer may be a
first
virtual machine. In certain embodiments, for example, the second computer may
be a
second virtual machine. In certain embodiments, for example, the first
computer and the
second computer share one or more bare metal computers in common. In certain
embodiments, for example, the first computer and the second computer
communicate
the data via a dedicated VPN.
[0069] Certain embodiments may provide, for example, a product for securing
communications of a plurality of networked computing devices, the product
comprising a
non-transitory computer-readable storage medium having computer-readable
program
code embodied therein, the computer-readable program code executable by a
processor
to perform communication management operations, the communication management
operations comprising: i) consuming a first network packet to obtain a payload
and a
destination port number, the destination port number assigned to a destination
port on a
computing device, the computing device one of the plurality of networked
computing
devices; ii) confirming the payload conforms to a data model pre-assigned to
the
destination port number, a data range pre-assigned to the destination port
number, and a
command type pre-assigned to the destination port number; iii) forming a
second
network packet comprising the payload, a local program identification code,
and a data
type identifier; and iv) executing at least one instruction to send the second
network
packet to network security software on the computing device via a secure
communication pathway, the secure communication pathway.
[0070] Certain embodiments may provide, for example, a product for securing
communications of a plurality of networked computing devices, the product
comprising a
non-transitory computer-readable storage medium having computer-readable
program
code embodied therein, the computer-readable program code executable by a
processor
to perform communication management operations, the communication management
operations comprising: i) consuming network packets, comprising: a) consuming
a first
incoming network packet to obtain a first payload and a first destination port
number, the
first destination port number assigned to a destination port for a destination
application
on a first computing device of the plurality of networked computing devices;
and b)
26
CA 03077203 2020-03-26
WO 2019/071126 PCT/US2018/054609
consuming at least a second incoming network packet to obtain at least a
second
payload and at least a second destination port number, the at least a second
destination
port number assigned to at least one destination port for at least one
destination
application on at least a second computing device of the plurality of
networked
computing devices; ii) confirming payloads, comprising: a) confirming the
first payload
conforms to a first data model pre-assigned to the first destination port
number, a first
data range pre-assigned to the first destination port number, and a first
command type
pre-assigned to the first destination port number; and b) confirming the at
least a second
payload conforms to an at least a second data model pre-assigned to the first
destination
port number, an at least a second data range pre-assigned to the first
destination port
number, and an at least a second command type pre-assigned to the first
destination
port number; iii) forming outgoing packets, comprising: a) inserting the first
payload, a
first local program identification code, and a first data type identifier into
a first outgoing
network packet; and b) inserting the at least a second payload, an at least a
second local
program identification code, and an at least a second data type identifier
into an at least
a second outgoing network packet; and iv) executing instructions to send the
outgoing
packets, the outgoing packets comprising the first outgoing network packet and
the at
least a second outgoing network packet.
[0071] Certain embodiments may provide, for example, a product for securing
communications of a plurality of networked computing devices, the product
comprising a
non-transitory computer-readable storage medium having computer-readable
program
code embodied therein, the computer-readable program code executable by a
processor
to perform communication management operations, the communication management
operations comprising: i) consuming first network packets to obtain payloads
and
destination port numbers, the destination port numbers assigned to destination
ports for
destination applications on computing devices of the plurality of networked
computing
devices; ii) confirming the payloads conform to data models pre-assigned to
the
destination port numbers; iii) inserting at least the payloads, and optionally
local program
identification codes, and data type identifiers into second network packets;
and iv)
executing instructions to send the second network packets to network security
software
on the computing devices via secure communication pathways.
[0072] Certain embodiments may provide, for example, a product for securing
communications of a plurality of networked computing devices, the product
comprising a
non-transitory computer-readable storage medium having computer-readable
program
code embodied therein, the computer-readable program code executable by a
processor
to perform communication management operations, the communication management
27
CA 03077203 2020-03-26
WO 2019/071126
PCT/US2018/054609
operations comprising: i) consuming a network packet, the network packet
referencing a
local port number; ii) consulting a preconfigured file to obtain an identifier
for a remote
computing device assigned to the local port number, a data type identifier
assigned to
the local port number, and at least one of a) a data model assigned to the
local port
number, b) a data range assigned to the local port number, or c) a command
type
assigned to the local port number; iii) confirming a payload obtained from the
network
packet conforms to at least one of a) the data model, b) the data range, or c)
the
command type; iv) inserting the payload and the data type identifier into a
second
network packet; and v) executing at least one instruction to send the second
network
packet to network security software on the computing device via a secure
communication pathway.
[0073] Certain embodiments may provide, for example, a product for securing
communications of a plurality of networked computing devices, the product
comprising a
non-transitory computer-readable storage medium having computer-readable
program
code embodied therein, the computer-readable program code executable by a
processor
to perform communication management operations, the communication management
operations comprising: i) passing a first network packet having a first
payload ingressed
via a first NIC to a user-application; ii) receiving a second network packet
comprising a
second payload from the user-application; iii) confirming the second payload
of the
received second network packet conforms to a data model pre-assigned to the
user-
application, a data range pre-assigned to the user-application, and a command
type pre-
assigned to the pre-assigned user-application; iv) executing at least one
instruction to
send a third network packet containing the second payload to network security
software
on a remote computing device via a secure communication pathway, the secure
communication pathway not reaching the first NIC, the secure communication
pathway
formed by: a) sending a nonpublic first identification code to the network
security
software via a pre-established communication pathway; b) receiving, in
response to the
sending, a nonpublic second identification code for the remote computing
device; and c)
comparing the nonpublic second identification code with a pre-established
value for the
computing device.
[0074] Certain embodiments may provide, for example, a method, comprising:
i)
receiving a first network packet from a remote user-application via a first
NIC, the first
network packet comprising a first port number, first data, an application
identifier for the
remote application, and data type identifier; ii) comparing the application
identifier for the
remote application and the data type identifier with pre-established values,
the pre-
established values identified based on the first port number; iii) further
receiving a
28
CA 03077203 2020-03-26
WO 2019/071126 PCT/US2018/054609
second network packet via a second NIC, the second NIC different from the
first NIC, the
second network packet comprising a second port number and second data; and iv)
confirming that the second port number is assigned to a local user-application
that is
authorized to receive information via the second NIC.
[0075] Certain embodiments may provide, for example, a product for securing
communications of a plurality of networked computing devices, the product
comprising a
non-transitory computer-readable storage medium having computer-readable
program
code embodied therein, the computer-readable program code executable by a
processor
to perform communication management operations, the communication management
operations comprising: i) receiving first network packets from remote user-
applications
via first NICs, the first network packets comprising first port numbers, first
data,
application identifiers for the remote applications, and data type
identifiers; ii) comparing
the application identifiers and the data type identifiers with pre-established
values, the
pre-established values identified based on the first port numbers; iii)
further receiving
second network packets via second NICs, the second NICs exclusive of the first
NICs,
the second network packets comprising a second port numbers and second data;
and iv)
confirming that the second port numbers are assigned to local user-
applications that are
authorized to receive information via the second NICs.
[0076] Certain embodiments may provide, for example, a product comprising a
non-
transitory computer-readable storage medium having computer-readable program
code
embodied therein, the computer-readable program code executable by a first
computing
device to perform communication management operations, the communication
management operations comprising: i) obtaining destination port numbers, user-
application identifiers, and data type identifiers from ingressing network
packets; and ii)
comparing the user-application identifiers and data type identifiers with pre-
established
values, the pre-established values identified based on the destination port
numbers,
subject to the proviso that the communication management operations are not
performed
on all network packets received via one or more predetermined NICs for which
the
communication management operations are not to be performed.
[0077] Certain embodiments may provide, for example, a product comprising a
non-
transitory computer-readable storage medium having computer-readable program
code
embodied therein, the computer-readable program code executable by a first
computing
device to perform communication management operations, the communication
management operations comprising: i) passing all network packets having first
destination port numbers and received via a first NIC to user-applications;
and ii)
authorizing all network packets having second destination port numbers and
received via
29
CA 03077203 2020-03-26
WO 2019/071126 PCT/US2018/054609
a second NIC, the second NIC different from the first NIC, comprising: a)
obtaining
destination port numbers, identifiers for sending user-applications, and data
type
identifiers from the network packets received via the second NIC; and b)
comparing the
identifiers for the sending user-applications and the data type identifiers
with pre-
established values, the pre-established values identified based on the second
destination port numbers.
[0078] Certain embodiments may provide, for example, a product comprising a
non-
transitory computer-readable storage medium having computer-readable program
code
embodied therein, the computer-readable program code executable by a first
computing
device to perform communication management operations, the communication
management operations comprising: i) receiving, via a first NIC, a connection
request
packet comprising a destination port number; ii) verifying that a destination
port assigned
the destination port number is authorized to send data to and/or receive data
via the NIC;
iii) pre-establishing, via a second NIC, an encrypted communication pathway
with the
destination port, the second NIC different from the first NIC; iv) sending a
nonpublic first
identification code for the first computing device to the destination port via
the pre-
established encrypted communication pathway; v) receiving, in response to the
sending,
a nonpublic second identification code; and vi) comparing the nonpublic second
identification code with a pre-established value.
[0079] Certain embodiments may provide, for example, a product for securing
communications of a plurality of networked computing devices, the product
comprising a
non-transitory computer-readable storage medium having computer-readable
program
code embodied therein, the computer-readable program code executable by a
first
computing device to perform communication management operations, the
communication management operations comprising: i) confirming that a network
packet
ingressed via a first NIC conforms to at least one data model pre-assigned to
the first
NIC, at least one data range pre-assigned to the first NIC, and/or at least
one command
type pre-assigned to the first NIC; ii) inserting, into an outgoing network
packet, a
payload of the ingressed network packet, a local network security software
identification
code, and a data type identifier; and iii) executing at least one instruction
to send the
outgoing network packet via a secure communication pathway, the secure
communication pathway formed by: a) sending a nonpublic first identification
code to a
second computing device via a pre-established communication pathway; b)
receiving, in
response to the sending, a nonpublic second identification code for the second
computing device; and c) comparing the nonpublic second identification code
with a pre-
established value for the second computing device.
CA 03077203 2020-03-26
WO 2019/071126 PCT/US2018/054609
[0080] Certain embodiments may provide, for example, a product for securing
communications of a plurality of networked computing devices, the product
comprising a
non-transitory computer-readable storage medium having computer-readable
program
code embodied therein, the computer-readable program code executable by a
first
computing device to perform communication management operations, the
communication management operations comprising: i) confirming network packets,
comprising: a) confirming that a first network packet ingressed via a first
NIC conforms to
at least one data model pre-assigned to the first NIC, at least one data range
pre-
assigned to the first NIC, and/or at least one command type pre-assigned to
the first NIC;
and b) confirming that at least a second network packet ingressed via an at
least a
second NIC conforms to at least one data model pre-assigned to the at least a
second
NIC, at least one data range pre-assigned to the at least a second NIC, and/or
at least
one command type pre-assigned to the at least a second NIC; ii) processing
outgoing
packets, comprising: a) inserting, into a first outgoing network packet, a
first payload of
the ingressed first network packet, a local network security software
identification code,
and a first data type identifier; and b) inserting, into an at least a second
outgoing
network packet, an at least a second payload from the ingressed at least a
second
network packet, a local network security software identification code, and an
at least a
second data type identifier; iii) executing at least one instruction to send
the first outgoing
network packet via a first secure communication pathway, the first secure
communication pathway formed by: a) sending a nonpublic first identification
code to a
second computing device via a pre-established communication pathway; b)
receiving, in
response to the sending, a nonpublic second identification code for the second
computing device; and c) comparing the nonpublic second identification code
with a pre-
established value for the second computing device; and iv) executing at least
one
instruction to send the first outgoing network packet via an at least a second
secure
communication pathway.
[0081] Certain embodiments may provide, for example, a product for securing
communications of a plurality of networked computing devices, the product
comprising a
non-transitory computer-readable storage medium having computer-readable
program
code embodied therein, the computer-readable program code executable by a
processor
to perform communication management operations, the communication management
operations comprising: i) receiving a first port-to-port network packet from a
first
computing device; ii) establishing a secure communication pathway with a user-
application at a second computing device, comprising: a) sending an
application
identifier for local network security software to the second computing device
via the pre-
31
CA 03077203 2020-03-26
WO 2019/071126 PCT/US2018/054609
established communication pathway; b) receiving, in response to the sending,
an
application identifier for the user-application; and c) comparing the second
application
identifier with a pre-established value for the user-application; iii)
confirming a payload of
the first port-to-port network packet conforms to a data model pre-assigned to
the pre-
established value for the user-application, a data range pre-assigned to the
pre-
established value for the user-application, and a command type pre-assigned to
the pre-
established value for the user-application; and iv) passing the payload to the
second
computing device via the secure communication pathway.
[0082] Certain embodiments may provide, for example, a product for securing
communications of a plurality of networked computing devices, the product
comprising a
non-transitory computer-readable storage medium having computer-readable
program
code embodied therein, the computer-readable program code executable by a
processor
to perform communication management operations, the communication management
operations comprising: i) receiving a first port-to-port network packet from a
first
computing device, the first port-to-port network packet comprising a first
payload; ii)
confirming the first payload conforms to a first data model, a first data
range, and a first
command type; iii) establishing a secure communication pathway with a user-
application
at a second computing device, comprising: a) sending an application identifier
for local
network security software to the second computing device via the pre-
established
communication pathway; b) receiving, in response to the sending, an
application
identifier for the user-application; and c) comparing the second application
identifier with
a pre-established value for the user-application; iv) forming a second port-to-
port network
packet comprising a second payload; v) confirming the second payload conforms
to a
data model pre-assigned to the pre-established value for the user-application,
a data
range pre-assigned to the pre-established value for the user-application, and
a command
type pre-assigned to the pre-established value for the user-application; and
vi) passing
the second port-to-port network packet the second computing device via the
secure
communication pathway.
[0083] Certain embodiments may provide, for example, a method, comprising:
i)
passing an ingressed first network packet to a network security application;
ii) receiving a
payload from the network security application in response to the passed first
network
packet; iii) inserting the payload, an identification code for the network
security
application, and a destination port number into a second network packet, the
destination
port number of the second network packet determined from a destination port
number of
the first network packet; iv) confirming the payload conforms to a data model
pre-
assigned to the identification code for the network security application, a
data range pre-
32
CA 03077203 2020-03-26
WO 2019/071126
PCT/US2018/054609
assigned to the identification code for the network security application, and
a command
type pre-assigned to the identification code for the network security
application; and v)
sending the second network packet to a remote computing device via a first
authorized
communication pathway.
[0084] Certain embodiments may provide, for example, a system, comprising:
i) a
first computer hosting a first application; ii) a router; iii) a second
computer hosting first
network security software; and iv) a secured network hosting a second
application and
second network security software, a) the first application configured to send
and to
receive data through non-overlapping connections via the router, b) the first
application
configured to send data to the network security software, c) the first network
security
software configured to perform communication management operations on the
data, the
communication management operations comprising: A) confirming the data
conforms to
a data model pre-assigned to the second application, a data range pre-assigned
to the
second application, and a command type pre-assigned to the second application;
and B)
receive first codes from the second network security software and to compare
the first
codes with first parameters, to verify that the second application is
authorized to
consume the data before sending the data to the second network security
software.
[0085] Certain embodiments may provide, for example, a product for managing
communications of a plurality of networked processor nodes. In certain
embodiments,
for example, the product may comprise a non-transitory computer-readable
storage
medium having computer readable program code embodied therein for execution by
a
processor to perform communication management operations. In certain
embodiments,
for example, the communication management operations may comprise establishing
authorized encrypted communication pathways for port-to-port network
communications
among the plurality of networked processor nodes and at least one Network
Interface
Controller ("N IC") of at least one gateway processor node. In certain
embodiments, for
example, the establishing may comprise intercepting network connection
requests from
source ports, the requests having associated destination port numbers. In
certain
embodiments, for example, the establishing may comprise verifying that the
source ports
are authorized to communicate with ports having the associated destination
port
numbers. In certain embodiments, for example, the establishing may comprise
requesting the negotiation of encrypted communication pathways, the requesting
comprising sending connection request packets comprising the associated
destination
port numbers. In certain embodiments, for example, the establishing may
comprise
authorizing the encrypted communication pathways, comprising comparing node
33
CA 03077203 2020-03-26
WO 2019/071126
PCT/US2018/054609
identifiers, user-application identifiers, and payload data-type identifiers
received from
the encrypted communication pathways with pre-defined authorization codes.
[0086] A. In certain embodiments, for example, the at least one NIC may be
at least
one Ethernet interface (for example a copper or fiber interface), at least one
wireless
interface (for example a wireless interface according to the IEEE 802.11
standard), at
least one wireless broadband interface (for example a "Wi-Max" interface
according to
the IEEE 802.16 standard), at least one wireless interface according to an
IEEE
802.15.4-based standard (for example an interface according to the Zigbee
specification), at least one Bluetooth interface (for example a Bluetooth
interface
according to the IEEE 802.15.1 standard), or at least one modem. In certain
embodiments, for example, the at least one NIC may be a plurality of Network
Interface
Controllers (NICs), and the plural NICs may comprise an Ethernet interface
(for example
a copper or fiber interface), a wireless interface (for example a wireless
interface
according to the IEEE 802.11 standard), a wireless broadband interface (for
example a
"Wi-Max" interface according to the IEEE 802.16 standard), a wireless
interface
according to an IEEE 802.15.4-based standard (for example an interface
according to
the Zigbee specification), a Bluetooth interface (for example a Bluetooth
interface
according to the IEEE 802.15.1 standard), a modem, or a combination of two or
more
thereof. In certain embodiments, for example, the at least one NIC may
comprise an
FPGA programmed for high speed network processing. In certain embodiments, for
example, the at least one NIC (for example an Ethernet interface or one of the
aforementioned wireless interfaces) may have a data transfer rate of 10 Mbps,
100
Mbps, 1 Gbps, 10 Gbps, or 100 Gbps. In certain embodiments, for example, the
at least
one NIC may have a data transfer rate of at least 10 Mbps, for example at
least 100
Mbps, at least 1 Gbps, at least 10 Gbps, or the one or more physical
interfaces may
have a data transfer rate of at least 100 Gbps. In certain embodiments, for
example, the
at least one NIC may have a data transfer rate of less than 100 Gbps, for
example less
than 10 Gbps, less than 1 Gbps, less than 100 Mbps, or the one or more
physical
interfaces may have a data transfer rate of less than 10 Mbps.
[0087] B. In certain embodiments, for example, the at least one NIC may be
a
physical interface. In certain embodiments, for example, the at least one NIC
may be a
virtual interface. In certain embodiments, for example, the at least one NIC
may be a
plurality of NICs, wherein at least one NIC of the plural NICs is a physical
interface and
at least another NIC of the plural NICs is a virtual interface. In certain
embodiments, for
example, the at least one NIC may be selected from a pre-determined list
present in a
nonvolatile memory of the at least one gateway processor node. In certain
34
CA 03077203 2020-03-26
WO 2019/071126
PCT/US2018/054609
embodiments, for example, the communication management operations may further
comprise identifying communication requests received at an least one further
NIC of the
at least one gateway processor node, followed by not intercepting, verifying,
requesting,
and/or authorizing relative to said communication requests. In certain
embodiments, for
example, the gateway processor node may be a bare metal server. In certain
embodiments, for example, the gateway processor node may be a virtual machine.
In
certain embodiments, for example, the at least one further NIC may be selected
from a
pre-determined list present in a nonvolatile memory of the at least one
gateway
processor node. In certain embodiments, for example, the at least one NIC may
be in
communication with a first series of processor nodes, and the at least one
further NIC
may be in communication with a second series of processor nodes. In certain
embodiments, for example, the first series of processor nodes may be non-
overlapping
with the second series of processor nodes.
[0088] Certain embodiments may provide, for example, a product for managing
communications of network of processor nodes and at least one gateway
processor
node having a plurality of NICs (for example plural Ethernet interfaces). In
certain
embodiments, for example, the product may comprise a non-transitory computer-
readable storage medium having computer readable program code embodied therein
for
execution by a processor to perform communication management operations. In
certain
embodiments, for example, the communication management operation may comprise
performing communication processing functions on all port-to-network
communications
of the at least one gateway processor node. In certain embodiments, for
example, the
performing communication processing functions may comprise receiving data
packets
having payloads from source ports on the at least one gateway processor node.
In
certain embodiments, for example, the performing communication processing
functions
may comprise diverting data packets having destination port numbers associated
with
pre-defined destination port numbers. In certain embodiments, for example, the
performing communication processing functions may comprise further processing
the
diverted packets by assembling packet segments, comprising the payloads,
associated
user-application identifiers, and a payload data type descriptors. In certain
embodiments, for example, the performing communication processing functions
may
comprise further processing the diverted packets by requesting transmission of
network
packets through a dedicated at least one NIC of the plurality of NICs, each
one of the
network packets comprising a port number associated with the pre-defined
destination
port number and one of the assembled packet segments. In certain embodiments,
for
example, the performing communication processing functions may comprise
requesting
CA 03077203 2020-03-26
WO 2019/071126
PCT/US2018/054609
transmission of the non-diverted packets through at least one NIC of the
plurality of NICs
different from the dedicated at least one NIC.
[0089] A. In certain embodiments, for example, the dedicated at least one
NIC may
be selected from a pre-determined list present in a nonvolatile memory of the
at least
one gateway processor node. In certain embodiments, for example, the different
at least
one NIC may be selected from a pre-determined list present in a nonvolatile
memory of
the at least one gateway processor node. In certain embodiments, for example,
the
dedicated at least one NIC may be in communication with a first series of
processor
nodes, and the different at least one NIC may be in communication with a
second series
of processor nodes. In certain embodiments, for example, the first series of
processor
nodes may be non-overlapping with the second series of processor nodes.
[0090] Certain embodiments may provide, for example, a product for managing
communications of at least one gateway processor node having a plurality of
NICs. In
certain embodiments, for example, the product may comprise a non-transitory
computer-
readable storage medium having computer readable program code embodied therein
for
execution by a processor to perform communication management operations. In
certain
embodiments, for example, the communication management operations may comprise
performing communication processing functions on all network-to-port
communications
received by the at least one gateway processor node through at least one of
the plurality
of NICs. In certain embodiments, for example, the performing communication
processing functions may comprise obtaining destination port numbers,
metadata, and
payloads associated with network packets. In certain embodiments, for example,
the
performing communication processing functions may comprise identifying pre-
defined
authorization codes associated with the destination port numbers, each one of
the pre-
defined authorization codes comprising a pre-defined user-application
identifier and a
pre-defined payload data-type identifier associated with one of the
destination port
numbers. In certain embodiments, for example, the performing communication
processing functions may comprise authorizing the network packets, comprising:
comparing metadata with the pre-defined authorization codes. In certain
embodiments,
for example, the performing communication processing functions may comprise
requesting transmission of payloads from the authorized network packets to
destinations
referenced by the destination port numbers.
[0091] A. In certain embodiments, for example, the at least one NIC may be
selected from a pre-determined list present in a nonvolatile memory of the at
least one
gateway processor node. In certain embodiments, for example, the communication
management operations may further comprise identifying communication requests
36
CA 03077203 2020-03-26
WO 2019/071126 PCT/US2018/054609
received at an at least one further NIC of the plurality of NICs of the at
least one gateway
processor node, followed by not intercepting, verifying, requesting, and/or
authorizing
relative to said communication requests. In certain embodiments, for example,
the at
least one further NIC may be selected from a pre-determined list present in a
nonvolatile
memory of the at least one gateway processor node. In certain embodiments, for
example, the at least one NIC may be in communication with a first series of
processor
nodes, and the at least one further NIC is in communication with a second
series of
processor nodes. In certain embodiments, for example, the first series of
processor
nodes may be non-overlapping with the second series of processor nodes.
[0092] Certain embodiments may provide, for example, a product for managing
communications of a plurality of networked processor nodes, the product
comprising a
non-transitory computer-readable storage medium having computer readable
program
code embodied therein for execution by a processor to perform communication
management operations, the communication management operations comprising:
establishing authorized encrypted communication pathways for port-to-port
network
communications among the plurality of networked processor nodes and at least
one
Network Interface Controller (NIC) of at least one gateway processor node,
comprising: i)
intercepting network connection requests from source ports, the requests
having
associated destination port numbers; ii) verifying that the source ports are
authorized to
communicate with ports having the associated destination port numbers; iii)
requesting
the negotiation of encrypted communication pathways, the requesting comprising
sending connection request packets comprising the associated destination port
numbers;
and iv) authorizing the encrypted communication pathways, comprising comparing
node
identifiers, user-application identifiers, and payload data-type identifiers
received from
the encrypted communication pathways with pre-defined authorization codes.
[0093] Certain embodiments may provide, for example, a product for managing
communications of network of processor nodes and at least one gateway
processor
node having a plurality of NICs, the product comprising a non-transitory
computer-
readable storage medium having computer readable program code embodied therein
for
execution by a processor to perform communication management operations, the
communication management operations comprising: performing communication
processing functions on all port-to-network communications of the at least one
gateway
processor node, the performing communication processing functions comprising:
i)
receiving data packets having payloads from source ports on the at least one
gateway
processor node; ii) diverting data packets having destination port numbers
associated
with pre-defined destination port numbers, further processing the diverted
packets by: a)
37
CA 03077203 2020-03-26
WO 2019/071126 PCT/US2018/054609
assembling packet segments, comprising the payloads, associated user-
application
identifiers, and a payload data type descriptors; and b) requesting
transmission of
network packets through a dedicated at least one NIC of the plurality of NICs,
each one
of the network packets comprising a port number associated with the pre-
defined
destination port number and one of the assembled packet segments; and iii)
requesting
transmission of the non-diverted packets through at least one NIC of the
plurality of NICs
different from the dedicated at least one NIC.
[0094] Certain embodiments may provide, for example, a product for managing
communications of at least one gateway processor node having a plurality of
NICs, the
product comprising a non-transitory computer-readable storage medium having
computer readable program code embodied therein for execution by a processor
to
perform communication management operations, the communication management
operations comprising: performing communication processing functions on all
network-
to-port communications received by the at least one gateway processor node
through at
least one of the plurality of NICs, the performing communication processing
functions
comprising: i) obtaining destination port numbers, metadata, and payloads
associated
with network packets; ii) identifying pre-defined authorization codes
associated with the
destination port numbers, each one of the pre-defined authorization codes
comprising a
pre-defined user-application identifier and a pre-defined payload data-type
identifier
associated with one of the destination port numbers; iii) authorizing the
network packets,
comprising: comparing metadata with the pre-defined authorization codes; and
iv)
requesting transmission of payloads from the authorized network packets to
destinations
referenced by the destination port numbers.
[0095] Certain embodiments may provide, for example, a product for managing
communications of a plurality of networked processor nodes, the product
comprising a
non-transitory computer-readable storage medium having computer readable
program
code embodied therein for execution by a processor to perform communication
management operations, the communication management operations comprising:
establishing authorized encrypted communication pathways for port-to-port
network
communications among the plurality of networked processor nodes and at least
one NIC
of at least one gateway processor node, comprising: i) intercepting a network
connection
request from a source port, the request having an associated destination port
number; ii)
verifying that the source port is authorized to communicate with a port having
the
associated destination port number; iii) requesting the negotiation of an
encrypted
communication pathway, the requesting comprising sending a connection request
packet
comprising the associated destination port number; and iv) authorizing the
encrypted
38
CA 03077203 2020-03-26
WO 2019/071126 PCT/US2018/054609
communication pathway, comprising comparing a node identifier, a user-
application
identifier, and a payload data-type identifier received from the encrypted
communication
pathway with a pre-defined authorization code.
[0096] Certain embodiments may provide, for example, a product for managing
communications of network of processor nodes and at least one gateway
processor
node having a plurality of NICs, the product comprising a non-transitory
computer-
readable storage medium having computer readable program code embodied therein
for
execution by a processor to perform communication management operations, the
communication management operations comprising: performing communication
processing functions on all port-to-network communications of the at least one
gateway
processor node, the performing communication processing functions comprising:
i)
receiving a data packet having a payload from a source port on the at least
one gateway
processor node; ii) diverting the data packet if it has a destination port
numbers
associated with a pre-defined destination port number, further processing the
diverted
packet by: a) assembling a packet segment, comprising the payload, an
associated user-
application identifier, and a payload data type descriptor; and b) requesting
transmission
of a network packets through a dedicated at least one NIC of the plurality of
NICs, the
network packets comprising a port number associated with the pre-defined
destination
port number and the assembled packet segments; and iii) if the packet is not
diverted,
requesting transmission of the non-diverted packet through at least one NIC of
the
plurality of NICs different from the dedicated at least one NIC.
[0097] Certain embodiments may provide, for example, a product for managing
communications of at least one gateway processor node having a plurality of
NICs, the
product comprising a non-transitory computer-readable storage medium having
computer readable program code embodied therein for execution by a processor
to
perform communication management operations, the communication management
operations comprising: performing communication processing functions on all
network-
to-port communications received by the at least one gateway processor node
through at
least one of the plurality of NICs, the performing communication processing
functions
comprising: i) obtaining a destination port number, metadata, and payload
associated
with a network packet; ii) identifying a pre-defined authorization code
associated with the
destination port number, the pre-defined authorization code comprising a pre-
defined
user-application identifier and a pre-defined payload data-type identifier
associated with
the destination port number; iii) authorizing the network packet, comprising:
comparing
the metadata with the pre-defined authorization code; and iv) requesting
transmission of
39
CA 03077203 2020-03-26
WO 2019/071126 PCT/US2018/054609
the payload from the authorized network packet to a destination referenced by
the
destination port number.
[0098] Certain embodiments may provide, for example, a gateway node in
communication with at least a first networked node via at least a first NIC of
the gateway
node and at least a second networked node via at least a second NIC of the
gateway
node. In certain embodiments, for example, the gateway node may comprise
network
security software. In certain embodiments, for example, the network security
software
may be configured for execution by the gateway node to perform communication
management operations. In certain embodiments, for example, the communication
management operations may comprise obtaining a NIC identifier associated with
each
port-to-port network communication traversing the at least a first NIC and the
at least a
second NIC. In certain embodiments, for example, the communication management
operations may comprise establishing authorized encrypted communication
pathways for
all port-to-port network communications traversing the first NIC. In certain
embodiments,
for example, the establishing authorized encrypted communication pathways may
comprise intercepting network connection requests from source ports, the
requests
having associated destination port numbers. In certain embodiments, for
example, the
establishing authorized encrypted communication pathways may comprise
verifying that
the source ports are authorized to communicate with ports having the
associated
destination port numbers. In certain embodiments, for example, the
establishing
authorized encrypted communication pathways may comprise requesting the
negotiation
of encrypted communication pathways, the requesting comprising sending
connection
request packets comprising the associated destination port numbers. In certain
embodiments, for example, the establishing authorized encrypted communication
pathways may comprise authorizing the encrypted communication pathways,
comprising
comparing node identifiers, user-application identifiers, and payload data-
type identifiers
received from the encrypted communication pathways with pre-defined
authorization
codes. In certain embodiments, for example, the communication management
operations may comprise refraining from establishing authorized encrypted
communication pathways for all port-to-port network communications traversing
the
second NIC.
[0099] Certain embodiments may provide, for example, a gateway node in
communication with at least a first networked node via at least a first NIC of
the gateway
node and at least a second networked node via at least a second NIC of the
gateway
node, the gateway node comprising network security software, the network
security
software configured for execution by the gateway node to perform communication
CA 03077203 2020-03-26
WO 2019/071126 PCT/US2018/054609
management operations, the communication management operations comprising: A)
obtaining a NIC identifier associated with each port-to-port network
communication
traversing the at least a first NIC and the at least a second NIC; B)
establishing
authorized encrypted communication pathways for all port-to-port network
communications traversing the first NIC, comprising: i) intercepting network
connection
requests from source ports, the requests having associated destination port
numbers; ii)
verifying that the source ports are authorized to communicate with ports
having the
associated destination port numbers; iii) requesting the negotiation of
encrypted
communication pathways, the requesting comprising sending connection request
packets comprising the associated destination port numbers; and iv)
authorizing the
encrypted communication pathways, comprising comparing node identifiers, user-
application identifiers, and payload data-type identifiers received from the
encrypted
communication pathways with pre-defined authorization codes; and C) refraining
from
establishing authorized encrypted communication pathways for all port-to-port
network
communications traversing the second NIC.
[00100] Certain embodiments may provide, for example, a method of secure
network
communications with an application running on a networked processor node. In
certain
embodiments, for example, the method may comprise receiving first network
packets at
a first NIC of the networked processor node, the first network packets
comprising first
payloads. In certain embodiments, for example, the method may comprise passing
the
first payloads to the running application. In certain embodiments, for
example, the
method may comprise generating second payloads in response to the passed first
payloads. In certain embodiments, for example, the method may comprise
directing
second network packets to a second NIC of the networked processor node, the
second
network packets comprising the second payloads, the second NIC different from
the first
NIC. In certain embodiments, for example, the method may comprise confirming
the
second network packets are directed to a pre-defined authorized destination
process
operating on a pre-defined authorized destination node.
[00101] A. In certain embodiments, for example, the method may further
comprise:
confirming the running application is pre-authorized to communicate with pre-
defined
authorized destination node.
[00102] Certain embodiments may provide, for example, a method of secure
network
communications with an application running on a networked processor node. In
certain
embodiments, for example, the method may comprise directing first network
packets to a
first NIC of the networked processor node, the first network packets
comprising
payloads. In certain embodiments, for example, the method may comprise further
41
CA 03077203 2020-03-26
WO 2019/071126 PCT/US2018/054609
directing second network packets to a second NIC of the networked processor
node, the
second network packets comprising at least a portion of the payloads, the
second NIC
different from the first NIC. In certain embodiments, for example, the method
may
comprise confirming the second network packets are from a pre-defined
authorized
source process operating on a pre-defined authorized source node and directed
to a pre-
defined authorized destination process operating on a pre-defined authorized
destination
node.
[00103] A. In certain embodiments, for example, the first NIC may be pre-
defined. In
certain embodiments, for example, the second NIC may be pre-defined. In
certain
embodiments, for example, the pre-defined authorized source process may be a
network
security process. In certain embodiments, for example, the pre-defined
authorized
source process may be the running application. In certain embodiments, for
example,
the first NIC may be in wired communication with a single edge device. In
certain
embodiments, for example, the processor node may be a 2 Ethernet port
computer. In
certain embodiments, for example, no network communications between the pre-
defined
authorized source process and the pre-defined authorized destination process
may (or
may be permitted) to pass through the first NIC. In certain embodiments, for
example,
no network communications between the pre-defined authorized source node and
the
pre-defined authorized destination node may (or may be permitted) pass through
the first
NIC. In certain embodiments, for example, all network communications between
the pre-
defined authorized source process and the pre-defined authorized destination
process
may (or may be required) to pass through the second NIC. In certain
embodiments, for
example, all network communications between the pre-defined authorized source
node
and the pre-defined authorized destination node pass may (or may be required)
through
the second NIC.
[00104] B. In certain embodiments, for example, the first network packets may
be
communicated with a first network and the second network packets may be
communicated with a second network. In certain embodiments, for example, the
networked processor node may bridge communications between the first network
and
the second network. In certain embodiments, for example, the pre-defined first
NIC may
be isolated from the second network. In certain embodiments, for example, the
pre-
defined second NIC may be isolated from the first network. In certain
embodiments, for
example, all network packets communicated with the second network may be (or
may be
required) from a pre-defined authorized source process operating on a pre-
defined
authorized source node and directed to a pre-defined authorized destination
process
operating on a pre-defined authorized destination node. In certain
embodiments, for
42
CA 03077203 2020-03-26
WO 2019/071126 PCT/US2018/054609
example, the first NIC may communicate exclusively with the first network. In
certain
embodiments, for example, the second NIC may communicate exclusively with the
second network. In certain embodiments, for example, the first network may be
defined
by a first series of nodes and the second network may be defined by a second
series of
nodes, wherein the two series of nodes do not overlap (or overlap only with
respect to a
number of pre-determined nodes (for example one, two or three pre-determined
nodes)).
[00105] Certain embodiments may provide, for example, a method of secure
network
communications with an application running on a networked processor node,
comprising:
i) receiving first network packets at a first NIC of the networked processor
node, the first
network packets comprising first payloads; ii) passing the first payloads to
the running
application; iii) generating second payloads in response to the passed first
payloads; iv)
directing second network packets to a second NIC of the networked processor
node, the
second network packets comprising the second payloads, the second NIC
different from
the first NIC; and v) confirming the second network packets are directed to a
pre-defined
authorized destination process operating on a pre-defined authorized
destination node.
[00106] Certain embodiments may provide, for example, a method of secure
network
communications with an application running on a networked processor node,
comprising:
i) directing first network packets to a first NIC of the networked processor
node, the first
network packets comprising payloads; ii) further directing second network
packets to a
second NIC of the networked processor node, the second network packets
comprising at
least a portion of the payloads, the second NIC different from the first NIC;
and iii)
confirming the second network packets are from a pre-defined authorized source
process operating on a pre-defined authorized source node and directed to a
pre-defined
authorized destination process operating on a pre-defined authorized
destination node.
[00107] Certain embodiments may provide, for example, a method of securing
network communications processed by a gateway node interposed between a
secured
group of networked computers and an unsecured group of networked computers,
the
gateway node having at least two NICs. In certain embodiments, for example,
the
method may comprise performing network security operations on all network
packets
that traverse a first NIC of the at least two NICs, the network security
operations
comprising: confirming that network packets are from a pre-defined authorized
source
process operating on a pre-defined authorized source node and directed to a
pre-defined
authorized destination process operating on a pre-defined authorized
destination node.
In certain embodiments, for example, the method may comprise not performing
network
security operations on all network packets that traverse a pre-determined
second NIC of
the gateway node.
43
CA 03077203 2020-03-26
WO 2019/071126 PCT/US2018/054609
[00108] A. In certain embodiments, for example, the method may further
comprise:
preventing network packets configured according to a pre-determined network
security
protocol accessing the first NIC.
[00109] Certain embodiments may provide, for example, a method of securing
network communications processed by a gateway node interposed between a
secured
group of networked computers and an unsecured group of networked computers,
the
gateway node having at least two NICs, comprising: i) performing network
security
operations on all network packets that traverse a first NIC of the at least
two NICs, the
network security operations comprising: confirming that network packets are
from a pre-
defined authorized source process operating on a pre-defined authorized source
node
and directed to a pre-defined authorized destination process operating on a
pre-defined
authorized destination node; and ii) not performing network security
operations on all
network packets that traverse a pre-determined second NIC of the gateway node.
[00110] Certain embodiments may provide, for example, a method of securing
network communications with one or plural applications, the one or plural
applications
running on one or plural networked processor nodes comprising plural NICs. In
certain
embodiments, for example, the method may comprise confirming network packets
traversing the plural NICs are from a pre-defined authorized source process
operating on
a pre-defined authorized source node and directed to a pre-defined authorized
destination process operating on a pre-defined authorized destination node. In
certain
embodiments, for example, the method may be subject to a proviso that the
confirming is
not performed on network packets traversing a pre-defined first subset of the
one or
plural NICs. In certain embodiments, for example, the method may be subject to
a
proviso that the confirming is performed only on network packets traversing a
pre-
defined second subset of the one or plural NICs.
[00111] A. In certain embodiments, for example, the pre-defined first subset
of the
one or plural NICs may not overlap with the pre-defined second subset of the
one or
plural NICs. In certain embodiments, for example, the pre-defined first subset
of the one
or plural NICs, the pre-defined second subset of the one or plural NICs, and
the third
subset of the one or plural NICs may not overlap. In certain embodiments, for
example,
the networked processor node may bridge all network communications between a
first
network and a second network. In certain embodiments, for example, the pre-
defined
first subset of the one or plural NICs may be dedicated to network
communication with
the first network. In certain embodiments, for example, the pre-defined second
subset of
the one or plural NICs may be dedicated to network communication with the
second
network.
44
CA 03077203 2020-03-26
WO 2019/071126 PCT/US2018/054609
[00112] Certain embodiments may provide, for example, a method of securing
network communications with one or plural applications, the one or plural
applications
running on one or plural networked processor nodes comprising plural NICs. In
certain
embodiments, for example, the method may comprise confirming network packets
traversing the plural NICs are from a pre-defined authorized source process
operating on
a pre-defined authorized source node and directed to a pre-defined authorized
destination process operating on a pre-defined authorized destination node. In
certain
embodiments, for example, the confirming may be subject to the proviso that
the
confirming is not performed on network packets traversing a pre-defined first
subset of
the one or plural NICs. In certain embodiments, for example, the confirming
may be
subject to the proviso that the confirming is performed only on network
packets
traversing a pre-defined second subset of the one or plural NICs.
[00113] Certain embodiments may provide, for example, a method of secure
communication between a first network and a second network. In certain
embodiments,
for example, the method may comprise communicating first network packets
between
the first network and an application running in a first virtual machine of a
networked
processor node via a first NIC of the networked processor node. In certain
embodiments, for example, the method may comprise passing second network
packets
between the application and a second virtual machine of the networked
processor node,
the second network packets comprising payloads. In certain embodiments, for
example,
the method may comprise confirming third network packets passed between the
second
virtual machine and a second network via a pre-defined second NIC of the
networked
processor node are from a pre-defined authorized source process operating on a
pre-
defined authorized source node and directed to a pre-defined authorized
destination
process operating on a pre-defined authorized destination node, the third
network
packets comprising at least a portion of the payloads, the pre-defined second
NIC
different from the pre-defined first NIC.
[00114] A. In certain embodiments, for example, the second network packets may
be
passed in response to the communicating the first network packets. In certain
embodiments, for example, the first network packets may be passed in response
to the
passing the second network packets.
[00115] Certain embodiments may provide, for example, a method of secure
communication between a first network and a second network, comprising: i)
communicating first network packets between the first network and an
application
running in a first virtual machine of a networked processor node via a first
NIC of the
networked processor node; ii) passing second network packets between the
application
CA 03077203 2020-03-26
WO 2019/071126 PCT/US2018/054609
and a second virtual machine of the networked processor node, the second
network
packets comprising payloads; and iii) confirming third network packets passed
between
the second virtual machine and a second network via a pre-defined second NIC
of the
networked processor node are from a pre-defined authorized source process
operating
on a pre-defined authorized source node and directed to a pre-defined
authorized
destination process operating on a pre-defined authorized destination node,
the third
network packets comprising at least a portion of the payloads, the pre-defined
second
NIC different from the pre-defined first NIC.
[00116] Certain embodiments may provide, for example, a method of secure
communication between a first network and a second network. In certain
embodiments,
for example, the method may comprise communicating first network packets
between
the first network and an application running in a first virtual machine of a
first networked
processor node, the first network packets communicated via a pre-defined first
NIC of
the first networked processor node. In certain embodiments, for example, the
method
may comprise passing second network packets between the application and
network
security software, the network software running on a second network processor
node,
the second network packets passed via a second NIC of the first processor node
and a
first NIC of the second processor node, the first NIC of the first processor
node different
from the second NIC of the first processor node, the second network packets
comprising
payloads. In certain embodiments, for example, the method may comprise
confirming
third network packets passed between the network security software and a
second
network are from a pre-defined authorized source process operating on a pre-
defined
authorized source node and directed to a pre-defined authorized destination
process
operating on a pre-defined authorized destination node, the third network
packets
passed via a pre-defined second NIC of the second networked processor node,
the pre-
defined second NIC of the second networked processor node different from the
pre-
defined first NIC of the second networked processor node, the third network
packets
comprising at least a portion of the payloads.
[00117] A. In certain embodiments, for example, the first NIC of the second
processor
node may be a default gateway for the first processor node. In certain
embodiments, for
example, the first NIC of the second processor node is the destination address
of the
second network packets.
[00118] Certain embodiments may provide, for example, a method of secure
communication between a first network and a second network, comprising: i)
communicating first network packets between the first network and an
application
running in a first virtual machine of a first networked processor node, the
first network
46
CA 03077203 2020-03-26
WO 2019/071126 PCT/US2018/054609
packets communicated via a pre-defined first NIC of the first networked
processor node;
ii) passing second network packets between the application and network
security
software, the network software running on a second network processor node, the
second
network packets passed via a second NIC of the first processor node and a
first NIC of
the second processor node, the first NIC of the first processor node different
from the
second NIC of the first processor node, the second network packets comprising
payloads; and iii) confirming third network packets passed between the network
security
software and a second network are from a pre-defined authorized source process
operating on a pre-defined authorized source node and directed to a pre-
defined
authorized destination process operating on a pre-defined authorized
destination node,
the third network packets passed via a pre-defined second NIC of the second
networked
processor node, the pre-defined second NIC of the second networked processor
node
different from the pre-defined first NIC of the second networked processor
node, the third
network packets comprising at least a portion of the payloads.
[00119] Certain embodiments may provide, for example, a product for securing
communications of a plurality of networked computing devices, the product
comprising a
non-transitory computer-readable storage medium having computer-readable
program
code embodied therein, the computer-readable program code executable by a
first
computing device to perform communication management operations, the
communication management operations comprising: i) sending a nonpublic first
identification code for the first computing device to a software port on a
second
computing device via a pre-established communication pathway; ii) receiving,
in
response to the sending the nonpublic first identification code, a nonpublic
second
identification code for the second computing device; iii) comparing the
nonpublic second
identification code with a pre-established value for the second computing
device; iv)
further sending a first application identifier for a first user-application to
the second
computing device via the pre-established communication pathway; v) further
receiving, in
response to the sending the first application identifier, a second application
identifier for a
second user-application; vi) comparing the second application identifier with
a pre-
established value for the second user-application; vii) confirming application
data
received from the second user-application conforms to a data model assigned to
a
predetermined port number, a data range assigned to the predetermined port
number,
and a command type assigned to the predetermined port number, the
predetermined
port number assigned to the first user-application and/or the second user-
application;
followed by viii) passing the confirmed application data to the first user-
application.
47
CA 03077203 2020-03-26
WO 2019/071126 PCT/US2018/054609
[00120] A. In certain embodiments, for example, the nonpublic second
identification
code may be obtained from a network packet. In certain embodiments, for
example, the
nonpublic second identification code may be obtained from a portion of the
network
packet that is higher-than-OSI layer three and lower-than-OSI layer seven. In
certain
embodiments, for example, the comparing may be initiated in a kernel space of
the first
computing device.
[00121] B. In certain embodiments, for example, the pre-established value may
be
preprovisioned on nonvolatile storage media of the first computing device. In
certain
embodiments, for example, the communication management operations may further
comprise: decrypting the nonpublic second identification code with a single-
use
cryptographic key.
[00122] C. In certain embodiments, for example, the nonpublic first
identification code
and the nonpublic second identification code may be shared secrets between the
first
computing device and the second computing device.
[00123] D. In certain embodiments, for example, the communication management
operations may further comprise translating, prior to the passing, the
application data
from a first pre-established format to a second pre-established format. In
certain
embodiments, for example, the communication management operations may further
comprise: determining the first pre-established format and the second pre-
established
format from (a) a data model identification code assigned to the data model
and/or (b)
the predetermined port number.
[00124] E. In certain embodiments, for example, the communication management
operations may further comprise: sending the first application identifier and
a data model
identifier assigned to the data model to the second computing device in a
single network
packet.
[00125] F. In certain embodiments, for example, the comparing the nonpublic
second
identification code and the comparing the second application identifier may be
performed
prior to any communication of application data between the first user-
application and the
second user-application.
[00126] G. In certain embodiments, for example, the communication management
operations may further comprise: i) receiving a data packet from a first port
assigned to
the first user-application, the first port hosted on the first computing
device, the data
packet comprising a payload and a second port number; and ii) assembling a
packet
segment for the received data packet, the packet segment comprising the
payload, the
first application identifier, and a data model identifier assigned to the data
model. In
certain embodiments, for example, the pre-established communication pathway
may
48
CA 03077203 2020-03-26
WO 2019/071126 PCT/US2018/054609
have a one-to-one correspondence to an n-tuple comprising the first
application
identifier, the second application identifier, the second port number, and the
data model
identifier. In certain embodiments, for example, each of a series of network
packet
communications of user-application data between the first port and the second
port may
comprise: transmission of a network packet to a third port, the third port
assigned to
network security software resident on the second computing device, the third
port having
a one-to-one correspondence with the second port number, the second port
number
assigned to the second port, the second port assigned to the second user-
application,
the network packet comprising the first application identifier and the data
model identifier.
In certain embodiments, for example, the first application identifier and the
data model
identifier in the each of the series of network packet communications may be
encrypted
by one of a series of single-use encryption keys. In certain embodiments, for
example,
all communications of user-application data between the first port and the
second port
may comprise the series of network packet communications.
[00127] H. In certain embodiments, for example, the communication management
operations may further comprise: i) intercepting a network connection request
from a first
port assigned to the first user-application, the first port hosted by the
first computing
device, the request comprising a second port number; and ii) verifying that
the first user-
application is specifically authorized to communicate with a second port, the
second port
number assigned to the second port. In certain embodiments, for example, the
verifying
may be performed prior to forming the pre-established communication pathway.
[00128] I. In certain embodiments, for example, the communication management
operations may further comprise: i) intercepting a network connection request
from a
second port, the second port hosted by the second computing device, the
request
comprising a first port number; and ii) verifying that a first port is
specifically authorized to
receive packet data from the second port, the first port number assigned to
the first port.
In certain embodiments, for example, the communication management operations
may
further comprise: confirming that the second computing device has consulted a
pre-
specified local policy to specifically authorize network packet communication
between
the first port and the second port. In certain embodiments, for example, the
communication management operations may further comprise: receiving an
encrypted
identifier for the pre-specified local policy from the second computing
device. In certain
embodiments, for example, the pre-specified local policy may comprise a
record, the
record comprising the first application identifier, the second application
identifier, the data
model identifier, and the first port number. In certain embodiments, for
example, the pre-
specified local policy may further comprise a flag, the flag specifying
whether the
49
CA 03077203 2020-03-26
WO 2019/071126 PCT/US2018/054609
communication pathway is unidirectional or bidirectional. In certain
embodiments, for
example, the intercepting may be initiated in a kernel space of the first
computing device.
In certain embodiments, for example, the communication management operations
may
further comprise: i) receiving a network packet via the communication pathway,
the
network packet comprising the first port number, data from the second user-
application,
the second application identifier, and the data model identifier; and ii)
comparing the
second application identifier and the data model identifier with pre-
established values,
the pre-established values identified based on the first port number. In
certain
embodiments, for example, the second application identifier and the data model
identifier
may be located in higher-than-OSI layer three portions of the network packet.
In certain
embodiments, for example, the comparing may be initiated in a kernel of the
first
computing device. In certain embodiments, for example, the communication
management operations may further comprise: translating the data from the
second
user-application to a format expected by the first user-application.
[00129] J. In certain embodiments, for example, the communication management
operations may further comprise: confirming that further application data
received from
the first user-application conforms to a further data model assigned to a
further
predetermined port number, a further data range assigned to the further
predetermined
port number, and a further command type assigned to the further predetermined
port
number, the further predetermined port number assigned to the first user-
application
and/or the second user-application; followed by passing the confirmed further
application
data to the second user-application.
[00130] K. In certain embodiments, for example, a portion of the communication
management operations may be configured for execution in a kernel space of the
first
computing device, and a further portion of the communication management
operations
are configured for execution in an application space of the first computing
device.
[00131] Certain embodiments may provide, for example, a product for securing
communications of a plurality of networked computing devices (for example
network
packet-based communications among the network computing devices over a
network),
the product comprising a non-transitory computer-readable storage medium
having
computer-readable program code embodied therein, the computer-readable program
code executable by a first computing device to perform communication
management
operations. In certain embodiments, for example, the communication management
operations may comprise sending a nonpublic first identification code (for
example
sending an encrypted nonpublic first identification code) for the first
computing device
(for example the nonpublic first identification code may be assigned to the
first computing
CA 03077203 2020-03-26
WO 2019/071126 PCT/US2018/054609
device) to a software port on a second computing device via a pre-established
communication pathway. In certain embodiments, for example, the communication
management operations may comprise receiving, in response to the sending (or
in
response to receipt of the nonpublic first identification code by the second
computing
device), a nonpublic second identification code for the second computing
device (for
example the nonpublic second identification code may be assigned to the second
computing device). In certain embodiments, for example, the communication
management operations may comprise comparing the nonpublic second
identification
code with a pre-established (or preconfigured, predefined, or preprovisioned)
value for
the second computing device (for example the pre-established value may be
assigned to
the second computing device).
[00132] A. In certain embodiments, for example, the nonpublic second
identification
code may be obtained from a network packet. In certain embodiments, for
example, the
nonpublic second identification code may be obtained from a higher-than-Open
Systems
Interconnection (OSI) layer three portion (for example one or more of an OSI
layer four
portion, an OSI layer five portion, an OSI layer six portion, an OSI layer
seven portion, or
a layer between one or more of an OSI layer three portion, an OSI layer four
portion, an
OSI layer five portion, an OSI layer six portion, or an OSI layer seven
portion) of the
network packet. In certain embodiments, for example, the comparing may be
initiated in
a kernel space of the first computing device. In certain embodiments, for
example, the
comparing may be partially performed in an application space of the first
computing
device.
[00133] B. In certain embodiments, for example, the pre-established value may
be
preprovisioned on nonvolatile storage media of the first computing device. In
certain
embodiments, for example, the communication management operations may further
comprise: decrypting the nonpublic second identification code with a single-
use
cryptographic key. In certain embodiments, for example, the single-use
cryptographic
key may be rotated to obtain a further cryptographic key for use in further
decrypting.
[00134] C. In certain embodiments, for example, the nonpublic first
identification code
and the nonpublic second identification code may be shared secrets between the
first
computing device and the second computing device.
[00135] D. In certain embodiments, for example, the communication management
operations may further comprise sending a first application identifier for a
first user-
application (for example the first application identifier may be assigned to
the first user-
application) to the second computing device via the pre-established
communication
pathway. In certain embodiments, for example, the communication management
51
CA 03077203 2020-03-26
WO 2019/071126 PCT/US2018/054609
operations may further comprise receiving, in response to the sending, a
second
application identifier for a second user-application (for example the second
application
identifier may be assigned to the second user-application). In certain
embodiments, for
example, the communication management operations may further comprise
comparing
the second application identifier with a pre-established value for the second
user-
application. In certain embodiments, for example, the communication management
operations may further comprise sending a data type identifier for the pre-
established
communication pathway via the pre-established communication pathway. In
certain
embodiments, for example, the communication management operations may further
comprise receiving, in response to the sending, the data type identifier from
the second
computing device. In certain embodiments, for example, the communication
management operations may further comprise comparing the received data type
identifier with a pre-established value for the pre-established communication
pathway. In
certain embodiments, for example, the first application identifier and the
data type
identifier may be sent to the second computing device in a single network
packet. In
certain embodiments, for example, the comparing the nonpublic second
identification
code, the comparing the second application identifier, and the comparing the
received
data type identifier may be performed prior to any communication of
application data
between the first user-application and the second user-application. In certain
embodiments, for example, the communication management operations may further
comprise receiving a data packet from a first port assigned to the first user-
application,
the first port hosted on the first computing device, the data packet
comprising a payload
and a second port number. In certain embodiments, for example, the
communication
management operations may further comprise assembling a packet segment for the
received data packet, the packet segment comprising the payload, the first
application
identifier, and the data type identifier. In certain embodiments, for example,
the pre-
established communication pathway may have a one-to-one correspondence to an n-
tuple comprising the first application identifier, the second application
identifier, the
second port number, and the data type identifier. In certain embodiments, for
example,
each of a series of network packet communications of user-application data
between the
first port and the second port may comprise: transmission of a network packet
to a third
port, the third port assigned to network security software resident on the
second
computing device, the third port having a one-to-one correspondence with the
second
port number, the second port number assigned to the second port, the second
port
assigned to the second user-application, the network packet comprising the
first
application identifier and the data type identifier. In certain embodiments,
for example,
52
CA 03077203 2020-03-26
WO 2019/071126 PCT/US2018/054609
the first application identifier and the data type identifier in the each of
the series of
network packet communications may be encrypted by one of a series of single-
use
encryption keys. In certain embodiments, for example, all communications of
user-
application data between the first port and the second port may comprise the
series of
network packet communications. In certain embodiments, for example, the
communication management operations may further comprise intercepting a
network
connection request from a first port assigned to the first user-application,
the first port
hosted by the first computing device, the request comprising a second port
number. In
certain embodiments, for example, the communication management operations may
further comprise verifying that the first user-application is specifically
authorized to
communicate with a second port, the second port number assigned to the second
port.
In certain embodiments, for example, the verifying may be performed prior to
forming the
pre-established communication pathway. In certain embodiments, for example,
the
communication management operations may further comprise intercepting a
network
connection request from a second port, the second port hosted by the second
computing
device, the request comprising a first port number. In certain embodiments,
for example,
the communication management operations may further comprise verifying that a
first
port is specifically authorized to receive packet data from the second port,
the first port
number assigned to the first port. In certain embodiments, for example, the
communication management operations may further comprise confirming that the
second computing device has consulted a pre-specified local policy to
specifically
authorize network packet communication between the first port and the second
port. In
certain embodiments, for example, the communication management operations may
further comprise: receiving an encrypted identifier for the pre-specified
local policy from
the second computing device. In certain embodiments, for example, the pre-
specified
local policy may comprise a record, the record comprising the first
application identifier,
the second application identifier, the data type identifier, and the first
port number. In
certain embodiments, for example, the pre-specified local policy may further
comprise a
flag, the flag specifying whether the communication pathway is unidirectional
or
bidirectional. In certain embodiments, for example, the intercepting may be
initiated in a
kernel space of the first computing device. In certain embodiments, for
example, the
communication management operations may further comprise receiving a network
packet via the communication pathway, the network packet comprising the first
port
number, data from the second user-application, the second application
identifier, and the
data type identifier. In certain embodiments, for example, the communication
management operations may further comprise comparing the second application
53
CA 03077203 2020-03-26
WO 2019/071126 PCT/US2018/054609
identifier and the data type identifier with pre-established values, the pre-
established
values identified based on the first port number. In certain embodiments, for
example,
the second application identifier and the data type identifier may be located
in higher-
than-OSI layer three portions (for example one or more of OSI layer four
portions, OSI
layer five portions, OSI layer six portions, OSI layer seven portions, or
layers between
one or more of the OSI layer three portions, OSI layer four portions, OSI
layer five
portions, OSI layer six portions, or OSI layer seven portions) of the network
packet. In
certain embodiments, for example, the comparing may be initiated in a kernel
of the first
computing device. In certain embodiments, for example, the communication
management operations may further comprise: translating the data from the
second
user-application to a format expected by the first user-application. In
certain
embodiments, for example, the data from the second user-application may be
translated
from a pre-established format, the pre-established format determined from the
data type
identifier.
