Patent Grant
9237168
The present disclosure relates generally to computer networks, and more particularly, to communications between two network nodes.
Generally, modern networks are set up with proxy devices, such as firewalls, to apply policy decisions to the traffic that flows across a network boundary. In order to apply these policy decisions, the firewalls may inspect the network traffic, making a shallow inspection by only viewing packet headers, or performing deep packet inspection by viewing the underlying packet data. With unsecured network transmissions it is possible for the firewalls to immediately view the network packets in their entirety, and therefore, the firewalls are able to apply policy decisions to network traffic prior to allowing any portion of the messages through the firewall.
As more network traffic is being sent securely (e.g., using encryption techniques), it is no longer possible for the firewall to view the network traffic in its entirety without first decrypting the messages. Additionally, in certain encryption protocols, a firewall is not be able to determine even basic information, such as the desired uniform resource locator (URL) for the message, without decrypting the message. In order to complete the decryption process, the firewall will often need to allow certain messages or a limited number of packets, for example, to pass through the firewall before any policy decision is applied to the traffic. Decryption of network traffic at the firewall requires resource intensive operations to be performed by the firewall. Furthermore, since networks are used for carrying traffic for sensitive transactions such as financial transactions, rules and regulations are being put into place which restrict firewalls from decrypting certain sensitive traffic.
Overview
According to the techniques described herein, a handshaking procedure for a secure communication between a first device and a second device is intercepted at a proxy device. Identification information associated with the second device is extracted from an initial message of the handshaking procedure. A policy is applied to communications between the first device and second device based on the identification information.
Example Embodiments
Reference is first made to
Traffic 150 maybe sent between network devices using communication protocols such as the Transmission Control Protocol/Internet Protocol (TCP/IP), User Datagram Protocol (UDP), Asynchronous Transfer Mode (ATM) protocol, Frame Relay Protocol, Internet Packet Exchange (IPX) protocol, and other protocols now known or hereinafter developed.
As indicated in
Examples of server name based traffic control implementations may include intercepting at a proxy 120 traffic 150 that includes or has associated therewith a handshaking procedure for a secure communication between a client 110 and a server 130. Identification information associated with the server 130 is extracted from an initial message of the handshaking procedure. A policy is applied to communications between the client 110 and the server 130 based on the identification information.
Upon intercepting the initial message of the handshaking procedure, the procedure continues to step 230 in which the proxy device 120 extracts from the initial message identification information associated with the server 130. According to example embodiments, the identification information can take different forms. In one example, the initial message of the handshaking procedure comprises a “ClientHello” message of the Transport Layer Security (TLS) handshaking procedure. According to this example, the proxy device 120 may extract the Server Name Indication (SNI) extension from the ClientHello message. As discussed in more detail below, the SNI is generally not used for security purposes or to apply policy decisions, but instead is used to distinguish between multiple Domain Name System (DNS) hostnames that are virtually hosted on a single server.
Based on the identification information extracted in step 230, the proxy device 120 applies a policy to the communications in step 240. According to different examples, the basis for the application of the policy decision can take many forms. According to one example, the identification information may identify the server 130 by name, and the policy decision may be applied based on the name of the server 130. For example, the identification information may be compared against a “blacklist” database of servers to which connections should be blocked. Accordingly, the proxy device 120 would block all further communications between the client device, e.g., client device 110a, and the server 130.
According to other examples, the identification information may be indicative of an application type for traffic for a communication session between the client and server. For example, the identification information may indicate that the data to be used for a banking or other financial services operation. Other examples of applications may include Voice over IP (VoIP) applications, streaming video, social networking, photosharing, and other applications known to those skilled in the art.
In still other forms, the application of the policy may be based on the reputation of the server 130. Reputation information associated with servers is accumulated over time from communication sessions between clients and servers. For example, the identification information may indicate that the particular server that the client is attempting to connect to has a reputation of, for example, hosting spyware or malware. Accordingly, the proxy 120 may apply a policy decision that is different than the policy decision that would be applied to a server 130 that has a benign reputation.
According to yet other examples, the application of the policy decision may be based on the category of the server 130 or the content served by the server 130. Examples of categories may include education, entertainment, financial data and services, gambling, games, government, illegal or questionable material, news and media, and other categories known to those skilled in the art. Some categories of servers may be readily allowed while others are regulated or denied.
The policy decision itself can take many forms. For example, the policy decision can result in the handshaking procedure being aborted at the proxy device 120 before any messages are sent to the server 130 and certainly before any content from the server 130 reaches the client. In another example, the application of the policy decision can result in future traffic between the client 110 and server 130 passing through the proxy device 120 without any decryption and/or re-encryption taking place at the proxy device 120. In yet another example, the application of the policy decision results in future communications being decrypted at the proxy device 120 and then being re-encrypted at the proxy device 120 for transfer between the client 110 and the server 130.
The procedure 200 ends at 250.