[00136] E. In certain embodiments, for example, the communication management
operations may comprise, prior to assembling the packet segment (and prior to
one or
more translation steps if the data undergoes translation), using the data type
identifier to
obtain a data definition for the payload or a portion of the payload, and
evaluating the
payload to determine whether the payload (or the portion of the payload)
complies with
the data definition. In certain embodiments, for example, the data definition
may
comprise a required protocol header (for example a header for an MQTT
payload), a list
(for example a list of one) of allowed data types (for example integer, text,
or floating
point data types), a required value pair (for example a field description and
a value
having a specified data type), and/or required control characters (for example
one or
more required ASCII code characters at predetermined positions in the
payload). In
certain embodiments, for example, the communication management operations may
comprise discarding (and taking no further steps to transmit) the payload if
the payload
does not comply with the data definition. In certain embodiments, for example,
the
communication management operations may comprise, prior to assembling the
packet
segment, comparing the payload or portions of the payload based on the data
type
identifier against one or more pre-authorized ranges (for example minimum
and/or
maximum values and/or discrete allowed values for numerical data, or for
example a
range or allowed values for text data) and evaluating the payload to determine
whether
the payload (or the portion of the payload) falls within the one or more pre-
authorized
ranges. In certain embodiments, for example, the communication management
operations may comprise discarding (and taking no further steps to transmit)
the payload
54
CA 03077203 2020-03-26
WO 2019/071126 PCT/US2018/054609
if the payload (or the portion of the payload) does not fall within the one or
more pre-
authorized ranges. In certain embodiments, for example, the communication
management operations may comprise, prior to assembling the packet segment,
using
the data type identifier to obtain a list of pre-authorized commands and/or a
list of
prohibited commands (for example database instruction commands such as SQLread
and SQLwrite), and evaluating the payload to determine whether the payload (or
the
portion of the payload) contains one of the pre-authorized commands and/or
does not
contain one of the prohibited commands. In certain further embodiments, for
example,
the list of pre-authorized commands may be exclusive. In certain embodiments,
for
example, the communication management operations may comprise discarding (and
taking no further steps to transmit) the payload if the payload (or the
portion of the
payload) does not contain one of the pre-authorized commands and/or contains
one of
the prohibited commands.
[00137] F. In certain embodiments, for example, the communication management
operations may comprise, after receiving the network packet via the
communication
pathway, using the data type identifier to obtain a data definition for the
data from the
second user-application or a portion thereof, and evaluating said data to
determine
whether the data (or the portion thereof) complies with the data definition.
In certain
embodiments, for example, the data definition may comprise a required protocol
header
(for example a header for an MQTT payload), a list (for example a list of one)
of allowed
data types (for example integer, text, or floating point data types), a
required value pair
(for example a field description and a value having a specified data type),
and/or
required control characters (for example one or more required ASCII code
characters at
predetermined positions in the payload). In certain embodiments, for example,
the
communication management operations may comprise discarding (and taking no
further
steps to transmit) the received network packet (including the data) if the
data does not
comply with the data definition. In certain embodiments, for example, the
communication
management operations may comprise, after receiving the network packet via the
communication pathway, using the data type identifier to obtain one or more
allowed
ranges (for example minimum and/or maximum values and/or discrete allowed
values for
numerical data, or for example a range or allowed values for text data) for
the data or a
portion thereof, and evaluating the data to determine whether the data (or the
portion
thereof) falls within the one or more allowed ranges. In certain embodiments,
for
example, the communication management operations may comprise discarding (and
taking no further steps to transmit) the data if the data (or the portion of
the data) does
not fall within the one or more allowed ranges. In certain embodiments, for
example, the
CA 03077203 2020-03-26
WO 2019/071126 PCT/US2018/054609
communication management operations may comprise, after receiving the network
packet via the communication pathway, using the data type identifier to obtain
a list of
allowed commands and/or a list of prohibited commands (for example database
instruction commands such as SQLread and SQLwrite), and evaluating the data to
determine whether the data (or the portion of the data) contains one of the
allowed
commands and/or does not contain one of the prohibited commands. In certain
further
embodiments, for example, the list of allowed commands may be exclusive. In
certain
embodiments, for example, the communication management operations may comprise
discarding (and taking no further steps to consume) the data if the data (or
the portion of
the data) does not contain one of the allowed commands and/or contains one of
the
prohibited commands.
[00138] G. In certain embodiments, for example, the nonpublic first
identification code
may be preprovisioned on the first computing device as a static value (for
example in an
encrypted configuration file) that is used each time the first computing
device executes
the communication management operations (and the nonpublic second
identification
code may be similarly preprovisioned on the second computing device) as
described
herein. In certain other embodiments, for example, the nonpublic first
identification code
(and/or nonpublic second identification code) may be obtained by requesting a
security
token (or token pair) for the first port (for example during establishment of
the port in a
listening mode, prior to sending a connection request, or during or after
establishment of
the pre-established communication pathway). In certain embodiments, for
example, the
request may specify identifiers (for example public identifiers) for the first
computing
device and the second computing device, and the token (or token pair) returned
in
response to the request may be a function of the first computing device and
the second
computing device. In certain embodiments, for example, the second computing
device
may also obtain a token (or token pair) complimentary to the token (or token
pair)
received by the first computing device. In certain embodiments, for example, a
new
token (or pair of tokens) is generated each time a connection between the
first
computing device and the second computing device is established. In certain
embodiments, for example, all communications between the first computing
device and
the third computing device and all communications between the second computing
device and the third computing device, are secured by one of the methods,
systems,
products, communication management operations, software, middleware, computing
infrastructure and/or apparatus disclosed herein.
[00139] H. In certain embodiments, for example, the application identifier for
the first
user-application may be preprovisioned on the first computing device as a
static value
56
CA 03077203 2020-03-26
WO 2019/071126 PCT/US2018/054609
(for example in an encrypted configuration file) that is used each time the
first computing
device executes the communication management operations (and the application
identifier for the second user-application may be similarly preprovisioned on
the second
computing device) as described herein. In certain other embodiments, for
example, the
application identifier for the first user-application (and/or application
identifier for the
second user-application) may be obtained by requesting a security token (or
token pair)
for the first port (for example during establishment of the port in a
listening mode, prior to
sending a connection request, or during or after establishment of the pre-
established
communication pathway). In certain embodiments, for example, the request may
specify
identifiers for the first user-application and the second user-application
(and optionally
the data type), and the token (or token pair) returned in response to the
request may be
a function of the identifiers for the first user-application and the second
user-application
(and optionally the data type). In certain embodiments, for example, the
second
computing device may also obtain a token (or token pair) complimentary to the
token (or
token pair) received by the first computing device. In certain embodiments,
for example,
a new token (or pair of tokens) is generated each time a connection between
the first
computing device and the second computing device is established. In certain
embodiments, for example, all communications between the first computing
device and
the third computing device and all communications between the second computing
device and the third computing device, are secured by one of the methods,
systems,
products, communication management operations, software, middleware, computing
infrastructure and/or apparatus disclosed herein.
[00140] I. In certain embodiments, for example, all authentication and
authorization
parameters required to perform the communication management operations may be
obtained from a local encrypted configuration file installed on a first node
(for example
the first computing device). In certain embodiments, for example, the local
encrypted
configuration file may include only those authentication and authorization
parameters
required by the first node to conduct pre-authorized communications. In
certain other
embodiments, for example, at least a portion (for example all) authentication
and
authorization parameters required to perform the communication management
operations (whether static parameters or dynamically generated tokens or token
pairs)
may be obtained from a third node (for example a credentialing server). In
certain
embodiments, for example, the communication management operations may comprise
obtaining the nonpublic first identification code, the pre-established value
for the second
computing device, the first application identifier, the pre-established value
for the second
user-application, the data type identifier, the pre-established value for the
received data
57
CA 03077203 2020-03-26
WO 2019/071126 PCT/US2018/054609
type identifier, the first port number, the second port number, the third port
number, the
data definition, the protocol header, the list of allowed data types, the
required value pair,
the required control characters, the one or more allowed ranges, the list of
allowed
commands, and/or the list of prohibited commands from at least a third node
(for
example a credentialing server). In certain embodiments, for example, one or
more (for
example all) of the nonpublic first identification code, the pre-established
value for the
second computing device, the first application identifier, the pre-established
value for the
second user-application, the data type identifier, the pre-established value
for the
received data type identifier, the first port number, the second port number,
the third port
number, the data definition, the protocol header, the list of allowed data
types, the
required value pair, the required control characters, the one or more allowed
ranges, the
list of allowed commands, and the list of prohibited commands may be obtained
upon
request, periodically, on boot-up of the first node or the third node, or upon
establishment
of a communication pathway between the first node and the third node. In
certain
embodiments, for example, two or more (for example all) of the nonpublic first
identification code, the pre-established value for the second computing
device, the first
application identifier, the pre-established value for the second user-
application, the data
type identifier, the pre-established value for the received data type
identifier, the first port
number, the second port number, the third port number, the data definition,
the protocol
header, the list of allowed data types, the required value pair, the required
control
characters, the one or more allowed ranges, the list of allowed commands, and
the list of
prohibited commands may be obtained simultaneously, essentially
simultaneously, or
sequentially. In certain embodiments, for example, a portion or all the
obtaining may be
performed during boot up of the first computing device (including for example,
obtaining
all necessary parameters for communicating with remote computing devices at
boot up
of the first computing devices). In certain embodiments, for example, a
portion or all of
the obtaining may be performed dynamically (for example in response to a
confirmation
that a communication pathway has been established (for example upon
establishment of
the pre-established communication pathway). In certain embodiments, for
example, the
third node may maintain a master configuration file of a portion or all
necessary
authentication and authorization parameters for port-to-port communications
between a
plurality of networked computing devices.
[00141] J. In certain embodiments, for example, a portion of the communication
management operations may be configured for execution in a kernel space of the
first
computing device, and a further portion of the communication management
operations
may be configured for execution in an application space of the first computing
device.
58
CA 03077203 2020-03-26
WO 2019/071126 PCT/US2018/054609
[00142] Certain embodiments may provide, for example, a product for securing
communications of a plurality of networked computing devices, the product
comprising a
non-transitory computer-readable storage medium having computer-readable
program
code embodied therein, the computer-readable program code executable by a
first
computing device to perform communication management operations, the
communication management operations comprising: i) sending a nonpublic first
identification code for the first computing device to a software port on a
second
computing device via a pre-established communication pathway; ii) receiving,
in
response to the sending, a nonpublic second identification code for the second
computing device; and iii) comparing the nonpublic second identification code
with a pre-
established value for the second computing device.
[00143] A. In certain embodiments, for example, the nonpublic second
identification
code may be obtained from a network packet. In certain embodiments, for
example, the
nonpublic second identification code may be obtained from a higher-than-OSI
layer three
portion (for example one or more of an OSI layer four portion, an OSI layer
five portion,
an OSI layer six portion, an OSI layer seven portion, or a layer between one
or more of
an OSI layer three portion, an OSI layer four portion, an OSI layer five
portion, an OSI
layer six portion, or an OSI layer seven portion) of the network packet. In
certain
embodiments, for example, the comparing may be initiated in a kernel space of
the first
computing device. In certain embodiments, for example, the comparing may be
partially
performed in an application space of the first computing device.
[00144] B. In certain embodiments, for example, the pre-established value may
be
preprovisioned on nonvolatile storage media of the first computing device. In
certain
embodiments, for example, the communication management operations may further
comprise: decrypting the nonpublic second identification code with a single-
use
cryptographic key. In certain embodiments, for example, the single-use
cryptographic
key may be rotated to obtain a further cryptographic key for use in further
decrypting.
[00145] C. In certain embodiments, for example, the nonpublic first
identification code
and the nonpublic second identification code may be shared secrets between the
first
computing device and the second computing device.
[00146] D. In certain embodiments, for example, the communication management
operations may further comprise: i) sending a first application identifier for
a first user-
application to the second computing device via the pre-established
communication
pathway; ii) receiving, in response to the sending, a second application
identifier for a
second user-application; and iii) comparing the second application identifier
with a pre-
established value for the second user-application. In certain embodiments, for
example,
59
CA 03077203 2020-03-26
WO 2019/071126 PCT/US2018/054609
the communication management operations may further comprise: i) sending a
data type
identifier for the pre-established communication pathway via the pre-
established
communication pathway; ii) receiving, in response to the sending, the data
type identifier
from the second computing device; and iii) comparing the received data type
identifier
with a pre-established value for the pre-established communication pathway. In
certain
embodiments, for example, the first application identifier and the data type
identifier may
be sent to the second computing device in a single network packet. In certain
embodiments, for example, the comparing the nonpublic second identification
code, the
comparing the second application identifier, and the comparing the received
data type
identifier may be performed prior to any communication of application data
between the
first user-application and the second user-application. In certain
embodiments, for
example, the communication management operations may further comprise: i)
receiving
a data packet from a first port assigned to the first user-application, the
first port hosted
on the first computing device, the data packet comprising a payload and a
second port
number; and ii) assembling a packet segment for the received data packet, the
packet
segment comprising the payload, the first application identifier, and the data
type
identifier. In certain embodiments, for example, the pre-established
communication
pathway may have a one-to-one correspondence to an n-tuple comprising the
first
application identifier, the second application identifier, the second port
number, and the
data type identifier. In certain embodiments, for example, each of a series of
network
packet communications of user-application data between the first port and a
second port
may comprise: the first application identifier and the data type identifier,
the second port
assigned to the second user-application, the second port number assigned to
the second
port. In certain embodiments, for example, the first application identifier
and the data
type identifier in the each of the series of network packet communications may
be
encrypted by one of a series of single-use encryption keys. In certain
embodiments, for
example, the series of network packet communications may comprise all network
packet
communications of user-application data between the first port and the second
port. In
certain embodiments, for example, the communication management operations may
further comprise: i) intercepting a network connection request from a first
port assigned
to the first user-application, the first port hosted by the first computing
device, the request
comprising a second port number; and ii) verifying that the first user-
application is
specifically authorized to communicate with a second port, the second port
number
assigned to the second port. In certain embodiments, for example, the
verifying may be
performed prior to forming the pre-established communication pathway. In
certain
embodiments, for example, the communication management operations may further
CA 03077203 2020-03-26
WO 2019/071126 PCT/US2018/054609
comprise: i) intercepting a network connection request from a second port, the
second
port hosted by the second computing device, the request comprising a first
port number;
and ii) verifying that a first port is specifically authorized to receive
packet data from the
second port, the first port number assigned to the first port. In certain
embodiments, for
example, the communication management operations may further comprise
confirming
that the second computing device has consulted a pre-specified local policy to
specifically authorize network packet communication between the first port and
the
second port. In certain embodiments, for example, the communication management
operations may further comprise: receiving an encrypted identifier for the pre-
specified
local policy from the second computing device. In certain embodiments, for
example, the
pre-specified local policy may comprise a record, the record comprising the
first
application identifier, the second application identifier, the data type
identifier, and the
first port number. In certain embodiments, for example, the pre-specified
local policy
may further comprise a flag, the flag specifying whether the communication
pathway is
unidirectional or bidirectional. In certain embodiments, for example, the
intercepting may
be initiated in a kernel space of the first computing device. In certain
embodiments, for
example, the communication management operations may further comprise: i)
receiving
a network packet via the communication pathway, the network packet comprising
the
first port number, data from the second user-application, the second
application
identifier, and the data type identifier; and ii) comparing the second
application identifier
and the data type identifier with pre-established values, the pre-established
values
identified based on the first port number. In certain embodiments, for
example, the
second application identifier and the data type identifier may be located in
higher-than-
OSI layer three portions (for example one or more of OSI layer four portions,
OSI layer
five portions, OSI layer six portions, OSI layer seven portions, or layers
between one or
more of the OSI layer three portions, OSI layer four portions, OSI layer five
portions, OSI
layer six portions, or OSI layer seven portions) of the network packet. In
certain
embodiments, for example, the comparing may be initiated in a kernel of the
first
computing device. In certain embodiments, for example, the communication
management operations may further comprise: translating the data from the
second
user-application to a format expected by the first user-application. In
certain
embodiments, for example, the data from the second user-application may be
translated
from a pre-established format, the pre-established format determined from the
data type
identifier.
[00147] E. In certain embodiments, for example, a portion of the communication
management operations may be configured for execution in a kernel space of the
first
61
CA 03077203 2020-03-26
WO 2019/071126 PCT/US2018/054609
computing device, and a further portion of the communication management
operations
may be configured for execution in an application space of the first computing
device.
[00148] Certain embodiments may provide, for example, a product for managing
communications of a plurality of networked computing devices. In certain
embodiments,
for example, the product may comprise a non-transitory computer-readable
storage
medium having computer-readable program code embodied therein. In certain
embodiments, for example, the computer-readable program code may be executable
(or
program code compilable, linkable, and/or loadable to be executable) by a
computing
device (for example a computing device executing an operating system (for
example a
Linux operating system, a Linux-based operating system, a real time operating
system, a
mini-operating system, an edge device operating system, and/or an open source
operating system)) to enable and/or cause the computing device to perform
communication management operations. In certain embodiments, for example, the
communication management operations may comprise establishing authorized
network
tunnels (for example network tunnels based on protocol which involve
encrypting a
network packet and inserting the encrypted network packet inside a packet for
transport
(such as I Psec protocol), or network tunnels based on Socket Secured Layer
protocol, or
network tunnels which require encryption of part of all of a packet payload
but do not
involve additional headers (for example do not involve packaging an IP packet
inside
another IP packet) for network communication on all port-to-port network
communications (for example unencrypted or encrypted payload communications)
among the plurality of networked computing devices (inclusive, for example, of
port-to-
port communications according to User Datagram Protocol (UDP) or Transmission
Control Protocol (TCP) between end-user application processes over a
network)). In
certain embodiments, for example, the port-to-port communications may be
between
user-application processes (inclusive of application processes having a
process owner
(or user)). In certain embodiments, for example, one or more of the user-
application
processes may reside in kernel and/or application space. In certain
embodiments, for
example, the establishing may comprise intercepting network connection
requests (for
example by network application programming interfaces) having associated
destination
port numbers. In certain embodiments, for example, the establishing may
comprise
identifying preconfigured, predefined, pre-established and/or preprovisioned
tunnel port
numbers (for example predefined tunnel port numbers associated with servers),
comprising identifying at least one (for example, one) preconfigured,
predefined, pre-
established and/or preprovisioned tunnel port number for each associated
destination
port number of the associated destination port numbers. In certain
embodiments, for
62
CA 03077203 2020-03-26
WO 2019/071126 PCT/US2018/054609
example, the establishing may comprise requesting the negotiation of network
tunnels,
the requesting comprising sending connection request packets comprising the
tunnel
port numbers (and also, for example, cipher suite parameters), each one of the
network
tunnels having a one-to-one correspondence with one of the tunnel port
numbers. In
certain embodiments, for example, the establishing may comprise authorizing
the
network tunnels, comprising comparing computing device identifiers, user-
application
identifiers (for example user-application identifiers derived from application
process
identifiers and/or application process owners, together or in parts), and
payload data-
type identifiers received from the network tunnels with preconfigured,
predefined, pre-
established and/or preprovisioned authorization codes. In certain further
embodiments,
for example, the computing device identifiers, user-application identifiers,
and/or payload
data-type identifiers may be encrypted and require decryption before the
comparing.
[00149] A. In certain embodiments, for example, the intercepting, identifying,
requesting, and authorizing may be transparent to all user-application
processes (for
example all processes (except optionally for processes executing portions of
the
program code) executing in (non-kernel) application space and having process
owners)
on the plurality of networked computing devices. In certain embodiments, for
example,
the intercepting may be performed by a network application programming
interface
having standard syntax (for example using modified network application
programming
interface functions that retain standard syntax, for example: bind(),
connect(), listen(),
UDP sendto(), UDP bindto(), and close() functions).
[00150] B. In certain embodiments, for example, the intercepting, identifying,
requesting, and authorizing may be self-executing. In certain further
embodiments, for
example, the intercepting, identifying, requesting, and authorizing may be
automatic. In
certain further embodiments, for example, the identifying, requesting, and
authorizing
may be automatically invoked following the intercepting. In certain
embodiments, for
example, the intercepting, identifying, and authorizing may occur in the
kernel spaces of
the plurality of networked computing devices. In certain embodiments, for
example, one
or more of the intercepting, identifying, and authorizing may occur in
application spaces
of the plurality of networked computing devices. In certain further
embodiments, for
example, at least a portion (for example all) of the non-transitory computer-
readable
storage medium may be resident on a deployment server.
[00151] C. In certain further embodiments, for example, at least a portion
(for
example, all) of the non-transitory computer-readable storage medium may be
resident
on flash drive. In certain embodiments, for example, the communication
management
operations may further comprise: preventing all user-application process ports
from
63
CA 03077203 2020-03-26
WO 2019/071126 PCT/US2018/054609
binding to a portion or all physical interfaces of the plurality of networked
computing
devices.
[00152] D. In certain embodiments, for example, user-application process ports
may
transmit packets to network security software process ports by loopback
interfaces. In
certain embodiments, for example, user-application process ports may transmit
packets
to network security software process ports by TUN/TAP interfaces.
[00153] E. In certain embodiments, for example, the network tunnels may be
encrypted. In certain embodiments, for example, the network tunnels may be
interposed
between network security processes (for example middleware) running on
separate
computing devices. In certain embodiments, for example, the network security
processes may manage a segment of the data pathway that is interposed between
user-
application processes on separate computing devices of the plurality of
networked
computing devices. In certain embodiments, for example, the network security
processes may be conducted on the plural computing devices with user-
application
processes, wherein the user-application processes may engage in port-to-port
communications. In certain embodiments, for example, the network security
processes
may be resident on different computing devices from the user-application
processes. In
certain embodiments, for example, the product may be used to configure a
software-
defined perimeter.
[00154] F. In certain embodiments, for example, the tunnel port numbers,
computing
device identifiers, user-application identifiers, and/or payload data-type
identifiers may be
obtained from a plurality of configuration files. In certain embodiments, for
example, the
configuration files may contain private keys for negotiating encryption keys
for the
network tunnels. In certain embodiments, for example, the configuration files
may be
binary files. In certain embodiments, for example, the configuration files may
be
encrypted files. In certain embodiments, for example, the configuration files
may be
variable length files. In certain embodiments, for example, the configuration
files may be
read-only files.
[00155] G. In certain embodiments, for example, the communication management
operations may further comprise: executing operating system commands to
identify user-
application processes making the connection requests, and verifying that the
identified
user-application processes are authorized to transmit data to the associated
destination
port numbers. In certain embodiments, for example, the communication
management
operations may further comprise thwarting attempts by malware to form network
connections, the thwarting comprising: rejecting network connection requests
in which
identified user-application processes are not authorized to transmit data, for
example by
64
CA 03077203 2020-03-26
WO 2019/071126 PCT/US2018/054609
reference to a configuration file of authorized port-to-port connections. In
certain
embodiments, for example, the product may further comprise a configuration
file, the
configuration file comprising at least two of the following: tunnel port
numbers, computing
device identifiers, user-application identifiers, and payload data-type
identifiers. In
certain embodiments, for example, the communication management operations may
comprise updating a connection state indicator based on the comparing
computing
device identifiers, the comparing user-application process identifiers, and/or
the
comparing payload data-type identifiers. In certain embodiments, for example,
the
updated connection state indicator may be a field in a list of port-to-port
connections. In
certain embodiments, for example, the connection state indicator may be
changed from
a value indicating that no connection has been established to a value
indicating that an
open connection state exists for a particular port-to-port connection. In
certain
embodiments, for example, the connection state indicator may be changed from a
value
indicating that no connection has been established to a value indicating that
a
connection is in the process of being formed and that one or more of the
computing
device identifiers, the user-application process identifiers, and/or the
payload data-type
identifiers has been successfully exchanged, authenticated and/or authorized.
In certain
embodiments, for example, the connection state indicator may be changed from a
value
indicating that an open connection exists, that no connection exists, or that
a connection
is in the process of being formed to a value indicating that the connection is
being
declined due to failure to successfully exchange, authenticate and/or
authorize one or
more of the computing device identifiers, the user-application process
identifiers, and/or
the payload data-type identifiers.
[00156] Certain embodiments may provide, for example, a product for managing
communications of a plurality of networked computing devices, the product
comprising a
non-transitory computer-readable storage medium having computer-readable
program
code embodied therein, the computer-readable program code executable (or
compilable,
linkable, and/or loadable to be executable) by a computing device executing an
operating system (for example a Linux operating system, a Linux-based
operating
system, a real time operating system, a mini-operating system, an edge device
operating
system, and/or an open source operating system) to enable and/or cause the
computing
device to perform communication management operations, the communication
management operations comprising: establishing authorized network tunnels for
all (or
substantially all, or most or greater than 80% or greater than 90% of the
connected or
operational physical ports across all the devices within the software defined
network)
port-to-port network communications among the plurality of networked computing
CA 03077203 2020-03-26
WO 2019/071126 PCT/US2018/054609
devices, comprising: i) intercepting network connection requests having
associated
destination port numbers; ii) identifying preconfigured, predefined, pre-
established and/or
preprovisioned tunnel port numbers, comprising identifying at least one tunnel
port
number for each associated destination port number of the associated
destination port
numbers; iii) requesting the negotiation of network tunnels, the requesting
comprising
sending connection request packets comprising the tunnel port numbers, each
one of the
network tunnels having a one-to-one correspondence with one of the tunnel port
numbers; and iv) authorizing the network tunnels, comprising comparing
computing
device identifiers, user-application identifiers, and payload data-type
identifiers received
from the network tunnels with preconfigured, predefined, pre-established
and/or
preprovisioned authorization codes.
[00157] Certain embodiments may provide, for example, a product for managing
communications of a plurality of networked computing devices. In certain
embodiments,
for example, the product may comprise a non-transitory computer-readable
storage
medium having computer-readable program code embodied therein. In certain
embodiments, for example, the computer-readable program code may be executable
(or
program code compilable, linkable, and/or loadable to be executable) by a
computing
device (for example a computing device executing an operating system (for
example a
Linux operating system, a Linux-based operating system, a real time operating
system, a
mini-operating system, an edge device operating system, and/or an open source
operating system)) to enable and/or cause the computing device to perform
communication management operations. In certain embodiments, for example, the
communication management operations may comprise establishing authorized
network
tunnels for all port-to-port network communications among the plurality of
networked
computing devices. In certain embodiments, for example, the establishing may
comprise
intercepting a network connection request having an associated destination
port number.
In certain embodiments, for example, the establishing may comprise identifying
a
preconfigured, predefined, pre-established and/or preprovisioned tunnel port
number
associated with the destination port number. In certain embodiments, for
example, the
establishing may comprise requesting the forming of a network tunnel, the
forming
comprising sending a connection request packet comprising the tunnel port
number. In
certain embodiments, for example, the establishing may comprise authorizing
the
network tunnel, comprising comparing a computing device identifier, a user-
application
identifier, and a payload data-type identifier received from the network
tunnel with a
preconfigured, predefined, pre-established and/or preprovisioned authorization
code.
66
CA 03077203 2020-03-26
WO 2019/071126 PCT/US2018/054609
[00158] Certain embodiments may provide, for example, a product for managing
communications of a plurality of networked computing devices, the product
comprising a
non-transitory computer-readable storage medium having computer-readable
program
code embodied therein, the computer-readable program code executable (or
compilable,
linkable, and/or loadable to be executable) by a computing device to enable
and/or
cause the computing device to perform communication management operations, the
communication management operations comprising: establishing authorized
network
tunnels for all port-to-port network communications among the plurality of
networked
computing devices, comprising: i) intercepting a network connection request
having an
associated destination port number; ii) identifying a preconfigured,
predefined, pre-
established and/or preprovisioned tunnel port number associated with the
destination
port number; iii) requesting the forming of a network tunnel, the forming
comprising
sending a connection request packet comprising the tunnel port number; and iv)
authorizing the network tunnel, comprising comparing a computing device
identifier, a
user-application identifier, and a payload data-type identifier received from
the network
tunnel with a preconfigured, predefined, pre-established and/or preprovisioned
authorization code.
[00159] Certain embodiments may provide, for example, a product for managing
communications of a plurality of networked computing devices. In certain
embodiments,
for example, the product may comprise a non-transitory computer-readable
storage
medium having computer-readable program code embodied therein. In certain
embodiments, for example, the computer-readable program code may be executable
(or
program code compilable, linkable, and/or loadable to be executable) by a
computing
device (for example a computing device executing an operating system (for
example a
Linux operating system, a Linux-based operating system, a real time operating
system, a
mini-operating system, an edge device operating system, and/or an open source
operating system)) to enable and/or cause the computing device to perform
communication management operations. In certain embodiments, for example, the
communication management operations may comprise establishing authorized
network
tunnels for at least one port-to-port network communication (including, for
example, all
port-to-port network communications (for example unencrypted or encrypted
payload
communications) among the plurality of networked computing devices (inclusive,
for
example, of port-to-port communications according to User Datagram Protocol
(UDP) or
Transmission Control Protocol (TCP) between end-user application processes
over a
network)). In certain embodiments, for example, the port-to-port
communications may
be between user-application processes (inclusive of application processes
having a
67
CA 03077203 2020-03-26
WO 2019/071126 PCT/US2018/054609
process owner (or user)). In certain embodiments, for example, one or more of
the user-
application processes may reside in kernel and/or application space. In
certain
embodiments, for example, the establishing may comprise intercepting network
connection requests from source ports (for example the source ports may
comprise ports
associated with user-application processes), the requests having associated
destination
port numbers. In certain embodiments, for example, the establishing may
comprise
verifying that the source ports are authorized to communicate with ports
having the
associated destination port numbers. In certain embodiments, for example, the
establishing may comprise requesting the negotiation of network tunnels,
comprising
sending connection request packets comprising the associated destination port
numbers,
each one of the network tunnels having a one-to-one correspondence with one of
the
associated destination port numbers. In certain embodiments, for example, the
establishing may comprise authorizing the network tunnels, comprising
comparing
computing device identifiers, user-application identifiers, and/or payload
data-type
identifiers received from the network tunnels with preconfigured, predefined,
pre-
established and/or preprovisioned authorization codes. In certain further
embodiments,
for example, the computing device identifiers, user-application identifiers,
and/or payload
data-type identifiers may be encrypted and require decryption before the
comparing.
[00160] Certain embodiments may provide, for example, a product for managing
communications of a plurality of networked computing devices, the product
comprising a
non-transitory computer-readable storage medium having computer-readable
program
code embodied therein, the computer-readable program code executable (or
compilable,
linkable, and/or loadable to be executable) by a computing device to enable
and/or
cause the computing device to perform communication management operations, the
communication management operations comprising: establishing authorized
network
tunnels for all port-to-port network communications among the plurality of
networked
computing devices, comprising: i) intercepting network connection requests
from source
ports, the requests having associated destination port numbers; ii) verifying
that the
source ports are authorized to communicate with ports having the associated
destination
port numbers; iii) requesting the negotiation of network tunnels, comprising
sending
connection request packets comprising the associated destination port numbers,
each
one of the network tunnels having a one-to-one correspondence with one of the
associated destination port numbers; and iv) authorizing the network tunnels,
comprising
comparing computing device identifiers, user-application identifiers, and
payload data-
type identifiers received from the network tunnels with preconfigured,
predefined, pre-
established and/or preprovisioned authorization codes.
68
CA 03077203 2020-03-26
WO 2019/071126 PCT/US2018/054609
[00161] Certain embodiments may provide, for example, a product for managing
communications of a plurality of networked computing devices. In certain
embodiments,
for example, the product may comprise a non-transitory computer-readable
storage
medium having computer-readable program code embodied therein. In certain
embodiments, for example, the computer-readable program code may be executable
(or
program code compilable, linkable, and/or loadable to be executable) by a
computing
device (for example a computing device executing an operating system (for
example a
Linux operating system, a Linux-based operating system, a real time operating
system, a
mini-operating system, an edge device operating system, and/or an open source
operating system)) to enable and/or cause the computing device to perform
communication management operations. In certain embodiments, for example, the
communication management operations may comprise establishing authorized
encrypted communication pathways for at least one port-to-port network
communication
(for example all port-to-port communications) among the plurality of networked
computing devices. In certain embodiments, for example, the establishing may
comprise
intercepting network connection requests having associated destination port
numbers.
In certain embodiments, for example, the establishing may comprise identifying
preconfigured, predefined, pre-established and/or preprovisioned encrypted
communication port numbers, comprising identifying at least one preconfigured,
predefined, pre-established and/or preprovisioned encrypted communication port
number for each associated destination port number of the associated
destination port
numbers. In certain embodiments, for example, the establishing may comprise
requesting the negotiation of encrypted communication pathways, the requesting
comprising sending connection request packets comprising the encrypted
communication port numbers, each one of the encrypted communication pathways
having a one-to-one correspondence with one of the encrypted communication
port
numbers. In certain embodiments, for example, the establishing may comprise
authorizing the encrypted communication pathways, comprising comparing
computing
device identifiers, user-application identifiers, and/or payload data-type
identifiers
received from the encrypted communication pathways with preconfigured,
predefined,
pre-established and/or preprovisioned authorization codes.
[00162] Certain embodiments may provide, for example, a product for managing
communications of a plurality of networked computing devices, the product
comprising a
non-transitory computer-readable storage medium having computer-readable
program
code embodied therein, the computer-readable program code executable (or
compilable,
linkable, and/or loadable to be executable) by a computing device to enable
and/or
69
CA 03077203 2020-03-26
WO 2019/071126 PCT/US2018/054609
cause the computing device to perform communication management operations, the
communication management operations comprising: establishing authorized
encrypted
communication pathways for all port-to-port network communications among the
plurality
of networked computing devices, comprising: i) intercepting network connection
requests
having associated destination port numbers; ii) identifying preconfigured,
predefined,
pre-established and/or preprovisioned encrypted communication port numbers,
comprising identifying at least one preconfigured, predefined, pre-established
and/or
preprovisioned encrypted communication port number for each associated
destination
port number of the associated destination port numbers; iii) requesting the
negotiation of
encrypted communication pathways, the requesting comprising sending connection
request packets comprising the encrypted communication port numbers, each one
of the
encrypted communication pathways having a one-to-one correspondence with one
of the
encrypted communication port numbers; and iv) authorizing the encrypted
communication pathways, comprising comparing computing device identifiers,
user-
application identifiers, and payload data-type identifiers received from the
encrypted
communication pathways with preconfigured, predefined, pre-established and/or
preprovisioned authorization codes.
[00163] Certain embodiments may provide, for example, a product for managing
communications of a plurality of networked computing devices. In certain
embodiments,
for example, the product may comprise a non-transitory computer-readable
storage
medium having computer-readable program code embodied therein. In certain
embodiments, for example, the computer-readable program code may be executable
(or
program code compilable, linkable, and/or loadable to be executable) by a
computing
device (for example a computing device executing an operating system (for
example a
Linux operating system, a Linux-based operating system, a real time operating
system, a
mini-operating system, an edge device operating system, and/or an open source
operating system)) to enable and/or cause the computing device to perform
communication management operations. In certain embodiments, for example, the
communication management operations may comprise establishing authorized
encrypted communication pathways for at least one port-to-port network
communication
(including, for example, all port-to-port network communications) among the
plurality of
networked computing devices. In certain embodiments, for example, the
establishing
may comprise intercepting network connection requests from source ports (for
example
source ports that have been opened by and have a predetermined relationship
with
authorized applications), the requests having associated destination port
numbers. In
certain embodiments, for example, the establishing may comprise verifying that
the
CA 03077203 2020-03-26
WO 2019/071126 PCT/US2018/054609
source ports are authorized to communicate with ports having the associated
destination
port numbers. In certain embodiments, for example, the establishing may
comprise
requesting the negotiation of encrypted communication pathways, the requesting
comprising sending connection request packets comprising the associated
destination
port numbers. In certain embodiments, for example, the establishing may
comprise
authorizing the encrypted communication pathways, comprising comparing
computing
device identifiers, user-application identifiers, and/or payload data-type
identifiers
received from the encrypted communication pathways with preconfigured,
predefined,
pre-established and/or preprovisioned authorization codes.
[00164] Certain embodiments may provide, for example, a product for managing
communications of a plurality of networked computing devices, the product
comprising a
non-transitory computer-readable storage medium having computer-readable
program
code embodied therein, the computer-readable program code executable (or
compilable,
linkable, and/or loadable to be executable) by a computing device to enable
and/or
cause the computing device to perform communication management operations, the
communication management operations comprising: establishing authorized
encrypted
communication pathways for all port-to-port network communications among the
plurality
of networked computing devices, comprising: i) intercepting network connection
requests
from source ports, the requests having associated destination port numbers;
ii) verifying
that the source ports are authorized to communicate with ports having the
associated
destination port numbers; iii) requesting the negotiation of encrypted
communication
pathways, the requesting comprising sending connection request packets
comprising the
associated destination port numbers; and iv) authorizing the encrypted
communication
pathways, comprising comparing computing device identifiers, user-application
identifiers, and payload data-type identifiers received from the encrypted
communication
pathways with preconfigured, predefined, pre-established and/or preprovisioned
authorization codes.
[00165] Certain embodiments may provide, for example, a product for managing
communications of a plurality of networked computing devices. In certain
embodiments,
for example, the product may comprise a non-transitory computer-readable
storage
medium having computer-readable program code embodied therein. In certain
embodiments, for example, the computer-readable program code may be executable
(or
program code compilable, linkable, and/or loadable to be executable) by a
computing
device (for example a computing device executing an operating system (for
example a
Linux operating system, a Linux-based operating system, a real time operating
system, a
mini-operating system, an edge device operating system, and/or an open source
71
CA 03077203 2020-03-26
WO 2019/071126 PCT/US2018/054609
operating system)) to enable and/or cause the computing device to perform
communication management operations. In certain embodiments, for example, the
communication management operations may comprise establishing authorized
network
tunnels for all port-to-port network communications among the plurality of
networked
computing devices. In certain embodiments, for example, the establishing may
comprise
intercepting a network connection request from a source port, the request
having an
associated destination port number. In certain embodiments, for example, the
establishing may comprise verifying that the source port is authorized to
communicate
with a port having the associated destination port number. In certain
embodiments, for
example, the establishing may comprise requesting the negotiation of a network
tunnel,
comprising sending a connection request packet comprising the associated
destination
port number. In certain embodiments, for example, the establishing may
comprise
authorizing the network tunnel, comprising comparing a computing device
identifiers, a
user-application identifier, and a payload data-type identifier received from
the network
tunnel with a preconfigured, predefined, pre-established and/or preprovisioned
authorization code.
[00166] Certain embodiments may provide, for example, a product for managing
communications of a plurality of networked computing devices, the product
comprising a
non-transitory computer-readable storage medium having computer-readable
program
code embodied therein, the computer-readable program code executable (or
compilable,
linkable, and/or loadable to be executable) by a computing device to enable
and/or
cause the computing device to perform communication management operations, the
communication management operations comprising: establishing authorized
network
tunnels for all port-to-port network communications among the plurality of
networked
computing devices, comprising: i) intercepting a network connection request
from a
source port, the request having an associated destination port number; ii)
verifying that
the source port is authorized to communicate with a port having the associated
destination port number; iii) requesting the negotiation of a network tunnel,
comprising
sending a connection request packet comprising the associated destination port
number;
and iv) authorizing the network tunnel, comprising comparing a computing
device
identifiers, a user-application identifier, and a payload data-type identifier
received from
the network tunnel with a preconfigured, predefined, pre-established and/or
preprovisioned authorization code.
[00167] Certain embodiments may provide, for example, a product for managing
communications of a plurality of networked computing devices. In certain
embodiments,
for example, the product may comprise a non-transitory computer-readable
storage
72
CA 03077203 2020-03-26
WO 2019/071126 PCT/US2018/054609
medium having computer-readable program code embodied therein. In certain
embodiments, for example, the computer-readable program code may be executable
(or
program code compilable, linkable, and/or loadable to be executable) by a
computing
device (for example a computing device executing an operating system (for
example a
Linux operating system, a Linux-based operating system, a real time operating
system, a
mini-operating system, an edge device operating system, and/or an open source
operating system)) to enable and/or cause the computing device to perform
communication management operations. In certain embodiments, for example, the
communication management operations may comprise establishing authorized
encrypted communication pathways for all port-to-port network communications
among
the plurality of networked computing devices. In certain embodiments, for
example, the
establishing may comprise intercepting a network connection request having an
associated destination port number. In certain embodiments, for example, the
establishing may comprise identifying a preconfigured, predefined, pre-
established
and/or preprovisioned encrypted communication port number associated with the
destination port number. In certain embodiments, for example, the establishing
may
comprise requesting the negotiation of an encrypted communication pathway, the
requesting comprising sending a connection request packet comprising the
encrypted
communication port number. In certain embodiments, for example, the
establishing may
comprise authorizing the encrypted communication pathway, comprising comparing
a
computing device identifier, a user-application identifier, and a payload data-
type
identifier received from the encrypted communication pathway with a
preconfigured,
predefined, pre-established and/or preprovisioned authorization code.
[00168] Certain embodiments may provide, for example, a product for managing
communications of a plurality of networked computing devices, the product
comprising a
non-transitory computer-readable storage medium having computer-readable
program
code embodied therein, the computer-readable program code executable (or
compilable,
linkable, and/or loadable to be executable) by a computing device to enable
and/or
cause the computing device to perform communication management operations, the
communication management operations comprising: establishing authorized
encrypted
communication pathways for all port-to-port network communications among the
plurality
of networked computing devices, comprising: i) intercepting a network
connection
request having an associated destination port number; ii) identifying a
preconfigured,
predefined, pre-established and/or preprovisioned encrypted communication port
number associated with the destination port number; iii) requesting the
negotiation of an
encrypted communication pathway, the requesting comprising sending a
connection
73
CA 03077203 2020-03-26
WO 2019/071126 PCT/US2018/054609
request packet comprising the encrypted communication port number; and iv)
authorizing the encrypted communication pathway, comprising comparing a
computing
device identifier, a user-application identifier, and a payload data-type
identifier received
from the encrypted communication pathway with a preconfigured, predefined, pre-
established and/or preprovisioned authorization code.
[00169] Certain embodiments may provide, for example, a product for managing
communications of a plurality of networked computing devices. In certain
embodiments,
for example, the product may comprise a non-transitory computer-readable
storage
medium having computer-readable program code embodied therein. In certain
embodiments, for example, the computer-readable program code may be executable
(or
program code compilable, linkable, and/or loadable to be executable) by a
computing
device (for example a computing device executing an operating system (for
example a
Linux operating system, a Linux-based operating system, a real time operating
system, a
mini-operating system, an edge device operating system, and/or an open source
operating system)) to enable and/or cause the computing device to perform
communication management operations. In certain embodiments, for example, the
communication management operations may comprise establishing authorized
encrypted communication pathways for all port-to-port network communications
among
the plurality of networked computing devices. In certain embodiments, for
example, the
establishing may comprise intercepting a network connection request from a
source port,
the request having an associated destination port number. In certain
embodiments, for
example, the establishing may comprise verifying that the source port is
authorized to
communicate with a port having the associated destination port number. In
certain
embodiments, for example, the establishing may comprise requesting the
negotiation of
an encrypted communication pathway, the requesting comprising sending a
connection
request packet comprising the associated destination port number. In certain
embodiments, for example, the establishing may comprise authorizing the
encrypted
communication pathway, comprising comparing a computing device identifier, a
user-
application identifier, and a payload data-type identifier received from the
encrypted
communication pathway with a preconfigured, predefined, pre-established and/or
preprovisioned authorization code.
[00170] Certain embodiments may provide, for example, a product for managing
communications of a plurality of networked computing devices, the product
comprising a
non-transitory computer-readable storage medium having computer-readable
program
code embodied therein, the computer-readable program code executable (or
compilable,
linkable, and/or loadable to be executable) by a computing device to enable
and/or
74
CA 03077203 2020-03-26
WO 2019/071126 PCT/US2018/054609
cause the computing device to perform communication management operations, the
communication management operations comprising: establishing authorized
encrypted
communication pathways for all port-to-port network communications among the
plurality
of networked computing devices, comprising: i) intercepting a network
connection
request from a source port, the request having an associated destination port
number; ii)
verifying that the source port is authorized to communicate with a port having
the
associated destination port number; iii) requesting the negotiation of an
encrypted
communication pathway, the requesting comprising sending a connection request
packet
comprising the associated destination port number; and iv) authorizing the
encrypted
communication pathway, comprising comparing a computing device identifier, a
user-
application identifier, and a payload data-type identifier received from the
encrypted
communication pathway with a preconfigured, predefined, pre-established and/or
preprovisioned authorization code.
[00171] Certain embodiments may provide, for example, a product for managing
communications of a plurality of networked computing devices. In certain
embodiments,
for example, the product may comprise a non-transitory computer-readable
storage
medium having computer-readable program code embodied therein. In certain
embodiments, for example, the computer-readable program code may be executable
(or
program code compilable, linkable, and/or loadable to be executable) by a
computing
device (for example a computing device executing an operating system (for
example a
Linux operating system, a Linux-based operating system, a real time operating
system, a
mini-operating system, an edge device operating system, and/or an open source
operating system)) to enable and/or cause the computing device to perform
communication management operations. In certain embodiments, for example, the
communication management operations may comprise: performing communication
processing functions on at least a portion of port-to-network communications
(including,
for example, on all port-to-network communications) of the plurality of
computing
devices. In certain embodiments, for example, the performing communication
processing functions may comprise: receiving data packets (for example from a
user-
application process via a loopback interface) having payloads and associated
destination
port numbers (the associated destination port numbers may include, for
example, a
destination port number associated with a destination port of a network
security
process). In certain embodiments, for example, the performing communication
processing functions may comprise: identifying preconfigured, predefined, pre-
established and/or preprovisioned tunnel port numbers, each one of the tunnel
port
numbers having a one-to-one correspondence with one of the associated
destination
CA 03077203 2020-03-26
WO 2019/071126 PCT/US2018/054609
port numbers. In certain embodiments, for example, the performing
communication
processing functions may comprise: assembling packet segments, each one of the
packet segments comprising one of the payloads, an associated user-application
process identifier, and a payload data type descriptor. In certain
embodiments, for
example, the associated user-application process identifier may comprise a
process
identifier and/or a process owner. In certain embodiments, for example, the
associated
user-application process identifier, and a payload data type descriptor may be
combined
(or concatenated) in a metadata portion of the packet segment. In certain
embodiments,
for example, the metadata may be encrypted, for example by a single-use
cryptographic
key. In certain embodiments, for example, the performing communication
processing
functions may comprise: requesting transmission of network packets through
network
tunnels (for example at least a different network tunnel for each application-
to-application
communication of a specified data protocol type), each one of the network
packets
comprising a tunnel port number of one of the tunnel port numbers and one of
the
assembled packet segments, each one of the network tunnels having a one-to-one
correspondence with one of the tunnel port numbers.
[00172] A. In certain embodiments, for example, the receiving, identifying,
assembling, and requesting may be transparent to all user-application
processes on the
plurality of networked computing devices. In certain embodiments, for example,
the data
packets may be received by loopback interfaces. In certain embodiments, for
example,
the data packets may be received by kernel read and/or write calls. In certain
embodiments, for example, the data packets may be received by TAP/TUN
interfaces.
In certain embodiments, for example, the receiving may occur in kernel spaces
of the
plural computing devices. In certain embodiments, for example, the receiving
may occur
in application spaces of the plural computing devices. In certain embodiments,
for
example, the received data packet may be received from user-application
processes
executing in application spaces of the plural computing devices. In certain
embodiments, for example, the user-application process identifiers may
comprise
process commands and process owners (for example process commands and process
owners comparable to the output of operating system commands). In certain
embodiments, for example, the communication processing functions may further
comprise: setting connection status indicators to a non-operative state if
more than a
fixed number (for example a fixed number such as 10 or 20) of requests to
transmit
network packets are rejected. In certain embodiments, for example, the
communication
processing functions may further comprise: setting connection status
indicators to a non-
76
CA 03077203 2020-03-26
WO 2019/071126 PCT/US2018/054609
operative state if the difference between rejected and successful requests to
transmit
network packets exceeds a fixed number (for example a fixed number such as 10
or 20).
[00173] B. In certain embodiments, for example, the communication processing
functions may further comprise: checking a connection status of the network
tunnels (for
example by checking lists maintained in kernel memory of the plural networked
computing devices). In certain embodiments, for example, the communication
processing functions may further comprise dropping network packets that are
received
via one or more network tunnels whose connection status indicators are set to
a non-
operative state.
[00174] C. In certain embodiments, for example, the payloads may be translated
into
a common format prior to the assembling.
[00175] Certain embodiments may provide, for example, a product for managing
communications of a plurality of networked computing devices, the product
comprising a
non-transitory computer-readable storage medium having computer-readable
program
code embodied therein, the computer-readable program code executable (or
compilable,
linkable, and/or loadable to be executable) by a computing device to enable
and/or
cause the computing device to perform communication management operations, the
communication management operations comprising: performing communication
processing functions on all port-to-network communications of the plurality of
computing
devices, the performing communication processing functions comprising: i)
receiving
data packets having payloads and associated destination port numbers; ii)
identifying
preconfigured, predefined, pre-established and/or preprovisioned tunnel port
numbers,
each one of the tunnel port numbers having a one-to-one correspondence with
one of
the associated destination port numbers; iii) assembling packet segments, each
one of
the packet segments comprising one of the payloads, an associated user-
application
process identifier, and a payload data type descriptor; and iv) requesting
transmission of
network packets through network tunnels, each one of the network packets
comprising a
tunnel port number of one of the tunnel port numbers and one of the assembled
packet
segments, each one of the network tunnels having a one-to-one correspondence
with
one of the tunnel port numbers.
[00176] Certain embodiments may provide, for example, a product for managing
communications of a plurality of networked computing devices. In certain
embodiments,
for example, the product may comprise a non-transitory computer-readable
storage
medium having computer-readable program code embodied therein. In certain
embodiments, for example, the computer-readable program code may be executable
(or
program code compilable, linkable, and/or loadable to be executable) by a
computing
77
CA 03077203 2020-03-26
WO 2019/071126 PCT/US2018/054609
device (for example a computing device executing an operating system (for
example a
Linux operating system, a Linux-based operating system, a real time operating
system, a
mini-operating system, an edge device operating system, and/or an open source
operating system)) to enable and/or cause the computing device to perform
communication management operations. In certain embodiments, for example, the
communication management operations may comprise performing communication
processing functions on all port-to-network communications of the plurality of
computing
devices. In certain embodiments, for example, the performing communication
processing functions may comprise receiving a data packet having a payload and
an
associated destination port number. In certain embodiments, for example, the
performing communication processing functions may comprise identifying a
preconfigured, predefined, pre-established and/or preprovisioned tunnel port
number
associated with the destination port number. In certain embodiments, for
example, the
performing communication processing functions may comprise assembling a packet
segment, the packet segment comprising the payload, an associated user-
application
identifier, and a payload data type descriptor. In certain embodiments, for
example, the
performing communication processing functions may comprise requesting
transmission
of a network packet through a network tunnel, the network packet comprising
the tunnel
port number and the assembled packet segment, the network tunnel having a one-
to-one
correspondence with the tunnel port number.
[00177] Certain embodiments may provide, for example, a product for managing
communications of a plurality of networked computing devices, the product
comprising a
non-transitory computer-readable storage medium having computer-readable
program
code embodied therein, the computer-readable program code executable (or
compilable,
linkable, and/or loadable to be executable) by a computing device to enable
and/or
cause the computing device to perform communication management operations, the
communication management operations comprising: performing communication
processing functions on all port-to-network communications of the plurality of
computing
devices, the performing communication processing functions comprising: i)
receiving a
data packet having a payload and an associated destination port number; ii)
identifying a
preconfigured, predefined, pre-established and/or preprovisioned tunnel port
number
associated with the destination port number; iii) assembling a packet segment,
the
packet segment comprising the payload, an associated user-application
identifier, and a
payload data type descriptor; and iv) requesting transmission of a network
packet
through a network tunnel, the network packet comprising the tunnel port number
and the
78
CA 03077203 2020-03-26
WO 2019/071126 PCT/US2018/054609
assembled packet segment, the network tunnel having a one-to-one
correspondence
with the tunnel port number.
[00178] Certain embodiments may provide, for example, a product for managing
communications of a plurality of networked computing devices. In certain
embodiments,
for example, the product may comprise a non-transitory computer-readable
storage
medium having computer-readable program code embodied therein. In certain
embodiments, for example, the computer-readable program code may be executable
(or
program code compilable, linkable, and/or loadable to be executable) by a
computing
device (for example a computing device executing an operating system (for
example a
Linux operating system, a Linux-based operating system, a real time operating
system, a
mini-operating system, an edge device operating system, and/or an open source
operating system)) to enable and/or cause the computing device to perform
communication management operations. In certain embodiments, for example, the
communication management operations may comprise: performing communication
processing functions on at least a portion of port-to-network communications
(including,
for example, on all port-to-network communications) of the plurality of
computing
devices. In certain embodiments, for example, the performing communication
processing functions may comprise receiving data packets from source ports,
the data
packets having payloads and associated destination port numbers. In certain
embodiments, for example, the performing communication processing functions
may
comprise verifying that the source ports are authorized to communicate with
ports having
the associated destination port numbers. In certain embodiments, for example,
the
performing communication processing functions may comprise assembling packet
segments, each one of the packet segments comprising one of the payloads, an
associated user-application identifier, and a payload data type descriptor. In
certain
embodiments, for example, the performing communication processing functions
may
comprise requesting transmission of network packets through network tunnels,
each one
of the network packets comprising a port number of one of the associated
destination
port numbers and one of the assembled packet segments, each one of the network
tunnels having a one-to-one correspondence with one of the associated
destination port
numbers.
[00179] A. In certain embodiments, for example, the transmitted network
packets
may be exclusive of the destination port numbers associated with the received
data
packets. In certain embodiments, for example, the payloads in the transmitted
network
packets may be re-associated with the destination port numbers only after the
transmitted network packets are received at one or more second computing
devices of
79
CA 03077203 2020-03-26
WO 2019/071126 PCT/US2018/054609
the plurality of networked computing devices, the second computing device
different from
the computing device. In certain embodiments, for example, the associated
destination
port numbers may not be transmitted from the computing device to one or more
second
computing devices of the plurality of networked computing devices. In certain
embodiments, for example, the associated destination port numbers may not be
transmitted across a network coupled to one or more computing devices of the
plurality
of networked computing devices. In certain embodiments, for example, the
associated
destination port numbers may not be transmitted from the computing device via
the
network tunnels.
[00180] Certain embodiments may provide, for example, a product for managing
communications of a plurality of networked computing devices, the product
comprising a
non-transitory computer-readable storage medium having computer-readable
program
code embodied therein, the computer-readable program code executable (or
compilable,
linkable, and/or loadable to be executable) by a computing device to enable
and/or
cause the computing device to perform communication management operations, the
communication management operations comprising: performing communication
processing functions on all port-to-network communications of the plurality of
computing
devices, the performing communication processing functions comprising: i)
receiving
data packets from source ports, the data packets having payloads and
associated
destination port numbers; ii) verifying that the source ports are authorized
to
communicate with ports having the associated destination port numbers; iii)
assembling
packet segments, each one of the packet segments comprising one of the
payloads, an
associated user-application identifier, and a payload data type descriptor;
and iv)
requesting transmission of network packets through network tunnels, each one
of the
network packets comprising a port number of one of the associated destination
port
numbers and one of the assembled packet segments, each one of the network
tunnels
having a one-to-one correspondence with one of the associated destination port
numbers.
[00181] Certain embodiments may provide, for example, a product for managing
communications of a plurality of networked computing devices. In certain
embodiments,
for example, the product may comprise a non-transitory computer-readable
storage
medium having computer-readable program code embodied therein. In certain
embodiments, for example, the computer-readable program code may be executable
(or
program code compilable, linkable, and/or loadable to be executable) by a
computing
device (for example a computing device executing an operating system (for
example a
Linux operating system, a Linux-based operating system, a real time operating
system, a
CA 03077203 2020-03-26
WO 2019/071126 PCT/US2018/054609
mini-operating system, an edge device operating system, and/or an open source
operating system)) to enable and/or cause the computing device to perform
communication management operations. In certain embodiments, for example, the
communication management operations may comprise: performing communication
processing functions on all port-to-network communications of the plurality of
computing
devices. In certain embodiments, for example, the performing communication
processing functions may comprise receiving data packets having payloads and
associated destination port numbers. In certain embodiments, for example, the
performing communication processing functions may comprise identifying
preconfigured,
predefined, pre-established and/or preprovisioned port numbers, each one of
the port
numbers having a one-to-one correspondence with one of the associated
destination
port numbers. In certain embodiments, for example, the performing
communication
processing functions may comprise assembling packet segments, each one of the
packet segments comprising one of the payloads, an associated user-application
identifier, and a payload data type descriptor. In certain embodiments, for
example, the
performing communication processing functions may comprise requesting
transmission
of network packets through encrypted communication pathways, each one of the
network packets comprising a port number of one of the port numbers and one of
the
assembled packet segments, each one of the encrypted communication pathways
having a one-to-one correspondence with one of the port numbers.
[00182] Certain embodiments may provide, for example, a product for managing
communications of a plurality of networked computing devices, the product
comprising a
non-transitory computer-readable storage medium having computer-readable
program
code embodied therein, the computer-readable program code executable (or
compilable,
linkable, and/or loadable to be executable) by a computing device to enable
and/or
cause the computing device to perform communication management operations, the
communication management operations comprising: performing communication
processing functions on all port-to-network communications of the plurality of
computing
devices, the performing communication processing functions comprising: i)
receiving
data packets having payloads and associated destination port numbers; ii)
identifying
preconfigured, predefined, pre-established and/or preprovisioned port numbers,
each
one of the port numbers having a one-to-one correspondence with one of the
associated
destination port numbers; iii) assembling packet segments, each one of the
packet
segments comprising one of the payloads, an associated user-application
identifier, and
a payload data type descriptor; and iv) requesting transmission of network
packets
through encrypted communication pathways, each one of the network packets
81
CA 03077203 2020-03-26
WO 2019/071126 PCT/US2018/054609
comprising a port number of one of the port numbers and one of the assembled
packet
segments, each one of the encrypted communication pathways having a one-to-one
correspondence with one of the port numbers.
[00183] Certain embodiments may provide, for example, a product for managing
communications of a plurality of networked computing devices, the product
comprising a
non-transitory computer-readable storage medium having computer-readable
program
code embodied therein, the computer-readable program code executable (or
compilable,
linkable, and/or loadable to be executable) by a computing device to enable
and/or
cause the computing device to perform communication management operations. In
certain embodiments, for example, the communication management operations may
comprise performing communication processing functions on all port-to-network
communications of the plurality of computing devices. In certain embodiments,
for
example, the performing communication processing functions may comprise
receiving
data packets, the data packets comprising messages and associated destination
port
numbers. In certain embodiments, for example, the performing communication
processing functions may comprise identifying preconfigured, predefined, pre-
established and/or preprovisioned port numbers, each one of the port numbers
having a
one-to-one correspondence with one of the associated destination port numbers.
In
certain embodiments, for example, the performing communication processing
functions
may comprise assembling packet segments, each one of the packet segments
comprising at least a portion of one of the messages, an associated user-
application
identifier, and a payload data type descriptor. In certain embodiments, for
example, the
performing communication processing functions may comprise requesting
transmission
of network packets through encrypted communication pathways, each one of the
network packets comprising a port number of one of the port numbers and one of
the
assembled packet segments, each one of the encrypted communication pathways
having a one-to-one correspondence with one of the port numbers.
[00184] A. In certain embodiments, for example, one or more of the messages
may
have a size exceeding a maximum transfer unit.
[00185] B. In certain embodiments, for example, one of the packet segments may
comprise a portion of one of the messages, the one of the messages having a
size
exceeding a maximum transfer unit and the one of the packet segments having a
total
payload, the total payload having a size not exceeding the maximum transfer
unit or
another maximum transfer unit.
[00186] Certain embodiments may provide, for example product for managing
communications of a plurality of networked computing devices, the product
comprising a
82
CA 03077203 2020-03-26
WO 2019/071126 PCT/US2018/054609
non-transitory computer-readable storage medium having computer-readable
program
code embodied therein, the computer-readable program code executable (or
compilable,
linkable, and/or loadable to be executable) by a computing device to enable
and/or
cause the computing device to perform communication management operations, the
communication management operations comprising: performing communication
processing functions on all port-to-network communications of the plurality of
computing
devices, the performing communication processing functions comprising: i)
receiving
data packets, the data packets comprising messages and associated destination
port
numbers; ii) identifying preconfigured, predefined, pre-established and/or
preprovisioned
port numbers, each one of the port numbers having a one-to-one correspondence
with
one of the associated destination port numbers; iii) assembling packet
segments, each
one of the packet segments comprising at least a portion of one of the
messages, an
associated user-application identifier, and a payload data type descriptor;
and iv)
requesting transmission of network packets through encrypted communication
pathways,
each one of the network packets comprising a port number of one of the port
numbers
and one of the assembled packet segments, each one of the encrypted
communication
pathways having a one-to-one correspondence with one of the port numbers.
[00187] Certain embodiments may provide, for example, a product for managing
communications of a plurality of networked computing devices. In certain
embodiments,
for example, the product may comprise a non-transitory computer-readable
storage
medium having computer-readable program code embodied therein, the computer-
readable program code executable (or compilable, linkable, and/or loadable to
be
executable) by a computing device to enable and/or cause the computing device
to
perform communication management operations. In certain embodiments, for
example,
the communication management operations may comprise performing communication
processing functions on all port-to-network communications of the plurality of
computing
devices. In certain embodiments, for example, the performing communication
processing functions may comprise receiving data packets, the data packets
comprising
messages and associated destination port numbers, the messages comprising user-
application identifiers and payload data type descriptors. In certain
embodiments, for
example, the performing communication processing functions may comprise
identifying
preconfigured, predefined, pre-established and/or preprovisioned port numbers,
each
one of the port numbers having a one-to-one correspondence with one of the
associated
destination port numbers. In certain embodiments, for example, the performing
communication processing functions may comprise assembling packet segments,
each
one of the packet segments comprising at least a portion of one of the
messages, the at
83
CA 03077203 2020-03-26
WO 2019/071126 PCT/US2018/054609
least a portion of one of the messages comprising one of the user-application
identifiers
and one of the payload data type descriptors. In certain embodiments, for
example, the
performing communication processing functions may comprise requesting
transmission
of network packets through encrypted communication pathways, each one of the
network packets comprising a port number of one of the port numbers and one of
the
assembled packet segments, each one of the encrypted communication pathways
having a one-to-one correspondence with one of the port numbers.
[00188] A. In certain embodiments, for example, the user-application
identifiers may
be spaced apart from one another and the payload data type descriptors are
spaced
apart from one another.
[00189] Certain embodiments may provide, for example, a product for managing
communications of a plurality of networked computing devices, the product
comprising a
non-transitory computer-readable storage medium having computer-readable
program
code embodied therein, the computer-readable program code executable (or
compilable,
linkable, and/or loadable to be executable) by a computing device to enable
and/or
cause the computing device to perform communication management operations, the
communication management operations comprising: performing communication
processing functions on all port-to-network communications of the plurality of
computing
devices, the performing communication processing functions comprising: i)
receiving
data packets, the data packets comprising messages and associated destination
port
numbers, the messages comprising user-application identifiers and payload data
type
descriptors; ii) identifying preconfigured, predefined, pre-established and/or
preprovisioned port numbers, each one of the port numbers having a one-to-one
correspondence with one of the associated destination port numbers; iii)
assembling
packet segments, each one of the packet segments comprising at least a portion
of one
of the messages, the at least a portion of one of the messages comprising one
of the
user-application identifiers and one of the payload data type descriptors; and
iv)
requesting transmission of network packets through encrypted communication
pathways,
each one of the network packets comprising a port number of one of the port
numbers
and one of the assembled packet segments, each one of the encrypted
communication
pathways having a one-to-one correspondence with one of the port numbers.
[00190] A. In certain embodiments, for example, any given message to be sent
across a network may have a size exceeding a maximum transfer unit (for
example a
maximum transfer unit of 1500 bytes), requiring the message to be split into
plural
payloads for transport across the network, each of the plural payloads having
a size of
no greater than the maximum transfer unit, for insertion into plural network
packets. In
84
CA 03077203 2020-03-26
WO 2019/071126 PCT/US2018/054609
certain further embodiments, for example, the computing processing functions
may
comprise inserting plural metadata into the message, whereby each one of the
plural
payloads contains one of the plural metadata. In certain embodiments, for
example, the
plural metadata may be positioned at predetermined locations in the plural
payloads. In
certain embodiments, for example, two or more of the plural metadata may be
spaced a
predetermined distance in the any given message. In certain embodiments, for
example,
each one of the plural meta data may comprise one of the user-application
identifiers
and one of the payload data type descriptors.
[00191] Certain embodiments may provide, for example, a product for managing
communications of a plurality of networked computing devices. In certain
embodiments,
for example, the product may comprise a non-transitory computer-readable
storage
medium having computer-readable program code embodied therein. In certain
embodiments, for example, the computer-readable program code may be executable
(or
program code compilable, linkable, and/or loadable to be executable) by a
computing
device (for example a computing device executing an operating system (for
example a
Linux operating system, a Linux-based operating system, a real time operating
system, a
mini-operating system, an edge device operating system, and/or an open source
operating system)) to enable and/or cause the computing device to perform
communication management operations. In certain embodiments, for example, the
communication management operations may comprise performing communication
processing functions on at least a portion of port-to-network communications
(including,
for example, on all port-to-network communications) of the plurality of
computing
devices. In certain embodiments, for example, the performing communication
processing functions may comprise receiving data packets from source ports,
the data
packets having payloads and associated destination port numbers. In certain
embodiments, for example, the performing communication processing functions
may
comprise verifying that the source ports are authorized to communicate with
ports having
the associated destination port numbers. In certain embodiments, for example,
the
performing communication processing functions may comprise assembling packet
segments, each one of the packet segments comprising one of the payloads, an
associated user-application identifier, and a payload data type descriptor. In
certain
embodiments, for example, the performing communication processing functions
may
comprise requesting transmission of network packets through encrypted
communication
pathways, each one of the network packets comprising a port number of one of
the
associated destination port numbers and one of the assembled packet segments,
each
CA 03077203 2020-03-26
WO 2019/071126 PCT/US2018/054609
one of the encrypted communication pathways having a one-to-one correspondence
with
one of the associated destination port numbers.
[00192] A. In certain embodiments, for example, the transmitted network
packets
may be exclusive of the destination port numbers associated with the received
data
packets. In certain embodiments, for example, the payloads in the transmitted
network
packets may be re-associated with the destination port numbers only after the
transmitted network packets are received at one or more second computing
devices of
the plurality of networked computing devices, the second computing device
different from
the computing device. In certain embodiments, for example, the associated
destination
port numbers may not be transmitted from the computing device to one or more
second
computing devices of the plurality of networked computing devices. In certain
embodiments, for example, the associated destination port numbers may not be
transmitted across a network coupled to one or more computing devices of the
plurality
of networked computing devices. In certain embodiments, for example, the
associated
destination port numbers may not be transmitted from the computing device via
the
encrypted communication pathways.
[00193] Certain embodiments may provide, for example, a product for managing
communications of a plurality of networked computing devices, the product
comprising a
non-transitory computer-readable storage medium having computer-readable
program
code embodied therein, the computer-readable program code executable (or
compilable,
linkable, and/or loadable to be executable) by a computing device to enable
and/or
cause the computing device to perform communication management operations, the
communication management operations comprising: performing communication
processing functions on all port-to-network communications of the plurality of
computing
devices, the performing communication processing functions comprising: i)
receiving
data packets from source ports, the data packets having payloads and
associated
destination port numbers; ii) verifying that the source ports are authorized
to
communicate with ports having the associated destination port numbers; iii)
assembling
packet segments, each one of the packet segments comprising one of the
payloads, an
associated user-application identifier, and a payload data type descriptor;
and iv)
requesting transmission of network packets through encrypted communication
pathways,
each one of the network packets comprising a port number of one of the
associated
destination port numbers and one of the assembled packet segments, each one of
the
encrypted communication pathways having a one-to-one correspondence with one
of the
associated destination port numbers.
86
CA 03077203 2020-03-26
WO 2019/071126 PCT/US2018/054609
[00194] Certain embodiments may provide, for example, a product for managing
communications of a plurality of networked computing devices. In certain
embodiments,
for example, the product may comprise a non-transitory computer-readable
storage
medium having computer-readable program code embodied therein. In certain
embodiments, for example, the computer-readable program code may be executable
(or
program code compilable, linkable, and/or loadable to be executable) by a
computing
device (for example a computing device executing an operating system (for
example a
Linux operating system, a Linux-based operating system, a real time operating
system, a
mini-operating system, an edge device operating system, and/or an open source
operating system)) to enable and/or cause the computing device to perform
communication management operations. In certain embodiments, for example, the
communication management operations may comprise performing communication
processing functions on all port-to-network communications of the plurality of
computing
devices, the performing communication processing functions comprising. In
certain
embodiments, for example, the communication processing functions may comprise
receiving data packets from source ports, the data packets having payloads and
associated destination port numbers. In certain embodiments, for example, the
communication processing functions may comprise verifying that the source
ports are
authorized to communicate with ports having the associated destination port
numbers.
In certain embodiments, for example, the communication processing functions
may
comprise assembling packet segments, each one of the packet segments
comprising
one of the payloads, an associated user-application identifier, and a payload
data type
descriptor. In certain embodiments, for example, the communication processing
functions may comprise requesting transmission of network packets through
network
tunnels, each one of the network packets comprising a port number of one of
the
associated destination port numbers and one of the assembled packet segments,
each
one of the network tunnels having a one-to-one correspondence with one of the
associated destination port numbers.
[00195] A. In certain embodiments, for example, the transmitted network
packets
may be exclusive of the destination port numbers associated with the received
data
packets. In certain embodiments, for example, the payloads in the transmitted
network
packets may be re-associated with the destination port numbers only after the
transmitted network packets are received at one or more second computing
devices of
the plurality of networked computing devices, the second computing device
different from
the computing device. In certain embodiments, for example, the associated
destination
port numbers may not be transmitted from the computing device to one or more
second
87
CA 03077203 2020-03-26
WO 2019/071126 PCT/US2018/054609
computing devices of the plurality of networked computing devices. In certain
embodiments, for example, the associated destination port numbers may not be
transmitted across a network coupled to one or more computing devices of the
plurality
of networked computing devices. In certain embodiments, for example, the
associated
destination port numbers may not be transmitted from the computing device via
the
network tunnels.
[00196] Certain embodiments may provide, for example, a product for managing
communications of a plurality of networked computing devices, the product
comprising a
non-transitory computer-readable storage medium having computer-readable
program
code embodied therein, the computer-readable program code executable (or
compilable,
linkable, and/or loadable to be executable) by a computing device to enable
and/or
cause the computing device to perform communication management operations, the
communication management operations comprising: performing communication
processing functions on all port-to-network communications of the plurality of
computing
devices, the performing communication processing functions comprising: i)
receiving
data packets from source ports, the data packets having payloads and
associated
destination port numbers; ii) verifying that the source ports are authorized
to
communicate with ports having the associated destination port numbers; iii)
assembling
packet segments, each one of the packet segments comprising one of the
payloads, an
associated user-application identifier, and a payload data type descriptor;
and iv)
requesting transmission of network packets through network tunnels, each one
of the
network packets comprising a port number of one of the associated destination
port
numbers and one of the assembled packet segments, each one of the network
tunnels
having a one-to-one correspondence with one of the associated destination port
numbers.
[00197] Certain embodiments may provide, for example, a product for managing
communications of a plurality of networked computing devices. In certain
embodiments,
for example, the product may comprise a non-transitory computer-readable
storage
medium having computer-readable program code embodied therein. In certain
embodiments, for example, the computer-readable program code may be executable
(or
program code compilable, linkable, and/or loadable to be executable) by a
computing
device (for example a computing device executing an operating system (for
example a
Linux operating system, a Linux-based operating system, a real time operating
system, a
mini-operating system, an edge device operating system, and/or an open source
operating system)) to enable and/or cause the computing device to perform
communication management operations, the communication management operations
88
CA 03077203 2020-03-26
WO 2019/071126 PCT/US2018/054609
comprising: performing communication processing functions on all port-to-
network
communications of the plurality of computing devices. In certain embodiments,
for
example, the performing communication processing functions may comprise
receiving a
data packet from a source port, the data packet having a payload and an
associated
destination port number. In certain embodiments, for example, the performing
communication processing functions may comprise verifying that the source port
is
authorized to communicate with a port having the associated destination port
number. In
certain embodiments, for example, the performing communication processing
functions
may comprise assembling a packet segment, the packet segment comprising the
payload, an associated user-application identifier, and a payload data type
descriptor. In
certain embodiments, for example, the performing communication processing
functions
may comprise requesting transmission of a network packet through a network
tunnel, the
network packet comprising the associated destination port numbers and the
assembled
packet segment, the network tunnels having a one-to-one correspondence with
the
associated destination port number.
[00198] A. In certain embodiments, for example, the transmitted network packet
may
be exclusive of the destination port number associated with the received data
packet. In
certain embodiments, for example, the payload in the transmitted network
packet may be
re-associated with the destination port number only after the transmitted
network packet
is received at a second computing devices of the plurality of networked
computing
devices, the second computing device different from the computing device. In
certain
embodiments, for example, the associated destination port number may not be
transmitted from the computing device to the second computing device of the
plurality of
networked computing devices. In certain embodiments, for example, the
associated
destination port number may not be transmitted across a network coupled to one
or more
computing devices of the plurality of networked computing devices. In certain
embodiments, for example, the associated destination port number may not be
transmitted from the computing device via the network tunnel.
[00199] Certain embodiments may provide, for example, a product for managing
communications of a plurality of networked computing devices, the product
comprising a
non-transitory computer-readable storage medium having computer-readable
program
code embodied therein, the computer-readable program code executable (or
compilable,
linkable, and/or loadable to be executable) by a computing device to enable
and/or
cause the computing device to perform communication management operations, the
communication management operations comprising: performing communication
processing functions on all port-to-network communications of the plurality of
computing
89
CA 03077203 2020-03-26
WO 2019/071126 PCT/US2018/054609
devices, the performing communication processing functions comprising: i)
receiving a
data packet from a source port, the data packet having a payload and an
associated
destination port number; ii) verifying that the source port is authorized to
communicate
with a port having the associated destination port number; iii) assembling a
packet
segment, the packet segment comprising the payload, an associated user-
application
identifier, and a payload data type descriptor, and iv) requesting
transmission of a
network packet through a network tunnel, the network packet comprising the
associated
destination port numbers and the assembled packet segment, the network tunnels
having a one-to-one correspondence with the associated destination port
number.
[00200] Certain embodiments may provide, for example, a product for managing
communications of a plurality of networked computing devices. In certain
embodiments,
for example, the product may comprise a non-transitory computer-readable
storage
medium having computer-readable program code embodied therein. In certain
embodiments, for example, the computer-readable program code may be executable
(or
program code compilable, linkable, and/or loadable to be executable) by a
computing
device (for example a computing device executing an operating system (for
example a
Linux operating system, a Linux-based operating system, a real time operating
system, a
mini-operating system, an edge device operating system, and/or an open source
operating system)) to enable and/or cause the computing device to perform
communication management operations. In certain embodiments, for example, the
communication management operations may comprise performing communication
processing functions on all port-to-network communications of the plurality of
computing
devices. In certain embodiments, for example, the performing communication
processing functions may comprise receiving data packets having payloads and
associated destination port numbers. In certain embodiments, for example, the
performing communication processing functions may comprise identifying
preconfigured,
predefined, pre-established and/or preprovisioned port numbers, each one of
the port
numbers having a one-to-one correspondence with one of the associated
destination
port numbers. In certain embodiments, for example, the performing
communication
processing functions may comprise assembling packet segments, each one of the
packet segments comprising one of the payloads, an associated user-application
identifier, and a payload data type descriptor. In certain embodiments, for
example, the
performing communication processing functions may comprise requesting
transmission
of network packets through encrypted communication pathways, each one of the
network packets comprising a port number of one of the port numbers and one of
the
CA 03077203 2020-03-26
WO 2019/071126 PCT/US2018/054609
assembled packet segments, each one of the encrypted communication pathways
having a one-to-one correspondence with one of the port numbers.
[00201] Certain embodiments may provide, for example, a product for managing
communications of a plurality of networked computing devices, the product
comprising a
non-transitory computer-readable storage medium having computer-readable
program
code embodied therein, the computer-readable program code executable (or
compilable,
linkable, and/or loadable to be executable) by a computing device to enable
and/or
cause the computing device to perform communication management operations, the
communication management operations comprising: performing communication
processing functions on all port-to-network communications of the plurality of
computing
devices, the performing communication processing functions comprising: i)
receiving
data packets having payloads and associated destination port numbers; ii)
identifying
preconfigured, predefined, pre-established and/or preprovisioned port numbers,
each
one of the port numbers having a one-to-one correspondence with one of the
associated
destination port numbers; iii) assembling packet segments, each one of the
packet
segments comprising one of the payloads, an associated user-application
identifier, and
a payload data type descriptor; and iv) requesting transmission of network
packets
through encrypted communication pathways, each one of the network packets
comprising a port number of one of the port numbers and one of the assembled
packet
segments, each one of the encrypted communication pathways having a one-to-one
correspondence with one of the port numbers.
[00202] Certain embodiments may provide, for example, a product for managing
communications of a plurality of networked computing devices. In certain
embodiments,
for example, the product may comprise a non-transitory computer-readable
storage
medium having computer-readable program code embodied therein. In certain
embodiments, for example, the computer-readable program code may be executable
(or
program code compilable, linkable, and/or loadable to be executable) by a
computing
device (for example a computing device executing an operating system (for
example a
Linux operating system, a Linux-based operating system, a real time operating
system, a
mini-operating system, an edge device operating system, and/or an open source
operating system)) to enable and/or cause the computing device to perform
communication management operations. In certain embodiments, for example, the
communication management operations may comprise performing communication
processing functions on all port-to-network communications of the plurality of
computing
devices. In certain embodiments, for example, the performing communication
processing functions may comprise receiving a data packet having a payload and
an
91
CA 03077203 2020-03-26
WO 2019/071126 PCT/US2018/054609
associated destination port number. In certain embodiments, for example, the
performing communication processing functions may comprise identifying a
preconfigured, predefined, pre-established and/or preprovisioned port number,
the port
number having a one-to-one correspondence with the associated destination port
number. In certain embodiments, for example, the performing communication
processing functions may comprise assembling a packet segment, the packet
segment
comprising the payload, an associated user-application identifier, and a
payload data
type descriptor. In certain embodiments, for example, the performing
communication
processing functions may comprise requesting encrypted communication over an
encrypted communication pathway of a network packet, the network packets
comprising
the port number and the assembled packet segment, the encrypted communication
pathway having a one-to-one correspondence with the port number.
[00203] Certain embodiments may provide, for example, a product for managing
communications of a plurality of networked computing devices, the product
comprising a
non-transitory computer-readable storage medium having computer-readable
program
code embodied therein, the computer-readable program code executable (or
compilable,
linkable, and/or loadable to be executable) by a computing device to enable
and/or
cause the computing device to perform communication management operations, the
communication management operations comprising: performing communication
processing functions on all port-to-network communications of the plurality of
computing
devices, the performing communication processing functions comprising: i)
receiving a
data packet having a payload and an associated destination port number; ii)
identifying a
preconfigured, predefined, pre-established and/or preprovisioned port number,
the port
number having a one-to-one correspondence with the associated destination port
number; iii) assembling a packet segment, the packet segment comprising the
payload,
an associated user-application identifier, and a payload data type descriptor;
and iv)
requesting encrypted communication over an encrypted communication pathway of
a
network packet, the network packets comprising the port number and the
assembled
packet segment, the encrypted communication pathway having a one-to-one
correspondence with the port number.
[00204] Certain embodiments may provide, for example, a product for managing
communications of a plurality of networked computing devices. In certain
embodiments,
for example, the product may comprise a non-transitory computer-readable
storage
medium having computer-readable program code embodied therein. In certain
embodiments, for example, the computer-readable program code may be executable
(or
program code compilable, linkable, and/or loadable to be executable) by a
computing
92
CA 03077203 2020-03-26
WO 2019/071126 PCT/US2018/054609
device (for example a computing device executing an operating system (for
example a
Linux operating system, a Linux-based operating system, a real time operating
system, a
mini-operating system, an edge device operating system, and/or an open source
operating system)) to enable and/or cause the computing device to perform
communication management operations. In certain embodiments, for example, the
communication management operations may comprise performing communication
processing functions on all port-to-network communications of the plurality of
computing
devices. In certain embodiments, for example, the performing communication
processing functions may comprise receiving data packets from source ports,
the data
packets having payloads and associated destination port numbers. In certain
embodiments, for example, the performing communication processing functions
may
comprise verifying that the source ports are authorized to communicate with
ports having
the associated destination port numbers. In certain embodiments, for example,
the
performing communication processing functions may comprise assembling packet
segments, each one of the packet segments comprising one of the payloads, an
associated user-application identifier, and a payload data type descriptor. In
certain
embodiments, for example, the performing communication processing functions
may
comprise requesting transmission of network packets through encrypted
communication
pathways, each one of the network packets comprising a port number of one of
the
associated destination port numbers and one of the assembled packet segments,
each
one of the encrypted communication pathways having a one-to-one correspondence
with
one of the associated destination port numbers.
[00205] Certain embodiments may provide, for example, a product for managing
communications of a plurality of networked computing devices, the product
comprising a
non-transitory computer-readable storage medium having computer-readable
program
code embodied therein, the computer-readable program code executable (or
compilable,
linkable, and/or loadable to be executable) by a computing device to enable
and/or
cause the computing device to perform communication management operations, the
communication management operations comprising: performing communication
processing functions on all port-to-network communications of the plurality of
computing
devices, the performing communication processing functions comprising: i)
receiving
data packets from source ports, the data packets having payloads and
associated
destination port numbers; ii) verifying that the source ports are authorized
to
communicate with ports having the associated destination port numbers; iii)
assembling
packet segments, each one of the packet segments comprising one of the
payloads, an
associated user-application identifier, and a payload data type descriptor;
and iv)
93
CA 03077203 2020-03-26
WO 2019/071126 PCT/US2018/054609
requesting transmission of network packets through encrypted communication
pathways,
each one of the network packets comprising a port number of one of the
associated
destination port numbers and one of the assembled packet segments, each one of
the
encrypted communication pathways having a one-to-one correspondence with one
of the
associated destination port numbers.
[00206] Certain embodiments may provide, for example, a product for managing
communications of a plurality of networked computing devices. In certain
embodiments,
for example, the product may comprise a non-transitory computer-readable
storage
medium having computer-readable program code embodied therein. In certain
embodiments, for example, the computer-readable program code may be executable
(or
program code compilable, linkable, and/or loadable to be executable) by a
computing
device (for example a computing device executing an operating system (for
example a
Linux operating system, a Linux-based operating system, a real time operating
system, a
mini-operating system, an edge device operating system, and/or an open source
operating system)) to enable and/or cause the computing device to perform
communication management operations. In certain embodiments, for example, the
communication management operations may comprise performing communication
processing functions on all port-to-network communications of the plurality of
computing
devices. In certain embodiments, for example, the performing communication
processing functions may comprise receiving a data packet from a source port,
the data
packet having a payload and an associated destination port number. In certain
embodiments, for example, the performing communication processing functions
may
comprise verifying that the source port is authorized to communicate with a
port having
the associated destination port number. In certain embodiments, for example,
the
performing communication processing functions may comprise assembling a packet
segment, the packet segments comprising the payload, an associated user-
application
identifier, and a payload data type descriptor. In certain embodiments, for
example, the
performing communication processing functions may comprise requesting
transmission
of a network packet through an encrypted communication pathway, the network
packets
comprising the associated destination port number and the assembled packet
segment,
the encrypted communication pathway having a one-to-one correspondence with
the
associated destination port number.
[00207] A. In certain embodiments, for example, the transmitted network packet
may
be exclusive of the destination port number associated with the received data
packet. In
certain embodiments, for example, the payload in the transmitted network
packet may be
re-associated with the destination port number only after the transmitted
network packet
94
CA 03077203 2020-03-26
WO 2019/071126 PCT/US2018/054609
is received at a second computing devices of the plurality of networked
computing
devices, the second computing device different from the computing device. In
certain
embodiments, for example, the associated destination port number may not be
transmitted from the computing device to the second computing device of the
plurality of
networked computing devices. In certain embodiments, for example, the
associated
destination port number may not be transmitted across a network coupled to one
or more
computing devices of the plurality of networked computing devices. In certain
embodiments, for example, the associated destination port number may not be
transmitted from the computing device via the network tunnel.
[00208] Certain embodiments may provide, for example, a product for managing
communications of a plurality of networked computing devices, the product
comprising a
non-transitory computer-readable storage medium having computer-readable
program
code embodied therein, the computer-readable program code executable (or
compilable,
linkable, and/or loadable to be executable) by a computing device to enable
and/or
cause the computing device to perform communication management operations, the
communication management operations comprising: performing communication
processing functions on all port-to-network communications of the plurality of
computing
devices, the performing communication processing functions comprising: i)
receiving a
data packet from a source port, the data packet having a payload and an
associated
destination port number; ii) verifying that the source port is authorized to
communicate
with a port having the associated destination port number; iii) assembling a
packet
segment, the packet segments comprising the payload, an associated user-
application
identifier, and a payload data type descriptor; and iv) requesting
transmission of a
network packet through an encrypted communication pathway, the network packets
comprising the associated destination port number and the assembled packet
segment,
the encrypted communication pathway having a one-to-one correspondence with
the
associated destination port number.
[00209] Certain embodiments may provide, for example, a product for managing
communications of a plurality of networked computing devices. In certain
embodiments,
for example, the product may comprise a non-transitory computer-readable
storage
medium having computer-readable program code embodied therein. In certain
embodiments, for example, the computer-readable program code may be executable
(or
program code compilable, linkable, and/or loadable to be executable) by a
computing
device (for example a computing device executing an operating system (for
example a
Linux operating system, a Linux-based operating system, a real time operating
system, a
mini-operating system, an edge device operating system, and/or an open source
CA 03077203 2020-03-26
WO 2019/071126 PCT/US2018/054609
operating system)) to enable and/or cause the computing device to perform
communication management operations. In certain embodiments, for example, the
communication management operations may comprise: performing communication
processing functions on at least a portion of network-to-port communications
(including,
for example, on all network-to-port communications) received by the plurality
of
computing devices. In certain embodiments, for example, the performing
communication
processing functions may comprise obtaining tunnel port numbers, metadata (for
example metadata encrypted using a single-use cryptographic key), and payloads
associated with network packets. In certain embodiments, for example, the
performing
communication processing functions may comprise identifying preconfigured,
predefined,
pre-established and/or preprovisioned destination port numbers and
preconfigured,
predefined, pre-established and/or preprovisioned authorization codes
associated with
the tunnel port numbers, each one of the authorization codes comprising a
preconfigured, predefined, pre-established and/or preprovisioned user-
application
process identifier and a preconfigured, predefined, pre-established and/or
preprovisioned
payload data-type identifier associated with one of the obtained tunnel port
numbers. In
certain embodiments, for example, the performing communication processing
functions
may comprise authorizing the network packets, comprising: comparing (for
example
comparing in application spaces or kernel spaces of the plurality of computing
devices)
metadata with the authorization codes. In certain embodiments, for example,
the
performing communication processing functions may comprise requesting
transmission
(for example across loopback interfaces, by TUN/TAP interfaces, or by kernel
read
and/or write calls) of payloads from the authorized network packets to
destinations
referenced by the destination port numbers. In certain embodiments, for
example, the
payloads may be passed to the destination port numbers by one or more loopback
interfaces.
[00210] A. In certain embodiments, for example, the obtaining, identifying,
authorizing, and requesting may be transparent to all user-application
processes on the
plurality of networked computing devices (for example by employing modified
network
application programming interface functions (for example in a modified
operating system)
while maintaining standard syntax). In certain embodiments, for example, the
obtaining,
identifying, authorizing, and requesting may be self-executing and/or
automatic (for
example requiring no human intervention, no interruption in computer execution
other
than ordinary, temporary process scheduling).
[00211] B. In certain embodiments, for example, the communication processing
functions may be performed at 95% of wire speed or greater and less than 10%
of the
96
CA 03077203 2020-03-26
WO 2019/071126 PCT/US2018/054609
processor load may be committed to network communications. In certain
embodiments,
for example, the destinations may comprise user-application processes. In
certain
embodiments, for example, the program code may be middleware positioned
between
the network and the destinations referenced by the destination port number. In
certain
embodiments, for example, the communication processing functions may further
comprise: dropping network packets if they are not authorized following the
comparing
(for example dropping network packets for which the metadata does not match
expected
values based on the authorization codes).
[00212] C. In certain embodiments, for example, the communication processing
functions may further comprise: setting connection status indicators to a non-
operative
state if more than a fixed number of network packets are not authorized
following the
comparing. In certain embodiments, for example, the communication processing
functions may further comprise: checking, the checking at least partially
performed in
kernels of the plural networked computing devices, a connection status of the
network.
In certain embodiments, for example, the communication processing functions
may
further comprise: dropping network packets that are received via one or more
network
tunnels whose connection status indicators are set to a non-operative state.
[00213] Certain embodiments may comprise, for example, a product for managing
communications of a plurality of networked computing devices, the product
comprising a
non-transitory computer-readable storage medium having computer-readable
program
code embodied therein, the computer-readable program code executable (or
compilable,
linkable, and/or loadable to be executable) by a computing device to enable
and/or
cause the computing device to perform communication management operations, the
communication management operations comprising: performing communication
processing functions on all network-to-port communications received by the
plurality of
computing devices, the performing communication processing functions
comprising: i)
obtaining tunnel port numbers, metadata, and payloads associated with network
packets;
ii) identifying preconfigured, predefined, pre-established and/or
preprovisioned
destination port numbers and preconfigured, predefined, pre-established and/or
preprovisioned authorization codes associated with the tunnel port numbers,
each one of
the authorization codes comprising a preconfigured, predefined, pre-
established and/or
preprovisioned user-application identifier and a preconfigured, predefined,
pre-
established and/or preprovisioned payload data-type identifier associated with
one of the
obtained tunnel port numbers; iii) authorizing the network packets,
comprising:
comparing at least a portion of the metadata with the authorization codes; and
iv)
97
CA 03077203 2020-03-26
WO 2019/071126 PCT/US2018/054609
requesting transmission of payloads from the authorized network packets to
destinations
referenced by the destination port numbers.
[00214] Certain embodiments may provide, for example, a product for managing
communications of a plurality of networked computing devices. In certain
embodiments,
for example, the product may comprise a non-transitory computer-readable
storage
medium having computer-readable program code embodied therein. In certain
embodiments, for example, the computer-readable program code may be executable
(or
program code compilable, linkable, and/or loadable to be executable) by a
computing
device (for example a computing device executing an operating system (for
example a
Linux operating system, a Linux-based operating system, a real time operating
system, a
mini-operating system, an edge device operating system, and/or an open source
operating system)) to enable and/or cause the computing device to perform
communication management operations. In certain embodiments, for example, the
communication management operations may comprise performing communication
processing functions on all network-to-port communications received by the
plurality of
computing devices. In certain embodiments, for example, the performing
communication
processing functions may comprise obtaining a port number, metadata, and a
payload
associated with a network packet received by the networked computing device.
In
certain embodiments, for example, the performing communication processing
functions
may comprise identifying a preconfigured, predefined, pre-established and/or
preprovisioned destination port number and a preconfigured, predefined, pre-
established
and/or preprovisioned authorization code associated with the obtained port
number, the
authorization code comprising a preconfigured, predefined, pre-established
and/or
preprovisioned user-application identifier and a preconfigured, predefined,
pre-
established and/or preprovisioned payload data-type identifier associated with
the
obtained port number. In certain embodiments, for example, the performing
communication processing functions may comprise authorizing the network
packet,
comprising: comparing the metadata with the authorization code. In certain
embodiments, for example, the performing communication processing functions
may
comprise requesting transmission of the payload to a destination referenced by
the
destination port number.
[00215] Certain embodiments may comprise, for example, a computer program
product for managing communications of a plurality of networked computing
devices, the
product comprising a non-transitory computer-readable storage medium having
computer-readable program code embodied therein, the computer-readable program
code executable (or compilable, linkable, and/or loadable to be executable) by
a
98
CA 03077203 2020-03-26
WO 2019/071126 PCT/US2018/054609
computing device to enable and/or cause the computing device to perform
communication management operations, the communication management operations
comprising: performing communication processing functions on all network-to-
port
communications received by the plurality of computing devices, the performing
communication processing functions comprising: i) obtaining a port number,
metadata,
and a payload associated with a network packet received by the networked
computing
device; ii) identifying a preconfigured, predefined, pre-established and/or
preprovisioned
destination port number and a preconfigured, predefined, pre-established
and/or
preprovisioned authorization code associated with the obtained port number,
the
authorization code comprising a preconfigured, predefined, pre-established
and/or
preprovisioned user-application identifier and a preconfigured, predefined,
pre-
established and/or preprovisioned payload data-type identifier associated with
the
obtained port number; iii) authorizing the network packet, comprising:
comparing the
metadata with the authorization code; and iv) requesting transmission of the
payload to a
destination referenced by the destination port number.
[00216] Certain embodiments may provide, for example, a product for managing
communications of a plurality of networked computing devices. In certain
embodiments,
for example, the product may comprise a non-transitory computer-readable
storage
medium having computer-readable program code embodied therein. In certain
embodiments, for example, the computer-readable program code may be executable
(or
program code compilable, linkable, and/or loadable to be executable) by a
computing
device (for example a computing device executing an operating system (for
example a
Linux operating system, a Linux-based operating system, a real time operating
system, a
mini-operating system, an edge device operating system, and/or an open source
operating system)) to enable and/or cause the computing device to perform
communication management operations. In certain embodiments, for example, the
communication management operations may comprise: performing communication
processing functions on at least a portion of network-to-port communications
(including,
for example, on all network-to-port communications) received by the plurality
of
computing devices. In certain embodiments, for example, the performing
communication
processing functions may comprise obtaining destination port numbers,
metadata, and
payloads associated with network packets. In certain embodiments, for example,
the
performing communication processing functions may comprise identifying
preconfigured,
predefined, pre-established and/or preprovisioned authorization codes
associated with
the destination port numbers, each one of the authorization codes comprising a
preconfigured, predefined, pre-established and/or preprovisioned user-
application
99
CA 03077203 2020-03-26
WO 2019/071126 PCT/US2018/054609
identifier and a preconfigured, predefined, pre-established and/or
preprovisioned payload
data-type identifier associated with one of the destination port numbers. In
certain
embodiments, for example, the performing communication processing functions
may
comprise authorizing the network packets, comprising: comparing at least a
portion of
the metadata with the authorization codes. In certain embodiments, for
example, the
performing communication processing functions may comprise requesting
transmission
of payloads from the authorized network packets to destinations referenced by
the
destination port numbers.
[00217] Certain embodiments may provide, for example, a product for managing
communications of a plurality of networked computing devices, the product
comprising a
non-transitory computer-readable storage medium having computer-readable
program
code embodied therein, the computer-readable program code executable by a
computing device to enable and/or cause the computing device to perform
communication management operations, the communication management operations
comprising: performing communication processing functions on all network-to-
port
communications received by the plurality of computing devices, the performing
communication processing functions comprising: i) obtaining destination port
numbers,
metadata, and payloads associated with network packets; ii) identifying
preconfigured,
predefined, pre-established and/or preprovisioned authorization codes
associated with
the destination port numbers, each one of the authorization codes comprising a
preconfigured, predefined, pre-established and/or preprovisioned user-
application
identifier and a preconfigured, predefined, pre-established and/or
preprovisioned payload
data-type identifier associated with one of the destination port numbers; iii)
authorizing
the network packets, comprising: comparing at least a portion of the metadata
with the
authorization codes; and iv) requesting transmission of payloads from the
authorized
network packets to destinations referenced by the destination port numbers.
[00218] Certain embodiments may provide, for example, a product for managing
communications of a plurality of networked computing devices. In certain
embodiments,
for example, the product may comprise a non-transitory computer-readable
storage
medium having computer-readable program code embodied therein. In certain
embodiments, for example, the computer-readable program code may be executable
(or
program code compilable, linkable, and/or loadable to be executable) by a
computing
device (for example a computing device executing an operating system (for
example a
Linux operating system, a Linux-based operating system, a real time operating
system, a
mini-operating system, an edge device operating system, and/or an open source
operating system)) to enable and/or cause the computing device to perform
100
CA 03077203 2020-03-26
WO 2019/071126 PCT/US2018/054609
communication management operations. In certain embodiments, for example, the
communication management operations may comprise performing communication
processing functions on all network-to-port communications received by the
plurality of
computing devices. In certain embodiments, for example, the performing
communication
processing functions may comprise obtaining a port number, metadata, and a
payload
associated with a network packet received by the networked computing device.
In
certain embodiments, for example, the performing communication processing
functions
may comprise identifying a preconfigured, predefined, pre-established and/or
preprovisioned destination port number and a preconfigured, predefined, pre-
established
and/or preprovisioned authorization code associated with the obtained port
number, the
authorization code comprising a preconfigured, predefined, pre-established
and/or
preprovisioned user-application identifier and a preconfigured, predefined,
pre-
established and/or preprovisioned payload data-type identifier associated with
the
obtained port number. In certain embodiments, for example, the performing
communication processing functions may comprise authorizing the network
packet,
comprising: comparing the metadata with the authorization code. In certain
embodiments, for example, the performing communication processing functions
may
comprise requesting transmission of the payload to a destination referenced by
the
preconfigured, predefined, pre-established and/or preprovisioned destination
port
number.
[00219] Certain embodiments may provide, for example, a product for managing
communications of a plurality of networked computing devices, the product
comprising a
non-transitory computer-readable storage medium having computer-readable
program
code embodied therein, the computer-readable program code executable (or
compilable,
linkable, and/or loadable to be executable) by a computing device to enable
and/or
cause the computing device to perform communication management operations, the
communication management operations comprising: performing communication
processing functions on all network-to-port communications received by the
plurality of
computing devices, the performing communication processing functions
comprising: i)
obtaining a port number, metadata, and a payload associated with a network
packet
received by the networked computing device; ii) identifying a preconfigured,
predefined,
pre-established and/or preprovisioned destination port number and a
preconfigured,
predefined, pre-established and/or preprovisioned authorization code
associated with the
obtained port number, the authorization code comprising a preconfigured,
predefined,
pre-established and/or preprovisioned user-application identifier and a
preconfigured,
predefined, pre-established and/or preprovisioned payload data-type identifier
101
CA 03077203 2020-03-26
WO 2019/071126 PCT/US2018/054609
associated with the obtained port number; iii) authorizing the network packet,
comprising:
comparing the metadata with the authorization code; and iv) requesting
transmission of
the payload to a destination referenced by the preconfigured, predefined, pre-
established
and/or preprovisioned destination port number.
[00220] Certain embodiments may provide, for example, a product for managing
communications of a plurality of networked computing devices. In certain
embodiments,
for example, the product may comprise a non-transitory computer-readable
storage
medium having a plurality of computer-readable program code embodied therein,
the
plurality of computer-readable program code for distributed execution across
the plurality
of networked computing devices to cooperatively enable and/or cause the
plurality of
networked computing devices to perform communication management operations. In
certain embodiments, for example, the communication management operations may
comprise negotiating, on a first computing device, a first data pathway
between a first
user-application and a first network security program code of the plurality of
computer-
readable program code. In certain embodiments, for example, the communication
management operations may comprise negotiating, on a second computing device,
a
second data pathway between a second network security program of the plurality
of
computer-readable program code and a second user-application. In certain
embodiments, for example, the communication management operations may comprise
negotiating a third data pathway between the first network security program
and the
second network security program, the third data pathway comprising an
encrypted
network tunnel, each of the first data pathway, second data pathway, and third
data
pathway participate to form at least a part of a dedicated data pathway for
exclusively
communicating data from a first port of the first user-application to a second
port of the
second user-application.
[00221] Certain embodiments may provide, for example, a product for managing
communications of a plurality of networked computing devices, the product
comprising a
non-transitory computer-readable storage medium having a plurality of computer-
readable program code embodied therein, the plurality of computer-readable
program
code for distributed execution across the plurality of networked computing
devices to
cooperatively enable and/or cause the plurality of networked computing devices
to
perform communication management operations, the communication management
operations comprising: i) negotiating, on a first computing device, a first
data pathway
between a first user-application and a first network security program code of
the plurality
of computer-readable program code; ii) negotiating, on a second computing
device, a
second data pathway between a second network security program of the plurality
of
102
CA 03077203 2020-03-26
WO 2019/071126 PCT/US2018/054609
computer-readable program code and a second user-application; and iii)
negotiating a
third data pathway between the first network security program and the second
network
security program, the third data pathway comprising an encrypted network
tunnel, each
of the first data pathway, second data pathway, and third data pathway
participate to
form at least a part of a dedicated data pathway for exclusively communicating
data from
a first port of the first user-application to a second port of the second user-
application.
[00222] Certain embodiments may provide, for example, a product for managing
communications of a plurality of networked computing devices. In certain
embodiments,
for example, the product may comprise a non-transitory computer-readable
storage
medium having a plurality of computer-readable program code embodied therein,
the
plurality of computer-readable program code for distributed execution across
the plurality
of networked computing devices to cooperatively enable and/or cause the
plurality of
networked computing devices to perform communication management operations. In
certain embodiments, for example, the communication management operations may
comprise negotiating, on a first computing device, a first data pathway
between a first
user-application and a first network security program of the plural security
programs. In
certain embodiments, for example, the communication management operations may
comprise negotiating, on a second computing device, a second data pathway
between a
second network security program of the plural security programs and a second
user-
application. In certain embodiments, for example, the communication management
operations may comprise negotiating a third data pathway between the first
network
security program and the second network security program, the third data
pathway
comprising an encrypted communication pathway, each of the first data pathway,
second
data pathway, and third data pathway exclusive to a dedicated data pathway for
communicating data from a first port of the first user-application to a second
port of the
second user-application.
[00223] Certain embodiments may provide, for example, a product for managing
communications of a plurality of networked computing devices, the product
comprising a
non-transitory computer-readable storage medium having a plurality of computer-
readable program code embodied therein, the plurality of computer-readable
program
code for distributed execution across the plurality of networked computing
devices to
cooperatively enable and/or cause the plurality of networked computing devices
to
perform communication management operations, the communication management
operations comprising: i) negotiating, on a first computing device, a first
data pathway
between a first user-application and a first network security program of the
plural security
programs; ii) negotiating, on a second computing device, a second data pathway
103
CA 03077203 2020-03-26
WO 2019/071126 PCT/US2018/054609
between a second network security program of the plural security programs and
a
second user-application; iii) negotiating a third data pathway between the
first network
security program and the second network security program, the third data
pathway
comprising an encrypted communication pathway, each of the first data pathway,
second
data pathway, and third data pathway exclusive to a dedicated data pathway for
communicating data from a first port of the first user-application to a second
port of the
second user-application.
[00224] Certain embodiments may provide, for example, a secured system,
comprising: i) a first node networked with a second node, the first node
hosting a first
application program, the second node hosting a second application program; and
ii)
plural network security programs cooperatively configured according to plural
configuration files to negotiate one or plural dedicated data pathways for all
communications between the first application program and the second
application
program, each of the one or plural data pathways comprising: an encrypted
network
tunnel extending from a first network security program of the plural network
security
programs to a second network security program of the plural network security
programs,
the first network security program and the second network security program
interposed
between the first application program and the second application program; each
of the
plural configuration files comprising: a) one or plural destination port
numbers associated
with the second application program; b) one or plural destination port numbers
associated with the second network security program, comprising at least one
port
number for each one of the one or plural destination port numbers associated
with the
second application program; c) one or plural first user-application
identifiers associated
with the first application program; d) one or plural second user-application
identifiers
associated with the second application program; e) one or plural data type
identifiers;
and f) node identification codes for the first node and the second node,
processor, or
computing device.
[00225] Certain embodiments may provide, for example, a secured system,
comprising: i) a first node networked with a second node, the first node
hosting a first
application program, the second node hosting a second application program; and
ii)
plural network security programs cooperatively configured according to plural
configuration files to negotiate one or plural dedicated data pathways for all
communications between the first application program and the second
application
program, each of the one or plural data pathways comprising: an encrypted
communication pathway extending from a first network security program of the
plural
network security programs to a second network security program of the plural
network
104
CA 03077203 2020-03-26
WO 2019/071126 PCT/US2018/054609
security programs, the first network security program and the second network
security
program interposed between the first application program and the second
application
program; each of the plural configuration files comprising: a) one or plural
destination
port numbers associated with the second application program; b) one or plural
first user-
application identifiers associated with the first application program; c) one
or plural
second user-application identifiers associated with the second application
program; d)
one or plural data type identifiers; and e) node identification codes for the
first node and
the second node, processor, or computing device.
[00226] Certain embodiments may provide, for example, a secured system,
comprising: i) a first node networked with a second node, a) the first node
hosting a first
application program, a first configuration file and a first network security
program
associated with the first configuration file; and b) the second node hosting a
second
application program, a second configuration file, and a second network
security program
associated with the second configuration file; and ii) the first and second
network security
programs cooperatively configured to negotiate one or plural dedicated data
pathways
for all communications between the first application program and the second
application
program, a) each of the one or plural data pathways comprising the first
network security
program and the second network security program interposed between the first
application program and the second application program; and b) each of the one
or
plural data pathways comprising: an encrypted network tunnel between the first
network
security program and the second network security program, each of the plural
configuration files comprising at least one of the following: a) one or plural
destination
port numbers associated with the second application program; b) one or plural
destination port numbers associated with the second network security program,
comprising at least one port number for each one of the one or plural
destination port
numbers associated with the second application program; c) one or plural first
user-
application identifiers associated with the first application program; d) one
or plural
second user-application identifiers associated with the second application
program; e)
one or plural data type identifiers; and f) node identification codes for the
first node and
the second node, processor, or computing device.
[00227] Certain embodiments may provide, for example, a secured system,
comprising: i) a first node networked with a second node, a) the first node
hosting a first
application program, a first configuration file and a first network security
program
associated with the first configuration file; and b) the second node hosting a
second
application program, a second configuration file, and a second network
security program
associated with the second configuration file; and ii) the first and second
network security
105
CA 03077203 2020-03-26
WO 2019/071126 PCT/US2018/054609
programs cooperatively configured to negotiate one or plural dedicated data
pathways
for all communications between the first application program and the second
application
program, a) each of the one or plural data pathways comprising the first
network security
program and the second network security program interposed between the first
application program and the second application program; and b) each of the one
or
plural data pathways comprising: an encrypted data pathway between the first
network
security program and the second network security program, each of the plural
configuration files comprising at least one of the following: a) one or plural
destination
port numbers associated with the second application program; b) one or plural
first user-
application identifiers associated with the first application program; c) one
or plural
second user-application identifiers associated with the second application
program; d)
one or plural data type identifiers; and e) node identification codes for the
first node and
the second node, processor, or computing device.
[00228] Certain embodiments may provide, for example, a product for managing
communications in a cloud, the product comprising a non-transitory computer-
readable
storage medium having computer-readable program code embodied therein, the
computer-readable program code executable (or compilable, linkable, and/or
loadable to
be executable) by a computing device to enable and/or cause the computing
device to
perform communication management operations. In certain embodiments, for
example,
the communication management operations may comprise performing communication
processing functions on all network-to-port communications received by a
virtual
machine. In certain embodiments, for example, the performing communication
processing functions may comprise obtaining port numbers, metadata, and
payloads
associated with network packets. In certain embodiments, for example, the
performing
communication processing functions may comprise identifying predefined
destination
port numbers and predefined authorization codes associated with the obtained
port
numbers, each one of the predefined authorization codes comprising a
predefined user-
application identifier and a predefined payload data-type identifier
associated with one of
the obtained port numbers. In certain embodiments, for example, the performing
communication processing functions may comprise authorizing the network
packets,
comprising: comparing at least a portion of the metadata with the predefined
authorization codes. In certain embodiments, for example, the performing
communication processing functions may comprise requesting transmission of
payloads
from the authorized network packets to cloud resources referenced by the
predefined
destination port numbers.
106
CA 03077203 2020-03-26
WO 2019/071126 PCT/US2018/054609
[00229] Certain embodiments may provide, for example, a product for managing
communications in a cloud, the product comprising a non-transitory computer-
readable
storage medium having computer-readable program code embodied therein, the
computer-readable program code executable (or compilable, linkable, and/or
loadable to
be executable) by a computing device to enable and/or cause the computing
device to
perform communication management operations, the communication management
operations comprising: performing communication processing functions on all
network-
to-port communications received by a virtual machine, the performing
communication
processing functions comprising: i) obtaining port numbers, metadata, and
payloads
associated with network packets; ii) identifying predefined destination port
numbers and
predefined authorization codes associated with the obtained port numbers, each
one of
the predefined authorization codes comprising a predefined user-application
identifier
and a predefined payload data-type identifier associated with one of the
obtained port
numbers; iii) authorizing the network packets, comprising: comparing at least
a portion of
the metadata with the predefined authorization codes; and iv) requesting
transmission of
payloads from the authorized network packets to cloud resources referenced by
the
predefined destination port numbers.
[00230] Certain embodiments may provide, for example, a method for managing
communications. In certain embodiments, for example, the method may comprise
intercepting network connection requests (for example by network application
programming interfaces) having associated destination port numbers. In certain
embodiments, for example, the method may comprise identifying preconfigured,
predefined, pre-established and/or preprovisioned tunnel port numbers (for
example
predefined tunnel port numbers associated with servers), comprising
identifying at least
one (for example, one) preconfigured, predefined, pre-established and/or
preprovisioned
tunnel port number for each associated destination port number of the
associated
destination port numbers. In certain embodiments, for example, the method may
comprise requesting the negotiation of network tunnels, the requesting
comprising
sending connection request packets comprising the tunnel port numbers (and
also, for
example, cipher suite parameters), each one of the network tunnels having a
one-to-one
correspondence with one of the tunnel port numbers. In certain embodiments,
for
example, the method may comprise authorizing the network tunnels, comprising
comparing computing device identifiers, user-application identifiers (for
example user-
application identifiers derived from application process identifiers and/or
application
process owners, together or in parts), and payload data-type identifiers
received from the
network tunnels with preconfigured, predefined, pre-established and/or
preprovisioned
107
CA 03077203 2020-03-26
WO 2019/071126 PCT/US2018/054609
authorization codes. In certain further embodiments, for example, the
computing device
identifiers, user-application identifiers, and/or payload data-type
identifiers may be
encrypted and require decryption before the comparing.
[00231] Certain embodiments may provide, for example, a method for managing
communications, comprising: i) intercepting network connection requests having
associated destination port numbers; ii) identifying preconfigured,
predefined, pre-
established and/or preprovisioned tunnel port numbers, comprising identifying
at least
one tunnel port number for each associated destination port number of the
associated
destination port numbers; iii) requesting the negotiation of network tunnels,
the
requesting comprising sending connection request packets comprising the tunnel
port
numbers, each one of the network tunnels having a one-to-one correspondence
with one
of the tunnel port numbers; and iv) authorizing the network tunnels,
comprising
comparing computing device identifiers, user-application identifiers, and
payload data-
type identifiers received from the network tunnels with preconfigured,
predefined, pre-
established and/or preprovisioned authorization codes.
[00232] Certain embodiments may provide, for example, a method for managing
communications. In certain embodiments, for example, the method may comprise
intercepting a network connection request having an associated destination
port number.
In certain embodiments, for example, the method may comprise identifying a
preconfigured, predefined, pre-established and/or preprovisioned tunnel port
number
associated with the destination port number. In certain embodiments, for
example, the
method may comprise requesting the forming of a network tunnel, the forming
comprising sending a connection request packet comprising the tunnel port
number. In
certain embodiments, for example, the method may comprise authorizing the
network
tunnel, comprising comparing a computing device identifier, a user-application
identifier,
and a payload data-type identifier received from the network tunnel with a
preconfigured,
predefined, pre-established and/or preprovisioned authorization code.
[00233] Certain embodiments may provide, for example, a method for managing
communications, comprising: i) intercepting a network connection request
having an
associated destination port number; ii) identifying a preconfigured,
predefined, pre-
established and/or preprovisioned tunnel port number associated with the
destination
port number; iii) requesting the forming of a network tunnel, the forming
comprising
sending a connection request packet comprising the tunnel port number; and iv)
authorizing the network tunnel, comprising comparing a computing device
identifier, a
user-application identifier, and a payload data-type identifier received from
the network
108
CA 03077203 2020-03-26
WO 2019/071126 PCT/US2018/054609
tunnel with a preconfigured, predefined, pre-established and/or preprovisioned
authorization code.
[00234] Certain embodiments may provide, for example, a method for managing
communications. In certain embodiments, for example, the method may comprise
intercepting network connection requests from source ports (for example the
source
ports may comprise ports associated with user-application processes), the
requests
having associated destination port numbers. In certain embodiments, for
example, the
method may comprise verifying that the source ports are authorized to
communicate with
ports having the associated destination port numbers. In certain embodiments,
for
example, the method may comprise requesting the negotiation of network
tunnels,
comprising sending connection request packets comprising the associated
destination
port numbers, each one of the network tunnels having a one-to-one
correspondence with
one of the associated destination port numbers. In certain embodiments, for
example,
the method may comprise authorizing the network tunnels, comprising comparing
computing device identifiers, user-application identifiers, and/or payload
data-type
identifiers received from the network tunnels with preconfigured, predefined,
pre-
established and/or preprovisioned authorization codes. In certain further
embodiments,
for example, the computing device identifiers, user-application identifiers,
and/or payload
data-type identifiers may be encrypted and require decryption before the
comparing.