Reference is now made to
The proxy device 120 makes a query 360a based on the server identification information to a database 340. The database 340 may be part of the proxy device 120 or external to the proxy device 120. As depicted in
A comparison is made between the server identification information extracted from the initial message and the information stored in database 340. A result of the comparison is returned via response message 360b. Based on the results of the comparison, the proxy device 120 applies a policy decision 365 to any further communications between the client 110 and the server 130.
While some examples base the application of the policy on a comparison with a single database, other examples may apply the policy based on a combination of comparisons with two or more of the databases. For example, while a comparison with the reputation database 341b may determine whether or not the communication session should be allowed, the application database 341c may be used to determine whether or not the subsequent communications between the client 110 and the server 130 should be decrypted at the proxy 120. It may also be the case that the results of the comparisons with more than one database are balanced to determine the appropriate policy to apply. For example, financial services communications may be prohibited from being decrypted by proxy devices. Accordingly, even if a reputation or category comparison would indicate that the communication session should be decrypted at the proxy 120, the legal requirement that financial services data cannot be decrypted by the proxy 120 would result in communications continuing without decryption by the proxy 120.
As depicted in
Reference is now made to
Turning now to
With regards to the examples depicted in
Reference is now made to
The SNI extension 660 was added to the TLS protocol to indicate to the server the hostname the client is attempting to connect to during the handshaking procedure. Specifically, it is present in the ClientHello message 600 to assist with name-based virtual hosting. Name-based virtual hosting allows multiple DNS hostnames to be hosted on a single server on the same IP address. In an unsecured HTTP request, the server can read the virtual host from the HTTP headers. In an encrypted TLS request, the server is unable to read the HTTP headers until after the handshaking procedure is finished. In order to present the client with the appropriate certificate, it is useful for the server to know which hostname the client is attempting to reach before completion of the handshaking procedure.
With reference back to
Memory 840 may comprise read only memory (ROM), random access memory (RAM), magnetic disk storage media devices, optical storage media devices, flash memory devices, electrical, optical, or other physical/tangible (e.g., non-transitory) memory storage devices. The processor 820 is, for example, a microprocessor or microcontroller that executes instructions for the proxy device logic. Thus, in general, the memory 840 may comprise one or more tangible (non-transitory) computer readable storage media (e.g., a memory device) encoded with software comprising computer executable instructions and when the software is executed (by the processor 820), and in particular firewall services software 842, it is operable to perform the operations described herein in connection with
There are several advantages to the traffic control techniques described herein. For example, by intercepting the initial message of a handshaking procedure, important network resources can be conserved. As depicted in
Furthermore, because the communication session between a client and server can be denied prior to any substantive communications between the client 110 and the server 130, resources that would otherwise be needed to terminate the established connection can be conserved.
In summary, a method, apparatus and computer readable tangible storage media are provided to perform the traffic control techniques described herein. In apparatus form, an apparatus is provided that comprises a processor, at least one network interface unit configured to transmit and receive messages over a network and a memory. The processor is configured to intercept an initial message of a handshaking procedure for a secure communication session between a first device and a second device, extract from the initial message identification information associated with the second device, and apply a policy to communications between the first device and the second device based on the identification information.
In computer readable tangible storage media form, instructions are encoded on a computer readable tangible storage media that, when executed by a processor, cause the processor to intercept at a proxy device an initial message of a handshaking procedure for a secure communication session between a first device and a second device. The instructions further cause the processor to extract from the initial message identification information associated with the second device, and to apply a policy to communications between the first device and the second device based on the identification information.
The above description is intended by way of example only.
| Number | Name | Date | Kind |
|---|---|---|---|
| 7519834 | Dondeti et al. | Apr 2009 | B1 |
| 7624142 | Jungck | Nov 2009 | B2 |
| 8117335 | Maes | Feb 2012 | B2 |
| 8161547 | Jennings et al. | Apr 2012 | B1 |
| 8190879 | Wang | May 2012 | B2 |
| 8316429 | Long et al. | Nov 2012 | B2 |
| 8327128 | Prince et al. | Dec 2012 | B1 |
| 8473744 | Shelest et al. | Jun 2013 | B2 |
| 8543805 | Ovsiannikov | Sep 2013 | B2 |
| 8638795 | Jackowski et al. | Jan 2014 | B2 |
| 8738902 | Yoo et al. | May 2014 | B2 |
| 20040015725 | Boneh et al. | Jan 2004 | A1 |
| 20070136801 | Le et al. | Jun 2007 | A1 |
| 20080028443 | Adelman et al. | Jan 2008 | A1 |
| 20080126794 | Wang et al. | May 2008 | A1 |
| 20090157708 | Bandini et al. | Jun 2009 | A1 |
| 20100306816 | McGrew et al. | Dec 2010 | A1 |
| 20110289581 | Gourevitch et al. | Nov 2011 | A1 |
| 20120084423 | McGleenon | Apr 2012 | A1 |
| Entry |
|---|
| International Search Report and Written Opinion in counterpart International application No. PCT/US2013/041097, mailed Aug. 28, 2013, 11 pages. |
| Number | Date | Country | |
|---|---|---|---|
| 20130312054 A1 | Nov 2013 | US |