[00235] Certain embodiments may provide, for example, a method for managing
communications, comprising: i) intercepting network connection requests from
source
ports, the requests having associated destination port numbers; ii) verifying
that the
source ports are authorized to communicate with ports having the associated
destination
port numbers; iii) requesting the negotiation of network tunnels, comprising
sending
connection request packets comprising the associated destination port numbers,
each
one of the network tunnels having a one-to-one correspondence with one of the
associated destination port numbers; and iv) authorizing the network tunnels,
comprising
comparing computing device identifiers, user-application identifiers, and
payload data-
type identifiers received from the network tunnels with preconfigured,
predefined, pre-
established and/or preprovisioned authorization codes.
[00236] Certain embodiments may provide, for example, a method for managing
communications. In certain embodiments, for example, the method may comprise
intercepting network connection requests having associated destination port
numbers.
In certain embodiments, for example, the establishing may comprise identifying
preconfigured, predefined, pre-established and/or preprovisioned encrypted
communication port numbers, comprising identifying at least one preconfigured,
109
CA 03077203 2020-03-26
WO 2019/071126 PCT/US2018/054609
predefined, pre-established and/or preprovisioned encrypted communication port
number for each associated destination port number of the associated
destination port
numbers. In certain embodiments, for example, the establishing may comprise
requesting the negotiation of encrypted communication pathways, the requesting
comprising sending connection request packets comprising the encrypted
communication port numbers, each one of the encrypted communication pathways
having a one-to-one correspondence with one of the encrypted communication
port
numbers. In certain embodiments, for example, the establishing may comprise
authorizing the encrypted communication pathways, comprising comparing
computing
device identifiers, user-application identifiers, and/or payload data-type
identifiers
received from the encrypted communication pathways with preconfigured,
predefined,
pre-established and/or preprovisioned authorization codes.
[00237] Certain embodiments may provide, for example, a method for managing
communications, comprising: i) intercepting network connection requests having
associated destination port numbers; ii) identifying preconfigured,
predefined, pre-
established and/or preprovisioned encrypted communication port numbers,
comprising
identifying at least one preconfigured, predefined, pre-established and/or
preprovisioned
encrypted communication port number for each associated destination port
number of
the associated destination port numbers; iii) requesting the negotiation of
encrypted
communication pathways, the requesting comprising sending connection request
packets comprising the encrypted communication port numbers, each one of the
encrypted communication pathways having a one-to-one correspondence with one
of the
encrypted communication port numbers; and iv) authorizing the encrypted
communication pathways, comprising comparing computing device identifiers,
user-
application identifiers, and payload data-type identifiers received from the
encrypted
communication pathways with preconfigured, predefined, pre-established and/or
preprovisioned authorization codes.
[00238] Certain embodiments may provide, for example, a product for managing
communications of a plurality of networked computing devices. In certain
embodiments,
for example, the product may comprise a non-transitory computer-readable
storage
medium having computer-readable program code embodied therein. In certain
embodiments, for example, the computer-readable program code may be executable
(or
program code compilable, linkable, and/or loadable to be executable) by a
computing
device (for example a computing device executing an operating system (for
example a
Linux operating system, a Linux-based operating system, a real time operating
system, a
mini-operating system, an edge device operating system, and/or an open source
110
CA 03077203 2020-03-26
WO 2019/071126 PCT/US2018/054609
operating system)) to enable and/or cause the computing device to perform
communication management operations. In certain embodiments, for example, the
communication management operations may comprise establishing authorized
encrypted communication pathways for at least one port-to-port network
communication
(including, for example, all port-to-port network communications) among the
plurality of
networked computing devices. In certain embodiments, for example, the
establishing
may comprise intercepting network connection requests from source ports (for
example
source ports that have been opened by and have a predetermined relationship
with
authorized applications), the requests having associated destination port
numbers. In
certain embodiments, for example, the method may comprise verifying that the
source
ports are authorized to communicate with ports having the associated
destination port
numbers. In certain embodiments, for example, the method may comprise
requesting
the negotiation of encrypted communication pathways, the requesting comprising
sending connection request packets comprising the associated destination port
numbers.
In certain embodiments, for example, the method may comprise authorizing the
encrypted communication pathways, comprising comparing computing device
identifiers,
user-application identifiers, and/or payload data-type identifiers received
from the
encrypted communication pathways with preconfigured, predefined, pre-
established
and/or preprovisioned authorization codes.
[00239] Certain embodiments may provide, for example, a method for managing
communications, comprising: i) intercepting network connection requests from
source
ports, the requests having associated destination port numbers; ii) verifying
that the
source ports are authorized to communicate with ports having the associated
destination
port numbers; iii) requesting the negotiation of encrypted communication
pathways, the
requesting comprising sending connection request packets comprising the
associated
destination port numbers; and iv) authorizing the encrypted communication
pathways,
comprising comparing computing device identifiers, user-application
identifiers, and
payload data-type identifiers received from the encrypted communication
pathways with
preconfigured, predefined, pre-established and/or preprovisioned authorization
codes.
[00240] Certain embodiments may provide, for example, a method for managing
communications. In certain embodiments, for example, the method may comprise
intercepting a network connection request from a source port, the request
having an
associated destination port number. In certain embodiments, for example, the
method
may comprise verifying that the source port is authorized to communicate with
a port
having the associated destination port number. In certain embodiments, for
example,
the method may comprise may comprise requesting the negotiation of a network
tunnel,
111
CA 03077203 2020-03-26
WO 2019/071126 PCT/US2018/054609
comprising sending a connection request packet comprising the associated
destination
port number. In certain embodiments, for example, the method may comprise
authorizing the network tunnel, comprising comparing a computing device
identifiers, a
user-application identifier, and a payload data-type identifier received from
the network
tunnel with a preconfigured, predefined, pre-established and/or preprovisioned
authorization code.
[00241] Certain embodiments may provide, for example, a method for managing
communications, comprising: i) intercepting a network connection request from
a source
port, the request having an associated destination port number; ii) verifying
that the
source port is authorized to communicate with a port having the associated
destination
port number; iii) requesting the negotiation of a network tunnel, comprising
sending a
connection request packet comprising the associated destination port number;
and iv)
authorizing the network tunnel, comprising comparing a computing device
identifiers, a
user-application identifier, and a payload data-type identifier received from
the network
tunnel with a preconfigured, predefined, pre-established and/or preprovisioned
authorization code.
[00242] Certain embodiments may provide, for example, a method for managing
communications. In certain embodiments, for example, the method may comprise
intercepting a network connection request having an associated destination
port number.
In certain embodiments, for example, the method may comprise identifying a
preconfigured, predefined, pre-established and/or preprovisioned encrypted
communication port number associated with the destination port number. In
certain
embodiments, for example, the method may comprise requesting the negotiation
of an
encrypted communication pathway, the requesting comprising sending a
connection
request packet comprising the encrypted communication port number. In certain
embodiments, for example, the method may comprise authorizing the encrypted
communication pathway, comprising comparing a computing device identifier, a
user-
application identifier, and a payload data-type identifier received from the
encrypted
communication pathway with a preconfigured, predefined, pre-established and/or
preprovisioned authorization code.
[00243] Certain embodiments may provide, for example, a method for managing
communications, comprising: i) intercepting a network connection request
having an
associated destination port number; ii) identifying a preconfigured,
predefined, pre-
established and/or preprovisioned encrypted communication port number
associated
with the destination port number; iii) requesting the negotiation of an
encrypted
communication pathway, the requesting comprising sending a connection request
packet
112
CA 03077203 2020-03-26
WO 2019/071126 PCT/US2018/054609
comprising the encrypted communication port number; and iv) authorizing the
encrypted
communication pathway, comprising comparing a computing device identifier, a
user-
application identifier, and a payload data-type identifier received from the
encrypted
communication pathway with a preconfigured, predefined, pre-established and/or
preprovisioned authorization code.
[00244] Certain embodiments may provide, for example, a method for managing
communications. In certain embodiments, for example, the method may comprise
intercepting a network connection request from a source port, the request
having an
associated destination port number. In certain embodiments, for example, the
method
may comprise verifying that the source port is authorized to communicate with
a port
having the associated destination port number. In certain embodiments, for
example,
the method may comprise requesting the negotiation of an encrypted
communication
pathway, the requesting comprising sending a connection request packet
comprising the
associated destination port number. In certain embodiments, for example, the
method
may comprise authorizing the encrypted communication pathway, comprising
comparing
a computing device identifier, a user-application identifier, and a payload
data-type
identifier received from the encrypted communication pathway with a
preconfigured,
predefined, pre-established and/or preprovisioned authorization code.
[00245] Certain embodiments may provide, for example, a method for managing
communications, comprising: i) intercepting a network connection request from
a source
port, the request having an associated destination port number; ii) verifying
that the
source port is authorized to communicate with a port having the associated
destination
port number; iii) requesting the negotiation of an encrypted communication
pathway, the
requesting comprising sending a connection request packet comprising the
associated
destination port number; and iv) authorizing the encrypted communication
pathway,
comprising comparing a computing device identifier, a user-application
identifier, and a
payload data-type identifier received from the encrypted communication pathway
with a
preconfigured, predefined, pre-established and/or preprovisioned authorization
code.
[00246] Certain embodiments may provide, for example, a method for managing
communications of a plurality of networked computing devices. In certain
embodiments,
for example, the method may comprise receiving data packets (for example from
a user-
application process via a loopback interface) having payloads and associated
destination
port numbers (the associated destination port numbers may include, for
example, a
destination port number associated with a destination port of a network
security
process). In certain embodiments, for example, the method may comprise
identifying
preconfigured, predefined, pre-established and/or preprovisioned tunnel port
numbers,
113
CA 03077203 2020-03-26
WO 2019/071126 PCT/US2018/054609
each one of the tunnel port numbers having a one-to-one correspondence with
one of
the associated destination port numbers. In certain embodiments, for example,
the
method may comprise assembling packet segments, each one of the packet
segments
comprising one of the payloads, an associated user-application process
identifier, and a
payload data type descriptor. In certain embodiments, for example, the
associated user-
application process identifier may comprise a process identifier and/or a
process owner.
In certain embodiments, for example, the associated user-application process
identifier,
and a payload data type descriptor may be combined (or concatenated) in a
metadata
portion of the packet segment. In certain embodiments, for example, the
metadata may
be encrypted, for example by a single-use cryptographic key. In certain
embodiments,
for example, the method may comprise requesting transmission of network
packets
through network tunnels (for example at least a different network tunnel for
each
application-to-application communication of a specified data protocol type),
each one of
the network packets comprising a tunnel port number of one of the tunnel port
numbers
and one of the assembled packet segments, each one of the network tunnels
having a
one-to-one correspondence with one of the tunnel port numbers.
[00247] Certain embodiments may provide, for example, a method for managing
communications, comprising: i) receiving data packets having payloads and
associated
destination port numbers; ii) identifying preconfigured, predefined, pre-
established and/or
preprovisioned tunnel port numbers, each one of the tunnel port numbers having
a one-
to-one correspondence with one of the associated destination port numbers;
iii)
assembling packet segments, each one of the packet segments comprising one of
the
payloads, an associated user-application process identifier, and a payload
data type
descriptor; and iv) requesting transmission of network packets through network
tunnels,
each one of the network packets comprising a tunnel port number of one of the
tunnel
port numbers and one of the assembled packet segments, each one of the network
tunnels having a one-to-one correspondence with one of the tunnel port
numbers.
[00248] Certain embodiments may provide, for example, a method for managing
communications of a plurality of networked computing devices. In certain
embodiments,
for example, the method may comprise receiving a data packet having a payload
and an
associated destination port number. In certain embodiments, for example, the
method
may comprise identifying a preconfigured, predefined, pre-established and/or
preprovisioned tunnel port number associated with the destination port number.
In
certain embodiments, for example, the method may comprise assembling a packet
segment, the packet segment comprising the payload, an associated user-
application
identifier, and a payload data type descriptor. In certain embodiments, for
example, the
114
CA 03077203 2020-03-26
WO 2019/071126 PCT/US2018/054609
method may comprise requesting transmission of a network packet through a
network
tunnel, the network packet comprising the tunnel port number and the assembled
packet
segment, the network tunnel having a one-to-one correspondence with the tunnel
port
number.
[00249] Certain embodiments may provide, for example, a method for managing
communications, comprising: i) receiving a data packet having a payload and an
associated destination port number; ii) identifying a preconfigured,
predefined, pre-
established and/or preprovisioned tunnel port number associated with the
destination
port number; iii) assembling a packet segment, the packet segment comprising
the
payload, an associated user-application identifier, and a payload data type
descriptor;
and iv) requesting transmission of a network packet through a network tunnel,
the
network packet comprising the tunnel port number and the assembled packet
segment,
the network tunnel having a one-to-one correspondence with the tunnel port
number.
[00250] Certain embodiments may provide, for example, a method for managing
communications. In certain embodiments, for example, the method may comprise
receiving data packets from source ports, the data packets having payloads and
associated destination port numbers. In certain embodiments, for example, the
method
may comprise verifying that the source ports are authorized to communicate
with ports
having the associated destination port numbers. In certain embodiments, for
example,
the method may comprise assembling packet segments, each one of the packet
segments comprising one of the payloads, an associated user-application
identifier, and
a payload data type descriptor. In certain embodiments, for example, the
method may
comprise requesting transmission of network packets through network tunnels,
each one
of the network packets comprising a port number of one of the associated
destination
port numbers and one of the assembled packet segments, each one of the network
tunnels having a one-to-one correspondence with one of the associated
destination port
numbers.
[00251] Certain embodiments may provide, for example, a method for managing
communications, comprising: i) receiving data packets from source ports, the
data
packets having payloads and associated destination port numbers; ii) verifying
that the
source ports are authorized to communicate with ports having the associated
destination
port numbers; iii) assembling packet segments, each one of the packet segments
comprising one of the payloads, an associated user-application identifier, and
a payload
data type descriptor; and iv) requesting transmission of network packets
through network
tunnels, each one of the network packets comprising a port number of one of
the
associated destination port numbers and one of the assembled packet segments,
each
115
CA 03077203 2020-03-26
WO 2019/071126 PCT/US2018/054609
one of the network tunnels having a one-to-one correspondence with one of the
associated destination port numbers.
[00252] Certain embodiments may provide, for example, a method for managing
communications. In certain embodiments, for example, the method may comprise
receiving data packets having payloads and associated destination port
numbers. In
certain embodiments, for example, the method may comprise identifying
preconfigured,
predefined, pre-established and/or preprovisioned port numbers, each one of
the port
numbers having a one-to-one correspondence with one of the associated
destination
port numbers. In certain embodiments, for example, the method may comprise
assembling packet segments, each one of the packet segments comprising one of
the
payloads, an associated user-application identifier, and a payload data type
descriptor.
In certain embodiments, for example, the method may comprise requesting
transmission
of network packets through encrypted communication pathways, each one of the
network packets comprising a port number of one of the port numbers and one of
the
assembled packet segments, each one of the encrypted communication pathways
having a one-to-one correspondence with one of the port numbers.
[00253] Certain embodiments may provide, for example, a method for managing
communications, comprising: i) receiving data packets having payloads and
associated
destination port numbers; ii) identifying preconfigured, predefined, pre-
established and/or
preprovisioned port numbers, each one of the port numbers having a one-to-one
correspondence with one of the associated destination port numbers; iii)
assembling
packet segments, each one of the packet segments comprising one of the
payloads, an
associated user-application identifier, and a payload data type descriptor;
and iv)
requesting transmission of network packets through encrypted communication
pathways,
each one of the network packets comprising a port number of one of the port
numbers
and one of the assembled packet segments, each one of the encrypted
communication
pathways having a one-to-one correspondence with one of the port numbers.
[00254] Certain embodiments may provide, for example, a method for managing
communications. In certain embodiments, for example, the method may comprise
receiving data packets, the data packets comprising messages and associated
destination port numbers. In certain embodiments, for example, the method may
comprise identifying preconfigured, predefined, pre-established and/or
preprovisioned
port numbers, each one of the port numbers having a one-to-one correspondence
with
one of the associated destination port numbers. In certain embodiments, for
example,
the method may comprise may comprise assembling packet segments, each one of
the
packet segments comprising at least a portion of one of the messages, an
associated
116
CA 03077203 2020-03-26
WO 2019/071126
PCT/US2018/054609
user-application identifier, and a payload data type descriptor. In certain
embodiments,
for example, the method may comprise requesting transmission of network
packets
through encrypted communication pathways, each one of the network packets
comprising a port number of one of the port numbers and one of the assembled
packet
segments, each one of the encrypted communication pathways having a one-to-one
correspondence with one of the port numbers.
[00255] Certain embodiments may provide, for example, a method for managing
communications, comprising: i) receiving data packets, the data packets
comprising
messages and associated destination port numbers; ii) identifying
preconfigured,
predefined, pre-established and/or preprovisioned port numbers, each one of
the port
numbers having a one-to-one correspondence with one of the associated
destination
port numbers; iii) assembling packet segments, each one of the packet segments
comprising at least a portion of one of the messages, an associated user-
application
identifier, and a payload data type descriptor; and iv) requesting
transmission of network
packets through encrypted communication pathways, each one of the network
packets
comprising a port number of one of the port numbers and one of the assembled
packet
segments, each one of the encrypted communication pathways having a one-to-one
correspondence with one of the port numbers.
[00256] Certain embodiments may provide, for example, a method for managing
communications. In certain embodiments, for example, the method may comprise
receiving data packets, the data packets comprising messages and associated
destination port numbers, the messages comprising user-application identifiers
and
payload data type descriptors. In certain embodiments, for example, the method
may
comprise identifying preconfigured, predefined, pre-established and/or
preprovisioned
port numbers, each one of the port numbers having a one-to-one correspondence
with
one of the associated destination port numbers. In certain embodiments, for
example,
the method may comprise assembling packet segments, each one of the packet
segments comprising at least a portion of one of the messages, the at least a
portion of
one of the messages comprising one of the user-application identifiers and one
of the
payload data type descriptors. In certain embodiments, for example, the method
may
comprise requesting transmission of network packets through encrypted
communication
pathways, each one of the network packets comprising a port number of one of
the port
numbers and one of the assembled packet segments, each one of the encrypted
communication pathways having a one-to-one correspondence with one of the port
numbers.
117
CA 03077203 2020-03-26
WO 2019/071126 PCT/US2018/054609
[00257] Certain embodiments may provide, for example, a method for managing
communications, comprising: i) receiving data packets, the data packets
comprising
messages and associated destination port numbers, the messages comprising user-
application identifiers and payload data type descriptors; ii) identifying
preconfigured,
predefined, pre-established and/or preprovisioned port numbers, each one of
the port
numbers having a one-to-one correspondence with one of the associated
destination
port numbers; iii) assembling packet segments, each one of the packet segments
comprising at least a portion of one of the messages, the at least a portion
of one of the
messages comprising one of the user-application identifiers and one of the
payload data
type descriptors; and iv) requesting transmission of network packets through
encrypted
communication pathways, each one of the network packets comprising a port
number of
one of the port numbers and one of the assembled packet segments, each one of
the
encrypted communication pathways having a one-to-one correspondence with one
of the
port numbers.
[00258] Certain embodiments may provide, for example, a method for managing
communications. In certain embodiments, for example, the method may comprise
receiving data packets from source ports, the data packets having payloads and
associated destination port numbers. In certain embodiments, for example, the
method
may comprise verifying that the source ports are authorized to communicate
with ports
having the associated destination port numbers. In certain embodiments, for
example,
the method may comprise assembling packet segments, each one of the packet
segments comprising one of the payloads, an associated user-application
identifier, and
a payload data type descriptor. In certain embodiments, for example, the
method may
comprise requesting transmission of network packets through encrypted
communication
pathways, each one of the network packets comprising a port number of one of
the
associated destination port numbers and one of the assembled packet segments,
each
one of the encrypted communication pathways having a one-to-one correspondence
with
one of the associated destination port numbers.
[00259] Certain embodiments may provide, for example, a method for managing
communications, comprising: i) receiving data packets from source ports, the
data
packets having payloads and associated destination port numbers; ii) verifying
that the
source ports are authorized to communicate with ports having the associated
destination
port numbers; iii) assembling packet segments, each one of the packet segments
comprising one of the payloads, an associated user-application identifier, and
a payload
data type descriptor; and iv) requesting transmission of network packets
through
encrypted communication pathways, each one of the network packets comprising a
port
118
CA 03077203 2020-03-26
WO 2019/071126 PCT/US2018/054609
number of one of the associated destination port numbers and one of the
assembled
packet segments, each one of the encrypted communication pathways having a one-
to-
one correspondence with one of the associated destination port numbers.
[00260] Certain embodiments may provide, for example, a method for managing
communications. In certain embodiments, for example, the method may comprise
receiving data packets from source ports, the data packets having payloads and
associated destination port numbers. In certain embodiments, for example, the
method
may comprise verifying that the source ports are authorized to communicate
with ports
having the associated destination port numbers. In certain embodiments, for
example,
the method may comprise assembling packet segments, each one of the packet
segments comprising one of the payloads, an associated user-application
identifier, and
a payload data type descriptor. In certain embodiments, for example, the
method may
comprise requesting transmission of network packets through network tunnels,
each one
of the network packets comprising a port number of one of the associated
destination
port numbers and one of the assembled packet segments, each one of the network
tunnels having a one-to-one correspondence with one of the associated
destination port
numbers.
[00261] Certain embodiments may provide, for example, a method for managing
communications, comprising: i) receiving data packets from source ports, the
data
packets having payloads and associated destination port numbers; ii) verifying
that the
source ports are authorized to communicate with ports having the associated
destination
port numbers; iii) assembling packet segments, each one of the packet segments
comprising one of the payloads, an associated user-application identifier, and
a payload
data type descriptor; and iv) requesting transmission of network packets
through network
tunnels, each one of the network packets comprising a port number of one of
the
associated destination port numbers and one of the assembled packet segments,
each
one of the network tunnels having a one-to-one correspondence with one of the
associated destination port numbers.
[00262] Certain embodiments may provide, for example, a method for managing
communications. In certain embodiments, for example, the method may comprise
receiving a data packet from a source port, the data packet having a payload
and an
associated destination port number. In certain embodiments, for example, the
method
may comprise verifying that the source port is authorized to communicate with
a port
having the associated destination port number. In certain embodiments, for
example,
the method may comprise assembling a packet segment, the packet segment
comprising the payload, an associated user-application identifier, and a
payload data
119
CA 03077203 2020-03-26
WO 2019/071126 PCT/US2018/054609
type descriptor. In certain embodiments, for example, the method may comprise
requesting transmission of a network packet through a network tunnel, the
network
packet comprising the associated destination port numbers and the assembled
packet
segment, the network tunnels having a one-to-one correspondence with the
associated
destination port number.
[00263] Certain embodiments may provide, for example, a method for managing
communications, comprising: i) receiving a data packet from a source port, the
data
packet having a payload and an associated destination port number; ii)
verifying that the
source port is authorized to communicate with a port having the associated
destination
port number; iii) assembling a packet segment, the packet segment comprising
the
payload, an associated user-application identifier, and a payload data type
descriptor,
and iv) requesting transmission of a network packet through a network tunnel,
the
network packet comprising the associated destination port numbers and the
assembled
packet segment, the network tunnels having a one-to-one correspondence with
the
associated destination port number.
[00264] Certain embodiments may provide, for example, a method for managing
communications. In certain embodiments, for example, the method may comprise
receiving data packets having payloads and associated destination port
numbers. In
certain embodiments, for example, the method may comprise identifying
preconfigured,
predefined, pre-established and/or preprovisioned port numbers, each one of
the port
numbers having a one-to-one correspondence with one of the associated
destination
port numbers. In certain embodiments, for example, the method may comprise
assembling packet segments, each one of the packet segments comprising one of
the
payloads, an associated user-application identifier, and a payload data type
descriptor.
In certain embodiments, for example, the method may comprise requesting
transmission
of network packets through encrypted communication pathways, each one of the
network packets comprising a port number of one of the port numbers and one of
the
assembled packet segments, each one of the encrypted communication pathways
having a one-to-one correspondence with one of the port numbers.
[00265] Certain embodiments may provide, for example, a method for managing
communications, comprising: i) receiving data packets having payloads and
associated
destination port numbers; ii) identifying preconfigured, predefined, pre-
established and/or
preprovisioned port numbers, each one of the port numbers having a one-to-one
correspondence with one of the associated destination port numbers; iii)
assembling
packet segments, each one of the packet segments comprising one of the
payloads, an
associated user-application identifier, and a payload data type descriptor;
and iv)
120
CA 03077203 2020-03-26
WO 2019/071126 PCT/US2018/054609
requesting transmission of network packets through encrypted communication
pathways,
each one of the network packets comprising a port number of one of the port
numbers
and one of the assembled packet segments, each one of the encrypted
communication
pathways having a one-to-one correspondence with one of the port numbers.
[00266] Certain embodiments may provide, for example, a method for managing
communications of a plurality of networked computing devices. In certain
embodiments,
for example, the method may comprise receiving a data packet having a payload
and an
associated destination port number. In certain embodiments, for example, the
method
may comprise identifying a preconfigured, predefined, pre-established and/or
preprovisioned port number, the port number having a one-to-one correspondence
with
the associated destination port number. In certain embodiments, for example,
the
method may comprise assembling a packet segment, the packet segment comprising
the payload, an associated user-application identifier, and a payload data
type
descriptor. In certain embodiments, for example, the method may comprise
requesting
encrypted communication over an encrypted communication pathway of a network
packet, the network packets comprising the port number and the assembled
packet
segment, the encrypted communication pathway having a one-to-one
correspondence
with the port number.
[00267] Certain embodiments may provide, for example, a method for managing
communications, comprising: i) receiving a data packet having a payload and an
associated destination port number; ii) identifying a preconfigured,
predefined, pre-
established and/or preprovisioned port number, the port number having a one-to-
one
correspondence with the associated destination port number; iii) assembling a
packet
segment, the packet segment comprising the payload, an associated user-
application
identifier, and a payload data type descriptor; and iv) requesting encrypted
communication over an encrypted communication pathway of a network packet, the
network packets comprising the port number and the assembled packet segment,
the
encrypted communication pathway having a one-to-one correspondence with the
port
number.
[00268] Certain embodiments may provide, for example, a method for managing
communications of a plurality of networked computing devices. In certain
embodiments,
for example, the method may comprise receiving data packets from source ports,
the
data packets having payloads and associated destination port numbers. In
certain
embodiments, for example, the method may comprise verifying that the source
ports are
authorized to communicate with ports having the associated destination port
numbers.
In certain embodiments, for example, the method may comprise assembling packet
121
CA 03077203 2020-03-26
WO 2019/071126 PCT/US2018/054609
segments, each one of the packet segments comprising one of the payloads, an
associated user-application identifier, and a payload data type descriptor. In
certain
embodiments, for example, the method may comprise requesting transmission of
network packets through encrypted communication pathways, each one of the
network
packets comprising a port number of one of the associated destination port
numbers and
one of the assembled packet segments, each one of the encrypted communication
pathways having a one-to-one correspondence with one of the associated
destination
port numbers.
[00269] Certain embodiments may provide, for example, a method for managing
communications, comprising: i) receiving data packets from source ports, the
data
packets having payloads and associated destination port numbers; ii) verifying
that the
source ports are authorized to communicate with ports having the associated
destination
port numbers; iii) assembling packet segments, each one of the packet segments
comprising one of the payloads, an associated user-application identifier, and
a payload
data type descriptor; and iv) requesting transmission of network packets
through
encrypted communication pathways, each one of the network packets comprising a
port
number of one of the associated destination port numbers and one of the
assembled
packet segments, each one of the encrypted communication pathways having a one-
to-
one correspondence with one of the associated destination port numbers.
[00270] Certain embodiments may provide, for example, a method for managing
communications of a plurality of networked computing devices. In certain
embodiments,
for example, the method may comprise receiving a data packet from a source
port, the
data packet having a payload and an associated destination port number. In
certain
embodiments, for example, the method may comprise verifying that the source
port is
authorized to communicate with a port having the associated destination port
number. In
certain embodiments, for example, the method may comprise assembling a packet
segment, the packet segments comprising the payload, an associated user-
application
identifier, and a payload data type descriptor. In certain embodiments, for
example, the
method may comprise requesting transmission of a network packet through an
encrypted
communication pathway, the network packets comprising the associated
destination port
number and the assembled packet segment, the encrypted communication pathway
having a one-to-one correspondence with the associated destination port
number.
[00271] Certain embodiments may provide, for example, a method for managing
communications, comprising: i) receiving a data packet from a source port, the
data
packet having a payload and an associated destination port number; ii)
verifying that the
source port is authorized to communicate with a port having the associated
destination
122
CA 03077203 2020-03-26
WO 2019/071126 PCT/US2018/054609
port number; iii) assembling a packet segment, the packet segments comprising
the
payload, an associated user-application identifier, and a payload data type
descriptor;
and iv) requesting transmission of a network packet through an encrypted
communication pathway, the network packets comprising the associated
destination port
number and the assembled packet segment, the encrypted communication pathway
having a one-to-one correspondence with the associated destination port
number.
[00272] Certain embodiments may provide, for example, a method for managing
communications. In certain embodiments, for example, the method may comprise
obtaining port numbers, metadata (for example metadata encrypted using a
single-use
cryptographic key), and payloads associated with network packets. In certain
embodiments, for example, the method may comprise identifying preconfigured,
predefined, pre-established and/or preprovisioned destination port numbers and
preconfigured, predefined, pre-established and/or preprovisioned authorization
codes
associated with the obtained port numbers, each one of the authorization codes
comprising a preconfigured, predefined, pre-established and/or preprovisioned
user-
application process identifier and a preconfigured, predefined, pre-
established and/or
preprovisioned payload data-type identifier associated with one of the
obtained port
numbers. In certain embodiments, for example, the method may comprise
authorizing
the network packets, comprising: comparing (for example comparing in
application
spaces or kernel spaces of the plurality of computing devices) metadata with
the
authorization codes. In certain embodiments, for example, the method may
comprise
requesting transmission (for example across loopback interfaces, by TUN/TAP
interfaces, or by kernel read and/or write calls) of payloads from the
authorized network
packets to destinations referenced by the destination port numbers. In certain
embodiments, for example, the payloads may be passed to the destination port
numbers
by one or more loopback interfaces.
[00273] Certain embodiments may provide, for example, a method for managing
communications, comprising: performing communication processing functions on
all
network-to-port communications received by the plurality of computing devices,
the
performing communication processing functions comprising: i) obtaining port
numbers,
metadata, and payloads associated with network packets; ii) identifying
preconfigured,
predefined, pre-established and/or preprovisioned destination port numbers and
preconfigured, predefined, pre-established and/or preprovisioned authorization
codes
associated with the obtained port numbers, each one of the authorization codes
comprising a preconfigured, predefined, pre-established and/or preprovisioned
user-
application identifier and a preconfigured, predefined, pre-established and/or
123
CA 03077203 2020-03-26
WO 2019/071126 PCT/US2018/054609
preprovisioned payload data-type identifier associated with one of the
obtained port
numbers; iii) authorizing the network packets, comprising: comparing at least
a portion of
the metadata with the authorization codes; and iv) requesting transmission of
payloads
from the authorized network packets to destinations referenced by the
destination port
numbers.
[00274] Certain embodiments may provide, for example, a method for managing
communications. In certain embodiments, for example, the method may comprise
obtaining a port number, metadata, and a payload associated with a network
packet
received by the networked computing device. In certain embodiments, for
example, the
method may comprise identifying a preconfigured, predefined, pre-established
and/or
preprovisioned destination port number and a preconfigured, predefined, pre-
established
and/or preprovisioned authorization code associated with the obtained port
number, the
authorization code comprising a preconfigured, predefined, pre-established
and/or
preprovisioned user-application identifier and a preconfigured, predefined,
pre-
established and/or preprovisioned payload data-type identifier associated with
the
obtained port number. In certain embodiments, for example, the method may
comprise
authorizing the network packet, comprising: comparing the metadata with the
authorization code. In certain embodiments, for example, the method may
comprise
requesting transmission of the payload to a destination referenced by the
destination port
number.
[00275] Certain embodiments may provide, for example, a method for managing
communications, comprising: i) obtaining a port number, metadata, and a
payload
associated with a network packet received by the networked computing device;
ii)
identifying a preconfigured, predefined, pre-established and/or preprovisioned
destination port number and a preconfigured, predefined, pre-established
and/or
preprovisioned authorization code associated with the obtained port number,
the
authorization code comprising a preconfigured, predefined, pre-established
and/or
preprovisioned user-application identifier and a preconfigured, predefined,
pre-
established and/or preprovisioned payload data-type identifier associated with
the
obtained port number; iii) authorizing the network packet, comprising:
comparing the
metadata with the authorization code; and iv) requesting transmission of the
payload to a
destination referenced by the destination port number.
[00276] Certain embodiments may provide, for example, a method for managing
communications. In certain embodiments, for example, the method may comprise
obtaining destination port numbers, metadata, and payloads associated with
network
packets. In certain embodiments, for example, the method may comprise
identifying
124
CA 03077203 2020-03-26
WO 2019/071126 PCT/US2018/054609
preconfigured, predefined, pre-established and/or preprovisioned authorization
codes
associated with the destination port numbers, each one of the authorization
codes
comprising a preconfigured, predefined, pre-established and/or preprovisioned
user-
application identifier and a preconfigured, predefined, pre-established and/or
preprovisioned payload data-type identifier associated with one of the
destination port
numbers. In certain embodiments, for example, the method may comprise
authorizing
the network packets, comprising: comparing at least a portion of the metadata
with the
authorization codes. In certain embodiments, for example, the method may
comprise
requesting transmission of payloads from the authorized network packets to
destinations
referenced by the destination port numbers.
[00277] Certain embodiments may provide, for example, a method for managing
communications, comprising: i) obtaining destination port numbers, metadata,
and
payloads associated with network packets; ii) identifying preconfigured,
predefined, pre-
established and/or preprovisioned authorization codes associated with the
destination
port numbers, each one of the authorization codes comprising a preconfigured,
predefined, pre-established and/or preprovisioned user-application identifier
and a
preconfigured, predefined, pre-established and/or preprovisioned payload data-
type
identifier associated with one of the destination port numbers; iii)
authorizing the network
packets, comprising: comparing at least a portion of the metadata with the
authorization
codes; and iv) requesting transmission of payloads from the authorized network
packets
to destinations referenced by the destination port numbers.
[00278] Certain embodiments may provide, for example, a method for managing
communications of a plurality of networked computing devices. In certain
embodiments,
for example, the method may comprise obtaining a port number, metadata, and a
payload associated with a network packet received by the networked computing
device.
In certain embodiments, for example, the method may comprise identifying a
preconfigured, predefined, pre-established and/or preprovisioned destination
port
number and a preconfigured, predefined, pre-established and/or preprovisioned
authorization code associated with the obtained port number, the authorization
code
comprising a preconfigured, predefined, pre-established and/or preprovisioned
user-
application identifier and a preconfigured, predefined, pre-established and/or
preprovisioned payload data-type identifier associated with the obtained port
number. In
certain embodiments, for example, the method may comprise authorizing the
network
packet, comprising: comparing the metadata with the authorization code. In
certain
embodiments, for example, the method may comprise requesting transmission of
the
125
CA 03077203 2020-03-26
WO 2019/071126 PCT/US2018/054609
payload to a destination referenced by the preconfigured, predefined, pre-
established
and/or preprovisioned destination port number.
[00279] Certain embodiments may provide, for example, a method for managing
communications, comprising: i) obtaining a port number, metadata, and a
payload
associated with a network packet received by the networked computing device;
ii)
identifying a preconfigured, predefined, pre-established and/or preprovisioned
destination port number and a preconfigured, predefined, pre-established
and/or
preprovisioned authorization code associated with the obtained port number,
the
authorization code comprising a preconfigured, predefined, pre-established
and/or
preprovisioned user-application identifier and a preconfigured, predefined,
pre-
established and/or preprovisioned payload data-type identifier associated with
the
obtained port number; iii) authorizing the network packet, comprising:
comparing the
metadata with the authorization code; and iv) requesting transmission of the
payload to a
destination referenced by the preconfigured, predefined, pre-established
and/or
preprovisioned destination port number.
[00280] Certain embodiments may provide, for example, a method for managing
communications. In certain embodiments, for example, the method may comprise
negotiating, on a first computing device, a first data pathway between a first
user-
application and a first network security program code of a plurality of
computer-readable
program code. In certain embodiments, for example, the method may comprise
negotiating, on a second computing device, a second data pathway between a
second
network security program of the plurality of computer-readable program code
and a
second user-application. In certain embodiments, for example, the method may
comprise negotiating a third data pathway between the first network security
program
and the second network security program, the third data pathway comprising an
encrypted network tunnel, each of the first data pathway, second data pathway,
and third
data pathway participate to form at least a part of a dedicated data pathway
for
exclusively communicating data from a first port of the first user-application
to a second
port of the second user-application.
[00281] Certain embodiments may provide, for example, a method for managing
communications, comprising: i) negotiating, on a first computing device, a
first data
pathway between a first user-application and a first network security program
code of a
plurality of computer-readable program code; ii) negotiating, on a second
computing
device, a second data pathway between a second network security program of the
plurality of computer-readable program code and a second user-application; and
iii)
negotiating a third data pathway between the first network security program
and the
126
CA 03077203 2020-03-26
WO 2019/071126 PCT/US2018/054609
second network security program, the third data pathway comprising an
encrypted
network tunnel, each of the first data pathway, second data pathway, and third
data
pathway participate to form at least a part of a dedicated data pathway for
exclusively
communicating data from a first port of the first user-application to a second
port of the
second user-application.
[00282] Certain embodiments may provide, for example, a method for managing
communications. In certain embodiments, for example, the method may comprise
negotiating, on a first computing device, a first data pathway between a first
user-
application and a first network security program of plural security programs.
In certain
embodiments, for example, the method may comprise negotiating, on a second
computing device, a second data pathway between a second network security
program
of the plural security programs and a second user-application. In certain
embodiments,
for example, the method may comprise negotiating a third data pathway between
the first
network security program and the second network security program, the third
data
pathway comprising an encrypted communication pathway, each of the first data
pathway, second data pathway, and third data pathway exclusive to a dedicated
data
pathway for communicating data from a first port of the first user-application
to a second
port of the second user-application.
[00283] Certain embodiments may provide, for example, a method for managing
communications, comprising: i) negotiating, on a first computing device, a
first data
pathway between a first user-application and a first network security program
of plural
security programs; ii) negotiating, on a second computing device, a second
data pathway
between a second network security program of the plural security programs and
a
second user-application; iii) negotiating a third data pathway between the
first network
security program and the second network security program, the third data
pathway
comprising an encrypted communication pathway, each of the first data pathway,
second
data pathway, and third data pathway exclusive to a dedicated data pathway for
communicating data from a first port of the first user-application to a second
port of the
second user-application.
[00284] Certain embodiments may provide, for example, a method for managing
communications in a cloud. In certain embodiments, for example, the method may
comprise obtaining port numbers, metadata, and payloads associated with
network
packets. In certain embodiments, for example, the method may comprise
identifying
predefined destination port numbers and predefined authorization codes
associated with
the obtained port numbers, each one of the predefined authorization codes
comprising a
predefined user-application identifier and a predefined payload data-type
identifier
127
CA 03077203 2020-03-26
WO 2019/071126 PCT/US2018/054609
associated with one of the obtained port numbers. In certain embodiments, for
example,
the method may comprise authorizing the network packets, comprising: comparing
at
least a portion of the metadata with the predefined authorization codes. In
certain
embodiments, for example, the method may comprise requesting transmission of
payloads from the authorized network packets to cloud resources referenced by
the
predefined destination port numbers.
[00285] Certain embodiments may provide, for example, a method for managing
communications, comprising: i) obtaining port numbers, metadata, and payloads
associated with network packets; ii) identifying predefined destination port
numbers and
predefined authorization codes associated with the obtained port numbers, each
one of
the predefined authorization codes comprising a predefined user-application
identifier
and a predefined payload data-type identifier associated with one of the
obtained port
numbers; iii) authorizing the network packets, comprising: comparing at least
a portion of
the metadata with the predefined authorization codes; and iv) requesting
transmission of
payloads from the authorized network packets to cloud resources referenced by
the
predefined destination port numbers.
[00286] Certain embodiments may provide, for example, a product for managing
communications of a plurality of networked processor nodes. In certain
embodiments,
for example, the product may comprise a computer-readable storage medium (for
example a non-transitory computer-readable storage medium) having computer-
readable
program code embodied therein, the computer-readable program code executable
by a
processor to perform communication management operations. In certain
embodiments,
for example, the communication management operations may comprise establishing
authorized network tunnels (for example network tunnels based on protocol
which
involve encrypting a network packet and inserting the encrypted network packet
inside a
packet for transport (such as I Psec protocol), or network tunnels based on
Socket
Secured Layer protocol, or network tunnels which require encryption of part of
all of a
packet payload but do not involve additional headers (for example do not
involve
packaging an IP packet inside another IP packet) for network communication) on
all port-
to-port network communications (for example unencrypted or encrypted payload
communications) among the plurality of networked processor nodes (inclusive,
for
example, of port-to-port communications according to User Datagram Protocol
(UDP) or
Transmission Control Protocol (TCP) between end-user application processes
over a
network)). In certain embodiments, for example, the port-to-port
communications may
be between user-application processes (inclusive of application processes
having a
process owner (or user)). In certain embodiments, for example, one or more of
the user-
128
CA 03077203 2020-03-26
WO 2019/071126 PCT/US2018/054609
application processes may reside in kernel and/or application space. In
certain
embodiments, for example, the establishing may comprise intercepting network
connection requests (for example by network application programming
interfaces) having
associated destination port numbers. In certain embodiments, for example, the
establishing may comprise identifying preconfigured, predefined, pre-
established and/or
preprovisioned tunnel port numbers (for example predefined tunnel port numbers
associated with servers), comprising identifying at least one (for example,
one)
preconfigured, predefined, pre-established and/or preprovisioned tunnel port
number for
each associated destination port number of the associated destination port
numbers. In
certain embodiments, for example, the establishing may comprise requesting the
negotiation of network tunnels, the requesting comprising sending connection
request
packets comprising the tunnel port numbers (and also, for example, cipher
suite
parameters), each one of the network tunnels having a one-to-one
correspondence with
one of the tunnel port numbers. In certain embodiments, for example, the
establishing
may comprise authorizing the network tunnels, comprising comparing node
identifiers,
user-application identifiers (for example user-application identifiers derived
from
application process identifiers and/or application process owners, together or
in parts),
and payload data-type identifiers received from the network tunnels with
preconfigured,
predefined, pre-established and/or preprovisioned authorization codes. In
certain further
embodiments, for example, the node identifiers, user-application identifiers,
and/or
payload data-type identifiers may be encrypted and require decryption before
the
comparing.
[00287] A. In certain embodiments, for example, the intercepting, identifying,
requesting, and authorizing may be transparent to all user-application
processes (for
example all processes (except optionally for processes executing portions of
the
program code) executing in (non-kernel) application space and having process
owners)
on the plurality of networked nodes. In certain embodiments, for example, the
intercepting may be performed by a network application programming interface
having
standard syntax (for example using modified network application programming
interface
functions that retain standard syntax, for example: bind(), connect(),
listen(), UDP
sendto(), UDP bindto(), and close() functions).
[00288] B. In certain embodiments, for example, the intercepting, identifying,
requesting, and authorizing may be self-executing. In certain further
embodiments, for
example, the intercepting, identifying, requesting, and authorizing may be
automatic. In
certain further embodiments, for example, the identifying, requesting, and
authorizing
may be automatically invoked following the intercepting. In certain
embodiments, for
129
CA 03077203 2020-03-26
WO 2019/071126 PCT/US2018/054609
example, the intercepting, identifying, and authorizing may occur in the
kernel spaces of
the plurality of networked nodes. In certain embodiments, for example, one or
more of
the intercepting, identifying, and authorizing occur in application spaces of
the plurality of
networked nodes. In certain further embodiments, for example, at least a
portion (for
example all) of the non-transitory computer-readable storage medium may be
resident
on a deployment server.
[00289] C. In certain further embodiments, for example, at least a portion
(for
example all) of the non-transitory computer-readable storage medium may be
resident
on flash drive. In certain embodiments, for example, the communication
management
operations may further comprise: preventing all user-application process ports
from
binding to a portion or all physical interfaces of the plurality of networked
nodes.
[00290] D. In certain embodiments, for example, user-application process ports
may
transmit packets to network security software process ports by loopback
interfaces. In
certain embodiments, for example, user-application process ports may transmit
packets
to network security software process ports by TUN/TAP interfaces.
[00291] E. In certain embodiments, for example, the network tunnels may be
encrypted. In certain embodiments, for example, the network tunnels may be
interposed
between network security processes (for example middleware) running on
separate
nodes. In certain embodiments, for example, the network security processes may
manage a segment of the data pathway that is interposed between user-
application
processes on separate nodes of the plurality of networked processor nodes. In
certain
embodiments, for example, the network security processes may be conducted on
the
plural nodes with user-application processes, wherein the user-application
processes
may engage in port-to-port communications. In certain embodiments, for
example, the
network security processes may be resident on different nodes from the user-
application
processes. In certain embodiments, for example, the product may be used to
configure
a software-defined perimeter.
[00292] F. In certain embodiments, for example, the tunnel port numbers, node
identifiers, user-application identifiers, and/or payload data-type
identifiers may be
obtained from a plurality of configuration files. In certain embodiments, for
example, the
configuration files may contain private keys for negotiating encryption keys
for the
network tunnels. In certain embodiments, for example, the configuration files
may be
binary files. In certain embodiments, for example, the configuration files may
be
encrypted files. In certain embodiments, for example, the configuration files
may be
variable length files. In certain embodiments, for example, the configuration
files may be
read-only files.
130
CA 03077203 2020-03-26
WO 2019/071126 PCT/US2018/054609
[00293] G. In certain embodiments, for example, the communication management
operations may further comprise: executing operating system commands to
identify user-
application processes making the connection requests, and verifying that the
identified
user-application processes are authorized to transmit data to the associated
destination
port numbers. In certain embodiments, for example, the communication
management
operations may further comprise thwarting attempts by malware to form network
connections, the thwarting comprising: rejecting network connection requests
in which
identified user-application processes are not authorized to transmit data, for
example by
reference to a configuration file of authorized port-to-port connections. In
certain
embodiments, for example, the product may further comprise a configuration
file, the
configuration file comprising at least two of the following: tunnel port
numbers, node
identifiers, user-application identifiers, and payload data-type identifiers.
In certain
embodiments, for example, the communication management operations may comprise
updating a connection state indicator based on the comparing node identifiers,
the
comparing user-application process identifiers, and/or the comparing payload
data-type
identifiers. In certain embodiments, for example, the updated connection state
indicator
may be a field in a list of port-to-port connections. In certain embodiments,
for example,
the connection state indicator may be changed from a value indicating that no
connection has been established to a value indicating that an open connection
state
exists for a particular port-to-port connection. In certain embodiments, for
example, the
connection state indicator may be changed from a value indicating that no
connection
has been established to a value indicating that a connection is in the process
of being
formed and that one or more of the node identifiers, the user-application
process
identifiers, and/or the payload data-type identifiers has been successfully
exchanged,
authenticated and/or authorized. In certain embodiments, for example, the
connection
state indicator may be changed from a value indicating that an open connection
exists,
that no connection exists, or that a connection is in the process of being
formed to a
value indicating that the connection is being declined due to failure to
successfully
exchange, authenticate and/or authorize one or more of the node identifiers,
the user-
application process identifiers, and/or the payload data-type identifiers.
[00294] Certain embodiments may provide, for example, a product for managing
communications of a plurality of networked processor nodes, the product
comprising a
non-transitory computer-readable storage medium having computer-readable
program
code embodied therein, the computer-readable program code executable by a
processor
to perform communication management operations, the communication management
operations comprising: establishing authorized network tunnels for at least
one port-to-
131
CA 03077203 2020-03-26
WO 2019/071126 PCT/US2018/054609
port network communication (inclusive, for example, of all port-to-port
network
communications) among the plurality of networked processor nodes, comprising:
i)
intercepting network connection requests having associated destination port
numbers; ii)
identifying preconfigured, predefined, pre-established and/or preprovisioned
tunnel port
numbers, comprising identifying at least one tunnel port number for each
associated
destination port number of the associated destination port numbers; iii)
requesting the
negotiation of network tunnels, the requesting comprising sending connection
request
packets comprising the tunnel port numbers, each one of the network tunnels
having a
one-to-one correspondence with one of the tunnel port numbers; and iv)
authorizing the
network tunnels, comprising comparing node identifiers, user-application
identifiers, and
payload data-type identifiers received from the network tunnels with
preconfigured,
predefined, pre-established and/or preprovisioned authorization codes.
[00295] Certain embodiments may provide, for example, a computer program
product
for managing communications of a networked node comprising a processor, the
computer program product comprising a computer-readable storage medium (for
example a non-transitory computer-readable storage medium) having computer-
readable
program code embodied therein, the computer-readable program code executable
by the
processor to perform communication management operations, the communication
management operations comprising: establishing authorized network tunnels for
all port-
to-port network communications for the networked node, comprising: i)
intercepting a
network connection request having an associated destination port number; ii)
identifying
a preconfigured, predefined, pre-established and/or preprovisioned tunnel port
number
associated with the destination port number; iii) requesting the forming of a
network
tunnel, the forming comprising sending a connection request packet comprising
the
tunnel port number; and iv) authorizing the network tunnel, comprising
comparing a node
identifier, a user-application identifier, and a payload data-type identifier
received from
the network tunnel with a preconfigured, predefined, pre-established and/or
preprovisioned authorization code.
[00296] Certain embodiments may provide, for example, a product for managing
communications of a plurality of networked processor nodes. In certain
embodiments,
for example, the product may comprise a computer-readable storage medium (for
example a non-transitory computer-readable storage medium) having computer-
readable
program code embodied therein, the computer-readable program code executable
by a
processor to perform communication management operations. In certain
embodiments,
for example, the communication management operations may comprise establishing
authorized network tunnels for at least one port-to-port network communication
132
CA 03077203 2020-03-26
WO 2019/071126 PCT/US2018/054609
(including, for example, all port-to-port network communications (for example
unencrypted or encrypted payload communications) among the plurality of
networked
processor nodes (inclusive, for example, of port-to-port communications
according to
User Datagram Protocol (UDP) or Transmission Control Protocol (TCP) between
end-
user application processes over a network)). In certain embodiments, for
example, the
port-to-port communications may be between user-application processes
(inclusive of
application processes having a process owner (or user)). In certain
embodiments, for
example, one or more of the user-application processes may reside in kernel
and/or
application space. In certain embodiments, for example, the establishing may
comprise
intercepting network connection requests from source ports (for example the
source
ports may comprise ports associated with user-application processes), the
requests
having associated destination port numbers. In certain embodiments, for
example, the
establishing may comprise verifying that the source ports are authorized to
communicate
with ports having the associated destination port numbers. In certain
embodiments, for
example, the establishing may comprise requesting the negotiation of network
tunnels,
comprising sending connection request packets comprising the associated
destination
port numbers, each one of the network tunnels having a one-to-one
correspondence with
one of the associated destination port numbers. In certain embodiments, for
example,
the establishing may comprise authorizing the network tunnels, comprising
comparing
node identifiers, user-application identifiers, and/or payload data-type
identifiers received
from the network tunnels with preconfigured, predefined, pre-established
and/or
preprovisioned authorization codes. In certain further embodiments, for
example, the
node identifiers, user-application identifiers, and/or payload data-type
identifiers may be
encrypted and require decryption before the comparing.
[00297] Certain embodiments may provide, for example, a product for managing
communications of a plurality of networked processor nodes, the product
comprising a
non-transitory computer-readable storage medium having computer-readable
program
code embodied therein, the computer-readable program code executable by a
processor
to perform communication management operations, the communication management
operations comprising: establishing authorized network tunnels for all port-to-
port
network communications among the plurality of networked processor nodes,
comprising:
i) intercepting network connection requests from source ports, the requests
having
associated destination port numbers; ii) verifying that the source ports are
authorized to
communicate with ports having the associated destination port numbers; iii)
requesting
the negotiation of network tunnels, comprising sending connection request
packets
comprising the associated destination port numbers, each one of the network
tunnels
133
CA 03077203 2020-03-26
WO 2019/071126 PCT/US2018/054609
having a one-to-one correspondence with one of the associated destination port
numbers; and iv) authorizing the network tunnels, comprising comparing node
identifiers,
user-application identifiers, and payload data-type identifiers received from
the network
tunnels with preconfigured, predefined, pre-established and/or preprovisioned
authorization codes.
[00298] Certain embodiments may provide, for example, a product for managing
communications of a plurality of networked processor nodes. In certain
embodiments,
for example, the product may comprise a non-transitory computer-readable
storage
medium having computer-readable program code embodied therein, the computer-
readable program code executable by a processor to perform communication
management operations. In certain embodiments, for example, the communication
management operations may comprise establishing authorized encrypted
communication pathways for at least one port-to-port network communication
(for
example all port-to-port communications) among the plurality of networked
processor
nodes. In certain embodiments, for example, the establishing may comprise
intercepting
network connection requests having associated destination port numbers. In
certain
embodiments, for example, the establishing may comprise identifying
preconfigured,
predefined, pre-established and/or preprovisioned encrypted communication port
numbers, comprising identifying at least one preconfigured, predefined, pre-
established
and/or preprovisioned encrypted communication port number for each associated
destination port number of the associated destination port numbers. In certain
embodiments, for example, the establishing may comprise requesting the
negotiation of
encrypted communication pathways, the requesting comprising sending connection
request packets comprising the encrypted communication port numbers, each one
of the
encrypted communication pathways having a one-to-one correspondence with one
of the
encrypted communication port numbers. In certain embodiments, for example, the
establishing may comprise authorizing the encrypted communication pathways,
comprising comparing node identifiers, user-application identifiers, and/or
payload data-
type identifiers received from the encrypted communication pathways with
preconfigured,
predefined, pre-established and/or preprovisioned authorization codes.
[00299] Certain embodiments may provide, for example, a product for managing
communications of a plurality of networked processor nodes, the product
comprising a
non-transitory computer-readable storage medium having computer-readable
program
code embodied therein, the computer-readable program code executable by a
processor
to perform communication management operations, the communication management
operations comprising: establishing authorized encrypted communication
pathways for
134
CA 03077203 2020-03-26
WO 2019/071126 PCT/US2018/054609
all port-to-port network communications among the plurality of networked
processor
nodes, comprising: i) intercepting network connection requests having
associated
destination port numbers; ii) identifying preconfigured, predefined, pre-
established and/or
preprovisioned encrypted communication port numbers, comprising identifying at
least
one preconfigured, predefined, pre-established and/or preprovisioned encrypted
communication port number for each associated destination port number of the
associated destination port numbers; iii) requesting the negotiation of
encrypted
communication pathways, the requesting comprising sending connection request
packets comprising the encrypted communication port numbers, each one of the
encrypted communication pathways having a one-to-one correspondence with one
of the
encrypted communication port numbers; and iv) authorizing the encrypted
communication pathways, comprising comparing node identifiers, user-
application
identifiers, and payload data-type identifiers received from the encrypted
communication
pathways with preconfigured, predefined, pre-established and/or preprovisioned
authorization codes.
[00300] Certain embodiments may provide, for example, a product for managing
communications of a plurality of networked processor nodes. In certain
embodiments,
for example, the product may comprise a non-transitory computer-readable
storage
medium having computer-readable program code embodied therein, the computer-
readable program code executable by a processor to perform communication
management operations. In certain embodiments, for example, the communication
management operations may comprise establishing authorized encrypted
communication pathways for at least one port-to-port network communication
(including,
for example, all port-to-port network communications) among the plurality of
networked
processor nodes. In certain embodiments, for example, the establishing may
comprise
intercepting network connection requests from source ports (for example source
ports
that have been opened by and have a predetermined relationship with authorized
applications), the requests having associated destination port numbers. In
certain
embodiments, for example, the establishing may comprise verifying that the
source ports
are authorized to communicate with ports having the associated destination
port
numbers. In certain embodiments, for example, the establishing may comprise
requesting the negotiation of encrypted communication pathways, the requesting
comprising sending connection request packets comprising the associated
destination
port numbers. In certain embodiments, for example, the establishing may
comprise
authorizing the encrypted communication pathways, comprising comparing node
identifiers, user-application identifiers, and/or payload data-type
identifiers received from
135
CA 03077203 2020-03-26
WO 2019/071126 PCT/US2018/054609
the encrypted communication pathways with preconfigured, predefined, pre-
established
and/or preprovisioned authorization codes.
[00301] Certain embodiments may provide, for example, a product for managing
communications of a plurality of networked processor nodes, the product
comprising a
non-transitory computer-readable storage medium having computer-readable
program
code embodied therein, the computer-readable program code executable by a
processor
to perform communication management operations, the communication management
operations comprising: establishing authorized encrypted communication
pathways for
all port-to-port network communications among the plurality of networked
processor
nodes, comprising: i) intercepting network connection requests from source
ports, the
requests having associated destination port numbers; ii) verifying that the
source ports
are authorized to communicate with ports having the associated destination
port
numbers; iii) requesting the negotiation of encrypted communication pathways,
the
requesting comprising sending connection request packets comprising the
associated
destination port numbers; and iv) authorizing the encrypted communication
pathways,
comprising comparing node identifiers, user-application identifiers, and
payload data-
type identifiers received from the encrypted communication pathways with
preconfigured,
predefined, pre-established and/or preprovisioned authorization codes.
[00302] Certain embodiments may provide, for example, a product for managing
communications of a plurality of networked processor nodes, the product
comprising a
non-transitory computer-readable storage medium having computer-readable
program
code embodied therein, the computer-readable program code executable by a
processor
to perform communication management operations, the communication management
operations comprising: establishing authorized network tunnels for all port-to-
port
network communications among the plurality of networked processor nodes,
comprising:
i) intercepting a network connection request from a source port, the request
having an
associated destination port number; ii) verifying that the source port is
authorized to
communicate with a port having the associated destination port number; iii)
requesting
the negotiation of a network tunnel, comprising sending a connection request
packet
comprising the associated destination port number; and iv) authorizing the
network
tunnel, comprising comparing a node identifiers, a user-application
identifier, and a
payload data-type identifier received from the network tunnel with a
preconfigured,
predefined, pre-established and/or preprovisioned authorization code.
[00303] Certain embodiments may provide, for example, a product for managing
communications of a plurality of networked processor nodes, the product
comprising a
non-transitory computer-readable storage medium having computer-readable
program
136
CA 03077203 2020-03-26
WO 2019/071126 PCT/US2018/054609
code embodied therein, the computer-readable program code executable by a
processor
to perform communication management operations, the communication management
operations comprising: establishing authorized network tunnels for all port-to-
port
network communications among the plurality of networked processor nodes,
comprising:
i) intercepting a network connection request having an associated destination
port
number; ii) identifying a preconfigured, predefined, pre-established and/or
preprovisioned
encrypted communication port number associated with the destination port
number; iii)
requesting the negotiation of an encrypted communication pathway, the
requesting
comprising sending a connection request packet comprising the encrypted
communication port number; and iv) authorizing the encrypted communication
pathway,
comprising comparing a node identifier, a user-application identifier, and a
payload data-
type identifier received from the encrypted communication pathway with a
preconfigured,
predefined, pre-established and/or preprovisioned authorization code.
[00304] Certain embodiments may provide, for example, a product for managing
communications of a plurality of networked processor nodes, the product
comprising a
non-transitory computer-readable storage medium having computer-readable
program
code embodied therein, the computer-readable program code executable by a
processor
to perform communication management operations, the communication management
operations comprising: establishing authorized network tunnels for all port-to-
port
network communications among the plurality of networked processor nodes,
comprising:
i) intercepting a network connection request from a source port, the request
having an
associated destination port number; ii) verifying that the source port is
authorized to
communicate with a port having the associated destination port number; iii)
requesting
the negotiation of an encrypted communication pathway, the requesting
comprising
sending a connection request packet comprising the associated destination port
number;
and iv) authorizing the encrypted communication pathway, comprising comparing
a node
identifier, a user-application identifier, and a payload data-type identifier
received from
the encrypted communication pathway with a preconfigured, predefined, pre-
established
and/or preprovisioned authorization code.
[00305] Certain embodiments may provide, for example, a product for managing
communications of a plurality of networked processor nodes, the product
comprising a
non-transitory computer-readable storage medium having computer-readable
program
code embodied therein, the computer-readable program code executable by a
processor
to perform communication management operations, the communication management
operations comprising: performing communication processing functions on at
least a
portion of port-to-network communications (including, for example, on all port-
to-network
137
CA 03077203 2020-03-26
WO 2019/071126 PCT/US2018/054609
communications) of the plurality of processor nodes. In certain embodiments,
for
example, the performing communication processing functions may comprise:
receiving
data packets (for example from a user-application process via a loopback
interface)
having payloads and associated destination port numbers (the associated
destination
port numbers may include, for example, a destination port number associated
with a
destination port of a network security process). In certain embodiments, for
example, the
performing communication processing functions may comprise: identifying
preconfigured, predefined, pre-established and/or preprovisioned tunnel port
numbers,
each one of the tunnel port numbers having a one-to-one correspondence with
one of
the associated destination port numbers. In certain embodiments, for example,
the
performing communication processing functions may comprise: assembling packet
segments, each one of the packet segments comprising one of the payloads, an
associated user-application process identifier, and a payload data type
descriptor. In
certain embodiments, for example, the associated user-application process
identifier
may comprise a process identifier and/or a process owner. In certain
embodiments, for
example, the associated user-application process identifier, and a payload
data type
descriptor may be combined (or concatenated) in a metadata portion of the
packet
segment. In certain embodiments, for example, the metadata may be encrypted,
for
example by a single-use cryptographic key. In certain embodiments, for
example, the
performing communication processing functions may comprise: requesting
transmission
of network packets through network tunnels (for example at least a different
network
tunnel for each application-to-application communication of a specified data
protocol
type), each one of the network packets comprising a tunnel port number of one
of the
tunnel port numbers and one of the assembled packet segments, each one of the
network tunnels having a one-to-one correspondence with one of the tunnel port
numbers.
[00306] A. In certain embodiments, for example, the receiving, identifying,
assembling, and requesting may be transparent to all user-application
processes on the
plurality of networked nodes. In certain embodiments, for example, the data
packets
may be received by loopback interfaces. In certain embodiments, for example,
the data
packets may be received by kernel read and/or write calls. In certain
embodiments, for
example, the data packets may be received by TAP/TUN interfaces. In certain
embodiments, for example, the receiving may occur in kernel spaces of the
plural nodes.
In certain embodiments, for example, the receiving may occur in application
spaces of
the plural nodes. In certain embodiments, for example, the received data
packet may be
received from user-application processes executing in application spaces of
the plural
138
CA 03077203 2020-03-26
WO 2019/071126 PCT/US2018/054609
nodes. In certain embodiments, for example, the user-application process
identifiers
may comprise process commands and process owners (for example process commands
and process owners comparable to the output of operating system commands). In
certain embodiments, for example, the communication processing functions may
further
comprise: setting connection status indicators to a non-operative state if
more than a
fixed number (for example a fixed number such as 10 or 20) of requests to
transmit
network packets are rejected. In certain embodiments, for example, the
communication
processing functions may further comprise: setting connection status
indicators to a non-
operative state if the difference between rejected and successful requests to
transmit
network packets exceeds a fixed number (for example a fixed number such as 10
or 20).
[00307] B. In certain embodiments, for example, the communication processing
functions may further comprise: checking a connection status of the network
tunnels (for
example by checking lists maintained in kernel memory of the plural networked
nodes).
In certain embodiments, for example, the communication processing functions
may
further comprise dropping network packets that are received via one or more
network
tunnels whose connection status indicators are set to a non-operative state.
[00308] C. In certain embodiments, for example, the payloads may be translated
into
a common format prior to the assembling.
[00309] Certain embodiments may provide, for example, a product for managing
communications of a plurality of networked processor nodes, the product
comprising a
non-transitory computer-readable storage medium having computer-readable
program
code embodied therein, the computer-readable program code executable by a
processor
to perform communication management operations, the communication management
operations comprising: performing communication processing functions on at
least a
portion of port-to-network communications (including, for example, on all port-
to-network
communications) of the plurality of processor nodes, the performing
communication
processing functions comprising: i) receiving data packets having payloads and
associated destination port numbers; ii) identifying preconfigured,
predefined, pre-
established and/or preprovisioned tunnel port numbers, each one of the tunnel
port
numbers having a one-to-one correspondence with one of the associated
destination
port numbers; iii) assembling packet segments, each one of the packet segments
comprising one of the payloads, an associated user-application process
identifier, and a
payload data type descriptor; and iv) requesting transmission of network
packets through
network tunnels, each one of the network packets comprising a tunnel port
number of
one of the tunnel port numbers and one of the assembled packet segments, each
one of
139
CA 03077203 2020-03-26
WO 2019/071126 PCT/US2018/054609
the network tunnels having a one-to-one correspondence with one of the tunnel
port
numbers.
[00310] Certain embodiments may provide, for example, a computer program
product
for managing communications of a networked node comprising a processor, the
computer program product comprising a non-transitory computer-readable storage
medium having computer-readable program code embodied therein, the computer-
readable program code executable by the processor to perform communication
management operations, the communication management operations comprising:
performing communication processing functions on all port-to-network
communications
of the networked node, the performing communication processing functions
comprising:
i) receiving a data packet having a payload and an associated destination port
number;
ii) identifying a preconfigured, predefined, pre-established and/or
preprovisioned tunnel
port number associated with the destination port number; iii) assembling a
packet
segment, the packet segment comprising the payload, an associated user-
application
identifier, and a payload data type descriptor; and iv) requesting
transmission of a
network packet through a network tunnel, the network packet comprising the
tunnel port
number and the assembled packet segment, the network tunnel having a one-to-
one
correspondence with the tunnel port number.
[00311] Certain embodiments may provide, for example, a product for managing
communications of a plurality of networked processor nodes, the product
comprising a
non-transitory computer-readable storage medium having computer-readable
program
code embodied therein, the computer-readable program code executable by a
processor
to perform communication management operations, the communication management
operations comprising: performing communication processing functions on at
least a
portion of port-to-network communications (including, for example, on all port-
to-network
communications) of the plurality of processor nodes. In certain embodiments,
for
example, the performing communication processing functions may comprise
receiving
data packets from source ports, the data packets having payloads and
associated
destination port numbers. In certain embodiments, for example, the performing
communication processing functions may comprise verifying that the source
ports are
authorized to communicate with ports having the associated destination port
numbers.
In certain embodiments, for example, the performing communication processing
functions may comprise assembling packet segments, each one of the packet
segments
comprising one of the payloads, an associated user-application identifier, and
a payload
data type descriptor. In certain embodiments, for example, the performing
communication processing functions may comprise requesting transmission of
network
140
CA 03077203 2020-03-26
WO 2019/071126 PCT/US2018/054609
packets through network tunnels, each one of the network packets comprising a
port
number of one of the associated destination port numbers and one of the
assembled
packet segments, each one of the network tunnels having a one-to-one
correspondence
with one of the associated destination port numbers.
[00312] Certain embodiments may provide, for example, a product for managing
communications of a plurality of networked processor nodes, the product
comprising a
non-transitory computer-readable storage medium having computer-readable
program
code embodied therein, the computer-readable program code executable by a
processor
to perform communication management operations, the communication management
operations comprising: performing communication processing functions on all
port-to-
network communications of the plurality of processor nodes. In certain
embodiments, for
example, the performing communication processing functions may comprise
receiving
data packets having payloads and associated destination port numbers. In
certain
embodiments, for example, the performing communication processing functions
may
comprise identifying preconfigured, predefined, pre-established and/or
preprovisioned
tunnel port numbers, each one of the tunnel port numbers having a one-to-one
correspondence with one of the associated destination port numbers. In certain
embodiments, for example, the performing communication processing functions
may
comprise assembling packet segments, each one of the packet segments
comprising
one of the payloads, an associated user-application identifier, and a payload
data type
descriptor. In certain embodiments, for example, the performing communication
processing functions may comprise requesting transmission of network packets
through
encrypted communication pathways, each one of the network packets comprising a
tunnel port number of one of the tunnel port numbers and one of the assembled
packet
segments, each one of the encrypted communication pathways having a one-to-one
correspondence with one of the tunnel port numbers.
[00313] Certain embodiments may provide, for example, a product for managing
communications of a plurality of networked processor nodes, the product
comprising a
non-transitory computer-readable storage medium having computer-readable
program
code embodied therein, the computer-readable program code executable by a
processor
to perform communication management operations, the communication management
operations comprising: performing communication processing functions on at
least a
portion of port-to-network communications (including, for example, on all port-
to-network
communications) of the plurality of processor nodes. In certain embodiments,
for
example, the performing communication processing functions may comprise
receiving
data packets from source ports, the data packets having payloads and
associated
141
CA 03077203 2020-03-26
WO 2019/071126 PCT/US2018/054609
destination port numbers. In certain embodiments, for example, the performing
communication processing functions may comprise verifying that the source
ports are
authorized to communicate with ports having the associated destination port
numbers.
In certain embodiments, for example, the performing communication processing
functions may comprise assembling packet segments, each one of the packet
segments
comprising one of the payloads, an associated user-application identifier, and
a payload
data type descriptor. In certain embodiments, for example, the performing
communication processing functions may comprise requesting transmission of
network
packets through encrypted communication pathways, each one of the network
packets
comprising a port number of one of the associated destination port numbers and
one of
the assembled packet segments, each one of the encrypted communication
pathways
having a one-to-one correspondence with one of the associated destination port
numbers.
[00314] Certain embodiments may provide, for example, a product for managing
communications of a plurality of networked processor nodes, the product
comprising a
non-transitory computer-readable storage medium having computer-readable
program
code embodied therein, the computer-readable program code executable by a
processor
to perform communication management operations, the communication management
operations comprising: performing communication processing functions on all
port-to-
network communications of the plurality of processor nodes, the performing
communication processing functions comprising: i) receiving data packets from
source
ports, the data packets having payloads and associated destination port
numbers; ii)
verifying that the source ports are authorized to communicate with ports
having the
associated destination port numbers; iii) assembling packet segments, each one
of the
packet segments comprising one of the payloads, an associated user-application
identifier, and a payload data type descriptor; and iv) requesting
transmission of network
packets through network tunnels, each one of the network packets comprising a
port
number of one of the associated destination port numbers and one of the
assembled
packet segments, each one of the network tunnels having a one-to-one
correspondence
with one of the associated destination port numbers.
[00315] Certain embodiments may provide, for example, a product for managing
communications of a plurality of networked processor nodes, the product
comprising a
non-transitory computer-readable storage medium having computer-readable
program
code embodied therein, the computer-readable program code executable by a
processor
to perform communication management operations, the communication management
operations comprising: performing communication processing functions on all
port-to-
142
CA 03077203 2020-03-26
WO 2019/071126 PCT/US2018/054609
network communications of the plurality of processor nodes, the performing
communication processing functions comprising: i) receiving a data packet from
a source
port, the data packet having a payload and an associated destination port
number; ii)
verifying that the source port is authorized to communicate with a port having
the
associated destination port number; iii) assembling a packet segment, the
packet
segment comprising the payload, an associated user-application identifier, and
a payload
data type descriptor, and iv) requesting transmission of a network packet
through a
network tunnel, the network packet comprising the associated destination port
numbers
and the assembled packet segment, the network tunnels having a one-to-one
correspondence with the associated destination port number.
[00316] Certain embodiments may provide, for example, a product for managing
communications of a plurality of networked processor nodes, the product
comprising a
non-transitory computer-readable storage medium having computer-readable
program
code embodied therein, the computer-readable program code executable by a
processor
to perform communication management operations, the communication management
operations comprising: performing communication processing functions on all
port-to-
network communications of the plurality of processor nodes, the performing
communication processing functions comprising: i) receiving data packets
having
payloads and associated destination port numbers; ii) identifying
preconfigured,
predefined, pre-established and/or preprovisioned tunnel port numbers, each
one of the
tunnel port numbers having a one-to-one correspondence with one of the
associated
destination port numbers; iii) assembling packet segments, each one of the
packet
segments comprising one of the payloads, an associated user-application
identifier, and
a payload data type descriptor; and iv) requesting transmission of network
packets
through encrypted communication pathways, each one of the network packets
comprising a tunnel port number of one of the tunnel port numbers and one of
the
assembled packet segments, each one of the encrypted communication pathways
having a one-to-one correspondence with one of the tunnel port numbers.
[00317] Certain embodiments may provide, for example, a product for managing
communications of a plurality of networked processor nodes, the product
comprising a
non-transitory computer-readable storage medium having computer-readable
program
code embodied therein, the computer-readable program code executable by a
processor
to perform communication management operations, the communication management
operations comprising: performing communication processing functions on all
port-to-
network communications of the plurality of processor nodes, the performing
communication processing functions comprising: i) receiving a data packet
having a
143
CA 03077203 2020-03-26
WO 2019/071126 PCT/US2018/054609
payload and an associated destination port number; ii) identifying a
preconfigured,
predefined, pre-established and/or preprovisioned tunnel port number, the
tunnel port
number having a one-to-one correspondence with the associated destination port
number; iii) assembling a packet segment, the packet segment comprising the
payload,
an associated user-application identifier, and a payload data type descriptor;
and iv)
requesting encrypted communication over an encrypted communication pathway of
a
network packet, the network packets comprising the tunnel port number and the
assembled packet segment, the encrypted communication pathway having a one-to-
one
correspondence with the tunnel port number.
[00318] Certain embodiments may provide, for example, a product for managing
communications of a plurality of networked processor nodes, the product
comprising a
non-transitory computer-readable storage medium having computer-readable
program
code embodied therein, the computer-readable program code executable by a
processor
to perform communication management operations, the communication management
operations comprising: performing communication processing functions on all
port-to-
network communications of the plurality of processor nodes, the performing
communication processing functions comprising: i) receiving data packets from
source
ports, the data packets having payloads and associated destination port
numbers; ii)
verifying that the source ports are authorized to communicate with ports
having the
associated destination port numbers; iii) assembling packet segments, each one
of the
packet segments comprising one of the payloads, an associated user-application
identifier, and a payload data type descriptor; and iv) requesting
transmission of network
packets through encrypted communication pathways, each one of the network
packets
comprising a port number of one of the associated destination port numbers and
one of
the assembled packet segments, each one of the encrypted communication
pathways
having a one-to-one correspondence with one of the associated destination port
numbers.
[00319] Certain embodiments may provide, for example, a product for managing
communications of a plurality of networked processor nodes, the product
comprising a
non-transitory computer-readable storage medium having computer-readable
program
code embodied therein, the computer-readable program code executable by a
processor
to perform communication management operations, the communication management
operations comprising: performing communication processing functions on all
port-to-
network communications of the plurality of processor nodes, the performing
communication processing functions comprising: i) receiving a data packet from
a source
port, the data packet having a payload and an associated destination port
number; ii)
144
CA 03077203 2020-03-26
WO 2019/071126 PCT/US2018/054609
verifying that the source port is authorized to communicate with a port having
the
associated destination port number; iii) assembling a packet segment, the
packet
segments comprising the payload, an associated user-application identifier,
and a
payload data type descriptor; and iv) requesting transmission of a network
packet
through an encrypted communication pathway, the network packets comprising the
associated destination port number and the assembled packet segment, the
encrypted
communication pathway having a one-to-one correspondence with the associated
destination port number.
[00320] Certain embodiments may provide, for example, a product for managing
communications of a plurality of networked processor nodes, the product
comprising a
computer-readable storage medium (for example a non-transitory computer-
readable
storage medium) having computer-readable program code embodied therein, the
computer-readable program code executable by a processor to perform
communication
management operations, the communication management operations comprising:
performing communication processing functions on at least a portion of network-
to-port
communications (including, for example, on all network-to-port communications)
received by the plurality of processor nodes. In certain embodiments, for
example, the
performing communication processing functions may comprise obtaining tunnel
port
numbers, metadata (for example metadata encrypted using a single-use
cryptographic
key), and payloads associated with network packets. In certain embodiments,
for
example, the performing communication processing functions may comprise
identifying
preconfigured, predefined, pre-established and/or preprovisioned destination
port
numbers and preconfigured, predefined, pre-established and/or preprovisioned
authorization codes associated with the tunnel port numbers, each one of the
authorization codes comprising a preconfigured, predefined, pre-established
and/or
preprovisioned user-application process identifier and a preconfigured,
predefined, pre-
established and/or preprovisioned payload data-type identifier associated with
one of the
obtained tunnel port numbers. In certain embodiments, for example, the
performing
communication processing functions may comprise authorizing the network
packets,
comprising: comparing (for example comparing in application spaces or kernel
spaces of
the plurality of nodes) metadata with the authorization codes. In certain
embodiments,
for example, the performing communication processing functions may comprise
requesting transmission (for example across loopback interfaces, by TUN/TAP
interfaces, or by kernel read and/or write calls) of payloads from the
authorized network
packets to destinations referenced by the destination port numbers. In certain
145
CA 03077203 2020-03-26
WO 2019/071126 PCT/US2018/054609
embodiments, for example, the payloads may be passed to the destination port
numbers
by one or more loopback interfaces.
[00321] A. In certain embodiments, for example, the obtaining, identifying,
authorizing, and requesting may be transparent to all user-application
processes on the
plurality of networked nodes (for example by employing modified network
application
programming interface functions (for example in a modified operating system)
while
maintaining standard syntax). In certain embodiments, for example, the
obtaining,
identifying, authorizing, and requesting may be self-executing and/or
automatic (for
example requiring no human intervention, no interruption in computer execution
other
than ordinary, temporary process scheduling).
[00322] B. In certain embodiments, for example, the communication processing
functions may be performed at 95% of wire speed or greater and less than 10%
of the
processor load may be committed to network communications. In certain
embodiments,
for example, the destinations may comprise user-application processes. In
certain
embodiments, for example, the program code may be middleware positioned
between
the network and the destinations referenced by the destination port number. In
certain
embodiments, for example, the communication processing functions may further
comprise: dropping network packets if they are not authorized following the
comparing
(for example dropping network packets for which the metadata does not match
expected
values based on the authorization codes).
[00323] C. In certain embodiments, for example, the communication processing
functions may further comprise: setting connection status indicators to a non-
operative
state if more than a fixed number of network packets are not authorized
following the
comparing. In certain embodiments, for example, the communication processing
functions may further comprise: checking, the checking at least partially
performed in
kernels of the plural networked nodes, a connection status of the network. In
certain
embodiments, for example, the communication processing functions may further
comprise: dropping network packets that are received via one or more network
tunnels
whose connection status indicators are set to a non-operative state.
[00324] Certain embodiments may comprise, for example, a product for managing
communications of a plurality of networked processor nodes, the product
comprising a
non-transitory computer-readable storage medium having computer-readable
program
code embodied therein, the computer-readable program code executable by a
processor
to perform communication management operations, the communication management
operations comprising: performing communication processing functions on at
least a
portion of network-to-port communications (including, for example, on all
network-to-port
146
CA 03077203 2020-03-26
WO 2019/071126 PCT/US2018/054609
communications) received by the plurality of processor nodes, the performing
communication processing functions comprising: i) obtaining tunnel port
numbers,
metadata, and payloads associated with network packets; ii) identifying
preconfigured,
predefined, pre-established and/or preprovisioned destination port numbers and
preconfigured, predefined, pre-established and/or preprovisioned authorization
codes
associated with the tunnel port numbers, each one of the authorization codes
comprising
a preconfigured, predefined, pre-established and/or preprovisioned user-
application
identifier and a preconfigured, predefined, pre-established and/or
preprovisioned payload
data-type identifier associated with one of the obtained tunnel port numbers;
iii)
authorizing the network packets, comprising: comparing at least a portion of
the
metadata with the authorization codes; and iv) requesting transmission of
payloads from
the authorized network packets to destinations referenced by the destination
port
numbers.
[00325] Certain embodiments may comprise, for example, a computer program
product for managing communications of a networked nodes comprising a
processor, the
computer program product comprising a non-transitory computer-readable storage
medium having computer-readable program code embodied therein, the computer-
readable program code executable by the processor to perform communication
management operations, the communication management operations comprising:
performing communication processing functions on all network-to-port
communications
received by the networked node, the performing communication processing
functions
comprising: i) obtaining a tunnel port number, metadata, and a payload
associated with a
network packet received by the networked node; ii) identifying a
preconfigured,
predefined, pre-established and/or preprovisioned destination port number and
a
preconfigured, predefined, pre-established and/or preprovisioned authorization
code
associated with the tunnel port number, the authorization code comprising a
preconfigured, predefined, pre-established and/or preprovisioned user-
application
identifier and a preconfigured, predefined, pre-established and/or
preprovisioned payload
data-type identifier associated with the obtained tunnel port number; iii)
authorizing the
network packet, comprising: comparing the metadata with the authorization
code; and iv)
requesting transmission of the payload to a destination referenced by the
destination port
number.
[00326] Certain embodiments may provide, for example, a product for managing
communications of a plurality of networked processor nodes, the product
comprising a
computer-readable storage medium (for example a non-transitory computer-
readable
storage medium) having computer-readable program code embodied therein, the
147
CA 03077203 2020-03-26
WO 2019/071126 PCT/US2018/054609
computer-readable program code executable by a processor to perform
communication
management operations, the communication management operations comprising:
performing communication processing functions on at least a portion of network-
to-port
communications (including, for example, on all network-to-port communications)
received by the plurality of processor nodes. In certain embodiments, for
example, the
performing communication processing functions may comprise obtaining
destination port
numbers, metadata, and payloads associated with network packets. In certain
embodiments, for example, the performing communication processing functions
may
comprise identifying preconfigured, predefined, pre-established and/or
preprovisioned
authorization codes associated with the destination port numbers, each one of
the
authorization codes comprising a preconfigured, predefined, pre-established
and/or
preprovisioned user-application identifier and a preconfigured, predefined,
pre-
established and/or preprovisioned payload data-type identifier associated with
one of the
destination port numbers. In certain embodiments, for example, the performing
communication processing functions may comprise authorizing the network
packets,
comprising: comparing at least a portion of the metadata with the
authorization codes. In
certain embodiments, for example, the performing communication processing
functions
may comprise requesting transmission of payloads from the authorized network
packets
to destinations referenced by the destination port numbers.
[00327] Certain embodiments may provide, for example, a product for managing
communications of a plurality of networked processor nodes, the product
comprising a
non-transitory computer-readable storage medium having computer-readable
program
code embodied therein, the computer-readable program code executable by a
processor
to perform communication management operations, the communication management
operations comprising: performing communication processing functions on all
network-
to-port communications received by the plurality of processor nodes, the
performing
communication processing functions comprising: i) obtaining destination port
numbers,
metadata, and payloads associated with network packets; ii) identifying
preconfigured,
predefined, pre-established and/or preprovisioned authorization codes
associated with
the destination port numbers, each one of the authorization codes comprising a
preconfigured, predefined, pre-established and/or preprovisioned user-
application
identifier and a preconfigured, predefined, pre-established and/or
preprovisioned payload
data-type identifier associated with one of the destination port numbers; iii)
authorizing
the network packets, comprising: comparing at least a portion of the metadata
with the
authorization codes; and iv) requesting transmission of payloads from the
authorized
network packets to destinations referenced by the destination port numbers.
148
CA 03077203 2020-03-26
WO 2019/071126 PCT/US2018/054609
[00328] Certain embodiments may provide, for example, a product for managing
communications of a plurality of networked processor nodes, the product
comprising a
non-transitory computer-readable storage medium having computer-readable
program
code embodied therein, the computer-readable program code executable by a
processor
to perform communication management operations, the communication management
operations comprising: performing communication processing functions on all
network-
to-port communications received by the plurality of processor nodes, the
performing
communication processing functions comprising: i) obtaining a tunnel port
number,
metadata, and a payload associated with a network packet received by the
networked
node; ii) identifying a preconfigured, predefined, pre-established and/or
preprovisioned
destination port number and a preconfigured, predefined, pre-established
and/or
preprovisioned authorization code associated with the tunnel port number, the
authorization code comprising a preconfigured, predefined, pre-established
and/or
preprovisioned user-application identifier and a preconfigured, predefined,
pre-
established and/or preprovisioned payload data-type identifier associated with
the
obtained tunnel port number; iii) authorizing the network packet, comprising:
comparing
the metadata with the authorization code; and iv) requesting transmission of
the payload
to a destination referenced by the preconfigured, predefined, pre-established
and/or
preprovisioned destination port number.
[00329] Certain embodiments may provide, for example, a method for authorized
network communication, comprising: detecting a request by a first application
present on
a first node to transmit data to a destination port associated with a second
application
present on a second node, validating the authority of the first application to
transmit the
data to the destination port at least by checking a preconfigured list present
on the first
node, passing the data from the first application to a first middleware on the
first node,
and mutual authorization and authentication of the first node and the second
node, the
first application and the second application, and a data protocol of the data.
In certain
further embodiments, for example, the method may further comprise transmitting
a
network packet containing the data through a network tunnel (for example a
network
tunnel configured according to User Datagram Protocol (UDP), a "mid-weight"
UDP
comprising UDP plus additional connection acknowledgments devised to increase
reliability of a UDP connection, or Transmission Control Protocol (TCP)), the
network
tunnel extending from the first middleware to a second middleware present on
the
second node, the network tunnel initialized based on the detected request, the
initialization based at least on the mutual authentication and authorization.
149
CA 03077203 2020-03-26
WO 2019/071126 PCT/US2018/054609
[00330] A. In certain embodiments, for example, the first node may be a first
computing device. In certain embodiments, for example, the first node may
comprise a
first processor, a first kernel, a first network stack, a first loopback
interface, a first
network application programming interface of the first network stack, and a
first non-
transitory computer-readable storage medium. In certain embodiments, for
example, the
second node may comprise a second processor, a second kernel, a second network
stack, and a second non-transitory computer-readable storage medium. In
certain
embodiments, for example, the detecting may be performed by a first execution
thread
being executed by the first processor, and at least a portion of the
validating may be
performed by a second execution thread being executed by the first processor.
In
certain embodiments, for example, the detecting and the validating may be
performed by
a first execution thread being executed by the first processor, and at least a
portion of
the mutual authorization and authentication may be performed by a second
execution
thread being executed by the first processor. In certain embodiments, for
example, the
validating may be performed by the first middleware. In certain embodiments,
for
example, execution of the first middleware may be distributed at least between
a first
execution thread and a second execution thread being executed by the first
processor.
In certain embodiments, for example, the request from the first application
may be
passed through the first loopback interface to the first middleware. In
certain
embodiments, for example, the request from the first application may not be
passed
through the first loopback interface to the first middleware. In certain
embodiments, for
example, the request from the first application may be passed through a shim
in the first
network stack to the first middleware. In certain embodiments, for example,
the request
from the first application may be passed from the first network application
programming
interface directly to the first middleware. In certain embodiments, for
example, the data
may be passed through the loopback interface to the first middleware. In
certain
embodiments, for example, the data may not be passed through the first
loopback
interface to the first middleware. In certain embodiments, for example, the
data may be
passed through a shim in the first network stack to the first middleware. In
certain
embodiments, for example, the data may be passed from the first network
application
programming interface directly to the first middleware. In certain
embodiments, for
example, the detecting may comprise receiving (or intercepting), by the first
middleware,
the request. In certain embodiments, for example, the detecting may occur in
the first
network stack. In certain embodiments, for example, the detecting may occur in
the first
network application programming interface.
150
CA 03077203 2020-03-26
WO 2019/071126 PCT/US2018/054609
[00331] B. In certain embodiments, for example, at least a portion of the
first
middleware may comprise a kernel driver. In certain embodiments, for example,
at least
a portion of the first middleware may comprise a kernel module process.
[00332] C. In certain embodiments, for example, the method may further
comprise:
preventing the first application and the second application from associating
with any
socket comprising a physical interface. In certain embodiments, for example,
the
method may further comprise: preventing any port associated with the first
application
from binding with a physical interface. In certain embodiments, for example,
the method
may further comprise: preventing any port associated with the second
application from
binding with a physical interface. In certain embodiments, for example, the
method may
further comprise: preventing any port associated with the first application
from binding
with a physical interface, preventing any port associated with the second
application from
binding with a physical interface.
[00333] D. In certain embodiments, for example, the network tunnel may be
encrypted. In certain further embodiments, for example, at least a portion of
the network
packet (for example the payload, a portion of the payload, or a metadata
portion of the
payload) may be encrypted using a symmetric key algorithm (for example a
symmetric
key algorithm such as an Advanced Encryption Standard (AES) algorithm (for
example
256-bit AES). In certain further embodiments, for example, the symmetric key
may be
obtained by executing a key exchange algorithm (for example Elliptic-Curve
Diffie-
Hellman (ECDH) key exchange). In certain further embodiments, for example, the
symmetric key may be a single-use key. In certain further embodiments, for
example,
the symmetric key may be obtained by rotating a key derived from ECDH key
exchange.
[00334] E. In certain embodiments, for example, the data protocol may be
obtained
from metadata present in the network packet. In certain further embodiments,
for
example, the metadata may be encrypted.
[00335] F. In certain embodiments, for example, the metadata may comprise a
connection state indicator for the network tunnel. In certain embodiments, for
example, a
connection state indicator for the network tunnel may be inserted into the
metadata by
the first middleware. In certain embodiments, for example, a second middleware
present
on the second node may determine a connection state of the network tunnel by
inspecting the metadata (for example by decrypting encrypted metadata followed
by
parsing the metadata).
[00336] G. In certain embodiments, for example, at least a portion of the
validating
(for example all of the validating) may be performed by the first middleware.
In certain
further embodiments, for example, validating may comprise the first middleware
151
CA 03077203 2020-03-26
WO 2019/071126 PCT/US2018/054609
inspecting a connection state of the network tunnel (for example checking a
port state of
an endpoint of the network tunnel such as a network tunnel endpoint present on
the first
node). In certain embodiments, for example, validating may comprise matching a
2-tuple
comprising a destination port number of the destination port and a unique
first application
identifier of the first application with record present in the preconfigured
list.
[00337] H. In certain embodiments, for example, the network tunnel may be
encrypted based on executing an encryption algorithm (for example encrypted
based on
executing a key exchange algorithm) and the mutual authentication and
authorization of
the first node and the second node may be performed separately from the
executing the
encryption algorithm (for example may be performed after the executing the
encryption
algorithm). In certain embodiments, for example, the mutual authentication and
authorization of the first node and the second node may comprise encrypting a
first node
identification code using a cryptographic key derived from the executing the
key
exchange algorithm. In certain further embodiments, for example, the
cryptographic key
may be nonpublic (for example the cryptographic key may be a shared secret
between
the first middleware and a second middleware executing on the second node). In
certain
embodiments, for example, the mutual authentication and authorization of the
first node
and the second node may comprise: (a) encrypting a first node identification
code using
a first cryptographic key derived from the executing the key exchange
algorithm, and (b)
encrypting a second node identification code using a second cryptographic key
(for
example a second cryptographic key that is different from the first
cryptographic key)
derived from the executing the key exchange algorithm. In certain further
embodiments,
for example, the cryptographic key may be nonpublic (for example the first
cryptographic
key and the second cryptographic key may each be a shared secret between the
first
middleware and a second middleware executing on the second node).
[00338] I. In certain embodiments, for example, the mutual authentication and
authorization of the first node and the second node may be independent of
mutual
authentication and authorization of the first application and the second
application and/or
mutual authentication and authorization of the data protocol. In certain
embodiments, for
example, the mutual authentication and authorization of the first node and the
second
node may be independent of initializing the network tunnel. In certain
embodiments, for
example, the mutual authentication and authorization of the first node and the
second
node may occur after the network tunnel is initialized. In certain
embodiments, for
example, the exchange of the data protocol identifier between the first node
and the
second node may occur during initialization of the network tunnel to at least
partially
authorize the network tunnel.
152
CA 03077203 2020-03-26
WO 2019/071126 PCT/US2018/054609
[00339] J. In certain embodiments, for example, mutual authorization and
authentication of the first application and the second application may
comprise key
exchange (for example by execution of a key exchange algorithm such as ECDH)
during
initialization of the network tunnel. In certain embodiments, for example, a
first private
key associated with the first application and a second private key associated
with the
second application may be used during the key exchange. In certain
embodiments, for
example, the first private key may be uniquely associated with the first
application and
the second private key may be uniquely associated with the second application.
In
certain embodiments, for example, the first private key may be uniquely
associated with
the first application and a user (for example a single-user) of the first
application and the
second private key may be uniquely associated with the second application and
a user
(for example a single-user) of the second application.
[00340] K. In certain embodiments, for example, mutual authorization and
authentication of the first application and the second application may
comprise
encrypting a unique first application identifier and sending the encrypted
unique first
application identifier from the first node to the second node, followed by
decrypting the
unique first application identifier and comparing the unique first application
identifier to a
predetermined first identifier value that is specific to the network tunnel.
In certain further
embodiments, for example, mutual authorization and authentication of the first
application and the second application may comprise encrypting a unique second
application identifier and sending the encrypted unique second application
identifier from
the second node to the first node, followed by decrypting the unique second
application
identifier and comparing the unique second application identifier to a
predetermined
second identifier value that is specific to the network tunnel. In certain
embodiments, for
example, the unique first application identifier may comprise a first
application identifier
and an associated first user identifier. In certain embodiments, for example,
the unique
second application identifier may comprise a second application identifier and
an
associated second user identifier. In certain embodiments, for example, the
unique first
application identifier and the unique second application identifier may be
exchanged
during initialization of the network tunnel to at least partially authorize
the network tunnel.
In certain embodiments, for example, the network packet may contain the unique
first
application identifier. In certain embodiments, for example, mutual
authentication and
authorization of the data protocol may further comprise encrypting a data
protocol
identifier and sending the encrypted data protocol identifier from the first
node to the
second node, followed by decrypting the data protocol identifier and comparing
the data
protocol identifier to a predetermined data protocol identifier value that is
specific to the
153
CA 03077203 2020-03-26
WO 2019/071126 PCT/US2018/054609
network tunnel. In certain further embodiments, for example, mutual
authorization and
authentication of data protocol may comprise encrypting a data protocol
identifier and
sending the encrypted data protocol identifier from the second node to the
first node,
followed by decrypting the data protocol identifier and comparing the data
protocol
identifier to a predetermined data protocol identifier value that is specific
to the network
tunnel. In certain embodiments, for example, the above-described exchange of
the data
protocol identifier between the first node and the second may be performed
during
initialization of the network tunnel to at least partially authorize the
network tunnel. In
certain embodiments, for example, the network packet may contain the unique
first
application identifier. In certain embodiments, for example, mutual
authentication and
authorization of the first application and second application and mutual
authentication
and authorization of the data protocol may be combined. In certain further
embodiments,
for example, a first combined identifier comprising the unique first
application identifier
and the data protocol identifier may be encrypted and sent from the from the
first node to
the second node, followed by decrypting the first combined identifier and
comparing the
first combined identifier to a predetermined first combined identifier value
that is specific
to the network tunnel. In certain further embodiments, for example, a second
combined
identifier comprising the unique second application identifier and the data
protocol
identifier may be encrypted and sent from the from the second node to the
first node,
followed by decrypting the second combined identifier and comparing the second
combined identifier to a predetermined second combined identifier value that
is specific
to the network tunnel. In certain embodiments, for example, the first combined
identifier
and the second combined identifier may be exchanged during initialization of
the network
tunnel to at least partially authorize the network tunnel. In certain
embodiments, for
example, the network packet may contain the unique first application
identifier. In certain
embodiments, for example, the first application identifier and the first user
identifier may
be obtained from a process status request (for example a "ps" command in
Linux).
[00341] L. In certain embodiments, for example, the method may comprise
detecting
a request by the second application to open a port. In certain embodiments,
for
example, the method may comprise validating the authority of the second
application to
open the port at least by checking a further preconfigured list present on the
second
node, processor, or computing device. In certain embodiments, for example, the
checking the further preconfigured list may comprise matching at least a
portion of a
member of the further preconfigured list with a 2-tuple comprising (a) a
unique identifier
for the second application and the user of the second application and (b) a
port number
154
CA 03077203 2020-03-26
WO 2019/071126 PCT/US2018/054609
associated with the port. In certain further embodiments, for example, the
port may be
the destination port.
[00342] M. In certain embodiments, for example, the method may further
comprise:
communicating the data from a second middleware present on the second node to
the
second application.
[00343] Certain embodiments may provide, for example, a method for authorized
network communication. In certain embodiments, for example, the method may
comprise: detecting (for example receiving or intercepting) a request by a
first application
present on a first node (for example a computing device such as an edge device
in an
Internet-of-Things) to transmit data to a second application present on a
second node,
validating the authority of the first application to transmit the data,
passing the data from
the first application to a first middleware on the first node, transmitting a
network packet
(for example an Internet Protocol (IP) packet) containing the data through a
network
tunnel (for example an encrypted network tunnel), and testing the authority of
the second
application to receive the data.
[00344] A. In certain further embodiments, for example, the validating may be
based
at least on a first port number (for example a transport layer port number
according to
the OSI model). In certain further embodiments, for example, the first
application may
comprise a computer program executing on the first node and the first port
number may
be associated with the first application. In certain embodiments, for example,
the first
middleware may comprise a computer program executing on the first node and the
first
port number may be associated with the first middleware (for example the port
number
may be associated with the second middleware and may be an endpoint of the
network
tunnel). In certain embodiments, for example, the first port number may be
predetermined prior to the initialization of the network tunnel. In certain
embodiments,
for example, the first port number may be assigned dynamically during
initialization of the
network tunnel.
[00345] B. In certain embodiments, for example, the network tunnel may extend
from
the first middleware to a second middleware present on the second node (for
example
the network tunnel may extend from a port associated with the first middleware
to a
different port associated with the second middleware. In certain further
embodiments,
for example, the network tunnel may be initialized based on the detected
request (for
example, the initialization may be triggered by the detected request). In
certain further
embodiments, for example, the initialization may be based at least on mutual
authentication and authorization of the first node and the second node (for
example by
exchange of encrypted node identification codes).
155
CA 03077203 2020-03-26
WO 2019/071126 PCT/US2018/054609
[00346] C. In certain embodiments, for example, the testing may be based at
least on
a second port number and a data protocol of the data. In certain further
embodiments,
for example, the second port number may be associated with a computer program
executing on the second node, processor, or computing device. In certain
further
embodiments, for example, the second port number may be associated with the
second
application. In certain embodiments, for example, the second port number may
be
associated with a second middleware (for example the port number may be
associated
with the second middleware and may be an endpoint of the network tunnel). In
certain
embodiments, for example, the second port number may be predetermined prior to
the
initialization of the network tunnel. In certain embodiments, for example, the
second port
number may be assigned dynamically during initialization of the network
tunnel.
[00347] D. In certain embodiments, for example, the first node may be a first
computing device. In certain embodiments, for example, the first node may
comprise a
first processor, a first kernel, a first network stack, a first loopback
interface, a first
network application programming interface of the first network stack, and a
first non-
transitory computer-readable storage medium. In certain embodiments, for
example, the
second node may comprise a second processor, a second kernel, a second network
stack, and a second non-transitory computer-readable storage medium. In
certain
embodiments, for example, the detecting may be performed by a first execution
thread
being executed by the first processor and at least a portion of the testing
may be
performed by a second execution thread being executed by the first processor.
In
certain embodiments, for example, the validating may be performed by the first
middleware. In certain further embodiments, for example, the validating may be
performed by the first execution thread. In certain further embodiments, for
example, the
validating may be performed by the second execution thread. In certain
embodiments,
for example, execution of the first middleware may be distributed at least
between the
first execution thread and the second execution thread. In certain
embodiments, for
example, the request from the first application may be passed through the
first loopback
interface to the first middleware. In certain embodiments, for example, the
request from
the first application may not be passed through the first loopback interface
to the first
middleware. In certain embodiments, for example, the request from the first
application
may be passed through a shim in the first network stack to the first
middleware. In
certain embodiments, for example, the request from the first application may
be passed
from the first network application programming interface directly to the first
middleware.
In certain embodiments, for example, the data may be passed through the
loopback
interface to the first middleware. In certain embodiments, for example, the
data may not
156
CA 03077203 2020-03-26
WO 2019/071126 PCT/US2018/054609
be passed through the first loopback interface to the first middleware. In
certain
embodiments, for example, the data may be passed through a shim in the first
network
stack to the first middleware. In certain embodiments, for example, the data
may be
passed from the first network application programming interface directly to
the first
middleware. In certain embodiments, for example, the detecting may comprise
receiving
or intercepting, by the first middleware, the request. In certain embodiments,
for
example, the detecting may occur in the first network stack. In certain
embodiments, for
example, the detecting may occur in the first network application programming
interface.
[00348] E. In certain embodiments, for example, at least a portion of the
first
middleware may comprise a kernel driver. In certain embodiments, for example,
at least
a portion of the first middleware may comprise a kernel module process.
[00349] F. In certain embodiments, for example, the method may further
comprise:
preventing the first application and the second application from associating
with any
socket comprising a physical interface. In certain embodiments, for example,
the
method may further comprise: preventing any port associated with the first
application
from binding with a physical interface. In certain embodiments, for example,
the method
may further comprise: preventing any port associated with the second
application from
binding with a physical interface. In certain embodiments, for example, the
method may
further comprise: preventing any port associated with the first application
from binding
with a physical interface, preventing any port associated with the second
application from
binding with a physical interface.
[00350] G. In certain embodiments, for example, the network tunnel may be
encrypted. In certain further embodiments, for example, at least a portion of
the network
packet (for example the payload, a portion of the payload, or a metadata
portion of the
payload) may be encrypted using a symmetric key algorithm (for example a
symmetric
key algorithm such as an Advanced Encryption Standard (AES) algorithm (for
example
256-bit AES). In certain further embodiments, for example, the symmetric key
may be
obtained by Diffie-Hellman key exchange (for example Elliptic-Curve Diffie-
Hellman
(ECDH) key exchange). In certain further embodiments, for example, the
symmetric key
may be a single-use key. In certain further embodiments, for example, the
symmetric
key may be obtained by rotating a key derived from ECDH key exchange.
[00351] H. In certain embodiments, for example, the data protocol may be
obtained
from metadata present in the network packet. In certain further embodiments,
for
example, the metadata may be encrypted.
[00352] I. In certain embodiments, for example, the metadata may comprise a
connection state indicator for the network tunnel. In certain embodiments, for
example, a
157
CA 03077203 2020-03-26
WO 2019/071126 PCT/US2018/054609
connection state indicator for the network tunnel may be inserted into the
metadata by
the first middleware. In certain embodiments, for example, a second middleware
present
on the second node may determine a connection state of the network tunnel by
inspecting the metadata (for example by decrypting encrypted metadata followed
by
parsing the metadata).
[00353] J. In certain embodiments, for example, at least a portion of the
validating
(for example all of the validating) may be performed by the first middleware.
In certain
further embodiments, for example, validating may comprise the first middleware
inspecting a connection state of the network tunnel (for example checking a
port state of
an endpoint of the network tunnel such as a network tunnel endpoint present on
the first
node). In certain embodiments, for example, validating may comprise matching a
2-tuple
comprising the first port number and an application identifier with a
predetermined, pre-
authorized 2-tuple. In certain further embodiments, for example, the
application identifier
may comprise an application code and an application user code. In certain
embodiments, for example, the application identifier and the application user
code may
be constructed based on a process status command (for example the "ps" command
in
Linux). In certain embodiments, for example, validating may comprise matching
a 3-
tuple comprising the first port number, an application identifier, and an
application user
with a predetermined, pre-authorized 3-tuple. In certain embodiments, for
example, at
least a portion of the validating (for example all of the validating) may be
performed by a
second middleware present on the second node, processor, or computing device.
In
certain embodiments, for example, a first portion of the validating may be
performed by
the first middleware and a second portion of the validating may be performed
by the
second middleware.
[00354] K. In certain embodiments, for example, validating may comprise the
second
middleware inspecting the metadata. In certain embodiments, for example,
validating
may comprise the second middleware inspecting the metadata to determine a
connection state of the network tunnel. In certain embodiments, for example,
validating
may comprise the second middleware inspecting the metadata to verify the first
application is authorized. In certain embodiments, for example, validating may
comprise
the second middleware inspecting the metadata to verify a user of the first
application is
an authorized user of the first application. In certain embodiments, for
example,
validating may comprise the second middleware inspecting the metadata to
verify a data
protocol of the data is an authorized data protocol. In certain embodiments,
for example,
validating may comprise the second middleware inspecting the metadata to
verify a
descriptor comprising at least a portion of the user of the first application,
at least a
158
CA 03077203 2020-03-26
WO 2019/071126 PCT/US2018/054609
portion of the first application, and at least a portion of the data protocol
matches a pre-
stored, pre-authorized value for the descriptor.
[00355] L. In certain further embodiments, for example, the pre-stored, pre-
authorized value may be selected based on (for example the pre-stored, pre-
authorized
value may be indexed by) at least one port number associated with the first
application.
In certain further embodiments, for example, the pre-stored, pre-authorized
value may be
selected based on at least one port number associated with the second
application. In
certain further embodiments, for example, the pre-stored, pre-authorized value
may be
selected based on at least one port number associated with the first
middleware. In
certain further embodiments, for example, the pre-stored, pre-authorized value
may be
selected based on at least one port number associated with the second
middleware (for
example the port number may be associated with the second middleware and may
be an
endpoint of the network tunnel).
[00356] M. In certain embodiments, for example, the initializing the network
tunnel
may comprise obtaining the predetermined, pre-authorized 2-tuple. In certain
embodiments, for example, the initializing the network tunnel may comprise
obtaining the
predetermined, pre-authorized 3-tuple.
[00357] N. In certain embodiments, for example, the validating may comprise
the first
middleware verifying (for example verifying in a kernel of the first node)
that data sent
from the first application is permitted to pass through a first port
identified by a first port
number (for example wherein the first port number is a port number associated
with the
first middleware). In certain further embodiments, for example, the validating
may
comprise a second middleware present on the second node parsing metadata
present in
the network packet to obtain a descriptor comprising a first application
component, a first
application user component, and a data protocol component. In certain further
embodiments, for example, the validating may comprise the second middleware
looking
up a predetermined value based on a destination port number of the network
packet. In
certain further embodiments, for example, the validating may comprise
comparing the
obtained descriptor with the looked-up, predetermined value. In certain
embodiments,
for example, at least a portion of the testing (for example all of the
testing) may be
performed by a second middleware present on the second node, processor, or
computing device. In certain embodiments, for example, a first portion of the
testing may
be performed by the first middleware and a second portion of the testing may
be
performed by the second middleware. In certain embodiments, for example, the
testing
may comprise the second middleware inspecting metadata of the network packet.
In
certain further embodiments, for example, the testing may comprise the second
159
CA 03077203 2020-03-26
WO 2019/071126 PCT/US2018/054609
middleware parsing the metadata to obtain a connection state indicator of the
network
tunnel. In certain embodiments, for example, the testing may comprise the
second
middleware comparing a destination port number of the network packet with a
predetermined, pre-authorized destination port number.
[00358] 0. In certain embodiments, for example, the testing may comprise
testing, by
at least a portion of a second middleware present on the second node (for
example at
least a portion of a middleware executing in a kernel of the second node),
whether a
destination port of the network packet matches an open, pre-authenticated
second port
number. In certain embodiments, for example, the open, pre-authenticated
second port
number may be pre-authenticated during the initialization of the tunnel
network based on
(a) being associated with the second middleware; (b) appearing in a record
present on
the second node, the record comprising the second application, a user of the
second
application, and a port number associated with the second application and the
user of
the second application; and (c) an open connection comprising the port number
associated with the second application and the user of the second application.
[00359] P. In certain embodiments, for example, the method may further
comprise:
communicating the data from a second middleware present on the second node to
the
second application.
[00360] Q. In certain embodiments, for example, the mutual authentication and
authorization of the first node and the second node may be independent of
initializing the
network tunnel. In certain embodiments, for example, the mutual authentication
and
authorization of the first node and the second node may occur after the
network tunnel is
initialized. In certain embodiments, for example, the network tunnel may be
encrypted
based on executing an encryption algorithm (for example encrypted based on
executing
a key exchange algorithm) and the mutual authentication and authorization of
the first
node and the second node may be performed separately from the executing the
encryption algorithm (for example may be performed after the executing the
encryption
algorithm). In certain embodiments, for example, the mutual authentication and
authorization of the first node and the second node may comprise encrypting a
first node
identification code using a cryptographic key derived from the executing the
key
exchange algorithm. In certain further embodiments, for example, the
cryptographic key
may be nonpublic (for example the cryptographic key may be a shared secret
between
the first middleware and a second middleware executing on the second node). In
certain
embodiments, for example, the mutual authentication and authorization of the
first node
and the second node may comprise: (a) encrypting a first node identification
code using
a first cryptographic key derived from the executing the key exchange
algorithm, and (b)
160
CA 03077203 2020-03-26
WO 2019/071126 PCT/US2018/054609
encrypting a second node identification code using a second cryptographic key
(for
example a second cryptographic key that is different from the first
cryptographic key)
derived from the executing the key exchange algorithm. In certain further
embodiments,
for example, the cryptographic key may be nonpublic (for example the first
cryptographic
key and the second cryptographic key may each be a shared secret between the
first
middleware and a second middleware executing on the second node).
[00361] Certain embodiments may provide, for example, a method for authorized
network communication, comprising: i) detecting a request by a first
application present
on a first node to transmit data to a second application present on a second
node; ii)
validating the authority of the first application to transmit the data, the
validating based at
least on a predetermined port number of the first application; iii) passing
the data from
the first application to a first middleware on the first node; iv)
transmitting a network
packet containing the data through a network tunnel, the network tunnel
extending from
the first middleware to a second middleware present on the second node, the
network
tunnel initialized based on the detected request, the initialization based at
least on
mutual authentication and authorization of the first node and the second node;
and v)
testing the authority of the second application to receive the data, the
testing based at
least on a predetermined port number of the second application and a data
protocol of
the data.
[00362] Certain embodiments may provide, for example, a method for authorized
network communication. In certain embodiments, for example, the method may
comprise detecting a request by a first application process on a first node to
establish a
connection for transmitting data having a data type to a second application
process at a
destination port number. In certain embodiments, for example, the method may
comprise validating the authority of the first application process to transmit
the data at
least by checking a preconfigured list present on the first node for a
combination of a first
application process identifier and the destination port number. In certain
embodiments,
for example, the method may comprise passing the data from the first
application
process to a first middleware process on the first node, processor, or
computing device.
In certain embodiments, for example, the method may comprise establishing a
dedicated
encrypted communication pathway for transmitting data having the data type
between
the first application process and the second application process, the
dedicated encrypted
communication pathway extending from the first middleware process to a second
middleware process on the second node, by mutual authentication and
authorization of
the first node and/or the second node, the first application process and/or
the second
161
CA 03077203 2020-03-26
WO 2019/071126 PCT/US2018/054609
application process, a first application process owner and/or a second
application
process owner, and/or a data protocol of the data.
[00363] A. In certain embodiments, for example, the data may be passed from
the
first application process to the first middleware process by a TOP connection.
In certain
embodiments, for example, the encrypted communication pathway may comprise a
UDP
connection. In certain embodiments, for example, the data may be passed from
the first
application process to the first middleware process by a TOP connection and
the
encrypted communication pathway may comprise a UDP connection. In certain
embodiments, for example, the data may be passed from the second application
process
to the second middleware process by a further TOP connection. In certain
embodiments, for example, the data may be passed from the first application
process to
the first middleware process by a TOP connection, the encrypted communication
pathway may comprise a UDP connection, and the data may be passed from the
second
application process to the second middleware process by a further TOP
connection.
[00364] Certain embodiments may provide, for example, a method for authorized
network communication, comprising: i) detecting a request by a first
application process
on a first node to establish a connection for transmitting data having a data
type to a
second application process at a destination port number; ii) validating the
authority of the
first application process to transmit the data at least by checking a
preconfigured list
present on the first node for a combination of a first application process
identifier and the
destination port number; iii) passing the data from the first application
process to a first
middleware process on the first node; iv) establishing a dedicated encrypted
communication pathway for transmitting data having the data type between the
first
application process and the second application process, the dedicated
encrypted
communication pathway extending from the first middleware process to a second
middleware process on the second node, by mutual authentication and
authorization of
the first node and/or the second node, the first application process and/or
the second
application process, a first application process owner and/or a second
application
process owner, and/or a data protocol of the data.
[00365] Certain embodiments may provide, for example, plural nodes coupled to
a
network, wherein each data transfer between a first node of the plural nodes
and a
second node (for example each second node) of the plural nodes may be
according to
one of the foregoing methods for authorized communication. In certain further
embodiments, for example, the plural nodes coupled to the network may define a
software-defined network (for example plural virtual router switches
cooperatively
configured with one another).
162
CA 03077203 2020-03-26
WO 2019/071126 PCT/US2018/054609
[00366] Certain embodiments may provide, for example, a method to securely
transport plural data packets (for example plural IP packets), comprising:
configuring a
data pathway from a first application (for example an application program)
executing on
a first node to a second application executing on a second node, and
exchanging node
identification codes over at least a portion of the data pathway to at least
partially
authorize the at least a portion of the data pathway. In certain further
embodiments, for
example, the method may comprise, for each one of the transported plural
packets from
the first application: executing operating system commands to verify that the
at least
partially authorized at least a portion of the data pathway remains unaltered;
reading first
application user and data protocol metadata to obtain at least one descriptor
(for
example at one 4-byte or 8-type descriptor); and comparing the at least one
descriptor
with members of a static list (for example a predetermined white list of
authorized
descriptors).
[00367] A. In certain embodiments, for example, the data pathway may transport
packets exclusively between endpoints defined by the first application and the
second
application (for example a port associated with the first application and a
port associated
with the second application). In certain further embodiments, for example, the
authorized at least a portion of the data pathway may transport packets
exclusively on
the data pathway.
[00368] B. In certain embodiments, for example, the at least a portion of the
data
pathway may be encrypted based on executing an encryption algorithm (for
example
encrypted based on executing a key exchange algorithm) and the exchanging node
identification codes may be performed separately from the executing the
encryption
algorithm (for example may be performed after the executing the encryption
algorithm).
In certain embodiments, for example, the exchanging node identification codes
may
comprise encrypting a first node identification code using a cryptographic key
derived
from the executing the key exchange algorithm. In certain further embodiments,
for
example, the cryptographic key may be nonpublic (for example the cryptographic
key
may be a shared secret between the first middleware and a second middleware
executing on the second node). In certain embodiments, for example, the
exchanging
node identification codes may comprise: (a) encrypting a first node
identification code
using a first cryptographic key derived from the executing the key exchange
algorithm,
and (b) encrypting a second node identification code using a second
cryptographic key
(for example a second cryptographic key that is different from the first
cryptographic key)
derived from the executing the key exchange algorithm. In certain further
embodiments,
for example, at least one of the node identification codes may be nonpublic
(for example
163
CA 03077203 2020-03-26
WO 2019/071126 PCT/US2018/054609
the first node identification code and the second node identification code may
each be a
shared secret between a network security software executing on the first node
and a
network security software executing on the second node).
[00369] C. In certain embodiments, for example, the method may comprise
decrypting the first application user and data protocol metadata prior to the
reading.
[00370] D. In certain embodiments, for example, the at least one descriptor
may be
an n-tuple, wherein n may be at least 2 (for example a 2-tuple). In certain
embodiments,
for example, the n-tuple may be an at least a 2-tuple, an at least a 3-tuple,
an at least a
5-tuple, an at least a 6-tuple, an at least an 8-tuple, an at least a 10-
tuple, or an at least a
12-tuple.
[00371] E. In certain embodiments, for example, the static list may be present
on the
second node, processor, or computing device. In certain embodiments, for
example, the
comparing may be performed on the second node, processor, or computing device.
[00372] F. In certain embodiments, for example, the executing operating system
commands may verify that a packet originated from an authenticated, authorized
process
on the first node, processor, or computing device. In certain further
embodiments, for
example, the verifying may comprise inspecting packet metadata to confirm that
a packet
originated from an authorized user on the first node, processor, or computing
device.
[00373] G. In certain embodiments, for example, the executing operating system
commands may comprise checking a connection state of the at least partially
authorized
at least a portion of the data pathway. In certain further embodiments, for
example, said
checking may comprise parsing packet metadata. In certain further embodiments,
for
example, said checking may comprise comparing the parsed metadata to members
of a
list of connections. In certain further embodiments, for example, each member
of the list
of connections may comprise a connection status indicator. In certain
embodiments, for
example, one or more members of the list of connections may comprise a
disallowed flag
indicating, when the disallowed flag is set to a predetermined value, that the
at least
partially authorized at least a portion of the data pathway is disallowed. In
certain further
embodiments, for example, the method may comprise terminating the at least
partially
authorized at least a portion of the data pathway if the checking the
connection status,
based on detecting the disallowed flag, determines that the at least partially
authorized at
least a portion of the data pathway is disallowed. In certain embodiments, for
example,
the connection status of a member of the list of connections may be updated at
least
based on the parsed metadata. In certain further embodiments, for example, a
disallowed flag of a member of the list of connections may be set at least
based on the
parsed metadata.
164
CA 03077203 2020-03-26
WO 2019/071126 PCT/US2018/054609
[00374] H. In certain embodiments, for example, the method may further
comprise,
for each one of the transported plural packets from the first application:
comparing a
destination port number with a white list of authorized destination port
numbers.
[00375] Certain embodiments may provide, for example, a method to securely
transport plural data packets, comprising: i) configuring a data pathway from
a first
application executing on a first node to a second application executing on a
second
node; ii) exchanging node identification codes over at least a portion of the
data pathway
to at least partially authorize the at least a portion of the data pathway;
and iii) for each
one of the transported plural packets from the first application: a) executing
operating
system commands to verify that the at least partially authorized at least a
portion of the
data pathway remains unaltered; b) reading first application user and data
protocol
metadata to obtain at least one descriptor; and c) comparing the at least one
descriptor
with a static list of authorized descriptors.
[00376] Certain embodiments may provide, for example, a multifactor method
having
overlapping security layers to securely transport plural data packets from a
first
application executing on a first node to a second application executing on a
second
node, processor, or computing device. In certain embodiments, for example,
each one
of the plural data packets may share a common data protocol with each other
one of the
plural data packets. In certain further embodiments, for example, the method
may
comprise: configuring a series of dedicated network tunnels, and exchanging
and
authorizing node identification codes over the encrypted second middleware
tunnel using
at least two single-use cryptographic keys to authorize the second network
tunnel
independently of the configuring. In certain further embodiments, for example,
the series
of network tunnels may comprise: a first network tunnel between a first
application port
associated with the first application and a first security middleware port
associated with
first security middleware on the first node, a second network tunnel between
the first
security middleware port and a second security middleware port associated with
second
security middleware on the second node, the second network tunnel encrypted
based on
shared secret cryptography, and a third network tunnel between the second
security
middleware port and a second application port associated with a second
application on
the second node, processor, or computing device. In certain further
embodiments, for
example, the method may comprise, for each one of the transported plural data
packets
arriving at the second security middleware port: executing operating system
commands
to verify that connection states of the series of dedicated network tunnels
are
unchanged, encrypting, inserting, decrypting, and reading first application
user and data
protocol metadata, the encrypting and decrypting each using a single-use
cryptographic
165
CA 03077203 2020-03-26
WO 2019/071126 PCT/US2018/054609
key, and comparing the first application user and data protocol metadata with
members
of a static list (for example a static list of authorized 2-tuples).
[00377] Certain embodiments may provide, for example, a multifactor method
having
overlapping security layers to securely transport plural data packets from a
first
application executing on a first node to a second application executing on a
second
node, each one of the plural data packets sharing a common data protocol with
each
other one of the plural data packets, comprising: i) configuring a series of
dedicated
network tunnels comprising: a) a first network tunnel between a first
application port
associated with the first application and a first security middleware port
associated with
first security middleware on the first node; b) a second network tunnel
between the first
security middleware port and a second security middleware port associated with
second
security middleware on the second node, the second network tunnel encrypted
based on
shared secret cryptography; and c) a third network tunnel between the second
security
middleware port and a second application port associated with a second
application on
the second node; ii) exchanging and authorizing node identification codes over
the
encrypted second middleware tunnel using at least two single-use cryptographic
keys to
authorize the second network tunnel independently of the configuring; and for
each one
of the transported plural data packets arriving at the second security
middleware port: iii)
executing operating system commands to verify that connection states of the
series of
dedicated network tunnels are unchanged; iv) encrypting, inserting,
decrypting, and
reading first application user and data protocol metadata, the encrypting and
decrypting
each using a single-use cryptographic key; and v) comparing the first
application user
and data protocol metadata with members of a static list.
[00378] Certain embodiments may provide, for example, a method to provision
resources for authorized communication over a network, comprising: detecting
an
attempt by a first user of a first program to trigger a transmission of data
from a first port
on a first node to a second port on a second node, filtering the attempt to
determine
whether the attempt is permissible, and if the attempt is permissible,
configuring a data
pathway for transmitting the data, the data pathway comprising a third port
and a fourth
port each interposed between the first port and the second port. In certain
further
embodiments, for example, the filtering may be based at least on: identity of
the first
user, identity of the first program, and the second port.
[00379] A. In certain embodiments, for example, the attempt may comprise a
connection request (for example a connection request initiated at a network
application
programming interface).
166
CA 03077203 2020-03-26
WO 2019/071126 PCT/US2018/054609
[00380] B. In certain embodiments, for example, the configuring may further
comprise
recording a connection state of at least a portion of the data pathway. In
certain
embodiments, for example, the configuring may further comprise recording a
connection
state of at least a portion of the data pathway having the third port and the
fourth port as
endpoints. In certain embodiments, for example, the configuring may further
comprise
recording a connection state of the data pathway.
[00381] C. In certain embodiments, for example, the determining may comprise
comparing the attempt to a list of permissible attempts.
[00382] D. In certain embodiments, for example, at least a portion of the list
of
permissible attempts may be maintained on the first node solely in kernel
random access
memory. In certain further embodiments, for example, the at least a portion of
the list of
permissible attempts may comprise a list of data destination ports and, for
each member
of the list of destination ports, a user (for example a user of an application
associated
with the destination port). In certain further embodiments, for example, the
at least a
portion of the list of permissible attempts may comprise an application
program. In
certain embodiments, for example, the at least a portion of the list of
permissible
attempts may be accessible solely by a singular program executing in the
kernel. In
certain further embodiments, for example, the at least a portion of the list
of permissible
attempts may be loaded into the kernel random access memory of the first node
from a
file (for example a file resident on a non-transitory computer-readable
storage medium
(for example a nonvolatile memory) of the first node) solely by a different
singular
program.
[00383] E. In certain embodiments, for example, the file may be
cryptographically
signed. In certain embodiments, for example, the file may be encrypted. In
certain
embodiments, for example, the file may be read-only. In certain embodiments,
for
example, the file may be a kernel access-only file. In certain embodiments,
for example,
the file may be a kernel access-only file. In certain embodiments, for
example, the file
may not be a kernel access-only file. In certain embodiments, for example, the
file may
be a binary file. In certain embodiments, for example, the file may be
accessible from
the first node solely be a single program (for example a program executing in
an OSI
application layer of the first node) executing on a processor of the first
node, processor,
or computing device. In certain embodiments, for example, the file may be a
read-only,
encrypted file readable only by a single program executing on a processor of
the first
node, processor, or computing device.
[00384] F. In certain embodiments, for example, the first port, second port,
third port,
and fourth port may each be restricted to establishing no more than a single
data
167
CA 03077203 2020-03-26
WO 2019/071126 PCT/US2018/054609
communications session. In certain embodiments, for example, the data may pass
through each port.
[00385] G. In certain embodiments, for example, the first port may be
exclusively
associated with a first user mode program. In certain embodiments, for
example, the
first port may be exclusively associated with a first application program. In
certain
embodiments, for example, the second port may be exclusively associated with a
second
user mode program. In certain embodiments, for example, the second port may be
exclusively associated with a second application program. In certain
embodiments, for
example, the first port may be exclusively associated with a first user mode
program and
the second port may be exclusively associated with a second application
program. In
certain embodiments, for example, the first port may be exclusively associated
with a
first user mode program. In certain embodiments, for example, the first port
may be
exclusively associated with a first user mode program. In certain embodiments,
for
example, the second port may be exclusively associated with a second user mode
program. In certain embodiments, for example, the second port may be
exclusively
associated with a second user mode program. In certain embodiments, for
example, the
first port may be exclusively associated with a first user mode program and
the second
port may be exclusively associated with a second user mode program.
[00386] H. In certain embodiments, for example, the data may be translated
into a
common format (for example a format based on MQ Telemetry Transport protocol)
for
transport between the third and fourth port.
[00387] Certain embodiments may provide, for example, a method of transmitting
non-malicious packets of data over a network, comprising: loading data packet
filters into
random access memory on a first node coupled to the network, initializing a
network
tunnel (and/or an encrypted communication pathway) to transmit the data,
assigning one
of the loaded data packet filters to the network tunnel (and/or the encrypted
communication pathway), passing packets of data from the transmitting
application
through the assigned data packet filter, encrypting at least a portion of the
filtered
packets, and transmitting through the network tunnel (and/or the encrypted
communication pathway) only the filtered packets having at least a destination
port
number, a data source application, and a user of the data source application
matching
the assigned data packet filter.
[00388] A. In certain embodiments, for example, the data packet filter may
further
comprise a destination network address. In certain embodiments, for example,
an
encryption key used in the encrypting may be used only once. In certain
embodiments,
for example, initializing the network tunnel (and/or the encrypted
communication
168
CA 03077203 2020-03-26
WO 2019/071126 PCT/US2018/054609
pathway) may comprise shared secret cryptography. In certain embodiments, for
example, the network tunnel (and/or the encrypted communication pathway) may
be
unidirectional. In certain embodiments, for example, the network tunnel
(and/or the
encrypted communication pathway) may be bidirectional. In certain embodiments,
for
example, each one of the data packet filters may comprise a sequential series
of sub-
filters.
[00389] Certain embodiments may provide, for example, a method of transmitting
non-malicious packets of data over a network, comprising: loading data packet
filters into
random access memory on a first node coupled to the network, initializing a
network
tunnel (and/or an encrypted communication pathway) to receive the data,
assigning one
of the loaded data packet filters to the network tunnel (and/or the encrypted
communication pathway), receiving packets of data from the network tunnel
(and/or the
encrypted communication pathway), passing the packets of data through the
assigned
data packet filter, and passing to an OSI application layer of the first node
only the
filtered packets having at least a destination port number, a data source
application, a
user of the data source application, and a data protocol descriptor matching
the assigned
data packet filter.
[00390] A. In certain embodiments, for example, filtered packets passed to the
OSI
application layer further may have a command type descriptor having a value
and/or
falling in a range specified by the assigned data packet filter. In certain
embodiments,
for example, filtered packets passed to the OSI application layer may further
have a date
and/or time falling in a range specified by the assigned data packet filter.
In certain
embodiments, for example, filtered packets passed to the OSI application layer
further
may have an expected elapse time falling in a range specified by the assigned
data
packet filter. In certain embodiments, for example, the data protocol
descriptor may
conform to an MQ Telemetry Transport protocol. In certain embodiments, for
example,
the data protocol descriptor may conform to a file transfer protocol. In
certain
embodiments, for example, the data protocol descriptor may conform to a domain
name
server protocol. In certain embodiments, for example, the data protocol
descriptor may
conform to an internet control message protocol. In certain embodiments, for
example,
the data protocol descriptor may conform to a structured query language
protocol. In
certain embodiments, for example, the data protocol descriptor may conform to
a
publish-subscribe messaging pattern protocol. In certain embodiments, for
example, the
data protocol descriptor may conform to a data distribution service protocol.
In certain
embodiments, for example, the data protocol descriptor may comprise a publish-
subscribe topic identifier. In certain embodiments, for example, the data
protocol
169
CA 03077203 2020-03-26
WO 2019/071126 PCT/US2018/054609
descriptor may comprise a data structure identifier. In certain embodiments,
for
example, the data protocol descriptor may comprise a data type identifier. In
certain
embodiments, for example, the data protocol descriptor may comprise a data
definition
identifier.
[00391] Certain embodiments may comprise, for example, a method of
transmitting
non-malicious packets of data over a network. In certain embodiments, for
example, the
method may comprise: loading data packet filters into kernel random access
memory (or
in certain other embodiments, for example, loading the data packet filters in
application
space memory) on a first node coupled to the network, initializing a network
tunnel
(and/or an encrypted communication pathway) to transmit the data, assigning
one of the
loaded data packet filters to the network tunnel (and/or the encrypted
communication
pathway), passing packets of data from the transmitting application through
the assigned
data packet filter, encrypting at least a portion of the filtered packets, and
transmitting
through the network tunnel (and/or encrypted communication pathway) only the
filtered
packets having at least an application port number, an encrypted port number,
a data
protocol field, and a destination port number matching the assigned data
packet filter.
[00392] A. In certain embodiments, for example, the data may be application
program
data. In certain embodiments, for example, the data may be a file or a portion
thereof
(for example an executable file). In certain embodiments, for example, an
encryption key
used in the encrypting may be a single-use key. In certain embodiments, for
example,
the encryption key may be used only once. In certain embodiments, for example,
initializing the network tunnel (and/or the encrypted communication pathway)
may
comprise shared secret cryptography. In certain embodiments, for example, the
network
tunnel (and/or the encrypted communication pathway) may be unidirectional. In
certain
embodiments, for example, the network tunnel (and/or the encrypted
communication
pathway) may be bidirectional. In certain embodiments, for example, each one
of the
data packet filters may comprise a sequential series of sub-filters. In
certain
embodiments, for example, the method may further comprise: transmitting to the
network
only the filtered packets containing a parameter specifying a file size of a
file, wherein
the file size falls in a range specified by the assigned data packet filter.
In certain
embodiments, for example, the method may further comprise: transmitting to the
network
only the filtered packets containing a parameter specifying a command type,
wherein the
command type has a value and/or falls in a range specified by the assigned
data packet
filter. In certain embodiments, for example, the method may further comprise:
transmitting to the network only the filtered packets containing a parameter
specifying a
date and/or time, wherein the specified data and/or time falls in a range
specified by the
170
CA 03077203 2020-03-26
WO 2019/071126 PCT/US2018/054609
assigned data packet filter. In certain embodiments, for example, the method
may
further comprise: transmitting to the network only the filtered packets
containing a
parameter specifying a an expected elapsed time, wherein the expected elapsed
time
falls in a range specified by the assigned data packet filter. In certain
further
embodiments, for example, the method may further comprise: transmitting to the
network
only the filtered packets having an actual and/or estimated transmission time
falling in a
range specified by the assigned data packet filter.
[00393] B. In certain embodiments, for example, the data protocol field may
identify
an MQTT protocol. In certain embodiments, for example, the data protocol field
may
conform to a publish-subscribe messaging pattern protocol (for example a data
distribution service (DDS) protocol). In certain embodiments, for example, the
data
protocol field may identify a Constrained Application Protocol (Ca0P). In
certain
embodiments, for example, the data protocol field may identify an OMA
LightweightM2M
(LWM2M) protocol. In certain embodiments, for example, the data protocol field
may
identify a JavaScript Object Notation (JSON) protocol. In certain embodiments,
for
example, the data protocol field may identify a Representational State
Transfer (REST)
protocol. In certain embodiments, for example, the data protocol field may
identify an
OPC Unified Architecture (OPC-UA) protocol. In certain embodiments, for
example, the
data protocol field may identify a file transfer protocol. In certain
embodiments, for
example, the data protocol field may identify a domain name server protocol.
In certain
embodiments, for example, the data protocol field may identify an internet
control
message protocol. In certain embodiments, for example, the data protocol field
may
identify a structured query language protocol. In certain embodiments, for
example, the
data protocol field may comprise a publish-subscribe topic identifier. In
certain
embodiments, for example, the data protocol field may comprise a data
structure
identifier. In certain embodiments, for example, the data protocol field may
comprise a
data type identifier. In certain embodiments, for example, the data protocol
field may
comprise a data definition identifier.
[00394] Certain embodiments may provide, for example, a network security
product
for managing all port-to-port communications of a networked processor node,
processor,
or computing device. In certain embodiments, for example, the product may
comprise a
non-transitory computer-readable storage medium having a configuration file
embodied
therein for processing in the networked processor node by network security
software to
define authorized port-to-port communications. In certain embodiments, for
example, the
configuration file may comprise a universal nonpublic identifier for the
networked
processor node, processor, or computing device. In certain further
embodiments, for
171
CA 03077203 2020-03-26
WO 2019/071126 PCT/US2018/054609
example, the configuration file may comprise a series of records comprising
parameters
for authorized port-to-port communications. In certain embodiments, for
example, each
of one or more of (for example each of) the series of records may comprise an
identifier
for an authorized application resident on the networked processor node,
processor, or
computing device. In certain embodiments, for example, each of one or more of
(for
example each of) the series of records may comprise an identifier for an
authorized user
associated with the authorized application resident on the networked processor
node,
processor, or computing device. In certain embodiments, for example, each of
one or
more of (for example each of) the series of records may comprise a universal
nonpublic
identifier for a remote networked processor node, processor, or computing
device. In
certain embodiments, for example, each of one or more of (for example each of)
the
series of records may comprise an identifier for an authorized application
resident on the
remote networked processor node, processor, or computing device. In certain
embodiments, for example, each of one or more of (for example each of) the
series of
records may comprise an identifier for an authorized user associated with the
authorized
application resident on the remote networked processor node, processor, or
computing
device. In certain embodiments, for example, each of one or more of (for
example each
of) the series of records may comprise a port associated with the authorized
application
resident on the remote networked processor node, processor, or computing
device. In
certain embodiments, for example, each of one or more of (for example each of)
the
series of records may comprise a port associated with a network security
software
resident on the remote networked processor node, processor, or computing
device. In
certain embodiments, for example, each of one or more of (for example each of)
the
series of records may comprise a data protocol descriptor.
[00395] Certain embodiments may provide, for example, a network security
product
for managing all port-to-port communications of a networked processor node,
processor,
or computing device. In certain embodiments, for example, the product may
comprise a
non-transitory computer-readable storage medium having a configuration file
embodied
therein for processing in the networked processor node by network security
software to
define authorized port-to-port communications. In certain embodiments, for
example, the
configuration file may comprise a universal nonpublic identifier for the
networked
processor node, processor, or computing device. In certain further
embodiments, for
example, the configuration file may comprise a series of records comprising
parameters
for authorized port-to-port communications. In certain embodiments, for
example, each
of one or more of (for example each of) the series of records may comprise an
identifier
for an authorized application resident on the networked processor node, an
identifier for
172
CA 03077203 2020-03-26
WO 2019/071126 PCT/US2018/054609
an authorized user associated with the authorized application resident on the
networked
processor node, a universal nonpublic identifier for a remote networked
processor node,
an identifier for an authorized application resident on the remote networked
processor
node, an identifier for an authorized user associated with the authorized
application
resident on the remote networked processor node, and a data protocol
descriptor. In
certain further embodiments, for example, each of one or more of (for example
each of)
the series of records may comprise a port associated with the authorized
application
resident on the remote networked processor node, processor, or computing
device. In
certain embodiments, for example, each of one or more of (for example each of)
the
series of records may comprise a port associated with a network security
software
resident on the remote networked processor node, processor, or computing
device.
[00396] Certain embodiments may provide, for example, a network security
product
for managing all port-to-port communications of a networked processor node,
the
product comprising a non-transitory computer-readable storage medium having a
configuration file embodied therein for processing in the networked processor
node by
network security software to define authorized port-to-port communications,
the
configuration file comprising: i) a universal nonpublic identifier for the
networked
processor node; and ii) a series of records comprising parameters for
authorized port-to-
port communications, each of the series of records comprising at least two of
the
following: a) an identifier for an authorized application resident on the
networked
processor node; b) an identifier for an authorized user associated with the
authorized
application resident on the networked processor node; c) a universal nonpublic
identifier
for a remote networked processor node; d) an identifier for an authorized
application
resident on the remote networked processor node; e) an identifier for an
authorized user
associated with the authorized application resident on the remote networked
processor
node; f) optionally, a port associated with the authorized application
resident on the
remote networked processor node; g) optionally, a port associated with a
network
security software resident on the remote networked processor node; and h)
optionally, a
data protocol descriptor.
[00397] Certain embodiments may provide, for example, a distributed system. In
certain embodiments, for example, the distributed system may comprise: plural
security
programs resident on computer-readable storage media of plural networked
nodes, the
plural security programs cooperatively configured to negotiate dedicated data
pathways
for port-to-port communications between the plural networked nodes. In certain
embodiments, for example, the negotiating may comprise, on a first node,
negotiating a
first data pathway between a first user-application and a first network
security program of
173
CA 03077203 2020-03-26
WO 2019/071126 PCT/US2018/054609
the plural security programs. In certain embodiments, for example, the
negotiating may
comprise, on a second node, negotiating a second data pathway between a second
network security program of the plural security programs and a second user-
application.
In certain embodiments, for example, the negotiating may comprise negotiating
a third
data pathway between the first network security program and the second network
security program, the third data pathway comprising a network tunnel and/or an
encrypted communication pathway. In certain embodiments, for example, each of
the
first data pathway, second data pathway, and third data pathway participate to
form at
least a part of a dedicated data pathway for exclusively communicating data
from a first
port of the first user-application to a second port of the second user-
application.
[00398] A. In certain embodiments, for example, the first data pathway and/or
the
second data pathway may comprise a TOP connection. In certain embodiments, for
example, the third data pathway may comprise a UDP connection. In certain
embodiments, for example, the first data pathway and/or the second data
pathway may
comprise a TOP connection, and the third data pathway may comprise a UDP
connection.
[00399] Certain embodiments may provide, for example, a distributed system
comprising: plural security programs resident on computer-readable storage
media of
plural networked nodes, the plural security programs cooperatively configured
to
negotiate dedicated data pathways for port-to-port communications between the
plural
networked nodes, the negotiating comprising: i) on a first node, negotiating a
first data
pathway between a first user-application and a first network security program
of the
plural security programs; ii) on a second node, negotiating a second data
pathway
between a second network security program of the plural security programs and
a
second user-application; and iii) negotiating a third data pathway between the
first
network security program and the second network security program, the third
data
pathway comprising a network tunnel and/or an encrypted communication pathway,
each
of the first data pathway, second data pathway, and third data pathway
participate to
form at least a part of a dedicated data pathway for exclusively communicating
data from
a first port of the first user-application to a second port of the second user-
application.
[00400] Certain embodiments may provide, for example, a method of securing a
node
connected to the internet, comprising: authorizing incoming packets by
comparing
metadata from the packets to a list of authorized packet sources,
applications, and
payload protocols, and allowing only payloads from authorized packets to pass
to an OSI
application layer of the node, processor, or computing device. In certain
further
174
CA 03077203 2020-03-26
WO 2019/071126 PCT/US2018/054609
embodiments, for example, the method may be performed at a rate of at least
95% of
wire speed and at most 10% processor load.
[00401] Certain embodiments may provide, for example, a method of securing a
node
(for example a computing device) connected to the internet. In certain
embodiments, for
example, the method may comprise: authorizing incoming IP packets at wire
speed,
allowing only payloads from authorized incoming IP packets to pass to an OSI
application layer of the node, authorizing outgoing packets, allowing only
authorized
outgoing packets to pass to the internet. In certain further embodiments, for
example,
the method may be performed at a rate of at least 95% of wire speed and at
most 10%
processor load. In certain further embodiments, for example, the authorizing
the
incoming packets may comprise comparing metadata from the incoming packets to
a list
of authorized packet sources, applications, and payload protocols. In certain
embodiments, for example, the authorizing the outgoing packets may comprise
processing a list of authorized sending applications, the list containing, for
each sending
application present on the list of authorized sending applications, a port
associated with
the sending application.
[00402] A. In certain embodiments, for example, one of the foregoing methods
to
secure may induce a processor load of less than 5% according to the Load
Benchmark
Test.
[00403] B. In certain embodiments, for example, one of the foregoing methods
to
secure may slow network packet processing by less than 2 ms according to the
Speed
Benchmark Test. In certain embodiments, for example, one of the foregoing
methods to
secure may process at least 50,000 packets per second according to the Packet
Processing Benchmark Test. In certain embodiments, for example, one of the
foregoing
methods to secure may prevent the secure node from establishing data
communications
sessions if greater than 90% of random access memory is utilized. In certain
embodiments, for example, one of the foregoing methods to secure may be
further
configured to terminate all secure node data communications sessions if
greater than
99% of random access memory is utilized. In certain embodiments, for example,
the
metadata may be obtained from a predetermined portion of each packet. In
certain
embodiments, for example, the rate and processor load of one of the foregoing
methods
to secure may be measured based on an Ethernet port having at least a 1
Gigabit (Gb)
bandwidth (for example a 10 Gb bandwidth) and having less than 10% overhead.
In
certain embodiments, for example, the processor load may be based on a 1 GHz
ARM9
processor running Microlinux.
175
CA 03077203 2020-03-26
WO 2019/071126 PCT/US2018/054609
[00404] Certain embodiments may provide, for example, a method of securing a
computing device connected to the internet, comprising: i) authorizing
incoming packets,
at wire speed, by comparing metadata from the incoming packets to a list of
authorized
packet sources, applications, and payload protocols; ii) allowing only
payloads from
authorized incoming packets to pass to the OSI application layer of the node;
iii)
authorizing outgoing packets, based on a list of authorized source ports and
sending
applications; and iv) allowing only authorized outgoing packets to pass to the
internet, at
a rate of at least 95% of wire speed and at most 10% processor load.
[00405] Certain embodiments may provide, for example, a secure node comprising
a
processor, random access memory, and network security software, the network
security
software configured to: match, in a kernel of the secure node (or, in certain
other
embodiments, for example, an application space of the secure node), a
destination port
number of each incoming network packet to a member of a list of authorized
destination
ports, decrypt metadata from each incoming network packet, and compare the
decrypted
metadata to a list of authorized n-tuples (for example at least 2-tuples, an
at least 3-
tuples, at least 5-tuples, at least 6-tuples, at least 8-tuples, at least 10-
tuples, or at least
12-tuples), each n-tuples in the list of authorized n-tuples comprising
descriptors for: a
packet payload source application and a payload protocol. In certain further
embodiments, for example, the matching, decrypting, and comparing may be
performed
at a rate of at least 95% of wire speed and at most 10% processor load based
on a 1 Gb
Ethernet port having less than 10% overhead.
[00406] A. In certain embodiments, for example, the network security software
may
induce a processor load of less than 5% according to the Load Benchmark Test.
In
certain embodiments, for example, the network security software may slow
network
packet processing by less than 2 ms according to the Speed Benchmark Test. In
certain
embodiments, for example, the node may process at least 50,000 packets per
second
according to the Packet Processing Benchmark Test. In certain embodiments, for
example, the network security software may be further configured to prevent
the secure
node from establishing data communications sessions if greater than 90% of
random
access memory is utilized. In certain embodiments, for example, the network
security
software may be further configured to terminate all secure node data
communications
sessions if greater than 99% of random access memory is utilized. In certain
embodiments, for example, packet payload source application descriptor may
comprise
an application identifier and a user identifier. In certain embodiments, for
example, the
metadata may be obtained from a predetermined portion of each packet.
176
CA 03077203 2020-03-26
WO 2019/071126 PCT/US2018/054609
[00407] B. In certain embodiments, for example, the processor load may be
based on
an Ethernet port having at least a 1 Gigabit (Gb) bandwidth (for example a 10
Gb
bandwidth) and having less than 10% overhead. In certain embodiments, for
example,
the processor load may be based on a 1 GHz ARM9 processor running Microlinux.
In
certain embodiments, for example, the metadata may be decrypted using a
symmetric
decryption algorithm (for example 256-bit AES). In certain further
embodiments, for
example, the decrypting may comprise using a cryptographic key (for example a
cryptographic key derived from Elliptic-Curve Diffie-Hellman (ECDH) key
exchange. In
certain further embodiments, for example, the key may be a single-use key. In
certain
embodiments, for example, the key may be a rotated key.
[00408] C. In certain embodiments, for example, the network security software
may
be configured to drop (or discard) an incoming network packet if a destination
port
number of the network packet is not present on the list of authorized
destination ports.
[00409] D. In certain further embodiments, for example, the matching may
further
comprise checking a connection state associated with the destination port
number. In
certain embodiments, for example, the network security software may be
configured to
drop an incoming network packet based on a status of a connection state
associated
with a destination port of the network packet (for example if the connection
state is not
open).
[00410] E. In certain embodiments, for example, the decrypting and comparing
may
be performed in an OSI application layer of the secure node, processor, or
computing
device.
[00411] F. In certain embodiments, for example, the list of sending
applications and
authorized ports may comprise a security middleware application having a root
user and
a port associated with the security middleware application. In certain
embodiments, for
example, the list of sending applications and authorized ports may comprise an
application program and a port associated with the application program.
[00412] Certain embodiments may provide, for example, a node preconfigured to
constrain communication over a network, comprising: a file stored on non-
transitory
computer-readable storage medium, the file defining a list of authorized data
communications sessions, each record of the file comprising. In certain
further
embodiments, for example, each record of the file may further comprise: a) a
universal
identifier for a data source, comprising an authorized source application
identifier and an
identifier for an authorized user of the source application; b) a universal
identifier for a
data destination, comprising an authorized destination application identifier
and an
identifier for an authorized user of the destination application; c) a port
associated with
177
CA 03077203 2020-03-26
WO 2019/071126 PCT/US2018/054609
the destination application; d) a different port associated with a middleware;
and e) a
data protocol field.
[00413] A. In certain embodiments, for example, the file may be a binary file.
In
certain embodiments, for example, the file may be a variable record length
file. In certain
embodiments, for example, the file may be encrypted on the non-transitory
computer-
readable storage medium. In certain embodiments, for example, the port
associated
with the destination application may communicate with the middleware by a
loopback
interface. In certain embodiments, for example, the different port associated
with the
middleware may be an endpoint of an encrypted tunnel-portion of an authorized
data
communications session of the authorized data communications sessions. In
certain
embodiments, for example, each record of the file may comprise a network
interface
controller code for a network interface controller present on the node,
processor, or
computing device. In certain further embodiments, for example, a network
address of
the network interface controller may be determined based at least in part on
the network
interface controller code. In certain embodiments, for example, each record of
the file
may further comprise a different network interface controller code for a
network interface
controller present on a remote node, processor, or computing device. In
certain further
embodiments, for example, a network address of the remote network interface
controller
may be determined based at least in part on the different network interface
controller
code. In certain embodiments, for example, each record of the file may
comprise a
nonpublic identification code for the node, processor, or computing device. In
certain
embodiments, for example, each record of the file may comprise a nonpublic
identification code for a remote node, processor, or computing device.
[00414] B. In certain embodiments, for example, each record of the file may
comprise
a private key (or a cryptographic parameter or primitive). In certain further
embodiments,
for example, the private key may be used by a key exchange algorithm executing
on a
processor of the node to establish a shared key with a remote node, processor,
or
computing device. In certain embodiments, each record of the file has a
different private
key.
[00415] C. In certain embodiments, for example, a portion of the file may be
read into
kernel random access memory on boot-up of the node, processor, or computing
device.
In certain embodiments, for example, the file may be accessible only by a
kernel of the
node, processor, or computing device. In certain embodiments, for example, the
file may
be accessible only by a root user of the node, processor, or computing device.
In certain
embodiments, for example, the file may be accessible by an application program
module
executed by a root user.
178
CA 03077203 2020-03-26
WO 2019/071126 PCT/US2018/054609
[00416] Certain embodiments may provide, for example, a node preconfigured to
constrain communication over a network, comprising: a file stored on non-
transitory
computer-readable storage medium, the file defining a list of authorized data
communications sessions, each record of the file comprising: a) a universal
identifier for
a data source, comprising an authorized source application identifier and an
identifier for
an authorized user of the source application; b) a universal identifier for a
data
destination, comprising an authorized destination application identifier and
an identifier
for an authorized user of the destination application; c) a port associated
with the
destination application; d) a different port associated with a middleware; e)
a data
protocol field; f) a network interface controller code for a network interface
controller
present on the node; g) a different network interface controller code for a
network
interface controller present on a remote node; h) a nonpublic identification
code for the
node; i) a different nonpublic identification code for the remote node; and j)
a private key
provisioned for use by a key exchange algorithm executing on the node to
establish a
shared key with the remote node, processor, or computing device.
[00417] Certain embodiments may provide, for example, a node preconfigured to
constrain communication over a network, comprising a file stored on non-
transitory
computer-readable storage medium, the file having a list of authorized data
communications sessions. In certain further embodiments, for example, each
member of
the list may comprise: an index defined by an application authorized to be
executed on
the processor and an authorized user of the application, a unique 2-tuple
consisting of a
port number assigned to the application and a port number assigned to a
network
security middleware, a unique 2-tuple consisting of a port number assigned to
a remote
application and a port number assigned to a remote network security
middleware, and a
data protocol descriptor.
[00418] A. In certain embodiments, for example, the file may be read-only. In
certain
embodiments, for example, the file may be cryptographically signed. In certain
embodiments, for example, the read-only file may be encrypted. In certain
embodiments, for example, the read-only file may be a binary file. In certain
embodiments, for example, one member of the list may have a different record
length
than another member of the list.
[00419] B. In certain embodiments, for example, the index of a member of the
list
may be derived from a concatenation of a user name (or a portion thereof) and
an
application name (or a portion thereof), or at least portions thereof.
[00420] C. In certain embodiments, for example, the port number assigned to
the
application may appear only once in the list. In certain embodiments, for
example, the
179
CA 03077203 2020-03-26
WO 2019/071126 PCT/US2018/054609
port number assigned to the network security middleware may appear only once
in the
list. In certain embodiments, for example, the port number assigned to a
remote
application appears only once in the list. In certain embodiments, for
example, the port
number assigned to the remote network security middleware appears only once in
the
list. In certain embodiments, for example, each of the port number assigned to
the
application, port number assigned to the network security middleware, port
number
assigned to a remote application, and the remote network security middleware
may
appear only once in the list. In certain embodiments, for example, the data
protocol
descriptor may appear in a plurality of members of the list.
[00421] Certain embodiments may provide, for example, a node preconfigured to
constrain communication over a network, comprising: a processor, a non-
transitory
computer-readable storage medium, and a read-only file stored on the non-
transitory
computer-readable storage medium. In certain further embodiments, for example,
the
file may comprise plural n-tuples, the plural n-tuples defining an exclusive
list of
authorized data communications sessions. In certain further embodiments, for
example,
each one of the plural n-tuples may comprise: an index defined by an
application
authorized to be executed on the processor and an authorized user of the
application, a
unique 2-tuple consisting of a port number assigned to the application and a
port number
assigned to a network security middleware, a unique 2-tuple consisting of a
port number
assigned to a remote application and a port number assigned to a remote
network
security middleware, and a data protocol descriptor.
[00422] A. In certain embodiments, for example, the network security
middleware
may be stored on the non-transitory computer-readable storage medium.
[00423] B. In certain embodiments, for example, the remote application and the
remote network security middleware may reside on a common remote node,
processor,
or computing device. In certain embodiments, for example, the remote
application and
the remote network security middleware may reside on separate remote nodes. In
certain further embodiments, for example, the remote network security
middleware may
reside on a software-defined perimeter controller.
[00424] C. In certain embodiments, for example, the read-only file may be
cryptographically signed. In certain embodiments, for example, the read-only
file may be
encrypted. In certain embodiments, for example, the read-only file may be a
binary file.
In certain embodiments, for example, one of the n-tuples may have a different
record
length than another one of the n-tuples.
[00425] D. In certain embodiments, for example, the node may further comprise:
network security software stored on the non-transitory computer-readable
storage
180
CA 03077203 2020-03-26
WO 2019/071126 PCT/US2018/054609
medium different from the network security middleware, the different network
security
software having sole permission to read the file. In certain further
embodiments, for
example, the different network security software may be configured to be
executed by
the processor to load at least a portion of the file into the kernel random
access memory.
In certain embodiments, for example, the different network security software
may be
executed in an OSI application layer of the node, processor, or computing
device. In
certain embodiments, for example, the different network security software may
be
executed in a kernel of the node, processor, or computing device. In certain
further
embodiments, for example, the at least a portion of the file may be loaded
solely upon
boot-up of the node, processor, or computing device.
[00426] E. In certain embodiments, for example, the network security
middleware
may be configured to be executed by the processor to prevent initialization of
any data
communications session except for the list of authorized data communications
sessions.
[00427] Certain embodiments may provide, for example, a node preconfigured to
constrain communication over a network, comprising: i) a processor; ii) a non-
transitory
computer-readable storage medium; iii) a read-only file stored on the non-
transitory
computer-readable storage medium, the file comprising plural n-tuples, the
plural n-
tuples defining an exclusive list of authorized data communications sessions,
each one
of the plural n-tuples comprising: a) an index defined by an application
authorized to be
executed on the processor and an authorized user of the application; b) a
unique 2-tuple
consisting of a port number assigned to the application and a port number
assigned to a
network security middleware, the network security middleware stored on the non-
transitory computer-readable storage medium; c) a unique 2-tuple consisting of
a port
number assigned to a remote application and a port number assigned to a remote
network security middleware; and d) a data protocol descriptor.
[00428] Certain embodiments may provide, for example, a method to retrofit a
computing device coupled to a network. In certain embodiments, for example,
the
method may comprise: storing an encrypted file on a non-transitory computer-
readable
storage medium of the computing device, installing network security software
on the non-
transitory computer-readable storage medium of the computing device, setting
permissions of the file whereby the file is readable only by the network
security software;
and modifying a network stack resident on the computing device to receive or
intercept
each data packet incoming from or outgoing to the network. In certain further
embodiments, for example, the file may comprise a list interpretable by the
network
security middleware to define authorized communication sessions and an
authorized
data protocol for each authorized communication session of the authorized
181
CA 03077203 2020-03-26
WO 2019/071126 PCT/US2018/054609
communication sessions. In certain further embodiments, for example, the
network
security software may be configured to load at least a portion of the file
into kernel
random access memory upon boot-up of the computing device. In certain further
embodiments, for example, the network stack may be modified to route each
received or
intercepted data packet through the network security middleware. In certain
further
embodiments, for example, the network security middleware may be configured to
drop a
received or an intercepted data packet unless the received or intercepted data
packet is
authorized to be transmitted using one of the authorized communication
sessions.
[00429] A. In certain embodiments, for example, the method may be exclusive of
any
modification to a pre-existing application program. In certain embodiments,
for example,
the modifying a network stack may comprise modifying a network protocol
application
programming interface. In certain embodiments, for example, the method may
further
comprise: installing cryptographic primitives (for example cryptographic
primitives
provided by Secured Socket Layer (SSL) software) to enable a separate
encrypted
network tunnel to be established for each authorized communication session of
the
authorized communication sessions.
[00430] Certain embodiments may provide, for example, a method to retrofit a
computing device coupled to a network, comprising: i) storing an encrypted
file on a non-
transitory computer-readable storage medium of the computing device, the file
comprising a list interpretable by network security middleware executing on
the
computing device to define authorized communication sessions and an authorized
data
protocol for each authorized communication session of the authorized
communication
sessions; ii) installing the network security software on the non-transitory
computer-
readable storage medium of the computing device, the network security software
configured to load at least a portion of the file into kernel random access
memory (or, in
certain other embodiments, for example, into application space memory) upon
boot-up of
the computing device; iii) setting permissions of the file whereby the file is
readable only
by the network security software; and iv) modifying a network stack resident
on the
computing device to: a) receive or intercept each data packet incoming from or
outgoing
to the network; and b) route each received or intercepted data packet through
the
executing network security middleware, the network security middleware
configured to
drop a received or an intercepted data packet unless it is authorized to be
transmitted
using one of the authorized communication sessions.
[00431] Certain embodiments may provide, for example, a secure system. In
certain
embodiments, for example, the secure system may comprise: a network configured
to
transmit data based on at least one network packet-based protocol, and plural
nodes
182
CA 03077203 2020-03-26
WO 2019/071126 PCT/US2018/054609
coupled to the network, each one of the plural nodes comprising a network
stack, a
network protocol application programming interface, and middleware. In certain
further
embodiments, for example, the network protocol application programming
interface may
be configured to pass each data packet received to the middleware. In certain
further
embodiments, for example, the middleware may be configured to verify, prior to
sending
data towards a destination port, that the data: has been generated by an
authorized
application, conforms to an authorized data protocol, has been received from
an
authorized node, contains at least one port number that is present on a
predetermined
list of port numbers.
[00432] A. In certain embodiments, for example, the middleware may obtain data
from a data packet passing through the network stack. In certain embodiments,
for
example, the data packet may be encrypted. In certain embodiments, for
example, the
middleware may generate metadata, encrypt metadata, and insert metadata into a
partially assembled network packet.
[00433] B. In certain embodiments, for example, the at least one network
packet-
based protocol may comprise Ethernet protocol. In certain embodiments, for
example,
the at least one network packet-based protocol may comprise Wi-Fi protocol. In
certain
embodiments, for example, the at least one network packet-based protocol may
comprise Bluetooth protocol.
[00434] C. In certain embodiments, for example, the at least one port number
may be
associated with an application responsible for producing a data packet. In
certain
embodiments, for example, the at least one port number may be associated with
source
port (for example may be a source port) in a network packet header. In certain
embodiments, for example, the at least one port number may be associated with
a
destination port (for example may be a destination port) in a network packet
header.
[00435] Certain embodiments may provide, for example, a secure system,
comprising: i) a network configured to transmit data based on at least one
network
packet-based protocol; and ii) plural nodes coupled to the network, each one
of the plural
nodes comprising a network stack, a network protocol application programming
interface, and middleware, the network protocol application programming
interface
configured to pass each data packet received to the middleware, the middleware
configured to verify, prior to sending data towards a destination port, that
the data: a) has
been generated by an authorized application; b) conforms to an authorized data
protocol;
c) has been received from an authorized node; and d) contains at least one
port number
that is present on a predetermined list of port numbers.
183
CA 03077203 2020-03-26
WO 2019/071126 PCT/US2018/054609
[00436] Certain embodiments may provide, for example, a secure system,
comprising: i) a network configured to transmit data based on at least one
network
packet-based protocol; and ii) plural nodes coupled to the network, each one
of the plural
nodes comprising a network stack, a network protocol application programming
interface, and a middleware, invocation of the middleware being triggered by
each data
packet crossing the network protocol application programming interface for the
first time,
the middleware configured to verify, prior to sending data towards a
destination port, that
the data: a) has been generated by an authorized application, as determined
based at
least on metadata obtained by the middleware; b) conforms to an authorized
data
protocol, as determined based at least on the metadata; c) has been received
from an
authorized node; and d) contains at least one port number that is present on a
predetermined list of port numbers.
[00437] Certain embodiments may provide, for example, a distributed method to
secure plural computing devices coupled to a network. In certain embodiments,
for
example, the distributed method may comprise: having preprovisioned (or
predetermined) configuration files on the plural computing devices, defining
authorized
port-to-port connections based in part on information from the configuration
files on at
least two of the plural computing devices (for example a first configuration
file on a first
computing device and a second configuration file on a second computing
device), and
restricting network communications to and from the plural computing devices to
the
authorized port-to-port connections.
[00438] A. In certain embodiments, for example, the preprovisioned (or
predetermined) configuration files may be read on boot-up. In certain
embodiments, for
example, the preprovisioned (or predetermined) configuration files may be read
by one
or more application space programs. In certain embodiments, for example, the
preprovisioned (or predetermined) configuration files may be read by one or
more kernel
space programs. In certain embodiments, for example, the preprovisioned (or
predetermined) configuration files may be read by a combination of application
space
programs and kernel space programs.
[00439] B. In certain embodiments, for example, each one of the authorized
port-to-
port connections may comprise: a first socket referenced by first network
security
software executing on a first computing device of the plural computing
devices; and a
second socket referenced by network security software. In certain further
embodiments,
for example, the network security software may execute on: a second computing
device
of the plural computing devices, a third computing device executing an
authorized
deployment server, the authorized deployment server exclusively responsible
for
184
CA 03077203 2020-03-26
WO 2019/071126 PCT/US2018/054609
managing the static, preconfigured list of authorized pathways, or a fourth
computing
device executing a gateway server, network communication of the gateway server
restricted to the authorized pathways. In certain embodiments, for example,
data may
be passed to the gateway server and processed by network security software on
the
fourth computing device unless the data is received from one of the authorized
pathways. In certain embodiments, for example, the fourth computing device may
be
constrained, by an operating system, to executing only a static, preconfigured
list of
computer programs. In certain embodiments, for example, one or more of the
preprovisioned (or predetermined) configuration files may be distributed by
the
authorized deployment server to at least two of the plural computing devices.
[00440] C. In certain embodiments, for example, the plural computing devices
may
be physically located at a common facility (for example a hospital, factory,
chemical
processing facility, power station, or offshore platform).
[00441] D. In certain embodiments, for example, at least one (for example each
one)
of the authorized port-to-port connections may be stateful. In certain
embodiments, for
example, at least one (for example each one) of the authorized port-to-port
connections
may be stateless.
[00442] Certain embodiments may provide, for example, a secured system
comprising: plural nodes coupled to a network, and plural security programs
for
management of all communication between the plural nodes over the network, the
plural
security programs cooperatively configured to form dedicated data pathways for
inter-
application communication between the plural nodes. In certain further
embodiments, for
example, at least one of the dedicated data pathways may comprise: a first
security
program to send data from a first one of the plural nodes and a second
security program
to receive data on a second one of the plural nodes, and a dedicated encrypted
network
tunnel between the first security program and a second security program.
[00443] A. In certain embodiments, for example, the network may be a packet-
switched network. In certain embodiments, for example, the received data may
comprise a series of data packets. In certain embodiments, for example, the
first
security program may verify that each data packet of the series of data
packets was
transmitted from an authorized application. In certain embodiments, for
example, the
first security program may verify that a data packet of the series of data
packets was
transmitted from a port associated with an application authorized to transmit
the data
packet, based at least on a port number associated with the transmitting
application, an
identifier for the transmitting application, a user of the transmitting
application, and a data
protocol descriptor for the data packet. In certain embodiments, for example,
the second
185
CA 03077203 2020-03-26
WO 2019/071126 PCT/US2018/054609
security program may verify that each data packet of the series of data
packets was
transmitted from an authorized application. In certain embodiments, for
example, the
second security program may verify that each data packet of the series of data
packets
is being transmitted to an authorized port associated with an authorized
application. In
certain embodiments, for example, the second security program may verify that
a data
packet of the series of data packets is being transmitted to a port associated
with an
application authorized to receive the data packet, based at least on an
identifier for the
receiving application, an identifier for an application associated with the
transmission of
the data packet, a user of the transmitting application, and a data protocol
descriptor for
the data packet.
[00444] Certain embodiments may provide, for example, a secured system
comprising: plural nodes coupled to a network, a first application program
executing on a
first node and a second application program executing on a second node, plural
security
programs for management of all communication between the plural nodes over the
network, and plural read-only configuration files accessible by the plural
security
programs. In certain embodiments, for example, the plural security programs
may be
cooperatively configured to form a dedicated data pathway for inter-
application
communication between the first application program and the second application
program. In certain further embodiments, for example, the dedicated data
pathway may
pass through a first security program and a second security program of the
plural
security programs, the first security program and a second security program
interposed
between the first application program and the second application program, and
the data
pathway may comprise a dedicated encrypted network tunnel between the first
security
program and a second security program. In certain further embodiments, for
example,
each of the plural configuration files may define an exclusive list of
authorized inter-
application communications, may further define an exclusive data protocol for
each
authorized inter-application communication of the exclusive list of authorized
inter-
application communications, may assigning a fixed port number to the first
security
software, and may contain nonpublic node identification codes.
[00445] A. In certain embodiments, for example, the fixed port number may be
unique to a 5-tuple consisting of: an identifier for the first application
program, a user of
the first application program, an identifier for the second application
program, a user of
the second application program, and the exclusive data protocol. In certain
embodiments, for example, the fixed port number may be unique on the first
node and
the second node to a 5-tuple consisting of: an identifier for the first
application program,
186
CA 03077203 2020-03-26
WO 2019/071126 PCT/US2018/054609
a user of the first application program, an identifier for the second
application program, a
user of the second application program, and the exclusive data protocol.
[00446] B. In certain embodiments, for example, each of the plural
configuration files
may be a binary file. In certain embodiments, for example, each of the plural
configuration files may be divided into records. In certain further
embodiments, for
example, the records may be indexed by the fixed port number.
[00447] C. In certain embodiments, for example, each of the records may have a
variable length. In certain embodiments, for example, each of the records may
comprise
a private key (or a cryptographic parameter or primitive). In certain
embodiments, for
example, each private key may be unique to the secured system.
[00448] D. In certain embodiments, for example, the nonpublic node
identification
codes may comprise a first node identification code assigned to the first node
and a
second node identification code assigned to the second node, processor, or
computing
device.
[00449] Certain embodiments may provide, for example, a secured system
comprising: i) plural nodes coupled to a network; ii) a first application
program executing
on a first node and a second application program executing on a second node;
iii) plural
security programs for management of all communication between the plural nodes
over
the network, the plural security programs cooperatively configured to form a
dedicated
data pathway for inter-application communication between the first application
program
and the second application program, wherein the dedicated data pathway¨ a)
passes
through a first security program and a second security program of the plural
security
programs, the first security program and a second security program interposed
between
the first application program and the second application program; and b)
comprises a
dedicated encrypted network tunnel between the first security program and a
second
security program; iv) plural read-only configuration files accessible by the
plural security
programs, each of the plural configuration files¨ a) defining an exclusive
list of authorized
inter-application communications; b) further defining an exclusive data
protocol for each
authorized inter-application communication of the exclusive list of authorized
inter-
application communications; c) assigning a fixed port number to the first
security
software; and d) containing nonpublic node identification codes.
[00450] Certain embodiments may provide, for example, a secure system
comprising:
plural nodes configured to communicate over a network exclusively by plural
encrypted
communication pathways (for example by plural encrypted network tunnels), each
one of
the plural encrypted communication pathways (for example each one of the
network
tunnels) restricted to transmitting data sent from a single transmitting
application on a
187
CA 03077203 2020-03-26
WO 2019/071126 PCT/US2018/054609
first node of the plural nodes and directed to a single receiving application
on a second
node of the plural nodes. In certain further embodiments, for example, each
one of the
plural encrypted communication pathways (for example the plural encrypted
network
tunnels) may be restricted to transmitting data having a single payload data
type, and
encrypted with a cryptographic key that may be used only once. In certain
further
embodiments, for example, each one of the plural encrypted communication
pathways
(for example each one of the plural encrypted network tunnels) may be
established by
mutual exchange and authentication of preconfigu red application
authentication
identification codes and nonpublic node identification codes. In each of the
foregoing
embodiments, the transmitting application, first node, receiving application,
and/or
receiving node may be different for each different encrypted network
communication (for
example each different network tunnel) of the plural encrypted network
communication
pathways (for example of the plural encrypted network tunnels).
[00451] A. In certain embodiments, for example, the plural encrypted
communication
pathways (for example the plural encrypted network tunnels) may comprise one
or plural
unidirectional encrypted communication pathways (for example one or plural
unidirectional encrypted network tunnels). In certain embodiments, for
example, the
plural encrypted communication pathways (for example the plural encrypted
network
tunnels) may comprise one or plural bidirectional encrypted communication
pathways
(for example one or plural bidirectional network tunnels).
[00452] B. In certain embodiments, for example, the plural encrypted
communication
pathways (for example the plural encrypted network tunnels) may comprise one
or plural
stateful data communications sessions. In certain embodiments, for example,
the plural
encrypted communication pathways (for example the plural encrypted network
tunnels)
may be at least partially managed by middleware present on the plural nodes.
In certain
embodiments, for example, the plural encrypted communication pathways (for
example
the plural encrypted network tunnels) may be at least partially managed by a
broker
software present on at least one node of the plural nodes.
[00453] Certain embodiments may provide, for example, a secure system
comprising:
plural nodes configured to communicate over a network exclusively by plural
encrypted
network tunnels, each one of the plural encrypted network tunnels¨ i)
restricted to
transmitting data¨ a) sent from a single transmitting application on a first
node of the
plural nodes; b) directed to a single receiving application on a second node
of the plural
nodes; c) having a single payload data type; and d) encrypted with a
cryptographic key
that is used only once; and ii) established by mutual exchange and
authentication of
188
CA 03077203 2020-03-26
WO 2019/071126 PCT/US2018/054609
preconfigured¨ a) application authentication identification codes; and b)
nonpublic node
identification codes.
[00454] Certain embodiments may provide, for example, a secure system,
comprising: plural nodes coupled to a network, plural application software
executing on
at least a first node and a second node of the plural nodes, at least one
encrypted
network tunnel configured to perform at least a partial data pathway for
transport of data
from a first application software of the plural application software on the
first node of the
plural nodes to a second application software of the plural application
software on the
second node of the plural nodes, the data conforming to a preconfigured,
predefined,
pre-established and/or preprovisioned first data protocol, and at least one
security
software initiating the at least one encrypted network tunnel. In certain
further
embodiments, for example, the at least one security software may be configured
to
authorize the encrypted network tunnel, based at least on authorizing the
first node, the
second node, the first application software, and the second application
software. In
certain further embodiments, for example, the at least one security software
may be
configured to confirm that the first application software is authorized to
transmit the first
data protocol. In certain further embodiments, for example, the at least one
security
software may be positioned between the first application software and the
second
application software in a data pathway comprising the at least one encrypted
network
tunnel.
[00455] A. In certain embodiments, for example, the encrypted tunnel may have
an
endpoint at a port associated with one of the at least one security software.
[00456] B. In certain embodiments, for example, the at least one security
software
may be plural security software, and the encrypted tunnel may have a first
endpoint at a
first port associated with a first security software of the plural security
software and a
second endpoint at a second port associated with a second security software of
the
plural security software.
[00457] C. In certain embodiments, for example, authorizing the first
application
software may comprise authorizing a user of the first application software. In
certain
embodiments, for example, the at least one security software may be
transparent to the
first application software and the second application software. In certain
embodiments,
for example, the authorizing and the confirming may each comprise encrypted
communication over the network. In certain embodiments, for example, the
system may
be configured as a software-defined perimeter. In certain embodiments, for
example, an
access controller of the software-defined perimeter may comprise one of the at
least one
security software.
189
CA 03077203 2020-03-26
WO 2019/071126 PCT/US2018/054609
[00458] Certain embodiments may provide, for example, a secure system,
comprising: i) plural nodes coupled to a network; ii) plural application
software executing
on at least a first node and a second node of the plural nodes; iii) at least
one encrypted
network tunnel configured to perform at least a partial data pathway for
transport of data
from a first application software of the plural application software on the
first node of the
plural nodes to a second application software of the plural application
software on the
second node of the plural nodes, the data conforming to a preconfigured,
predefined,
pre-established and/or preprovisioned first data protocol; and iv) at least
one middleware
initiating the at least one encrypted network tunnel, the at least one
middleware
positioned between the first application software and the second application
software in
a data pathway comprising the at least one encrypted network tunnel, the at
least one
middleware configured to: a) authorize the encrypted network tunnel, based at
least on
authorizing the first node, the second node, the first application software,
and the second
application software; and b) confirm that the first application software is
authorized to
transmit the first data protocol.
[00459] Certain embodiments may provide, for example, a secure system
comprising:
plural nodes coupled to a network, plural application software executing on at
least a first
node and a second node of the plural nodes, at least one encrypted network
tunnel
established between a first application software of the plural application
software on the
first node of the plural nodes and a second application software of the plural
application
software on the second node of the plural nodes, the first application
software configured
to send data conforming to a preconfigured, predefined, pre-established and/or
preprovisioned first data protocol, and at least one middleware initiating the
at least one
encrypted network tunnel. In certain further embodiments, for example, the at
least one
middleware may be positioned between the first application software and the
second
application software in a data pathway comprising the at least one encrypted
network
tunnel. In certain further embodiments, for example, the at least one
middleware may be
configured to authorize the encrypted network tunnel, based at least on
authorizing at
least one of the plural nodes, the first application software, and the second
application
software. In certain further embodiments, for example, the at least one
middleware may
be configured to confirm that the second application software is authorized to
receive the
first data protocol.
[00460] A. In certain embodiments, for example, the at least one middleware
may be
transparent to the first application software and the second application
software. In
certain embodiments, for example, the authorize and the confirm may each
comprise
encrypted communication over the network.
190
CA 03077203 2020-03-26
WO 2019/071126 PCT/US2018/054609
[00461] Certain embodiments may provide, for example, a secure system
comprising:
i) plural nodes coupled to a network; ii) plural application software
executing on at least a
first node and a second node of the plural nodes; iii) at least one encrypted
network
tunnel established between a first application software of the plural
application software
on the first node of the plural nodes and a second application software of the
plural
application software on the second node of the plural nodes, the first
application software
configured to send data conforming to a preconfigured, predefined, pre-
established
and/or preprovisioned first data protocol; and iv) at least one middleware
initiating the at
least one encrypted network tunnel, the at least one middleware positioned
between the
first application software and the second application software in a data
pathway
comprising the at least one encrypted network tunnel, the at least one
middleware
configured to: a) authorize the encrypted network tunnel, based at least on
authorizing at
least one of the plural nodes, the first application software, and the second
application
software; and b) confirm that the second application software is authorized to
receive the
first data protocol.
[00462] Certain embodiments may provide, for example, a secure system
comprising
plural nodes communicating over a network by machine-to-machine middleware,
each
node of the plural nodes comprising: a preconfigured list, and machine-to-
machine
middleware. In certain embodiments, for example, each member of the
preconfigured
list may comprise a 2-tuple, the 2-tuple comprising a port number. In certain
further
embodiments, for example, the machine-to-machine middleware may be configured
to:
interpret the preconfigured list to define authorized client-server
connections, receive a
network packet from the network, decrypt an encrypted metadata portion of the
network
packet using a single-use cryptographic key, extract an authorization
parameter from the
decrypted metadata portion of the network packet, and compare a 2-tuple
consisting of
the destination port number of the network packet and the authorization
parameter with
at least one member of the preconfigured list.
[00463] A. In certain embodiments, for example, the preconfigured file may be
stored
on a non-transitory computer-readable storage medium (for example a
nonvolatile
memory storage medium) exclusively as an encrypted binary file. In certain
embodiments, for example, the authorization parameter may be a remote node
identification code. In certain embodiments, for example, the remote node
identification
code may be nonpublic. In certain embodiments, for example, the remote node
identification code may be a shared secret among a subset of the plural nodes.
[00464] B. In certain embodiments, for example, the authorization parameter
may
comprise a remote descriptor, the remote descriptor comprising a remote
application
191
CA 03077203 2020-03-26
WO 2019/071126 PCT/US2018/054609
identifier, an identifier for a user of the remote application, and a data
protocol code. In
certain embodiments, for example, the machine-to-machine middleware may be at
least
partially embedded in a kernel.
[00465] Certain embodiments may provide, for example, a secure system
comprising
plural nodes communicating over a network by machine-to-machine middleware,
each
node of the plural nodes comprising: i) a preconfigured list, each member of
the
preconfigured list comprising a 2-tuple, the 2-tuple comprising a port number;
and ii)
machine-to-machine middleware configured to: a) interpret the preconfigured
list to
define authorized client-server connections; b) receive a network packet from
the
network; c) decrypt an encrypted metadata portion of the network packet using
a single-
use cryptographic key; d) extract an authorization parameter from the
decrypted
metadata portion of the network packet; and e) compare a 2-tuple consisting of
the
destination port number of the network packet and the authorization parameter
with at
least one member of the preconfigured list.
[00466] A. In certain embodiments, for example, the machine-to-machine
middleware
may be transparent to the client application. In certain embodiments, for
example, the
network packet may comprise a segmented payload. In certain embodiments, for
example, at least 25% (for example at least 50%, such as at least 75%) of the
plural
nodes may be dedicated computing devices.
[00467] Certain embodiments may provide, for example, a secure system
comprising
plural nodes communicating over a network by machine-to-machine middleware,
each
node of the plural nodes comprising: a client application, a preconfigured
list, a security
layer, a kernel, and machine-to-machine middleware at least partially embedded
in the
kernel. In certain further embodiments, for example, the machine-to-machine
middleware may be configured to: interpret the preconfigured list to define
authorized
client-server connections, receive a network packet from the network, decrypt
an
encrypted metadata portion of the network packet using a single-use
cryptographic key
(for example a rotated key derived from ECDH key exchange), extract at least a
2-tuple
consisting of a remote server code and a data protocol code from the decrypted
metadata portion of the network packet, and compare the 2-tuple to at least
one member
of the preconfigured list. In certain further embodiments, for example, each
member of
the preconfigured list may consist of an n-tuple, the n-tuple comprising a 2-
tuple
consisting of a remote server code and a data protocol code.
[00468] A. In certain embodiments, for example, the machine-to-machine
middleware
may be transparent to the client application. In certain embodiments, for
example, the
network packet may comprise a segmented payload. In certain embodiments, for
192
CA 03077203 2020-03-26
WO 2019/071126 PCT/US2018/054609
example, at least 25% (for example at least 50%, such as at least 75%) of the
plural
nodes may be dedicated computing devices.
[00469] Certain embodiments may provide, for example, a secure system
comprising
plural nodes communicating over a network by machine-to-machine middleware,
each
node of the plural nodes comprising: i) a client application; ii) a
preconfigured list, each
member of the preconfigured list consisting of an n-tuple, the n-tuple
comprising a 2-
tuple consisting of a remote server code and a data protocol code; iii) a
security layer; iv)
a kernel; and v) machine-to-machine middleware at least partially embedded in
the
kernel, the machine-to-machine middleware configured to: a) interpret the
preconfigured
list to define authorized client-server connections; b) receive a network
packet from the
network; c) decrypt an encrypted metadata portion of the network packet using
a single-
use cryptographic key; d) extract at least a 2-tuple consisting of a remote
server code
and a data protocol code from the decrypted metadata portion of the network
packet;
and e) compare the 2-tuple to at least one member of the preconfigured list.
[00470] Certain embodiments may provide, for example, a method to instantiate
and
manage a dedicated data pathway extending from a source port on a first node
to a
destination port on a second node, processor, or computing device. In certain
embodiments, for example, the method may comprise selecting, from a
predetermined,
exclusive list of authorized data pathways, a security port number exclusively
paired with
a port number of the destination port. In certain embodiments, for example,
the method
may comprise forming an encrypted communication pathway extending from the
first
node to a security port present on the second node, the security port having
the selected
security port number (i.e., the selected security port number assigned to the
security
port). In certain embodiments, for example, the method may comprise, prior to
transmitting any data from the source port to the destination port: verifying,
at the first
node, that a first n-tuple (for example the first n-tuple may be an at least a
2-tuple, an at
least a 3-tuple, an at least a 5-tuple, an at least a 6-tuple, an at least an
8-tuple, an at
least a 10-tuple, or an at least a 12-tuple) received from the encrypted
communication
pathway matches an expected value based on the security port number, the first
n-tuple
comprising: a nonpublic device code for the second node, a user associated
with the
destination port, an application associated with the destination port, and a
data protocol
descriptor. In certain embodiments, for example, the method may comprise,
prior to
passing a network packet to the destination port: verifying, at the second
node, that an
second n-tuple obtained from the network packet matches an expected value
based on
the security port number, the second n-tuple comprising: a user associated
with the
193
CA 03077203 2020-03-26
WO 2019/071126 PCT/US2018/054609
source port, an application associated with the source port, and the data
protocol
descriptor.
[00471] Certain embodiments may comprise, for example, a method to instantiate
and
manage a dedicated data pathway extending from a source port on a first node
to a
destination port on a second node, comprising: i) selecting, from a
predetermined,
exclusive list of authorized data pathways, a security port number exclusively
paired with
a port number of the destination port; ii) forming an encrypted communication
pathway
extending from the first node to a security port present on the second node,
the security
port having the selected security port number (i.e., the selected security
port number
assigned to the security port); iii) prior to transmitting any data from the
source port to the
destination port: verifying, at the first node, that a first n-tuple received
from the
encrypted communication pathway matches an expected value based on the
security
port number, the first n-tuple comprising: a nonpublic device code for the
second node, a
user associated with the destination port, an application associated with the
destination
port, and a data protocol descriptor; and iv) prior to passing a network
packet to the
destination port: verifying, at the second node, that an second n-tuple
obtained from the
network packet matches an expected value based on the security port number,
the
second n-tuple comprising: a user associated with the source port, an
application
associated with the source port, and the data protocol descriptor.
[00472] Certain embodiments may provide, for example, a method to instantiate
and
manage a dedicated data pathway extending from a source port on a first node
to a
destination port on a second node, comprising: selecting, from a
predetermined,
exclusive list of authorized data pathways, a tunnel port number exclusively
paired with a
port number of the destination port; forming a network tunnel extending from
the first
node to a tunnel port present on the second node, the tunnel port having the
selected
tunnel port number (i.e., the selected tunnel port number assigned to the
tunnel port); iii)
prior to transmitting any data from the source port to the destination port:
verifying, at the
first node, that a first n-tuple received from the network tunnel matches an
expected
value based on the tunnel port number, the first n-tuple comprising: a
nonpublic device
code for the second node, a user associated with the destination port, an
application
associated with the destination port, and a data protocol descriptor; and iv)
prior to
passing a network packet to the destination port: verifying, at the second
node, that an
second n-tuple obtained from the network packet matches an expected value
based on
the tunnel port number, the second n-tuple comprising: a user associated with
the source
port, an application associated with the source port, and the data protocol
descriptor.
194
CA 03077203 2020-03-26
WO 2019/071126 PCT/US2018/054609
[00473] Certain embodiments may provide, for example, a system comprising:
plural
nodes communicating over a network according to a shared network protocol,
wherein
each one of the plural nodes may be preconfigured to initialize at least one
encrypted
network tunnel with at least another one of the plural nodes, and each one of
the plural
nodes having application and/or data transfer privileges may be limited to
transferring
data to another one of the plural nodes exclusively by an encrypted network
tunnel of the
at least one encrypted network tunnel.
[00474] A. In certain embodiments, for example, each one of the least 25% (for
example at least 50%, such as at least 90%) of the plural nodes may be an edge
computing device.
[00475] Certain embodiments may provide, for example, a method to retrofit a
node
interface to a network, comprising: inserting a computing device between a
node and the
network. In certain further embodiments, for example, the computing device may
comprise: a file stored on non-transitory computer-readable storage medium,
the file
having a list of authorized data communications sessions, the file comprising:
an index
defined by an application authorized to be executed on a processor of the node
and an
authorized user of the application, a unique 2-tuple consisting of a port
number assigned
to the application and a port number assigned to a network security
middleware, a
unique 2-tuple consisting of a port number assigned to a remote application
and a port
number assigned to a remote network security middleware, and a data protocol
descriptor.
[00476] Certain embodiments may provide, for example, a method to retrofit a
node
interface to a network, comprising: inserting a computing device between a
node and the
network, the computing device comprising: a file on a non-transitory computer-
readable
storage medium of the computing device, the file interpretable by network
security
middleware executing on the computing device to define authorized
communication
sessions and an authorized data protocol for each one of the authorized
communication
sessions. In certain further embodiments, for example, the computing device
may
further comprise a network stack configured to route each data packet through
the
network security middleware, the network security middleware configured to
drop a data
packet unless it is authorized to be transmitted using one of the authorized
communication sessions.
[00477] Certain embodiments may provide, for example, a secure method for a
first
computing device to update resident software, comprising: receiving, from a
predetermined, authenticated, authorized client executing on a second
computing
device, an encrypted non-executable payload noticing availability of updated
software.
195
CA 03077203 2020-03-26
WO 2019/071126 PCT/US2018/054609
In certain further embodiments, for example, the receiving may be followed by
establishing a unidirectional encrypted network tunnel with a predetermined
server
executing on a third computing device. In certain further embodiments, for
example, the
establishing may comprise exchanging and authenticating encrypted device
identifiers
between the first computing device and the third computing device, and
verifying that the
second computing device and the third computing device are different devices.
In
certain further embodiments, for example, the method may further comprise
downloading
the updated software over the unidirectional encrypted network tunnel.
[00478] Certain embodiments may provide, for example, a secure computing
device
comprising a physical network interface, the physical network interface
configured to:
compare a destination port number of each incoming network packet to a list of
authorized destination ports, execute remote procedure calls to first software
program (or
module or portion of code) executing on a central processing unit of the
computing
device, the first software configured to decrypt metadata from each incoming
network
packet, and execute remote procedure calls to second software executing on the
central
processing unit. In certain further embodiments, for example, the second
software
program may be configured to compare the decrypted metadata to a list of
authorized n-
tuples, each of the n-tuples in the list of authorized n-tuples comprising
descriptors for: a
source application for the incoming network packet, a user for the source
application,
and a payload protocol for the network packet.
[00479] A. In certain embodiments, for example, the physical network interface
may
be a field-programmable gate array.
[00480] B. In certain embodiments, for example, the physical network interface
may
be further configured (for example programmed) to execute remote procedure
calls to a
third software program executing on the central processing unit, the third
software
configured to translate a payload of the incoming network packet into native
formatted
data for consumption by the receiving application.
[00481] C. In certain embodiments, for example, at least one of the first
software,
second software, or third software execute in an OSI application layer of the
computing
device.
[00482] Certain embodiments may provide, for example, a method to filter a
network
packet in an edge computing device, comprising: parsing at least a portion of
the
network packet to obtain payload data in a network stack of the edge computing
device;
and invoking publish-subscribe pattern messaging software from a sub-session
layer of
the network stack to retrieve, based on at least a portion of the payload
data, one or
more network packet authentication and/or access control parameters.
196
CA 03077203 2020-03-26
WO 2019/071126 PCT/US2018/054609
[00483] A. In certain embodiments, for example, the publish-subscribe pattern
messaging software may conform to the Data Distribution Service standard.
[00484] B. In certain embodiments, for example, the publish-subscribe pattern
messaging software may conform to an MQ Telemetry Transport messaging
protocol.
[00485] C. In certain embodiments, for example, the one or more network packet
authentication and/or access control parameters may be retrieved from metadata
encoded in the payload data. In certain embodiments, for example, the one or
more
network packet authentication and/or access control parameters may comprise a
source
application, a source application user, and a data protocol of the payload
data. In certain
embodiments, for example, the one or more network packet authentication and/or
access control parameters may be encrypted. In certain embodiments, for
example, the
method may further comprise: comparing a port address number of the network
packet
to a list of pre-authorized port address numbers stored in kernel random
access memory.
[00486] Certain embodiments may provide, for example, a method to filter a
network
packet (for example an IP packet containing an IP header and a TCP segment).
In
certain embodiments, for example, the method may comprise parsing the network
packet
to obtain network packet data; and invoking data distribution service software
from a
sub-session layer (for example a transport layer according to the Open Systems
Interconnection model) of a network stack to retrieve, based on at least a
portion of the
network packet data (for example a metadata portion), one or more network
packet
authentication and/or access control parameters. In certain embodiments, for
example,
the network packet may be an incoming packet received from an Ethernet
connection.
In certain embodiments, for example, the network packet may be an outgoing
packet
being directed towards received from an Ethernet connection. In certain
embodiments,
for example, parsing the network packet may comprise parsing a header of the
network
packet (for example a network header such as an IP header, an I Psec header,
or a TCP
header of a TCP segment). In certain embodiments, for example, the one or more
network packet authentication and/or access control parameters may comprise a
destination port. In certain embodiments, for example, parsing the network
packet may
comprise parsing metadata (for example payload metadata). In certain further
embodiments, for example, the metadata may comprise metadata useful for
authenticating a computing device sending at least a portion of a payload
present in the
network packet. In certain embodiments, for example, the metadata may comprise
metadata useful for authenticating an application and/or user sending at least
a portion
of a payload present in the network packet. In certain embodiments, for
example, the
197
CA 03077203 2020-03-26
WO 2019/071126 PCT/US2018/054609
metadata may comprise metadata useful for authorizing an application to have
access to
at least a portion of a payload present in the network packet.
[00487] A. In certain embodiments, for example, the network stack may be
executing
on a node in a data distribution service domain. In certain embodiments, for
example,
the node may be a subscriber in the data distribution service domain. In
certain
embodiments, for example, the node may be a publisher in the data distribution
service
domain. In certain embodiments, for example, the metadata may comprise
metadata
inserted by data distribution service middleware. In certain embodiments, for
example,
the metadata may comprise a publish-subscribe topic. In certain embodiments,
for
example, the network packet may comprise a payload having at least a portion
that is
strongly typed. In certain embodiments, for example, the metadata may comprise
a
publish-subscribe data type definition. In certain further embodiments, for
example, the
one or more network packet access control parameters may comprise the publish-
subscribe data type definition. In certain embodiments, for example, the
method may
further comprise comparing the one or more network packet authentication
and/or
access control parameters with settings of a domain participant in a data
distribution
service domain. In certain embodiments, for example, the settings may define
at least
one data reader in the data distribution service domain. In certain
embodiments, for
example, the settings may define at least one data writer in the data
distribution service
domain. In certain embodiments, for example, the method may further comprise
creating
and maintaining an event log.
[00488] B. In certain further embodiments, for example, the data distribution
service
software may be invoked by operating system software, for example by operating
system
software operating at kernel priority. In certain embodiments, for example,
the data
distribution service software defines at least part of a software library, for
example a pre-
built library. In certain embodiments, for example, the data distribution
service software
defines at least one subroutine. In certain embodiments, for example, the data
distribution service software defines at least one module. In certain
embodiments, for
example, the data distribution service software defines at least one function.
In certain
embodiments, for example, the data distribution service software defines at
least a
portion of an object.
[00489] C. In certain embodiments, for example, the network stack may be
executing
on a dedicated computing device. In certain embodiments, for example, the
method may
be performed at wire speed.
[00490] Certain embodiments may provide, for example, a kernel-based method
for
authorized network communication, comprising: detecting a network packet added
to a
198
CA 03077203 2020-03-26
WO 2019/071126 PCT/US2018/054609
network stack memory, moving the detected network packet from the network
stack
memory to a heap space; authorizing the network packet, and removing the
authorized
network packet from the heap space and replacing the network packet in network
stack
memory. In certain embodiments, for example, the authorizing may be based at
least
on: a) a universal identifier for a source of the network packet, comprising
an authorized
source application identifier and an identifier for an authorized user of the
source
application; b) a universal identifier for destination of the network packet,
comprising an
authorized destination application identifier and an identifier for an
authorized user of the
destination application; c) a port associated with the destination
application; d) a different
port associated with a middleware; and e) a data protocol field.
[00491] A. In certain embodiments, for example, the middleware may be
responsible
for the detecting. In certain embodiments, for example, the middleware may be
responsible for the moving. In certain embodiments, for example, the
middleware may
be responsible for the authorizing. In certain embodiments, for example, the
middleware
may be responsible for the detecting, the moving, and the authorizing.
[00492] Certain embodiments may provide, for example, a kernel-based method
for
authorized network communication, comprising: i) detecting a network packet
added to a
network stack memory; ii) moving the detected network packet from the network
stack
memory to a heap space; iii) authorizing the network packet, based at least
on: a) a
universal identifier for a source of the network packet, comprising an
authorized source
application identifier and an identifier for an authorized user of the source
application; b)
a universal identifier for destination of the network packet, comprising an
authorized
destination application identifier and an identifier for an authorized user of
the destination
application; c) a port associated with the destination application; d) a
different port
associated with a middleware; and e) a data protocol field; and iv) removing
the
authorized network packet from the heap space and replacing the network packet
in
network stack memory.
[00493] Certain embodiments may comprise, for example, a kernel-based method
for
authorized network communication, comprising: detecting (for example receiving
or
intercepting) a network packet added to a network stack memory, making the
detected
network packet accessible to a heap space (for example by moving or copying
the
network packet from the network stack memory to the heap space), authorizing
the
network packet, and removing the authorized network packet from the heap space
and
replacing the network packet in network stack memory. In certain further
embodiments,
for example, the authorizing may reference: an index defined by a pre-approved
application a pre-approved user of the application, a unique 2-tuple
consisting of a port
199
CA 03077203 2020-03-26
WO 2019/071126 PCT/US2018/054609
number assigned to the application and a port number assigned to an encryption
layer, a
unique 2-tuple consisting of a port number assigned to a remote application
and a port
number assigned to a remote encryption layer, and a data protocol field.
[00494] Certain embodiments may provide, for example, a method to prevent an
attack by malware resident on a node, comprising: a network security agent
opening a
port in listening mode, the port configured to establish a compromised
encrypted
connection, receiving a connection request at the port from a malware
configured to
exploit the compromised encryption protocol, establishing an encrypted tunnel
between
the network security agent and the malware, the encrypted tunnel having the
port as an
endpoint, and the network security agent terminating the encrypted tunnel
after a fixed
number of attempts by the malware to provide an expected identification code
for the
node, the expected identification code selected by the network security agent
based on
the port number of the port.
[00495] A. In certain embodiments, for example, the network security agent may
be
present on the node, processor, or computing device. In certain embodiments,
for
example, the network security agent may be present on a remote node,
processor, or
computing device. In certain embodiments, for example, the encrypted
connection may
be compromised due to a compromised private key. In certain embodiments, for
example, the encrypted connection may be compromised due to one or more
compromised components of a cipher suite. In certain embodiments, for example,
the
encrypted connection may be compromised due to one or more security holes in a
software implementation of an encryption protocol. In certain embodiments, for
example,
the malware may be present on the node, processor, or computing device. In
certain
embodiments, for example, the malware may be present on a different node,
processor,
or computing device. In certain embodiments, for example, the port may be
configured
according to a secure socket layer protocol. In certain embodiments, for
example, the
port may be configured according to an I Psec protocol. In certain
embodiments, for
example, the malware may identify the port based on a port scan. In certain
embodiments, for example, the expected node identification code may have a
length of
at least 2048 bits. In certain embodiments, for example, the sum-of-digits of
the
expected node identification code may be a prime number. In certain
embodiments, for
example, a portion of the expected node identification code may be a randomly
generated number. In certain embodiments, for example, at least 90% of the
digits of
the expected node identification code may be a randomly generated number. In
certain
embodiments, for example, the expected node identification code may be stored
in a
proprietary binary format configured to be interpreted solely by the network
security
200
CA 03077203 2020-03-26
WO 2019/071126 PCT/US2018/054609
agent. In certain embodiments, for example, the expected node identification
code may
be stored on a non-transitory computer-readable storage medium (for example a
nonvolatile memory storage medium) in an encrypted, read-only binary file, the
binary file
comprising a proprietary record structure. In certain embodiments, for
example, the
binary file may comprise plural records having variable record length. In
certain
embodiments, for example, the binary file may be readable into random access
memory
solely by the network security agent. In certain embodiments, for example, the
security
agent may terminate the encrypted tunnel after no more than 20 attempts to
provide the
expected identification code.
[00496] Certain embodiments may provide, for example, a method to prevent an
attack by malware resident on a node, comprising: a network security agent
sending a
connection request to a spoofed listening port associated with a malware, the
network
security agent configured to establish a compromised encrypted connection,
establishing
an encrypted tunnel between the network security agent and the malware, the
encrypted
tunnel having the malware port as an endpoint, and the network security agent
terminating the encrypted tunnel after a fixed number of attempts by the
malware to
provide an expected identification code for the node, the expected
identification code
selected by the network security agent based on the port number of the port.
In certain
embodiments, for example, the network security agent may inadvertently send
the
connection request to the spoofed listening port. In certain embodiments, for
example,
the network security agent may be directed (for example by malware) to send
the
connection request to the spoofed listening port.
[00497] Certain embodiments may provide, for example, a method to prevent an
attack by malware resident on a node, comprising: the malware attempting to
transmit a
connection request to a remote destination port, and checking an application
code (for
example an application code obtained from process status check) and a user
code value
of the malware against expected values, the expected values selected based on
the
destination port.
[00498] A. In certain embodiments, for example, the method may further
comprise
dropping the connection request based on the application code and a user code
failing to
match the expected values. In certain embodiments, for example, the method may
further comprise dropping the connection request based on the absence of the
destination port in a preconfigured list of allowed destination ports. In
certain
embodiments, for example, the malware may be introduced to the node via a USB
port.
[00499] Certain embodiments may provide, for example, a method for
communication
between a first node and a second node, processor, or computing device. In
certain
201
CA 03077203 2020-03-26
WO 2019/071126 PCT/US2018/054609
embodiments, for example, the method may comprise establishing an encrypted
connection to transfer data exclusively between a first process running on the
first node
and a second process running on the second node, processor, or computing
device. In
certain embodiments, for example, the establishing may comprise the second
node
receiving a node identification packet from the first node and confirming a
shared secret
node identification code received from the first node, processor, or computing
device. In
certain embodiments, for example, the method may comprise managing a
connection
state of the authorized encrypted connection. In certain embodiments, for
example, the
managing may comprise confirming that network packets received at the second
node
via the encrypted connection comprise at least a predetermined user
identification code,
a predetermined process identification code, and/or a predetermined data
protocol
identification code. In certain embodiments, for example, the node
identification packet
may comprise a packet type header configured for processing by network
security
software. In certain embodiments, for example, the network security software
may be
invoked in a network stack. In certain further embodiments, for example, the
packet type
header may be located after a layer three header according to the OSI Seven
Layer
Model. In certain further embodiments, for example, the packet type header may
be
located after a layer four header according to the OSI Seven Layer Model. In
certain
further embodiments, for example, the packet type header may be located after
an
SSLJTLS header. In certain embodiments, for example, a data protocol of the
data to be
transferred may match an expected data protocol based on the data protocol
identification code. In certain embodiments, for example, the predetermined
user
identification code, the predetermined process identification code, and/or the
predetermined data protocol identification code may be metadata present in the
network
packets. In certain embodiments, for example, the metadata may be configured
for
processing by network security software. In certain embodiments, for example,
the
network security software may be invoked in a network stack. In certain
further
embodiments, for example, the packet type header may be located after a layer
three
header according to the OSI Seven Layer Model. In certain further embodiments,
for
example, the metadata may be located after a layer four header according to
the OSI
Seven Layer Model. In certain further embodiments, for example, the packet
type
header may be located after an SSL/TLS header.
[00500] Certain embodiments may provide, for example, a method for
communication
between a first node and a second node, processor, or computing device. In
certain
embodiments, for example, the method may comprise authorizing an encrypted
connection to transfer data exclusively between a first process (for example a
first user
202
CA 03077203 2020-03-26
WO 2019/071126 PCT/US2018/054609
process) running on the first node and a second process (for example a second
user
process) running on the second node, processor, or computing device. In
certain
embodiments, for example, the authorizing may comprise transmitting a node
identification packet from the first node to the second node, the node
identification
packet comprising a shared secret node identification code for the first node,
processor,
or computing device. In certain embodiments, for example, the authorizing may
be
followed by managing a connection state of the authorized encrypted
connection. In
certain embodiments, for example, the managing may comprise withdrawing the
authorization if at least one network packet received from the authorized
encrypted
connection is missing one or more of an expected user identification code,
process
identification code, and data protocol identification code. In certain
embodiments, for
example, the authorizing may further comprise: transmitting a node
identification packet
from the second node to the first node, the node identification packet
comprising a
shared secret node identification code for the second node, processor, or
computing
device. In certain embodiments, for example, the authorizing may further
comprise:
transmitting a process identification packet from the first node to the second
node, the
process identification packet comprising a user identifier for the first
process, an
application identifier for the first process, a data protocol identifier for
the connection, or a
combination of two or more of the foregoing identifiers. In certain
embodiments, for
example, the authorizing may further comprise: executing operating system
commands
to identify a process requesting the data transfer, followed by verifying that
the
requesting process is authorized to transfer and/or receive the data. In
certain
embodiments, for example, the managing may further comprise: executing
operating
system commands to identify a process requesting the data transfer, followed
by
verifying that the requesting process is authorized to transfer and/or receive
the data. In
certain embodiments, for example, the authorizing may comprise consulting
configuration files present on the first node and second node to obtain one or
more of the
shared secret node identification code, user identification code, process
identification
code, and data protocol identification code. In certain embodiments, for
example, the
managing may comprise consulting configuration files present on the first node
and
second node to obtain one or more of the shared secret node identification
code, user
identification code, process identification code, and data protocol
identification code. In
certain embodiments, for example, a 3-tuple comprising the user identification
code,
process identification code, and data protocol identification code may be a
shared secret
between the first node and the second node, processor, or computing device. In
certain
embodiments, for example, a 4-tuple comprising the shared secret node
identification
203
CA 03077203 2020-03-26
WO 2019/071126
PCT/US2018/054609
code, user identification code, process identification code, and data protocol
identification code may be a shared secret between the first node and the
second node,
processor, or computing device. In certain embodiments, for example, the
authorizing
may comprise mutual exchange from and authorization by the first node and
second
node of one or more of the shared secret node identification code, user
identification
code, process identification code, and data protocol identification code.
[00501] Certain embodiments may provide, for example, a method for
communication
between a first node and a second node, processor, or computing device. In
certain
embodiments, for example, the method may comprise authorizing an encrypted
connection to transfer data between a first process running on the first node
and a
second process running on the second node, processor, or computing device. In
certain
embodiments, for example, the authorizing may comprise mutual exchange,
authentication, and authorization of shared secret first and second node
identification
codes. In certain embodiments, for example, the authorizing may be followed by
managing a connection state of the authorized encrypted connection. In certain
embodiments, for example, the managing may comprise dropping the connection if
an
incoming network packet from the authorized encrypted connection is missing
one or
more of an expected user identification code, process identification code, and
data
protocol identification code.
[00502] Certain embodiments may provide, for example, a method for
communication
between a first node and a second node, processor, or computing device. In
certain
embodiments, for example, the method may comprise authorizing an encrypted
connection to transfer data exclusively between a first process running on the
first node
and a second process running on the second node, processor, or computing
device. In
certain embodiments, for example, the authorizing may comprise transmitting a
node
identification packet from the first node to the second node, the node
identification
packet comprising a shared secret node identification code for the first node,
processor,
or computing device. In certain embodiments, for example, the authorizing may
be
followed by managing a connection state of the authorized encrypted
connection. In
certain embodiments, for example, the managing may comprise withdrawing the
authorization if at least one network packet received from the authorized
encrypted
connection is missing an expected user, process, and/or packet payload data
protocol
identification code.
[00503] Certain embodiments may provide, for example, a method for
communication
between a first node and a second node, comprising: i) establishing an
encrypted
connection to transfer data exclusively between a first process running on the
first node
204
CA 03077203 2020-03-26
WO 2019/071126 PCT/US2018/054609
and a second process running on the second node, comprising: the second node
receiving a node identification packet from the first node and confirming a
shared secret
node identification code received from the first node; and ii) managing a
connection state
of the authorized encrypted connection, comprising: confirming that network
packets
received at the second node via the encrypted connection comprise at least an
predetermined user identification code, a predetermined process identification
code,
and/or a predetermined data protocol identification code.
[00504] Certain embodiments may provide, for example, a method for
communication
between a first node and a second node, comprising: i) authorizing an
encrypted
connection to transfer data exclusively between a first process running on the
first node
and a second process running on the second node, comprising: transmitting a
node
identification packet from the first node to the second node, the node
identification
packet comprising a shared secret node identification code for the first node;
followed by
ii) managing a connection state of the authorized encrypted connection,
comprising:
withdrawing the authorization if at least one network packet received from the
authorized
encrypted connection is missing one or more of an expected user identification
code,
process identification code, and data protocol identification code.
[00505] Certain embodiments may provide, for example, a method for
communication
between a first node and a second node, comprising: i) authorizing an
encrypted
connection to transfer data between a first process running on the first node
and a
second process running on the second node, comprising: mutual exchange,
authentication, and authorization of shared secret first and second node
identification
codes; followed by ii) managing a connection state of the authorized encrypted
connection, comprising: dropping the connection if an incoming network packet
from the
authorized encrypted connection is missing one or more of an expected user
identification code, process identification code, and data protocol
identification code.
[00506] Certain embodiments may provide, for example, a method for
communication
between a first node and a second node, comprising: i) authorizing an
encrypted
connection to transfer data exclusively between a first process running on the
first node
and a second process running on the second node, comprising: transmitting a
node
identification packet from the first node to the second node, the node
identification
packet comprising a shared secret node identification code for the first node;
followed by
ii) managing a connection state of the authorized encrypted connection,
comprising:
withdrawing the authorization if at least one network packet received from the
authorized
encrypted connection is missing an expected user, process, and/or packet
payload data
protocol identification code.
205
CA 03077203 2020-03-26
WO 2019/071126 PCT/US2018/054609
[00507] Certain embodiments may provide, for example, a method of securing
network communications received by a network node, processor, or computing
device.
In certain embodiments, for example, the method may comprise confirming
network
packets received are from a preconfigured, predefined, pre-established and/or
preprovisioned source process running on a preconfigured, predefined, pre-
established
and/or preprovisioned authorized source node and directed to a preconfigured,
predefined, pre-established and/or preprovisioned authorized destination
process
running on a preconfigured, predefined, pre-established and/or preprovisioned
authorized destination node, processor, or computing device. In certain
embodiments,
for example, the method may further comprise passing at least a portion of the
payloads
from the network packets to the authorized destination process.
[00508] A. In certain embodiments, for example, the authorized source process
may
be preconfigured, predefined, pre-established and/or preprovisioned relative
to the
network node (for example the network node may contain a file identifying the
source
process, wherein the file is present on the network node prior to the
confirming and
passing). In certain embodiments, for example, the authorized source node may
be
preconfigured, predefined, pre-established and/or preprovisioned relative to
the network
node (for example the network node may contain a file identifying the source
node,
wherein the file is present on the network node prior to the confirming and
passing). In
certain embodiments, for example, the authorized destination process may be
preconfigured, predefined, pre-established and/or preprovisioned relative to
the network
node (for example the network node may contain a file identifying the
destination
process, wherein the file is present on the network node prior to the
confirming and
passing). In certain embodiments, for example, the authorized destination node
may be
preconfigured, predefined, pre-established and/or preprovisioned relative to
the network
node (for example the network node may contain a file identifying the
destination node,
wherein the file is present on the network node prior to the confirming and
passing). In
certain embodiments, for example, the authorized source process may be
preconfigured,
predefined, pre-established and/or preprovisioned relative to the authorized
source node
(for example the authorized source node may contain a file identifying the
source
process, wherein the file is present on the authorized source node prior to
the confirming
and passing). In certain embodiments, for example, the authorized source node
may be
preconfigured, predefined, pre-established and/or preprovisioned relative to
the
authorized source node (for example the authorized source node may contain a
file
identifying the source node, wherein the file is present on the authorized
source node
prior to the confirming and passing). In certain embodiments, for example, the
206
CA 03077203 2020-03-26
WO 2019/071126 PCT/US2018/054609
authorized destination process may be preconfigured, predefined, pre-
established and/or
preprovisioned relative to the authorized source node (for example the
authorized source
node may contain a file identifying the destination process, wherein the file
is present on
the authorized source node prior to the confirming and passing). In certain
embodiments, for example, the authorized destination node may be
preconfigured,
predefined, pre-established and/or preprovisioned relative to the authorized
source node
(for example the authorized source node may contain a file identifying the
destination
node, wherein the file is present on the authorized source node prior to the
confirming
and passing). In certain embodiments, for example, the authorized source
process may
be preconfigured, predefined, pre-established and/or preprovisioned relative
to the
authorized destination node (for example the authorized destination node may
contain a
file identifying the source process, wherein the file is present on the
authorized
destination node prior to the confirming and passing). In certain embodiments,
for
example, the authorized source node may be preconfigured, predefined, pre-
established
and/or preprovisioned relative to the authorized destination node (for example
the
authorized destination node may contain a file identifying the source node,
wherein the
file is present on the authorized destination node prior to the confirming and
passing). In
certain embodiments, for example, the authorized destination process may be
preconfigured, predefined, pre-established and/or preprovisioned relative to
the
authorized destination node (for example the authorized destination node may
contain a
file identifying the destination process, wherein the file is present on the
authorized
destination node prior to the confirming and passing). In certain embodiments,
for
example, the authorized destination node may be preconfigured, predefined, pre-
established and/or preprovisioned relative to the authorized destination node
(for
example the authorized destination node may contain a file identifying the
destination
node, wherein the file is present on the authorized destination node prior to
the
confirming and passing).
[00509] B. In certain embodiments, for example, the received packets may be
received via an authorized encrypted communication pathway, wherein the
authorized
encrypted communication pathway may be established, wherein the establishing
of the
authorized encrypted communication pathway may comprise authorizing a
preconfigured, predefined, pre-established and/or preprovisioned source node
and a
preconfigured, predefined, pre-established and/or preprovisioned destination
node,
processor, or computing device.
207
CA 03077203 2020-03-26
WO 2019/071126 PCT/US2018/054609
[00510] C. In certain embodiments, for example, the authorized destination
node may
be the network node, processor, or computing device. In certain embodiments,
for
example, the authorized destination node may perform the confirming and
passing.
[00511] D. In certain embodiments, for example, the confirming may be
transparent
to the authorized source process. In certain embodiments, for example, the
confirming
may be transparent to the authorized destination process. In certain
embodiments, for
example, the confirming may be transparent to the authorized source process
and the
authorized destination process. In certain embodiments, for example, the
confirming
may comprise: comparing destination port numbers of the network packets with a
preconfigured, predefined, pre-established and/or preprovisioned port number
associated with the authorized destination process. In certain embodiments,
for
example, the associated port may be assigned to the authorized destination
process. In
certain embodiments, for example, the associated port may be assigned to
network
security software in communication with the authorized destination process. In
certain
embodiments, for example, the confirming may comprise: obtaining destination
port
numbers and source application codes, source process owners, and/or data type
protocol from the network packets; selecting one or plural preconfigured,
predefined, pre-
established and/or preprovisioned authorization codes assigned to the
destination port
numbers; and matching the source application codes, source process owners,
and/or
data type protocol obtained from the network packets to the one or plural
authorization
codes.
[00512] E. In certain embodiments, for example, the passing may comprise
transmitting the least a portion of the payloads from the network packets on a
dedicated
communication pathway for the authorized source process. In certain
embodiments, for
example, the passing may comprise transmitting the at least a portion of the
payloads
from the network packets via a loopback interface. In certain embodiments, for
example,
the passing may comprise passing the at least a portion of the payloads from
the
network packets via kernel functions (for example read and/or write
functions). In certain
embodiments, for example, the passing may comprise copying the at least a
portion of
the payloads from one memory location to another memory location. In certain
embodiments, for example, the passing may not comprise copying the at least a
portion
of the payloads from one memory location to another memory location. In
certain
embodiments, for example, the passing may comprise adjusting a pointer to a
location in
kernel memory.
208
CA 03077203 2020-03-26
WO 2019/071126 PCT/US2018/054609
[00513] F. In certain embodiments, for example, the method may further
comprise:
establishing an authorized connection having the associated port as an
endpoint,
followed by receiving the network packets received.
[00514] Certain embodiments may provide, for example, a method of securing
network communications received by a network node, processor, or computing
device.
In certain embodiments, for example, the method may comprise establishing an
authorized encrypted communication pathway, which may comprise authorizing a
preconfigured, predefined, pre-established and/or preprovisioned source node
and a
preconfigured, predefined, pre-established and/or preprovisioned destination
node,
processor, or computing device. In certain embodiments, for example, the
method may
comprise confirming network packets received via the encrypted communication
pathway are from a preconfigured, predefined, pre-established and/or
preprovisioned
authorized source process running on the authorized source node and directed
to a
preconfigured, predefined, pre-established and/or preprovisioned authorized
destination
process running on the authorized destination node, processor, or computing
device. In
certain embodiments, for example, the method may comprise passing at least a
portion
of the payloads from the network packets to the authorized destination
process. In
certain embodiments, for example, the source node and the destination node may
authorize one another based on mutual exchange, authentication, and
authorization of
shared secret device codes between the source node and the destination node,
processor, or computing device. In certain embodiments, for example, the
mutual
exchange may be made across the encrypted communication pathway prior to its
authorization. In certain embodiments, for example, the shared secret device
codes may
be created independently of any internet protocol. In certain embodiments, for
example,
the encrypted communication pathway may be formed according to SSL/TLS
protocol
prior to its authorization. In certain embodiments, for example, the encrypted
communication pathway may be formed according to I Psec protocol prior to its
authorization. In certain embodiments, for example, the encrypted
communication
pathway may be formed according to L2TP protocol prior to its authorization.
[00515] Certain embodiments may provide, for example, a method of securing
network communications received by a network node, comprising: i) confirming
network
packets received are from a preconfigured, predefined, pre-established and/or
preprovisioned authorized source process running on a preconfigured,
predefined, pre-
established and/or preprovisioned authorized source node and directed to a
preconfigured, predefined, pre-established and/or preprovisioned authorized
destination
process running on a preconfigured, predefined, pre-established and/or
preprovisioned
209
CA 03077203 2020-03-26
WO 2019/071126 PCT/US2018/054609
authorized destination node; and ii) passing at least a portion of the
payloads from the
network packets to the authorized destination process.
[00516] Certain embodiments may provide, for example, a method of securing
network communications received by a network node, comprising: i) establishing
an
authorized encrypted communication pathway, comprising authorizing a
preconfigured,
predefined, pre-established and/or preprovisioned source node and a
preconfigured,
predefined, pre-established and/or preprovisioned destination node; ii)
confirming
network packets received via the encrypted communication pathway are from a
preconfigured, predefined, pre-established and/or preprovisioned authorized
source
process running on the authorized source node and directed to a preconfigured,
predefined, pre-established and/or preprovisioned authorized destination
process
running on the authorized destination node; and iii) passing at least a
portion of the
payloads from the network packets to the authorized destination process.
[00517] Certain embodiments may provide, for example, a method for
communication
between a first node and a second node, processor, or computing device. In
certain
embodiments, for example, the method may comprise pre-loading a first
configuration
file (for example a preprovisioned first configuration file) on the first node
(for example
loading the file onto a non-transitory computer-readable storage medium (for
example a
nonvolatile memory storage medium) of the first node prior to boot-up of the
first node, or
loading the file into memory of the first node prior to other steps of the
method
enumerated herein) and a second configuration file (for example a
preprovisioned
second configuration file) on the second node, processor, or computing device.
In
certain embodiments, for example, the method may comprise forming an encrypted
communication pathway. In certain embodiments, for example, the method may
comprise authorizing the encrypted communication pathway to transfer data
between a
first process running on the first node and a second process running on the
second
node, processor, or computing device. In certain embodiments, for example, the
authorizing may comprise transmitting a first node identification packet from
the first
node to the second node, the first node identification packet comprising a
payload having
a first node identifier assigned to the first node, the first node identifier
obtained from the
pre-loaded first configuration file on the first node, processor, or computing
device. In
certain embodiments, for example, the authorizing may comprise comparing the
first
node identifier from the first node identification packet with a further node
identifier
assigned to the first node, the further node identifier obtained from the pre-
loaded
second configuration file on the second node, processor, or computing device.
In certain
embodiments, for example, the data may comprise an executable program, a
program
210
CA 03077203 2020-03-26
WO 2019/071126 PCT/US2018/054609
command, typed data, a combination of two or more of the foregoing, or a
portion of one
of the foregoing.
[00518] A. In certain embodiments, for example, the method may be transparent
to
the first process and the second process (for example the first process and
the second
process may execute first and second compiled code whether or not the method
is
invoked, or each of the source code for the first process and the source code
for the
second process may interface with a network stack using standard function
syntax of a
network application programmer's interface).
[00519] B. In certain embodiments, for example, the first node identification
packet
may be transmitted through the encrypted communication pathway. In certain
embodiments, for example, the first node identifier may be nonpublic and a
shared
secret. In certain embodiments, for example, the first node identifier may be
nonpublic.
In certain embodiments, for example, the first node identifier may be a shared
secret
between the first node and the second node, processor, or computing device. In
certain
embodiments, for example, the first node identifier may not be an IP address.
In certain
embodiments, for example, the first node identifier may not be a MAC address.
In
certain embodiments, for example, the first node identifier may not be a
parameter used
in (or a field present in) a layer 2-5 protocol header according to the OSI
model.
[00520] C. In certain embodiments, for example, the comparing may be performed
by
network security software, the network security software invoked in a network
stack of
the second node, processor, or computing device. In certain embodiments, for
example,
the network security software may be transparent to the first process and the
second
process. In certain embodiments, for example, an interface to the network
security
software may be invoked using standard network API syntax.
[00521] D. In certain embodiments, for example, the first configuration file
may be
pre-loaded on first nonvolatile storage media (for example first physical
nonvolatile
storage media) and the second configuration file may be pre-loaded on second
nonvolatile storage media (for example second physical nonvolatile storage
media). In
certain embodiments, for example, the pre-loaded second configuration file may
comprise at least one record, no more than one of the at least one record
comprising an
n-tuple consisting of the first node identifier and one or more of a first
application code,
first process owner code, and first data type code. In certain embodiments,
for example,
the at least one record may comprise an identifier, the identifier used in
forming the
encrypted communication pathway. In certain embodiments, for example, the
identifier
may be a cryptographic primitive (for example a prime number, or for example a
private
key). In certain embodiments, for example, the at least one record may be a
variable
211
CA 03077203 2020-03-26
WO 2019/071126 PCT/US2018/054609
length record. In certain embodiments, for example, the second configuration
file may
be an encrypted binary file.
[00522] E. In certain embodiments, for example, the method may further
comprise:
transmitting a data packet from the first node to the second node, the data
packet
comprising a payload, the payload comprising: data from the first process; and
at least
one first process identifier comprising one or more of an application code
(i.e., a code or
identifier assigned to the application), process owner code, and data type
code, the at
least one first process identifier assigned to the first node, the at least
one first process
identifier obtained from the pre-loaded first configuration file on the first
node, processor,
or computing device. In certain embodiments, for example, the data may conform
(for
example the formatting of the data may conform) to a data type assigned to the
data type
code.
[00523] F. In certain embodiments, for example, the method may further
comprise:
comparing the at least one first process identifier with an at least one
process identifier
assigned to the first process, the at least one process identifier obtained
from the pre-
loaded second configuration file on the second node, processor, or computing
device. In
certain embodiments, for example, the method may further comprise: updating an
authorized connection list to show an open connection state for the authorized
encrypted
communication pathway.
[00524] G. In certain embodiments, for example, the method may further
comprise:
transmitting data packets from the first node to the second node, the data
packets
comprising payloads, each of the payloads comprising: data from the first
process; and
at least one first process identifier comprising one or more of an application
code,
process owner code, and data type code, the at least one first process
identifier
assigned to the first node, the at least one first process identifier obtained
from the pre-
loaded first configuration file on the first node, processor, or computing
device. In certain
embodiments, for example, the method may further comprise: checking an
authorized
connection list resident on the second node to confirm that the encrypted
communication
pathway is in an open connection state. In certain embodiments, for example,
the at
least one first process identifier may be positioned in the payload to be
processed by
network security software. In certain embodiments, for example, the processing
may be
timed to occur prior to the processing of any application layer protocol
header. In certain
embodiments, for example, the method may further comprise: comparing the at
least one
first process identifier contained in each one of the payloads with an at
least one process
identifier assigned to the first process, the at least one process identifier
obtained from
the pre-loaded second configuration file on the second node, processor, or
computing
212
CA 03077203 2020-03-26
WO 2019/071126 PCT/US2018/054609
device. In certain embodiments, for example, the method may further comprise:
updating an authorized connection list to change the authorized encrypted
communication pathway connection state from open to closed if the at least one
first
process identifier contained in at least one of the payloads does not match
the at least
one first process identifier obtained from the pre-loaded first configuration
file on the first
node, processor, or computing device.
[00525] H. In certain embodiments, for example, the authorizing may comprise:
[00526] transmitting a second node identification packet from the second node
to the
first node, the second node identification packet comprising a payload having
a second
node identifier assigned to the second node, the second node identifier
obtained from
the pre-loaded second configuration file on the second node; and comparing the
second
node identifier from the second node identification packet with an additional
node
identifier assigned to the second node, the additional node identifier
obtained from the
pre-loaded first configuration file on the first node, processor, or computing
device.
[00527] I. In certain embodiments, for example, the authorizing may comprise:
transmitting a first process identification packet from the first node to the
second node,
the first process identification packet comprising a payload having at least
one first
process identifier assigned to the first process, the at least one first
process identifier
comprising one or more of a first application code, first process owner code,
and first
data type code, the at least one first process identifier assigned to the
first node, the first
process identifier obtained from the pre-loaded first configuration file on
the first node;
and comparing the at least one first process identifier from the first process
identification
packet with a further at least one process identifier assigned to the first
node, the further
at least one process identifier obtained from the pre-loaded second
configuration file on
the second node, processor, or computing device.
[00528] J. In certain embodiments, for example, the authorizing may comprise:
transmitting a second process identification packet from the second node to
the first
node, the second process identification packet comprising a payload having at
least one
second process identifier assigned to the second process, the at least one
second
process identifier comprising one or more of a second application code, second
process
owner code, and second data type code, the at least one second process
identifier
assigned to the second node, the second process identifier obtained from the
pre-loaded
second configuration file on the first node; and comparing the at least one
second
process identifier from the second process identification packet with an
additional at least
one process identifier assigned to the second node, the additional at least
one process
213
CA 03077203 2020-03-26
WO 2019/071126 PCT/US2018/054609
identifier obtained from the pre-loaded first configuration file on the second
node,
processor, or computing device.
[00529] K. In certain embodiments, for example, the method may further
comprise:
executing operating system commands to identify a process requesting the data
transfer,
followed by verifying that the requesting process is the first process.
[00530] Certain embodiments may provide, for example, a method for
communication
between a first node and a second node, comprising: i) pre-loading a first
configuration
file on the first node and a second configuration file on the second node; ii)
forming an
encrypted communication pathway; and iii) authorizing the encrypted
communication
pathway to transfer data between a first process running on the first node and
a second
process running on the second node, comprising: a) transmitting a first node
identification packet from the first node to the second node, the first node
identification
packet comprising a payload having a first node identifier assigned to the
first node, the
first node identifier obtained from the pre-loaded first configuration file on
the first node;
and b) comparing the first node identifier from the first node identification
packet with a
further node identifier assigned to the first node, the further node
identifier obtained from
the pre-loaded second configuration file on the second node, processor, or
computing
device.
[00531] Certain embodiments may provide, for example, a method for authorized
network communication. In certain embodiments, for example, the method may
comprise: establishing a communication pathway between a first processor node
and a
second processor node, processor, or computing device. In certain embodiments,
for
example, the method may comprise comparing a second node identification code
obtained from a second node identification packet against a second node
expected
value. In certain embodiments, for example, the method may comprise further
comparing a first node identification code obtained from a first node
identification packet
against a first node expected value. In certain embodiments, for example, the
method
may comprise transmitting, after the comparing and further comparing,
application data
via the communication pathway.
[00532] A. In certain embodiments, for example, the first processor node may
execute the comparing. In certain embodiments, for example, the second
processor
node may execute the further comparing. In certain embodiments, for example,
the
comparing and further comparing may follow the establishing. In certain
embodiments,
for example, the transmitting may be executed only after the comparing and
further
comparing.
214
CA 03077203 2020-03-26
WO 2019/071126 PCT/US2018/054609
[00533] B. In certain embodiments, for example, the communication pathway may
be
encrypted. In certain embodiments, for example, the first node identification
code may
be encrypted in the first node identification packet with a first single-use
encryption key;
and/or the second node identification code is encrypted in the second node
identification
packet with a second single-use encryption key.
[00534] C. In certain embodiments, for example, the first node identification
code
and/or the second node identification code may be nonpublic. In certain
embodiments,
for example, the first node identification code and/or the second node
identification code
may be a shared secret. In certain embodiments, for example, the second node
expected value may be pre-provisioned on the first processor node; and/or the
first node
expected value may be pre-provisioned on the second processor node, processor,
or
computing device.
[00535] D. In certain embodiments, for example, the first node identification
packet
may comprise a higher-than-OSI layer three header, the a higher-than-OSI layer
three
header comprising a packet type indicator, the packet type indicator
interpretable by
network security software to alert the network security software to expect the
first node
identification code. In certain embodiments, for example, the second node
identification
packet may comprise a higher-than-OSI layer three header, the a higher-than-
OSI layer
three header comprising a packet type indicator, the packet type indicator
interpretable
by network security software to alert the network security software to expect
the second
node identification code.
[00536] E. In certain embodiments, for example, the first node identification
packet
and the second node identification packet may be received via the
communication
pathway. In certain embodiments, for example, the first node identification
packet and
the second node identification packet may be received via the network. In
certain
embodiments, for example, the first node identification packet and the second
node
identification packet may not be received via the communication pathway.
[00537] Certain embodiments may provide, for example, a method for authorized
network communication. In certain embodiments, for example, the method may
comprise: i) establishing a communication pathway between a first processor
node and a
second processor node; ii) comparing a second node identification code
obtained from a
second node identification packet against a second node expected value; iii)
further
comparing a first node identification code obtained from a first node
identification packet
against a first node expected value; and iv) transmitting, after the comparing
and further
comparing, application data via the communication pathway.
215
CA 03077203 2020-03-26
WO 2019/071126 PCT/US2018/054609
[00538] Certain embodiments may provide, for example, a product for managing
communications of a plurality of networked computing devices. In certain
embodiments,
for example, the product may comprise a non-transitory computer-readable
storage
medium having computer-readable program code embodied therein. In certain
embodiments, for example, the computer-readable program code may be executable
(or
program code compilable, linkable, and/or loadable to be executable) by a
computing
device (for example a computing device executing an operating system (for
example a
Linux operating system, a Linux-based operating system, a real time operating
system, a
mini-operating system, an edge device operating system, and/or an open source
operating system)) to enable and/or cause the computing device to perform
communication management operations. In certain embodiments, for example, the
communication management operations may comprise: forming a communication
pathway between a source computing device and a destination computing device,
comprising: comparing a destination computing device nonpublic identification
code
obtained from the destination computing device with a destination computing
device pre-
established value. In certain embodiments, for example, the destination
computing
device pre-established value may be preprovisioned on the source computing
device.
[00539] Certain embodiments may provide, for example, a product for managing
communications of a plurality of networked computing devices, the product
comprising a
non-transitory computer-readable storage medium having computer-readable
program
code embodied therein, the computer-readable program code executable (or
compilable,
linkable, and/or loadable to be executable) by a computing device (for example
a
computing device executing an operating system (for example a Linux operating
system,
a Linux-based operating system, a real time operating system, a mini-operating
system,
an edge device operating system, and/or an open source operating system)) to
enable
and/or cause the computing device to perform communication management
operations,
the communication management operations comprising: forming a communication
pathway between a source computing device and a destination computing device,
comprising: comparing a destination computing device nonpublic identification
code
obtained from the destination computing device with a destination computing
device pre-
established value.
[00540] Certain embodiments may provide, for example, a product for managing
communications of a plurality of networked computing devices. In certain
embodiments,
for example, the product may comprise a non-transitory computer-readable
storage
medium having computer-readable program code embodied therein. In certain
embodiments, for example, the computer-readable program code may be executable
(or
216
CA 03077203 2020-03-26
WO 2019/071126 PCT/US2018/054609
program code compilable, linkable, and/or loadable to be executable) by a
computing
device (for example a computing device executing an operating system (for
example a
Linux operating system, a Linux-based operating system, a real time operating
system, a
mini-operating system, an edge device operating system, and/or an open source
operating system)) to enable and/or cause the computing device to perform
communication management operations. In certain embodiments, for example, the
communication management operations may comprise: forming a communication
pathway between a source computing device and a destination computing device.
In
certain embodiments, for example, the forming a communication pathway may
comprise
comparing a destination computing device nonpublic identification code
obtained from
the destination computing device via the network with a destination computing
device
pre-established value. In certain embodiments, for example, the forming a
communication pathway may comprise further comparing a source computing device
nonpublic identification code obtained from the source computing device via
the network
to a source computing device pre-established value.
[00541] A. In certain embodiments, for example, the comparing and the further
comparing may be performed independently. In certain embodiments, for example,
the
comparing and the further comparing may be performed sequentially. In certain
embodiments, for example, the further comparing may not be performed until
after the
comparing is performed. In certain embodiments, for example, the comparing may
not
be performed until after the further comparing is performed. In certain
embodiments, for
example, the comparing and the further comparing may be performed
asynchronously.
In certain embodiments, for example, the comparing and the further comparing
may be
performed in a predetermined sequence.
[00542] Certain embodiments may provide, for example, a product for managing
communications of a plurality of networked computing devices, the product
comprising a
non-transitory computer-readable storage medium having computer-readable
program
code embodied therein, the computer-readable program code executable (or
compilable,
linkable, and/or loadable to be executable) by a computing device (for example
a
computing device executing an operating system (for example a Linux operating
system,
a Linux-based operating system, a real time operating system, a mini-operating
system,
an edge device operating system, and/or an open source operating system)) to
enable
and/or cause the computing device to perform communication management
operations,
the communication management operations comprising: forming a communication
pathway between a source computing device and a destination computing device,
comprising: a) comparing a destination computing device nonpublic
identification code
217
CA 03077203 2020-03-26
WO 2019/071126 PCT/US2018/054609
obtained from the destination computing device via the network with a
destination
computing device pre-established value; and b) comparing a source computing
device
nonpublic identification code obtained from the source computing device via
the network
to a source computing device pre-established value.
[00543] Certain embodiments may provide, for example, a product for managing
communications of a plurality of networked computing devices. In certain
embodiments,
for example, the product may comprise a non-transitory computer-readable
storage
medium having computer-readable program code embodied therein. In certain
embodiments, for example, the computer-readable program code may be executable
(or
program code compilable, linkable, and/or loadable to be executable) by a
computing
device (for example a computing device executing an operating system (for
example a
Linux operating system, a Linux-based operating system, a real time operating
system, a
mini-operating system, an edge device operating system, and/or an open source
operating system)) to enable and/or cause the computing device to perform
communication management operations. In certain embodiments, for example, the
communication management operations may comprise: forming a communication
pathway between a source computing device and a destination computing device.
In
certain embodiments, for example, the forming a communication pathway may
comprise
comparing a destination computing device nonpublic identification code
obtained from
the destination computing device via the network with a destination computing
device
pre-established value. In certain embodiments, for example, the forming a
communication pathway may comprise further comparing a source computing device
nonpublic identification code obtained from the source computing device via
the network
to a source computing device pre-established value. In certain embodiments,
for
example, the forming a communication pathway may comprise additionally
comparing
user-application identifiers and a payload data-type identifiers exchanged
between the
source and destination computing devices with predefined authorization codes.
[00544] A. In certain embodiments, for example, the comparing, further
comparing,
and additionally comparing may be performed independently. In certain
embodiments,
for example, the comparing, further comparing, and additionally comparing may
be
performed sequentially. In certain embodiments, for example, the further
comparing may
not be performed until after the comparing is performed. In certain
embodiments, for
example, the comparing may not be performed until after the further comparing
is
performed, and the additionally comparing may not be performed until after the
further
comparing is performed. In certain embodiments, for example, the comparing,
further
comparing, and additionally comparing may be performed asynchronously. In
certain
218
CA 03077203 2020-03-26
WO 2019/071126 PCT/US2018/054609
embodiments, for example, the comparing, further comparing, and additionally
comparing may be performed in a predetermined sequence.
[00545] Certain embodiments may provide, for example, a product for managing
communications of a plurality of networked computing devices, the product
comprising a
non-transitory computer-readable storage medium having computer-readable
program
code embodied therein, the computer-readable program code executable (or
compilable,
linkable, and/or loadable to be executable) by a computing device (for example
a
computing device executing an operating system (for example a Linux operating
system,
a Linux-based operating system, a real time operating system, a mini-operating
system,
an edge device operating system, and/or an open source operating system)) to
enable
and/or cause the computing device to perform communication management
operations,
the communication management operations comprising: forming a communication
pathway between a source computing device and a destination computing device,
comprising: a) comparing a destination computing device nonpublic
identification code
obtained from the destination computing device via the network with a
destination
computing device pre-established value; b) comparing a source computing device
nonpublic identification code obtained from the source computing device via
the network
to a source computing device pre-established value; and c) comparing user-
application
identifiers and a payload data-type identifiers exchanged between the source
and
destination computing devices with predefined authorization codes.
[00546] Certain embodiments may provide, for example, a product for managing
communications of a plurality of networked computing devices. In certain
embodiments,
for example, the product may comprise a non-transitory computer-readable
storage
medium having computer-readable program code embodied therein. In certain
embodiments, for example, the computer-readable program code may be executable
(or
program code compilable, linkable, and/or loadable to be executable) by a
computing
device (for example a computing device executing an operating system (for
example a
Linux operating system, a Linux-based operating system, a real time operating
system, a
mini-operating system, an edge device operating system, and/or an open source
operating system)) to enable and/or cause the computing device to perform
communication management operations. In certain embodiments, for example, the
communication management operations may comprise: forming a communication
pathway between a source computing device and a destination computing device.
In
certain embodiments, for example, the forming a communication pathway may
comprise
comparing, on the source computing device, a destination computing device
nonpublic
219
CA 03077203 2020-03-26
WO 2019/071126 PCT/US2018/054609
identification code obtained via the network with a destination computing
device pre-
established value.
[00547] A. In certain embodiments, for example, the destination computing
device
nonpublic identification code may be provided by the destination computing
device. In
certain embodiments, for example, the destination computing device nonpublic
identification code may not be provided by the destination computing device.
In certain
embodiments, for example, the destination computing device nonpublic
identification
code may be provided by a node, the node different from the destination
computing
device.
[00548] Certain embodiments may provide, for example, a product for managing
communications of a plurality of networked computing devices, the product
comprising a
non-transitory computer-readable storage medium having computer-readable
program
code embodied therein, the computer-readable program code executable (or
compilable,
linkable, and/or loadable to be executable) by a computing device (for example
a
computing device executing an operating system (for example a Linux operating
system,
a Linux-based operating system, a real time operating system, a mini-operating
system,
an edge device operating system, and/or an open source operating system)) to
enable
and/or cause the computing device to perform communication management
operations,
the communication management operations comprising: forming a communication
pathway between a source computing device and a destination computing device,
comprising: comparing, on the source computing device, a destination computing
device
nonpublic identification code obtained via the network with a destination
computing
device pre-established value.
[00549] Certain embodiments may provide, for example, a product for managing
communications of a plurality of networked computing devices. In certain
embodiments,
for example, the product may comprise a non-transitory computer-readable
storage
medium having computer-readable program code embodied therein. In certain
embodiments, for example, the computer-readable program code may be executable
(or
program code compilable, linkable, and/or loadable to be executable) by a
computing
device (for example a computing device executing an operating system (for
example a
Linux operating system, a Linux-based operating system, a real time operating
system, a
mini-operating system, an edge device operating system, and/or an open source
operating system)) to enable and/or cause the computing device to perform
communication management operations. In certain embodiments, for example, the
communication management operations may comprise: forming a communication
pathway between a source computing device and a destination computing device.
In
220
CA 03077203 2020-03-26
WO 2019/071126 PCT/US2018/054609
certain embodiments, for example, the forming a communication pathway may
comprise
comparing, on the source computing device, a destination computing device
nonpublic
identification code obtained from the destination computing device with a
destination
computing device pre-established value. In certain embodiments, for example,
the
forming a communication pathway may comprise comparing, on the destination
computing device, a source computing device nonpublic identification code
obtained
from the source computing device to a source computing device pre-established
value.
[00550] Certain embodiments may provide, for example, a product for managing
communications of a plurality of networked computing devices, the product
comprising a
non-transitory computer-readable storage medium having computer-readable
program
code embodied therein, the computer-readable program code executable (or
compilable,
linkable, and/or loadable to be executable) by a computing device (for example
a
computing device executing an operating system (for example a Linux operating
system,
a Linux-based operating system, a real time operating system, a mini-operating
system,
an edge device operating system, and/or an open source operating system)) to
enable
and/or cause the computing device to perform communication management
operations,
the communication management operations comprising: forming a communication
pathway between a source computing device and a destination computing device,
comprising: a) comparing, on the source computing device, a destination
computing
device nonpublic identification code obtained from the destination computing
device with
a destination computing device pre-established value; and b) comparing, on the
destination computing device, a source computing device nonpublic
identification code
obtained from the source computing device to a source computing device pre-
established value.
[00551] Certain embodiments may provide, for example, a product for managing
communications of a plurality of networked computing devices. In certain
embodiments,
for example, the product may comprise a non-transitory computer-readable
storage
medium having computer-readable program code embodied therein. In certain
embodiments, for example, the computer-readable program code may be executable
(or
program code compilable, linkable, and/or loadable to be executable) by a
computing
device (for example a computing device executing an operating system (for
example a
Linux operating system, a Linux-based operating system, a real time operating
system, a
mini-operating system, an edge device operating system, and/or an open source
operating system)) to enable and/or cause the computing device to perform
communication management operations. In certain embodiments, for example, the
communication management operations may comprise: forming a communication
221
CA 03077203 2020-03-26
WO 2019/071126 PCT/US2018/054609
pathway between a source computing device and a destination computing device.
In
certain embodiments, for example, the forming a communication pathway may
comprise
comparing, at the source computing device, a destination computing device
nonpublic
identification code obtained from a destination node packet with a destination
node pre-
established value.
[00552] Certain embodiments may provide, for example, a product for managing
communications of a plurality of networked computing devices, the product
comprising a
non-transitory computer-readable storage medium having computer-readable
program
code embodied therein, the computer-readable program code executable (or
compilable,
linkable, and/or loadable to be executable) by a computing device (for example
a
computing device executing an operating system (for example a Linux operating
system,
a Linux-based operating system, a real time operating system, a mini-operating
system,
an edge device operating system, and/or an open source operating system)) to
enable
and/or cause the computing device to perform communication management
operations,
the communication management operations comprising: forming a communication
pathway between a source computing device and a destination computing device,
comprising: comparing, at the source computing device, a destination computing
device
nonpublic identification code obtained from a destination node packet with a
destination
node pre-established value.
[00553] Certain embodiments may provide, for example, a product for managing
communications of a plurality of networked computing devices. In certain
embodiments,
for example, the product may comprise a non-transitory computer-readable
storage
medium having computer-readable program code embodied therein. In certain
embodiments, for example, the computer-readable program code may be executable
(or
program code compilable, linkable, and/or loadable to be executable) by a
computing
device (for example a computing device executing an operating system (for
example a
Linux operating system, a Linux-based operating system, a real time operating
system, a
mini-operating system, an edge device operating system, and/or an open source
operating system)) to enable and/or cause the computing device to perform
communication management operations. In certain embodiments, for example, the
communication management operations may comprise: establishing authorized
communication pathways for port-to-port network communications among the
plurality of
computing devices. In certain embodiments, for example, the establishing
authorized
communication pathways may comprise intercepting a network connection request
from
a source port, the request having an associated destination port number. In
certain
embodiments, for example, the establishing authorized communication pathways
may
222
CA 03077203 2020-03-26
WO 2019/071126 PCT/US2018/054609
comprise verifying that the source port is authorized to communicate with a
destination
port having the associated destination port number. In certain embodiments,
for
example, the establishing authorized communication pathways may comprise
authorizing a communication pathway between a source computing device hosting
the
source port and a destination computing device hosting the destination port
prior to any
transmission of application data between the source computing device and the
destination computing device via the communication pathway. In certain
embodiments,
for example, the authorizing may comprise comparing, on the source computing
device,
a destination computing device nonpublic identification code to a destination
computing
device expected value, the destination computing device nonpublic
identification code
obtained from a destination computing device identification packet. In certain
embodiments, for example, the authorizing may comprise further comparing, on
the
destination computing device, a source computing device nonpublic
identification code to
a source computing device expected value, the source computing device
nonpublic
identification code obtained from a source computing device identification
packet.
[00554] A. In certain embodiments, for example, the destination computing
device
identification packet and/or the source computing device identification packet
may be
received via the network. In certain embodiments, for example, the destination
computing device identification packet and/or the source computing device
identification
packet may be received via the communication pathway.
[00555] B. In certain embodiments, for example, the destination computing
device
expected value may be pre-provisioned on the source computing device. In
certain
embodiments, for example, the source computing device expected value may be
pre-
provisioned on the destination computing device.
[00556] C. In certain embodiments, for example, the comparing and/or the
further
comparing may be enabled by a kernel of the computing device. In certain
embodiments, for example, the computer-readable program code may be executable
(or
compilable, linkable, and/or loadable to be executable) by a computing device
executing
an operating system (for example a Linux operating system, a Linux-based
operating
system, a real time operating system, a mini-operating system, an edge device
operating
system, and/or an open source operating system).
[00557] D. In certain embodiments, for example, the communication management
operations may comprise: inserting the source computing device nonpublic
identification
code into a higher-than-OSI layer three portion of the source computing device
identification packet. In certain embodiments, for example, the communication
management operations may comprise: inserting the source computing device
nonpublic
223
CA 03077203 2020-03-26
WO 2019/071126 PCT/US2018/054609
identification code into a higher-than-OSI layer four portion of the source
computing
device identification packet. In certain embodiments, for example, the
communication
management operations may comprise: inserting the source computing device
nonpublic
identification code into a payload portion of the source computing device
identification
packet. In certain embodiments, for example, the communication management
operations may comprise: inserting the destination computing device nonpublic
identification code into a higher-than-OSI layer three portion of the
destination computing
device identification packet. In certain embodiments, for example, the
communication
management operations may comprise: inserting the destination computing device
nonpublic identification code into a higher-than-OSI layer four portion of the
destination
computing device identification packet. In certain embodiments, for example,
the
communication management operations may comprise: inserting the destination
computing device nonpublic identification code into a payload portion of the
destination
computing device identification packet.
[00558] E. In certain embodiments, for example, the communication management
operations may comprise: encrypting the source computing device nonpublic
identification code and inserting the encrypted source computing device
nonpublic
identification code into the source computing device identification packet. In
certain
embodiments, for example, the source computing device nonpublic identification
code
may be encrypted with a single-use cryptographic key. In certain embodiments,
for
example, the communication management operations may comprise: encrypting the
destination computing device nonpublic identification code and inserting the
encrypted
destination computing device nonpublic identification code into the
destination computing
device identification packet. In certain embodiments, for example, the
destination
computing device nonpublic identification code is encrypted with a single-use
cryptographic key.
[00559] F. In certain embodiments, for example, the communication pathway
between the source computing device and the destination computing device may
be
established prior to the authorizing.
[00560] G. In certain embodiments, for example, the communication management
operations may comprise: requesting negotiation of the communication pathway,
the
requesting comprising sending a connection request packet comprising the
associated
destination port number.
[00561] H. In certain embodiments, for example, the communication management
operations may comprise: establishing authorized encrypted communication
pathways
224
CA 03077203 2020-03-26
WO 2019/071126 PCT/US2018/054609
for all port-to-port network communications among the plurality of networked
processor
nodes.
[00562] I. In certain embodiments, for example, the communication management
operations may comprise: comparing user-application identifiers and a payload
data-type
identifiers exchanged between the source and destination computing devices
with
predefined authorization codes.
[00563] J. In certain embodiments, for example, the comparing and the further
comparing may be performed independently. In certain embodiments, for example,
the
comparing and the further comparing may be performed sequentially. In certain
embodiments, for example, the further comparing may not be performed until
after the
comparing is performed. In certain embodiments, for example, the comparing may
not
be performed until after the further comparing is performed. In certain
embodiments, for
example, the comparing and the further comparing may be performed
asynchronously.
In certain embodiments, for example, the comparing and the further comparing
may be
performed in a predetermined sequence.
[00564] Certain embodiments may provide, for example, a product for managing
communications of a plurality of networked computing devices, the product
comprising a
non-transitory computer-readable storage medium having computer-readable
program
code embodied therein, the computer-readable program code executable (or
compilable,
linkable, and/or loadable to be executable) by a computing device (for example
a
computing device executing an operating system (for example a Linux operating
system,
a Linux-based operating system, a real time operating system, a mini-operating
system,
an edge device operating system, and/or an open source operating system)) to
enable
and/or cause the computing device to perform communication management
operations,
the communication management operations comprising: establishing authorized
communication pathways for port-to-port network communications among the
plurality of
computing devices, comprising: i) intercepting, via a network, a network
connection
request from a source port, the request having an associated destination port
number; ii)
verifying that the source port is authorized to communicate with a destination
port having
the associated destination port number; and iii) authorizing a communication
pathway
between a source computing device hosting the source port and a destination
computing
device hosting the destination port prior to any transmission of application
data between
the source computing device and the destination computing device via the
communication pathway, comprising: a) comparing, on the source computing
device, a
destination computing device nonpublic identification code to a destination
computing
device expected value, the destination computing device nonpublic
identification code
225
CA 03077203 2020-03-26
WO 2019/071126 PCT/US2018/054609
obtained from a destination computing device identification packet; and b)
further
comparing, on the destination computing device, a source computing device
nonpublic
identification code to a source computing device expected value, the source
computing
device nonpublic identification code obtained from a source computing device
identification packet.
[00565] Certain embodiments may provide, for example, a method for secure
communication between applications on two nodes. In certain embodiments, for
example, the method may comprise intercepting, at a first node, a network
connection
request from a resident first user-application to send data to a destination
port on a
second node, processor, or computing device. In certain embodiments, for
example, the
method may comprise consulting a first local policy on the first node to
verify that the first
user-application is authorized to send data to the destination port. In
certain
embodiments, for example, the method may comprise verifying, at the second
node, that
the connection request is authorized by the first local policy for the
destination port.
[00566] A. In certain embodiments, for example, the method may further
comprise
transmitting an encrypted identifier for the first local policy from the first
node to the
second node, processor, or computing device.
[00567] B. In certain embodiments, for example, the verifying may comprise
consulting the first local policy and a second local policy, the second local
policy
consulted to verify that a second user application is authorized to receive
the data at the
destination port. In certain embodiments, for example, the first local policy
may comprise
an n-tuple filter. In certain embodiments, for example, the first local policy
may comprise
a port-to-port mapping of authorized connection between the first node and the
second
node, processor, or computing device. In certain embodiments, for example, the
authorized port-to-port mapping may comprise an authorized first user-
application
identifier, an identifier for a second user application authorized to receive
the data at the
destination port authorized, and a data type identifier.
[00568] Certain embodiments may provide, for example, a method for secure
communication between applications on two nodes, comprising: i) intercepting,
at a first
node, a network connection request from a resident first user-application to
send data to
a destination port on a second node; ii) consulting a first local policy on
the first node to
verify that the first user-application is authorized to send data to the
destination port; and
iii) verifying, at the second node, that the connection request is authorized
by the first
local policy for the destination port.
[00569] Certain embodiments may provide, for example, a product for managing
communications of a plurality of networked computing devices. In certain
embodiments,
226
CA 03077203 2020-03-26
WO 2019/071126 PCT/US2018/054609
for example, the product may comprise a non-transitory computer-readable
storage
medium having computer-readable program code embodied therein. In certain
embodiments, for example, the computer-readable program code may be executable
(or
compilable, linkable, and/or loadable to be executable) by a computing device
(for
example a computing device executing an operating system (for example a Linux
operating system, a Linux-based operating system, a real time operating
system, a mini-
operating system, an edge device operating system, and/or an open source
operating
system)) to enable and/or cause the computing device to perform communication
management operations. In certain embodiments, for example, the communication
management operations may comprise performing communication processing
functions
on all port-to-network communications of the plurality of processor nodes. In
certain
embodiments, for example, the communication processing functions may comprise
receiving data packets from a user-application source port, the data packets
having
payloads and associated destination port numbers. In certain embodiments, for
example, the communication processing functions may comprise assembling packet
segments for all received data packets from the user-application, the packet
segments
comprising one of the payloads, an associated user-application identifier, and
a payload
data type descriptor.
[00570] A. In certain embodiments, for example, the communication processing
functions may comprise verifying that the source ports are authorized to
communicate
with ports having the associated destination port numbers.
[00571] B. In certain embodiments, for example, the communication processing
functions may comprise requesting transmission of network packets to the
network, each
one of the network packets comprising a port number of one of the associated
destination port numbers and one of the assembled packet segments.
[00572] C. In certain embodiments, for example, the communication processing
functions may comprise requesting transmission of network packets to the
network
through encrypted communication pathways.
[00573] D. In certain embodiments, for example, each one of the encrypted
communication pathways may have a one-to-one correspondence with one of the
associated destination port numbers.
[00574] E. In certain embodiments, for example, the receiving may occur in a
kernel
of the computing device.
[00575] Certain embodiments may provide, for example, a product for managing
communications of a plurality of networked computing devices, the product
comprising a
non-transitory computer-readable storage medium having computer-readable
program
227
CA 03077203 2020-03-26
WO 2019/071126 PCT/US2018/054609
code embodied therein, the computer-readable program code executable (or
compilable,
linkable, and/or loadable to be executable) by a computing device (for example
a
computing device executing an operating system (for example a Linux operating
system,
a Linux-based operating system, a real time operating system, a mini-operating
system,
an edge device operating system, and/or an open source operating system)) to
enable
and/or cause the computing device to perform communication management
operations,
the communication management operations comprising: performing communication
processing functions on all port-to-network communications of the plurality of
processor
nodes, the performing communication processing functions comprising: i)
receiving data
packets from a user-application source port, the data packets having payloads
and
associated destination port numbers; and ii) assembling packet segments for
all received
data packets from the user-application, the packet segments comprising one of
the
payloads, an associated user-application identifier, and a payload data type
descriptor.
[00576] Certain embodiments may provide, for example, a distributed method to
manage communications between plural nodes coupled to a network. In certain
embodiments, for example, the distributed method may comprise authorizing port-
to-port
connections, comprising: obtaining port numbers, node identifiers, user-
application
identifiers, and payload data type descriptors from pre-provisioned
configuration files
present on at least two computing devices of the plural computing devices. In
certain
embodiments, for example, the distributed method may comprise restricting
network
communications to and from at least one of the at least two computing devices
to the
authorized port-to-port connections.
[00577] Certain embodiments may provide, for example, a distributed method to
manage communications between plural nodes coupled to a network, comprising:
i)
authorizing port-to-port connections, comprising: obtaining port numbers, node
identifiers, user-application identifiers, and payload data type descriptors
from pre-
provisioned configuration files present on at least two computing devices of
the plural
computing devices; and ii) restricting network communications to and from at
least one of
the at least two computing devices to the authorized port-to-port connections.
[00578] Certain embodiments may provide, for example, a method for secure
network
communication, comprising: i) selecting, from a preconfigured, exclusive list
of
authorized data pathways, a dedicated data pathway extending from a source
port on a
first node to a destination port on a second node, the selected data pathway
characterized by a tunnel port number exclusive to the destination port; ii)
instantiating a
network tunnel extending from the first node to a tunnel port present on the
second node,
the tunnel port having the selected tunnel port number; iii) prior to
transmitting any data
228
CA 03077203 2020-03-26
WO 2019/071126 PCT/US2018/054609
from the source port to the destination port: verifying, at the first node,
that a first n-tuple
received from the network tunnel matches an expected value based on the tunnel
port
number, the first n-tuple comprising: a nonpublic device code for the second
node, a
user associated with the destination port, an application associated with the
destination
port, and a data protocol descriptor; and iv) prior to passing a network
packet to the
destination port: verifying, at the second node, that an second n-tuple
obtained from the
network packet matches an expected value based on the tunnel port number, the
second
n-tuple comprising: a user associated with the source port, an application
associated
with the source port, and the data protocol descriptor.
[00579] Certain embodiments may provide, for example, a method for secure
network
communication, comprising: i) selecting, from a preconfigured, exclusive list
of
authorized data pathways, a dedicated data pathway extending from a source
port on a
first node to a destination port on a second node; ii) instantiating a network
tunnel for
exclusive use by the dedicated data path, the network tunnel extending from
the first
node to the second node; iii) prior to transmitting any data through the
network tunnel,
verifying that the first node, the second node, a user associated with the
source port, an
application associated with the source port, a user associated with the
destination port,
an application associated with the destination port, and a data protocol of
the data match
parameters of the dedicated data path; followed by iv) prior to passing a
network packet
to the destination port: verifying, at the second node, that the user
associated with the
source port, the application associated with the source port, and the data
protocol
descriptor match parameters of the dedicated data pathway.
[00580] Certain embodiments may provide, for example, a method of securely
transmitting data, comprising: i) prior to transmitting data packets via a
dedicated data
pathway extending from a source port on a first node to a destination port on
a second
node, receiving a series of codes at the first node via the dedicated data
path; ii)
verifying that the received codes include expected codes for the data path,
the expected
codes associated with the second node, a specified data type, and an owner of
the
destination port; iii) verifying that the data packets contain expected codes
associated
with the specified data type and an owner of the source port; followed by iv)
passing the
data packets to the destination port.
[00581] Certain embodiments may provide, for example, a method of securely
transmitting data, comprising: i) establishing a dedicated data pathway
between a source
port on a first node and a destination port on a second node, the destination
port
associated with an executing user-application configured to receive a
specified data
type; ii) receiving a series of codes at the first node via the dedicated data
path; iii)
229
CA 03077203 2020-03-26
WO 2019/071126 PCT/US2018/054609
verifying that the received series of codes include expected codes associated
with the
second node, the specified data type, and the user-application; followed by
iv)
transmitting data packets via the dedicated data pathway to the second node;
v) further
verifying that the transmitted data packets contain expected codes associated
with the
specified data type and an owner of the source port; followed by vi) passing
the
transmitted data packets to the destination port. In certain embodiments, for
example,
the transmitted data packets may be exclusive of the destination port number.
[00582] Certain embodiments may provide, for example, a method of securely
transmitting data, comprising: i) assembling data packets at a first node,
each one of the
data packets comprising: a) plural identifiers encoded in metadata; and b)
payload
obtained from a user-application executing on the source node; ii) passing the
assembled data packets to a second node via a dedicated data pathway, the data
pathway comprising a source port associated with the user-application; iii)
verifying that
the metadata identifies a data type and a user-application expected based on a
destination port associated with the destination address of the data packets;
followed by
iv) passing the data packets to the destination port. In certain embodiments,
for
example, the assembled data packets passed to the second node may be exclusive
of
the destination port number.
[00583] Certain embodiments may provide, for example, a method for secure
communication. In certain embodiments, for example, the method may comprise
receiving a first network packet from a first user-application, the first
network packet
comprising a destination port number and a payload. In certain embodiments,
for
example, the method may comprise forming a second network packet comprising
the
payload, the second network packet not comprising the destination port number.
In
certain embodiments, for example, the method may comprise transmitting the
second
network packet via a machine-to-machine network. In certain embodiments, for
example, the method may comprise processing the transmitted second network
packet
to form a third packet comprising the destination port number and the payload.
In certain
embodiments, for example, the method may comprise transmitting the payload to
a
second user-application, the second user-application having a destination port
assigned
thereto, the destination port number assigned to the destination port.
[00584] Certain embodiments may provide, for example, a method for secure
communication, comprising: i) receiving a first network packet from a first
user-
application, the first network packet comprising a destination port number and
a payload;
ii) forming a second network packet comprising the payload, the second network
packet
not comprising the destination port number; iii) transmitting the second
network packet
230
CA 03077203 2020-03-26
WO 2019/071126 PCT/US2018/054609
via a machine-to-machine network; and iv) processing the transmitted second
network
packet to form a third packet comprising the destination port number and the
payload.
[00585] Certain embodiments of the presently disclosed methods, systems,
products,
communication management operations, software, middleware, computing
infrastructure
and/or apparatus may provide, for example, improvements to existing computing
technology for packet-based network communications. Internet protocols allow
open
access for computer users to remotely access other computers and information
stores
easily from any access point, resulting in many points of attack for malware.
While
security layers have been added on top of this core architecture, modern
malware
exploits gaps in these layers through flaws in software and imperfect trust
relationships
between communicating devices. The improvements of the present disclosure
include
the following embodiments.
[00586] Certain embodiments may provide, for example, a method for network
communication between a first computing device and a second computing device
and
comprising establishing a communication pathway between a first software port
of the
first computing device and a second software port of the second computing
device
according to UDP or TCP, the improvement comprising: i) sending a nonpublic
first
identification code for the first computing device to the second software port
via the
established communication pathway; ii) receiving, in response to the sending,
a
nonpublic second identification code for the second computing device at the
first
software port; and iii) comparing the nonpublic second identification code
with a pre-
established value for the second computing device.
[00587] Certain embodiments may provide, for example, a method for network
communication comprising establishing communication pathways according to UDP
or
TCP, the improvement comprising: i) intercepting network connection requests
having
associated destination port numbers; ii) identifying predefined communication
port
numbers, comprising identifying at least one predefined communication port
number for
each associated destination port number of the associated destination port
numbers; iii)
sending UDP or TCP connection request packets comprising the predefined
communication port numbers, each one of the communication pathways having a
one-to-
one correspondence with one of the predefined communication port numbers; and
iv)
authorizing the communication pathways, comprising comparing computing device
identifiers, user-application identifiers, and payload data-type identifiers
received the
communication pathways with predefined authorization codes.
[00588] Certain embodiments may provide, for example, a method for network
communication comprising establishing communication pathways according to UDP
or
231
CA 03077203 2020-03-26
WO 2019/071126 PCT/US2018/054609
TOP, the improvement comprising: i) intercepting network connection requests
from
source ports, the requests having associated destination port numbers; ii)
verifying that
the source ports are authorized to communicate with ports having the
associated
destination port numbers; iii) sending a UDP or TOP connection request packets
comprising the associated destination port numbers; and iv) authorizing the
communication pathways, comprising comparing computing device identifiers,
user-
application identifiers, and payload data-type identifiers received from the
communication
pathways with predefined authorization codes.
[00589] Certain embodiments may provide, for example, a method for network
communication comprising transmitting UDP or TOP network packets through
communication pathways, the improvement comprising: i) receiving data packets
having
payloads and associated destination port numbers; ii) identifying predefined
port
numbers, each one of the predefined port numbers having a one-to-one
correspondence
with one of the associated destination port numbers; iii) assembling packet
segments,
each one of the packet segments comprising one of the payloads, an associated
user-
application identifier, and a payload data type descriptor; and iv) requesting
transmission
of UDP or TOP network packets through the communication pathways, each one of
the
network packets comprising a port number of one of the predefined port numbers
and
one of the assembled packet segments, each one of the communication pathways
having a one-to-one correspondence with one of the predefined port numbers.
[00590] Certain embodiments may provide, for example, a method for network
communication comprising receiving UDP or TOP network packets from
communication
pathways, the improvement comprising: i) obtaining destination port numbers,
metadata,
and payloads associated with UDP or TOP network packets; ii) identifying
predefined
authorization codes associated with the destination port numbers, each one of
the
predefined authorization codes comprising a predefined user-application
identifier and a
predefined payload data-type identifier associated with one of the destination
port
numbers; iii) authorizing the network packets, comprising: comparing at least
a portion of
the metadata with the predefined authorization codes; and iv) requesting
transmission of
payloads from the authorized network packets to destinations referenced by the
destination port numbers.
[00591] Certain embodiments may provide, for example, a method for network
communication between a first computing device and a second computing device
and
comprising establishing a communication pathway between a first software port
of the
first computing device and a second software port of the second computing
device
according to UDP or TOP, the improvement comprising: one or more of the
methods,
232
CA 03077203 2020-03-26
WO 2019/071126 PCT/US2018/054609
systems, products, communication management operations, software, middleware,
computing infrastructure and/or apparatus of any of the embodiments disclosed
herein.
[00592] Certain embodiments, for example, may comprise a product for securing
communications of a plurality of networked computing devices. In certain
embodiments,
for example, the product may comprise a non-transitory computer-readable
storage
medium having computer-readable program code embodied therein. In certain
embodiments, for example, the computer-readable program code may be executable
(or
program code compilable, linkable, and/or loadable to be executable) by a
first
computing device (for example a computing device executing an operating system
(for
example a Linux operating system, a Linux-based operating system, a real time
operating system, a mini-operating system, an edge device operating system,
and/or an
open source operating system)) to enable and/or cause the first computing
device to
perform communication management operations. In certain embodiments, for
example,
the communications management operations may comprise receiving a first
network
packet from a first user-application, the first network packet comprising a
destination port
number and a payload. In certain embodiments, for example, the communications
management operations may comprise forming a second network packet comprising
the
payload, the second network packet not comprising the destination port number.
In
certain embodiments, for example, the communications management operations may
comprise transmitting the second network packet to network security software
on a
second computing device. In certain embodiments, for example, the
communications
management operations may comprise confirming that the network security
software is
preconfigured to transmit the payload to a second user-application on the
second
computing device, the second user-application having a destination port
assigned
thereto, the destination port number assigned to the destination port.
[00593] A. In certain embodiments, for example, the first user-application may
be
resident on the first computing device. In certain embodiments, for example,
the network
security software may obtain the destination port number from a preprovisioned
file, the
preprovisioned file resident on nonvolatile storage media in communication
with the
second computing device.
[00594] Certain embodiments may provide, for example, a product for managing
communications of a plurality of networked computing devices, the product
comprising a
non-transitory computer-readable storage medium having computer-readable
program
code embodied therein, the computer-readable program code executable (or
compilable,
linkable, and/or loadable to be executable) by a first computing device
executing an
operating system (for example a Linux operating system, a Linux-based
operating
233
CA 03077203 2020-03-26
WO 2019/071126 PCT/US2018/054609
system, a real time operating system, a mini-operating system, an edge device
operating
system, and/or an open source operating system) to enable and/or cause the
first
computing device to perform communication management operations, the
communication management operations comprising: i) receiving a first network
packet
from a first user-application, the first network packet comprising a
destination port
number and a payload; ii) forming a second network packet comprising the
payload, the
second network packet not comprising the destination port number; iii)
transmitting the
second network packet to network security software on a second computing
device; and
iv) confirming that the network security software is preconfigured to transmit
the payload
to a second user-application on the second computing device, the second user-
application having a destination port assigned thereto, the destination port
number
assigned to the destination port.
[00595] A. In any of the products disclosed herein for use on a computing
device (for
example products for managing communications), the product or a portion
thereof may
be distributed separately (for example on separate non-transitory computer-
readable
storage media) from at least a portion (for example all) of an operating
system or kernel
running (or to be run) on the computing device. In certain embodiments, for
example,
the product or a portion thereof may be installed separately from at least a
portion (for
example all) of an operating system or kernel running (or to be run) on the
computing
device. In certain embodiments, for example, the product or a portion thereof
may be
compiled separately from at least a portion (for example all) of an operating
system or
kernel running (or to be run) on the computing device. In certain embodiments,
for
example, the product or a portion thereof is linked separately from at least a
portion (for
example all) of an operating system or kernel running on the computing device.
In
certain embodiments, computer-readable program code executable (or compilable,
linkable, and/or loadable to be executable) by a computing device to perform
one or
more of the communication management operations and/or processing functions
disclosed herein (for example one or more of the establishing, performing,
intercepting,
identifying, requesting, authorizing, verifying, receiving, assembling,
requesting
transmission, encrypting, decrypting, inserting, translating, comparing,
further comparing,
additionally comparing, obtaining, negotiating, identifying, or forming
operations or
functions disclosed herein) are distributed on separate non-transitory
computer-readable
storage media from computer-readable program code executable (or compilable,
linkable, and/or loadable to be executable) by the computing device to perform
the other
of the communication management operations and/or processing functions. In
certain
embodiments, for example, the computer-readable program code executable (or
234
CA 03077203 2020-03-26
WO 2019/071126 PCT/US2018/054609
compilable, linkable, and/or loadable to be executable) by a computing device
to perform
the intercepting may be distributed on separate non-transitory computer-
readable
storage media from the computer-readable program code executable (or
compilable,
linkable, and/or loadable to be executable) by the computing device to perform
other
communication management operations and/or processing functions disclosed
herein.
[00596] B. In certain embodiments, for example, computer-readable program code
executable (or compilable, linkable, and/or loadable to be executable) by a
computing
device to perform the intercepting and/or the receiving operations or
functions on a
computing device may be distributed separately (for example on separate non-
transitory
computer-readable storage media) from computer-readable program code
executable (or
compilable, linkable, and/or loadable to be executable) by the computing
device to
perform one or more of the identifying, authorizing, verifying, assembling,
encrypting,
decrypting, inserting, translating, comparing, further comparing, additionally
comparing,
obtaining, negotiating, identifying, and forming operations or functions. In
certain
embodiments, for example, computer-readable program code executable (or
compilable,
linkable, and/or loadable to be executable) by a computing device to perform
the
intercepting and/or the receiving operations or functions may be installed
separately from
computer-readable program code executable (or compilable, linkable, and/or
loadable to
be executable) by the computing device to perform one or more of the
identifying,
authorizing, verifying, assembling, encrypting, decrypting, inserting,
translating,
comparing, further comparing, additionally comparing, obtaining, negotiating,
identifying,
and forming operations or functions. In certain embodiments, for example,
computer-
readable program code executable (or compilable, linkable, and/or loadable to
be
executable) by a computing device to perform the intercepting and/or the
receiving
operations or functions may be compiled separately from computer-readable
program
code executable (or compilable, linkable, and/or loadable to be executable) by
the
computing device to perform one or more of the identifying, authorizing,
verifying,
assembling, encrypting, decrypting, inserting, translating, comparing, further
comparing,
additionally comparing, obtaining, negotiating, identifying, and forming
operations or
functions. In certain embodiments, for example, the computer-readable program
code
executable (or compilable, linkable, and/or loadable to be executable) by a
computing
device to perform intercepting and/or the receiving operations or function may
be linked
separately from computer-readable program code executable (or compilable,
linkable,
and/or loadable to be executable) by the computing device to perform one or
more of the
identifying, authorizing, verifying, assembling, encrypting, decrypting,
inserting,
235
CA 03077203 2020-03-26
WO 2019/071126 PCT/US2018/054609
translating, comparing, further comparing, additionally comparing, obtaining,
negotiating,
identifying, and forming operations or functions.
[00597] C. In certain embodiments, for example, the computer-readable program
code executable (or compilable, linkable, and/or loadable to be executable) by
a
computing device to perform one or more of the communication management
operations
and/or processing functions disclosed herein may be executable (or compilable,
linkable,
and/or loadable to be executable) in a kernel of the computing device.
[00598] D. In certain embodiments, for example, the computer-readable program
code executable (or compilable, linkable, and/or loadable to be executable) by
a
computing device to perform one or more of the communication management
operations
and/or processing functions disclosed herein may be agnostic as to the
operating system
or kernel running on the computing device. In certain embodiments, for
example,
computer-readable program code executable (or compilable, linkable, and/or
loadable to
be executable) by a computing device to perform one or more of the
communication
management operations and/or processing functions disclosed herein may contain
only
a minimum interface functionality required to communicate with an operating
system or
kernel running on the computing device, and be otherwise agnostic as to the
operating
system or kernel running. In certain further embodiments, for example, the
minimum
interface functionality may comprise a kernel header, a definition file, a
variable
definition, mandatory kernel call, or a combination of two or more of the
foregoing. In
certain further embodiments, for example, the minimum interface functionality
may be
limited to one or more kernel headers, one or more definition files, one or
more variable
definitions, one or more mandatory kernel calls, or a combination of two or
more of the
foregoing. In certain embodiments, for example, computer-readable program code
executable (or compilable, linkable, and/or loadable to be executable) by a
computing
device to perform one or more of the communication management operations
and/or
processing functions disclosed herein may be exclusive of any portion of code
of a pre-
existing operating system or kernel executable (or compilable, linkable,
and/or loadable
to be executable) on the computing device. In certain embodiments, for
example,
computer-readable program code executable (or compilable, linkable, and/or
loadable to
be executable) by a computing device to perform one or more of the
communication
management operations and/or processing functions disclosed herein may be
exclusive
of any calls to functions or modules of a pre-existing operating system or
kernel
executable (or compilable, linkable, and/or loadable to be executable) on the
computing
device.
236
CA 03077203 2020-03-26
WO 2019/071126 PCT/US2018/054609
[00599] E. In certain embodiments, for example, computer-readable program code
executable (or compilable, linkable, and/or loadable to be executable) by a
computing
device to perform one or more of the communication management operations
and/or
processing functions disclosed herein may receive data from an end-user
application
program via an operating system or kernel executable (or compilable, linkable,
and/or
loadable to be executable) on the computing device. In certain embodiments,
for
example, computer-readable program code executable (or compilable, linkable,
and/or
loadable to be executable) by a computing device to perform one or more of the
communication management operations and/or processing functions disclosed
herein
may not receive any further data from an operating system or kernel executable
(or
compilable, linkable, and/or loadable to be executable) on the computing
device. In
certain embodiments, for example, computer-readable program code executable
(or
compilable, linkable, and/or loadable to be executable) by a computing device
to perform
one or more of the communication management operations and/or processing
functions
disclosed herein may not receive any further data from an operating system or
kernel
executable (or compilable, linkable, and/or loadable to be executable) on the
computing
device. In certain embodiments, for example, computer-readable program code
executable (or compilable, linkable, and/or loadable to be executable) by a
computing
device to perform one or more of the communication management operations
and/or
processing functions disclosed herein (for example all of communication
management
operations and/or processing functions disclosed herein) may not share any
address
space (for example kernel address space) with an operating system or kernel
executable
(or compilable, linkable, and/or loadable to be executable) on the computing
device. In
certain embodiments, for example, computer-readable program code executable
(or
compilable, linkable, and/or loadable to be executable) by a computing device
to perform
one or more of the communication management operations and/or processing
functions
disclosed herein may not use and/or manipulate any operating system or kernel
data
structure on the computing device.
[00600] F. In certain embodiments, for example, at least a portion of computer-
readable program code executable (or compilable, linkable, and/or loadable to
be
executable) by a computing device to perform one or more of the communication
management operations and/or processing functions disclosed herein may not be
subject to a copyleft license. In certain embodiments, for example, computer-
readable
program code executable (or compilable, linkable, and/or loadable to be
executable) by a
computing device to perform one or more of the communication management
operations
and/or processing functions disclosed herein may not be subject to a copyleft
license. In
237
CA 03077203 2020-03-26
WO 2019/071126 PCT/US2018/054609
certain embodiments, for example, computer-readable program code executable
(or
compilable, linkable, and/or loadable to be executable) by a computing device
to perform
one or more of the communication management operations and/or processing
functions
disclosed herein may not be subject to a General Public License (GPL), for
example the
GPL version 1, the GPL version 2, the GPL version 3, a Lesser GPL, or a
modified GPL.
In certain embodiments, for example, computer-readable program code executable
(or
compilable, linkable, and/or loadable to be executable) by a computing device
to perform
one or more of the communication management operations and/or processing
functions
disclosed herein may not be subject to a Berkeley Software Distribution (BSD)
license,
for example a BSD License version 2.0, a Revised BSD License, a New BSD
license, a
Modified BSD License, or an otherwise modified BSD license.
[00601] G. In certain embodiments, for example, at least a portion of the
computer-
readable program code executable (or compilable, linkable, and/or loadable to
be
executable) by a computing device (for example a portion of the computer-
readable
program code executable (or compilable, linkable, and/or loadable to be
executable) by a
computing device that may not be subject to a copyleft license) may be in
communication with (for example may be linked to and/or may exchange data
with)
software that may be subject to a copyleft license (for example software that
may be
subject to the GPL version 2). In certain embodiments, for example, the
software that
may be subject to a copyleft license may be part or all of a kernel or an
operating system
or kernel. In certain embodiments, for example, the software that may be
subject to a
copyleft license may be an operating system (for example a Linux operating
system, a
Linux-based operating system, a real time operating system, a mini-operating
system, an
edge device operating system, and/or an open source operating system) or
kernel. In
certain embodiments, for example, the software that may be subject to a
copyleft license
may be at a boundary (or edge or periphery) of the kernel (for example the
software that
may be subject to a copyleft license may be an API such as a network API). In
certain
embodiments, for example, the software that may be subject to a copyleft
license may be
an interoperability interface (for example an interface for communication
between at least
a portion of a kernel running on the computing device and an application
running on the
computing device.
[00602] H. In certain embodiments, for example, computer-readable program code
executable (or compilable, linkable, and/or loadable to be executable) by a
computing
device to perform one or more of the communication management operations
and/or
processing functions disclosed herein may not comprise part of an operating
system or
kernel executable (or compilable, linkable, and/or loadable to be executable)
on the
238
CA 03077203 2020-03-26
WO 2019/071126 PCT/US2018/054609
computing device. In certain embodiments, for example, computer-readable
program
code executable (or compilable, linkable, and/or loadable to be executable) by
a
computing device to perform one or more of the communication management
operations
and/or processing functions disclosed herein may be executable (or compilable,
linkable,
and/or loadable to be executable) in a kernel of the computing device, for
example in a
privileged processing space, while not comprising part of an operating system
or kernel
executable (or compilable, linkable, and/or loadable to be executable) on the
computing
device. In certain embodiments, for example, computer-readable program code
executable (or compilable, linkable, and/or loadable to be executable) by a
computing
device to perform one or more of the communication management operations
and/or
processing functions disclosed herein may be executable (or compilable,
linkable, and/or
loadable to be executable) in an application space of the computing device.
[00603] I. In certain embodiments, for example, a portion of the computer-
readable
program code executable (or compilable, linkable, and/or loadable to be
executable) by a
computing device may be executable (or compilable, linkable, and/or loadable
to be
executable) in a kernel space of the computing device, and a further portion
of the
computer-readable program code executable (or compilable, linkable, and/or
loadable to
be executable) by a computing device may be executable (or compilable,
linkable, and/or
loadable to be executable) in an application space of the computing device. In
certain
embodiments, for example, a portion of the computer-readable program code
executable
(or compilable, linkable, and/or loadable to be executable) by a computing
device may
be executable (or compilable, linkable, and/or loadable to be executable) in a
kernel
space of the computing device, and a further portion of the computer-readable
program
code executable (or compilable, linkable, and/or loadable to be executable) by
a
computing device may not be executable (or compilable, linkable, and/or
loadable to be
executable) in the kernel space (for example it may be executable in the
application
space or other non-privileged or non-priority executable space).
[00604] J. In certain embodiments, for example, computer-readable program code
executable (or compilable, linkable, and/or loadable to be executable) by a
computing
device to perform the intercepting and/or the receiving operations or
functions may be
executable (or compilable, linkable, and/or loadable to be executable) in a
kernel space
of the computing device, and computer-readable program code executable (or
compilable, linkable, and/or loadable to be executable) by a computing device
to perform
one or more of the assembling, requesting transmission, encrypting,
decrypting,
inserting, translating, comparing, further comparing, and additionally
comparing
operations or functions may be executable (or compilable, linkable, and/or
loadable to be
239
CA 03077203 2020-03-26
WO 2019/071126 PCT/US2018/054609
executable) in an application space of the computing device. In certain
embodiments,
for example, computer-readable program code executable (or compilable,
linkable,
and/or loadable to be executable) by a computing device to perform the
intercepting
and/or the receiving operations or functions may be executable (or compilable,
linkable,
and/or loadable to be executable) in a kernel space of the computing device,
and
computer-readable program code executable (or compilable, linkable, and/or
loadable to
be executable) by a computing device to perform one or more of the assembling,
requesting transmission, encrypting, decrypting, inserting, translating,
comparing, further
comparing, and additionally comparing operations or functions may not be
executable (or
compilable, linkable, and/or loadable to be executable) in the kernel space.
[00605] K. In certain embodiments, for example, computer-readable program code
executable (or compilable, linkable, and/or loadable to be executable) by a
computing
device to perform one or more of the communication management operations
and/or
processing functions disclosed herein may be a plug-in. In certain
embodiments, for
example, computer-readable program code executable (or compilable, linkable,
and/or
loadable to be executable) by a computing device to perform one or more of the
communication management operations and/or processing functions disclosed
herein
may be present in a library (for example in a dynamic-link library). In
certain
embodiments, for example, computer-readable program code executable (or
compilable,
linkable, and/or loadable to be executable) by a computing device to perform
one or
more of the communication management operations and/or processing functions
disclosed herein may be a loadable module. In certain embodiments, for
example, the
loadable module may be loaded by a computing device during bootup of the
computing
device. In certain embodiments, for example, the loadable module may be loaded
by a
computing device prior to loading of an operating system (for example may be
loaded by
an initial runtime environment or loaded by a Basic Input/Output System
(BIOS)). In
certain embodiments, for example, the loadable module may be loaded by the
computing
device after bootup of the computing device. In certain embodiments, for
example, the
loadable module may be loaded by the computing device during runtime. In
certain
embodiments, for example, computer-readable program code executable (or
compilable,
linkable, and/or loadable to be executable) by a computing device to perform
one or
more of the communication management operations and/or processing functions
disclosed herein may be a loadable kernel module. In certain embodiments, for
example, computer-readable program code executable (or compilable, linkable,
and/or
loadable to be executable) by a computing device to perform one or more of the
communication management operations and/or processing functions disclosed
herein
240
CA 03077203 2020-03-26
WO 2019/071126 PCT/US2018/054609
may be a loadable application module. In certain embodiments, for example,
computer-
readable program code executable (or compilable, linkable, and/or loadable to
be
executable) by a computing device to perform one or more of the communication
management operations and/or processing functions disclosed herein may be a
driver.
[00606] L. In certain embodiments, for example, computer-readable program code
executable (or compilable, linkable, and/or loadable to be executable) by a
computing
device to perform one or more of the communication management operations
and/or
processing functions disclosed herein may be dynamically linkable (for example
may be
a dynamically linkable module, such as a dynamically linkable loadable
module). In
certain embodiments, for example, the computer-readable program code may be
dynamically linkable with a kernel (for example with a Linux or Linux-based
kernel). In
certain embodiments, for example, the computer-readable program code may be
dynamically linkable with an operating system or kernel (for example with an
operating
system (for example a Linux operating system, a Linux-based operating system,
a real
time operating system, a mini-operating system, an edge device operating
system,
and/or an open source operating system)). In certain embodiments, for example,
references (for example symbol tables, module names, memory offsets, etc.) to
the
dynamically linkable program code may be stored in a kernel space of the
computing
device. In certain embodiments, for example, references to the dynamically
linkable
program may be stored in an application space of the computing device. In
certain
embodiments, for example, the computer-readable program code may be compiled
separately from an operating system or a kernel to form a kernel loadable
module. In
certain embodiments, for example, the kernel loadable module may be
dynamically
linked with the kernel during runtime on the computing device.
[00607] M. In certain embodiments, for example, computer-readable program code
executable (or compilable, linkable, and/or loadable to be executable) by a
computing
device to perform one or more of the communication management operations
and/or
processing functions disclosed herein may be linkable (for example dynamically
or
statically linkable). In certain embodiments, for example, the computer-
readable
program code may be linkable in a kernel (for example with a Linux or Linux-
based
kernel). In certain embodiments, for example, the computer-readable program
code may
be linkable with an operating system (for example with an operating system
(for example
a Linux operating system, a Linux-based operating system, a real time
operating system,
a mini-operating system, an edge device operating system, and/or an open
source
operating system)). In certain embodiments, for example, the computer-readable
program code may be linkable (for example dynamically or statically linkable)
to an
241
CA 03077203 2020-03-26
WO 2019/071126
PCT/US2018/054609
application program. In certain embodiments, for example, the computer-
readable
program code may be linkable (for example dynamically or statically linkable)
to an
interface (for example an interoperability interface). In certain embodiments,
for
example, the computer-readable program code may be linkable (for example
dynamically or statically linkable) to an interface between an application
space of the
computing device and a kernel space of the computing device. In certain
embodiments,
for example, the computer-readable program code may be linkable (for example
dynamically or statically linkable) to an application-to-kernel program
interface (for
example an interface such as Netlink or Netlinks). In certain embodiments, for
example,
computer-readable program code may be linkable (for example dynamically or
statically
linkable) to an application-to-application program interface. In certain
embodiments, for
example, computer-readable program code may be linkable (for example
dynamically or
statically linkable) to a kernel-to-kernel program interface.
[00608] N. In certain embodiments, for example, computer-readable program code
executable (or compilable, linkable, and/or loadable to be executable) by a
computing
device to perform one or more of the communication management operations
and/or
processing functions disclosed herein may be a statically linkable module. In
certain
embodiments, for example, computer-readable program code executable (or
compilable,
linkable, and/or loadable to be executable) by a computing device to perform
one or
more of the communication management operations and/or processing functions
disclosed herein may be a standalone program.
[00609] 0. In certain embodiments, for example, computer-readable program code
executable (or compilable, linkable, and/or loadable to be executable) by a
computing
device to perform one or more of the communication management operations
and/or
processing functions disclosed herein may be an object file. In certain
embodiments, for
example, computer-readable program code executable (or compilable, linkable,
and/or
loadable to be executable) by a computing device to perform one or more of the
communication management operations and/or processing functions disclosed
herein
may be compilable ASCII code. In certain embodiments, for example, computer-
readable program code executable (or compilable, linkable, and/or loadable to
be
executable) by a computing device to perform one or more of the communication
management operations and/or processing functions disclosed herein may be
compiled.
[00610] P. In certain embodiments, for example, computer-readable program code
executable (or compilable, linkable, and/or loadable to be executable) by a
computing
device to perform intercepting and/or the receiving operations or functions
may be
invoked by one or more modified kernel functions (for example by a modified
network
242
CA 03077203 2020-03-26
WO 2019/071126 PCT/US2018/054609
API function such as bind() or connect()). In certain embodiments, for
example, the
computer-readable program code executable (or compilable, linkable, and/or
loadable to
be executable) by a computing device to perform intercepting and/or the
receiving
operations or functions may be invoked by one or more modified kernel
functions, and
computer-readable program code executable (or compilable, linkable, and/or
loadable to
be executable) by a computing device to perform one or more of the
identifying,
authorizing, verifying, comparing, further comparing, and additionally
comparing, may be
part or all of a separate executable (or compilable, linkable, and/or loadable
to be
executable) code that communicates, via an inter-program interface (for
example Netlink
or Netlinks), with the computer-readable program code executable (or
compilable,
linkable, and/or loadable to be executable) by a computing device to perform
one or
more of the assembling, encrypting, decrypting, inserting, and translating
operations or
functions. In certain embodiments, for example, the one or more modified
kernel
functions may be licensed under the GPL version 2. In certain further
embodiments, the
computer-readable program code executable (or compilable, linkable, and/or
loadable to
be executable) by a computing device to perform one or more of the
establishing,
performing, intercepting, identifying, requesting, authorizing, verifying,
receiving,
assembling, requesting transmission, encrypting, decrypting, inserting,
translating,
comparing, further comparing, additionally comparing, obtaining, negotiating,
identifying,
forming operations or functions may not be licensed under a GPL or a BSD
license. In
certain embodiments, for example, the modified kernel function may be
statically linked
with an operating system executable (or compilable, linkable, and/or loadable
to be
executable) on the computing device. In certain embodiments, for example, the
modified
kernel function may be dynamically linked with an operating system running on
the
processor.
[00611] Certain embodiments may provide, for example, a computer program
product
comprising a computer readable storage medium having a computer readable
program
stored therein, wherein the computer readable program, when executed on a
computing
device, enables or causes the computing device to perform one or more of the
methods
disclosed herein.
[00612] Certain embodiments may provide, for example, a computer program
product
comprising a computer readable storage medium having a computer readable
program
stored therein, wherein the computer readable program, when executed on a
computing
device, further enables or causes the computing device to perform one or more
of the
methods disclosed herein.
243
CA 03077203 2020-03-26
WO 2019/071126 PCT/US2018/054609
[00613] Certain embodiments may provide, for example, a computer program
product
comprising a computer readable storage medium having a computer readable
program
stored therein, wherein the computer readable program, when executed on a
computing
device running a Linux operating system, enables or causes the computing
device to
perform one or more of the methods disclosed herein.
[00614] Certain embodiments may provide, for example, a computer program
product
comprising a computer readable storage medium having a computer readable
program
stored therein, wherein the computer readable program, when executed on a
computing
device running an operating system (for example, Linux), further enables or
causes the
computing device to perform one or more of the methods disclosed herein.
[00615] Certain embodiments may provide, for example, an apparatus,
comprising: a
processor; and a memory coupled to the processor, wherein the memory comprises
instructions which, when executed by the processor, enable or cause the
processor to
perform one or more of the methods disclosed herein.
[00616] Certain embodiments may provide, for example, a system, comprising:
one or
more processors; a memory coupled to said one or more processors, said memory
including a computer useable medium tangibly embodying at least one program of
instructions executable by at least one of said one or more processors to
perform one or
more of the methods disclosed herein.
[00617] Certain embodiments may provide, for example, a computer program
product,
comprising: one or more machine-useable storage media; program instructions
provided
by said one or more media for programming a data processing platform to
perform one
or more of the methods disclosed herein.
[00618] Certain embodiments may provide, for example, an apparatus comprising:
a
host operating system comprising an active kernel and an active container; and
a
processor operable with said active kernel to instantiate instances for active
Kernel
Loadable Modules (KLMs) for servicing said active container, said active KLM's
executable to perform one or more of the methods disclosed herein.
[00619] Certain embodiments may provide, for example, a system, comprising:
one or
more processors; an operating system executing on said one or more processors;
memory coupled to said one or more processors, said memory including a
computer
useable medium tangibly embodying at least one program of instructions
executable by
at least one of said one or more processors to perform operations to perform
one or
more of the methods disclosed herein.
244
CA 03077203 2020-03-26
WO 2019/071126 PCT/US2018/054609
[00620] Certain embodiments may provide, for example, logic encoded on one or
more non-transitory computer readable media for execution and when executed
operable to perform one or more of the methods disclosed herein.
[00621] Certain embodiments may provide, for example, logic encoded on one or
more non-transitory computer readable media for execution on one or more
processors
executing operating system commands, when executed operable to perform one or
more
of the methods disclosed herein.
[00622] Certain embodiments may provide, for example, a readable storage
medium
having a computer readable program stored therein, wherein the computer
readable
program, when executed on a computing device, causes the computing device to
perform one or more of the methods disclosed herein.
[00623] Certain embodiments may provide, for example, a computing device
comprising: a memory containing machine readable medium comprising machine
executable code having stored thereon instructions to perform one or more of
the
methods disclosed herein.
[00624] Certain embodiments may provide, for example, a computer program
product
to perform one or more of the methods disclosed herein, the computer program
product
comprising: one or more computer readable storage media; and program
instructions
stored on the one or more computer readable storage media to perform the one
or more
of the methods disclosed herein.
[00625] Certain embodiments may provide, for example, a non-transitory machine-
readable storage medium comprising instructions to provide enhanced
communication
security of a system comprising a processor operating with a Linux or Linux-
based
operating system, the instructions executable by the processor one or more of
the
methods disclosed herein.
[00626] Certain embodiments may provide, for example, a distributed system,
comprising: i) a first computing device; ii) a first network security file
containing first
parameters, the first network security file resident on the first computing
device; iii) a first
copy of a network security software, at least a portion of the first copy
configured to
operate in a kernel of the first computing device; iv) a second computing
device; v) a
second network security file containing second parameters, the second network
security
file resident on the second computing device; vi) a second copy of the network
security
software, at least a portion of the second copy configured to operate in a
kernel of the
second computing device; and vii) a dedicated port-to-port encrypted
communication
pathway between the first copy and the second copy, the first copy configured
to receive
first codes from the second copy and to compare the first codes with the first
parameters,
245
DEMANDE OU BREVET VOLUMINEUX
LA PRESENTE PARTIE DE CETTE DEMANDE OU CE BREVET COMPREND
PLUS D'UN TOME.
CECI EST LE TOME 1 DE 2
CONTENANT LES PAGES 1 A 245
NOTE : Pour les tomes additionels, veuillez contacter le Bureau canadien des
brevets
JUMBO APPLICATIONS/PATENTS
THIS SECTION OF THE APPLICATION/PATENT CONTAINS MORE THAN ONE
VOLUME
THIS IS VOLUME 1 OF 2
CONTAINING PAGES 1 TO 245
NOTE: For additional volumes, please contact the Canadian Patent Office
NOM DU FICHIER / FILE NAME:
NOTE POUR LE TOME / VOLUME NOTE:
