The present disclosure relates to providing secure network communications in virtual private network environments.
Network devices may communicate with each other along data paths in a network. As the network topology grows and more network devices are added to the network, secure and reliable communications between the network devices may be desired. In this regard, virtual private networks (VPNs) may be established in the network that include some of these network devices to ensure secure communications between the network devices. For example, a company or business may enable a VPN within its network, and a public network (e.g., the Internet) may be used to route communications between a remote device and devices within the company's VPN. Thus, remote devices can use “virtual” connections via a public network to connect and exchange secure communications with devices within a VPN. These communications can also be encrypted so that devices that are not authenticated or otherwise allowed to access the VPN are unable to decrypt and access the communications.
Techniques are provided hereinafter for enabling a virtual private network (VPN) using a bidirectional, full duplex transport channel configured to send and receive application layer data packets. The techniques may be embodied as a method, an apparatus or a computer readable media that is operable to perform the method. At a source network device that hosts a VPN client, the VPN client is configured to interface with a bidirectional, full duplex transport channel that is configured to send and receive Open Systems Interconnection application layer data packets. The VPN client is also configured with a virtual network interface that operates to virtually link the VPN client with the transport channel.
The techniques described hereinafter relate to enabling secure, bidirectional, application layer communications between network devices within a virtual private network (VPN). As will become apparent hereinafter, in one example, the techniques are particularly relevant for enabling a user to access devices and applications hosted by devices in a VPN remotely via the user's computing device (e.g., laptop, desktop computer, mobile device, tablet, etc.). The user is able to access the network devices and applications in the VPN via a public network (e.g., the Internet). As a result, the user is able to send and receive application layer communications via the user's computing device to the network devices across a single bidirectional communication link. For example, the user may launch an application (e.g., a web browser, a mobile device application, etc.) on a mobile device, and upon proper authentication, the user may be able to access the network devices remotely that are present within a VPN across a single bidirectional communication link. In one scenario, the user may be an employee who is “telecommuting” or “working remotely” and is accessing network devices or applications hosted by network devices in a VPN hosted by an employer's central servers.
Alternatively, in another example, the techniques in the present application are relevant for enabling two network sites to communicate with each other over a VPN in order to enable access devices and applications remotely and bidirectionally across a single communication link. For example, an enterprise may have several branch offices that are located in different locations. The network devices and servers in one branch office may use the techniques described hereinafter to send and receive secure, application layer communications with network devices and servers in another branch office across a single bidirectional communication link. For convenience, it should be appreciated that the descriptions hereinafter of communications between a remote network device and network devices and applications of a site at a different location are called “node-to-site” communications, while descriptions hereinafter of communications between one network site and another network site are called “site-to-site” communications. The techniques described hereinafter enable secure, bidirectional, application layer VPN communications between network devices in both node-to-site contexts and site-to-site contexts using, for example, WebSocket technology (described in the Internet Engineering Task Force (IETF) Request for Comments (RFC) 6455) together with Network Tunnel (“TUN”) and Network Tap (“TAP”) technology.
Reference is now made to
The network server device 104 “serves” or manages a plurality of site nodes, shown at reference numerals 110(1)-110(n), via an internal network (e.g., an intranet) at the location of, or remote from, the network server device 104. The internal network at the site of the network server device 104 is shown at reference numeral 112. For example, the network server device 104 may be a server that manages a plurality of computing devices, software applications, etc. that are represented by the site nodes 110(1)-110(n). Thus, the site nodes 110(1)-110(n) are said to reside “behind” the network server device 104. In one example, some of the site nodes may represent physical computing devices while other site nodes may represent applications hosted in, e.g., software of physical computing devices. For example, site node 110(1) may represent a physical computer that is managed by the network server device 104, and site node 110(2) may represent an application (e.g., a word processing application, spreadsheet application, etc.) hosted by a physical computer at the host site.
In general, the remote network device 102, which resides in a local client network 114, exchanges communications with the network server device 104, which resides in a host site network 116, in order to access applications hosted or represented by one or more of the site nodes 110(1)-110(n) residing behind the network server device 104 according to the techniques described hereinafter. In order for the remote network device 102 to connect securely with site nodes 110(1)-110(n) at the host site network 116 via the network server device 104, a VPN may be established that includes the remote network device 102, the network server device 104 and one or more of the site nodes 110(1)-110(n) managed by the network server device 104. In other words, if the remote network device 102 is granted access rights to site nodes 110(1) and 110(2), but not site nodes 110(3) and 100(n), the VPN will include remote network device 102, network server device 104 and site nodes 110(1) and 110(2) (and if applicable, physical devices that host the site nodes 110(1) and 110(2)). It should be appreciated that any combination of site nodes and other network devices may comprise the VPN. Thus, even though the remote network device 102 is located remotely relative to the network server device 104 and the site nodes 110(1)-110(n), the remote network device 102 can access the network server device 104 and the appropriate site nodes 110(1)-110(n) via the VPN. In an example, an employee who is telecommuting with his or her place of employment may be able to access the various applications hosted/represented by the site nodes in the VPN at the host site.
The network device 102 can utilize its connection to the public network 108 (Internet) to connect to the VPN that includes the network server device 104 and the appropriate site nodes. For example, the remote network device 102 may be a wireless or mobile network device that is configured to connect with the Internet via a wireless or broadband service (e.g., 3G, 4G LTE, Wi-Fi®, etc.) and may launch application software 118 (e.g., a mobile phone application or web browser stored in software of the network device 102) to connect a VPN client 120 hosted by the remote network device 102 to the network server device 104 over the Internet. It should be appreciated that the network device 102 may host multiple VPN clients (e.g., in one or more virtual machines hosted by the network device 102) to initiate multiple VPN connections with the network server device 104 and the site nodes 110(1)-110(n).
In one example, the remote network device 102 (at the instruction of a user) may launch the application software 118, which may be, e.g., a web browser, mobile application or remote desktop client application to join the VPN. Upon doing so, the user of the remote network device 102 may be prompted to enter authentication information. For example, the user may enter a user name and password. The remote network device 102 then exchanges encrypted communications over the Internet with the network server device 104 in order to authenticate and confirm its eligibility with the network server device 104 to access the VPN. Ultimately, upon the remote network device 102 authenticating with the network server device 104 for access to the VPN, the remote network device 102 and the network server device 104 can exchange secure communications across a single bidirectional communication link. These secure communications may be application layer communications in accordance with the Open Systems Interconnection (OSI) layer 7 standard.
The WebSocket endpoints 124 and 126 in the remote network device 102 and the network server device 104 enable secure, bidirectional communications between the devices across the Internet via a single link (e.g., a single TCP link). Traditionally, if these devices are not configured with WebSocket endpoints, when the remote network device 102 and the network server 104 exchange communications with each other, the communications are exchanged over multiple half-duplex (or “one way”) TCP communication links. That is, if the remote network device 102 were to communicate with the network server device 104 without either device being “WebSocket enabled,” the communication from the remote network device 102 would be sent to the network server device 104 along a first half-duplex TCP communication link that would route communications only in one direction from the remote network device 102 to the network server device 104. Likewise, if the network server device 104 responds to the communication from the remote network device 102, the network server device 104 would send the response communications to the remote network device 102 along a second half-duplex TCP communication link that would route communications only in one direction from the network server device 104 to the remote network device 102. Thus, when the remote network device 102 is not configured with the WebSocket endpoint 124 and when the network server device 104 is not configured with the WebSocket endpoint 126, communications exchanged between the remote network device 102 and the network server device 104 are exchanged over a plurality of half-duplex TCP communication links. The number of these TCP communication links and requirement for multiple TCP ports to create the TCP links complicates the network topology between the remote network device 102 and the network server device 104 and limits the scalability of the network 100 when other network devices attempt to communicate with the network server device 104 via the Internet.
Thus, the WebSocket standard, as described by IETF RFC 6455 offers a solution to simplify the network topology by moving away from the traditional request-response communications across multiple half-duplex TCP links in traditional environments (e.g., Hyper Text Transfer Protocol (HTTP) and Secure HTTP (HTTPS) communications). That is, once a WebSocket connection is established between the remote network device 102 and the network server device 104, WebSocket data payloads can be sent between the devices in a full-duplex (“two way”) mode with minimal framing. For example, when the remote network device 102 and the network server device 104 are configured with corresponding WebSocket clients 124 and 126, communications between the remote network device 102 and the network server device 104 can be exchanged across a single TCP link in both directions.
It should be appreciated that though WebSocket enables bidirectional communications between the remote network device 102 and the network server device 104, the bidirectional communications terminate at the remote network device 102 and the network server device 104. Thus, in order for the remote network device 102 to exchange bidirectional communications securely with the one or more site nodes 110(1)-110(n) that reside behind the network server device 104, a VPN must be established that includes the remote network device 102, the network server device 104 and the relevant site nodes. The establishment of the VPN, in connection with WebSocket enables these secure bidirectional communications.
As stated above, the remote network device 102 may utilize its connection to the Internet to connect to a VPN that includes the network server device 104 and one or more of the site nodes hosted by the network server device 104. For example, the remote network device 102 may want to exchange communications securely with the network server device 104 and one or more of the site nodes hosted by the network server device 104. It may be desirable for these communications to be encrypted, such that an unauthorized party or malicious third-party entity cannot snoop or otherwise detect and decrypt the communications between the remote network device 102 and the network device 104. Thus, by connecting using a VPN via the Internet, the remote network device 102 can ensure that its communications with the network server device 104 are secure while maintaining ease of access by connecting via the publically available network (Internet). As stated above, the remote network device 102 and the network server device 104 are WebSocket enabled devices, and thus, the communications between these devices via the Internet can be exchanged via the bidirectional communication link (“bidirectional WebSocket Tunnel) 106.
The remote network device 102 and the network server device 104 are configured to exchange communications in accordance with the OSI layer protocols. For example, existing network topologies are configured to enable network devices to exchange OSI layer 3 (“layer 3”) and OSI layer 4 (“layer 4”) communications via a WebSocket communication link to join or connect to a VPN. For example, for layer 3 communications, existing implementations allow for Internet Protocol (IP) Security (IPSec) communications to be sent between network devices across a WebSocket communication link within a VPN. Likewise, for layer 4 communications, existing implementations allow for Secure Socket Layer (SSL) communications to be sent between network devices across a WebSocket communication link within a VPN. The IPSec implementation for layer 3 communications and SSL implementation for layer 4 communications are commonly understood in the art.
These existing layer 3 and layer 4 solutions, however, do not extend to communications exchanged at OSI layer 7 (“layer 7”) within a VPN using a WebSocket communication link. Layer 7 communications are commonly referred to as “application layer” communications. That is, though the existing solutions described above contemplate layer 3 and layer 4 communications exchanged via a WebSocket channel in a VPN, these solutions (or any other solutions heretofore contemplated) do not enable network devices in a VPN to exchange layer 7 communications with each other using a WebSocket link. Additionally, the existing layer 3 and layer 4 solutions lack resilience, since each network device participating in the layer 3 and/or layer 4 communication exchange needs to have a corresponding layer 3 and/or layer 4 processing modules installed (in hardware and/or software components). Thus, for example, IPSec solutions for exchanging layer 3 communications between network devices in a VPN via a WebSocket link are not effective if the network devices participating in the layer 3 communications do not have corresponding IPSec modules installed. Likewise, SSL solutions for exchange layer 4 communications between network devices in a VPN via a WebSocket link are not effective if the network devices participating in the layer 4 communications do not have corresponding SSL modules installed.
The techniques described herein alleviate these deficiencies by providing a mechanism for network devices in a VPN to exchange application (layer 7) communications with each other via a WebSocket communication link. Thus, the layer 7 communications described by the instant techniques are transmitted securely (by virtue of being authenticated and exchanged in the VPN, as described hereinafter) and bidirectionally (by virtue of being exchanged across the WebSocket communication link). Ultimately, these techniques, for example, allow a user to launch an application on a remote network device to connect to a site network server in order to exchange secure application layer communications in a VPN bidirectionally across a single communication link. This is beneficial, for example, in optimizing the communications exchanges between the network devices in the VPN, since communications that are sent in the application layer are exchanged as “messages” (or strings of bytes) as opposed to individual bytes themselves.
In order to enable application layer communications to be sent between the remote network device 102 and the network server device 104, the remote network device 102 and the network server device 102 are configured with TUN virtual network interface modules (shown at 122 and 128, respectively). The TUN virtual network interfaces 122 and 128 are modules that are available from operating systems such as Windows™, iOS™, UNIX™ and Linux. The TUN virtual network interfaces 122 and 128 function as virtual network ports that enable application programs to write packets as if they were writing to a physical network interface. That is, for the remote network device 102, the TUN virtual network interface 122 acts as a bridge between the VPN client 120 and the WebSocket endpoint 124. Likewise, for the network server device 104, the TUN virtual network interface 128 acts as a bridge between the gateway router/reverse proxy 130 (which allows access to one or more site nodes in a VPN, as described hereinafter) and the WebSocket endpoint 126. It should be appreciated that the TUN virtual network interfaces 122 and 128 may also be network tap (“TAP”) interfaces that operate similarly to the TUN virtual network interfaces 122 and 128 in order to enable application programs to write packets from VPN modules (e.g., the VPN client 120 in the remote network device 120 and the gateway router/reverse proxy 130 in the network server device 104) to WebSocket endpoints. Thus, network TUN/network TAP modules that are already present on the operating systems of the remote network device 102 and the network server device 104 can be leveraged with the WebSocket endpoints to enable secure, bidirectional, application layer (layer 7) communications between the devices in the VPN.
The use of the TUN/TAP network modules enables a WebSocket VPN solution to be deployed as a “user space” application with very little kernel support when compared to existing solutions like IPSec. Specifically, the use of the TUN/TAP network modules enables the WebSocket VPN solution for mobile platforms that do not have native support for VPNs. It also allows as-needed use of scarce resources on mobile devices with the ability to remove VPN applications when not needed. The smaller footprint of WebSocket VPN clients compared to other VPN solutions expands their reach into a wide range of mobile devices for use in end-to-end applications that benefit from the bidirectional initiation of transactions in a secure, wide-area environment. Examples of such end-to-end applications are interactive gaming, industrial monitoring and control, enterprise resource management and mobile worker connectivity.
The use of the TUN/TAP modules together with the WebSocket endpoints also removes potential security administration roadblocks that may be present in layer 3 and layer 4 WebSocket VPN solutions. For example, in some layer 3 and layer 4 WebSocket VPN solutions, configurations need to be enabled on each network device to allow outgoing IPsec traffic to well-defined destinations. The layer 7 WebSocket VPN solution described hereinafter does not have such requirements.
As stated above, in order to effectuate the secure communications between the remote network device 102 and the network server device 104, a VPN is established between the remote network device 102 and the network server device 104. For example, when the remote network device 102 launches its VPN client 120 join the VPN via the Internet 108, the remote network device 102 exchanges authentication information of the VPN client 120 with the network server device 104. For example, the remote network device 102 provides the network server device 104 with a user name and password of the VPN client 120, and this information may be mapped by the network server device 104 to a VPN address associated with the VPN client 120. This mapping, for example, may comprise a table or list of site nodes that are included in the VPN that the VPN client 120 is attempting to access. For example, the VPN client 120 may have access to some but not all of the site nodes 110(1)-110(n), and the VPN address management database 132 maintains a list of the site nodes that are accessible by certain VPN addresses. The network server device 104, for example, may store VPN address information of several VPN clients (hosted by the remote network device or other network devices) in the VPN address management database 132, and upon receiving the authentication information from the remote network device 102 that is associated with the VPN client 120, the VPN address management database 132 may instruct the gateway router/reverse proxy 130 to allow access to one or more allowable site nodes. In one example, the gateway router/reverse proxy 130 may provide access to a pre-configured list of site nodes in the VPN hosting site 116 or may be a general purpose router that provides unrestricted access to the site nodes. Thus, by exchanging authentication information with the network server device 104, the remote network device 102 is granted access to one or more of the site nodes 110(1)-110(n) that it is allowed to access in the VPN.
In an example implementation of the node-to-site VPN communications exchanged along a bidirectional transport channel, the remote network device 102 may be a web-enabled mobile phone (e.g., an iPhone™) in communication with a cellular network. The mobile phone has a mobile application that a user has previously downloaded. The application allows the user to access the remote-office applications (directory servers, application servers, etc.) over a connection with a public Wi-Fi™ hotspot or home Wi-Fi™ subscription. The user launches the application on the mobile phone (e.g., by pressing an icon representing the application on the screen of the mobile phone), and upon doing so, the mobile phone triggers an on-demand VPN feature. The mobile phone, thus, exchanges layer 7 communications via the WebSocket VPN tunnel 106 to establish a VPN connection with a WebSocket gateway using, e.g., a certificate-based authentication. Thus, the user of the mobile phone is able to access the remote-office applications.
Reference is now made to
As described above, the site-to-site topology in
Reference is now made to
The VPN hub 310 has a VPN management module 314 that is linked to a VPN management portal 316 that is used to appropriately configure the VPN hub 310. For example, the VPN hub 310 provides the necessary routing for “inner” intra-net packets (e.g., IP packets). Organizations may create and manage their own hub-and-spoke VPN with an intermediate service provider network acting as the hub. It should be appreciated that the node-to-site network 100 of
Reference is now made to
At reference numeral 406, the VPN client 120 hosted by the remote network device 102 sends a VPN access request message to the WebSocket endpoint 124 of the remote network device 102. The WebSocket endpoint 124 of the remote network device 102 sends the VPN access request message, at reference numeral 408, to the WebSocket endpoint 126 of the network server device 104. The message is sent, for example, over the communication link 106 described in connection with
At 418, the client application software 118 (e.g., a web browser or mobile application) sends layer 7 protocol frames to the VPN client 120. The VPN client 120, at 420, sends inner IP packets that encapsulate the layer 7 protocol frames to the TUN virtual network interface 122. At 422, the TUN virtual network interface 122 sends the inner IP packets to the WebSocket endpoint 124. The WebSocket endpoint 124 encapsulates the inner IP packets into WebSocket/TCP/IP outer packets at 424, and at 426 sends the encapsulated packets to the WebSocket endpoint 126 of the network server device 104. At 428, the WebSocket endpoint 126 de-encapsulates the WebSocket/TCP/IP packet and at 430 sends the inner IP packets to the TUN virtual network interface 128. The TUN virtual network interface 128 sends the inner IP packets to the gateway router/reverse proxy 130, which routes the packet at 434 to an application hosted by a site node 110 (e.g., one of the site nodes 110(1)-110(n) described in connection with
In response to receiving the inner IP packets, the site node 110 sends a response communication to the VPN client 120. To accomplish this, as shown in
Reference is made to
Reference is now made to
Reference is now made to
Reference is now made to
The memory 806 may comprise read only memory (ROM), random access memory (RAM), magnetic disk storage media devices, optical storage media devices, flash memory devices, electrical, optical, or other physical/tangible (non-transitory) memory storage devices. The memory 806 stores software instructions for the application layer packet exchange process logic 808. Additionally, the memory stores software instructions for the application software 118, VPN client 120, TUN virtual network interface 122 and WebSocket endpoint 124, as described above. Thus, in general, the memory 806 may comprise one or more computer readable storage media (e.g., a memory storage device) encoded with software comprising computer executable instructions and when the software is executed (e.g., by the processor 804) it is operable to perform the operations described for the application layer packet exchange process logic 808.
The application layer packet exchange process logic 808 may take any of a variety of forms, so as to be encoded in one or more tangible computer readable memory media or storage device for execution, such as fixed logic or programmable logic (e.g., software/computer instructions executed by a processor), and the processor 804 may be an ASIC that comprises fixed digital logic, or a combination thereof.
For example, the processor 804 may be embodied by digital logic gates in a fixed or programmable digital logic integrated circuit, which digital logic gates are configured to perform the application layer packet exchange process logic 808. In general, the application layer packet exchange process logic 808 may be embodied in one or more computer readable storage media encoded with software comprising computer executable instructions and when the software is executed operable to perform the operations described hereinafter.
Reference is now made to
It should be appreciated that the techniques described above in connection with all embodiments may be performed by one or more computer readable storage media that is encoded with software comprising computer executable instructions to perform the methods and steps described herein. For example, the operations performed by the remote network device 102 and the network server device 104 may be performed by one or more computer or machine readable storage media (non-transitory) or device executed by a processor and comprising software, hardware or a combination of software and hardware to perform the techniques described herein.
In summary, a method is provided comprising: at a source network device that hosts a virtual private network client, configuring the virtual private network client to interface with a bidirectional, full duplex transport channel configured to send and receive Open Systems Interconnection application layer data packets; and configuring the virtual private network client with a virtual network interface that operates to virtually link the virtual private network client with the transport channel.
In addition, one or more computer readable storage media is provided that is encoded with software comprising computer executable instructions and when the software is executed operable to: configure a virtual private network client to interface with a bidirectional, full duplex transport channel configured to send and receive Open Systems Interconnection application layer data packets; and configure the virtual private network client with a virtual network interface that operates to virtually link the virtual private network client with the transport channel.
Furthermore, an apparatus is provided comprising: a network interface unit; a memory; and a processor coupled to the network interface unit and the memory and configured to: configure a virtual private network client to interface with a bidirectional, full duplex transport channel configured to send and receive Open Systems Interconnection application layer data packets; and configure the virtual private network client with a virtual network interface that operates to virtually link the virtual private network client with the transport channel.
The above description is intended by way of example only. Various modifications and structural changes may be made therein without departing from the scope of the concepts described herein and within the scope and range of equivalents of the claims.
Number | Name | Date | Kind |
---|---|---|---|
8095786 | Kshirsagar | Jan 2012 | B1 |
8180901 | Bagepalli et al. | May 2012 | B2 |
8295306 | Bagepalli et al. | Oct 2012 | B2 |
20070150946 | Hanberger | Jun 2007 | A1 |
20090138962 | Nagy et al. | May 2009 | A1 |
20120066489 | Ozaki et al. | Mar 2012 | A1 |
20120278878 | Barkie et al. | Nov 2012 | A1 |
20130340067 | Lindteigen | Dec 2013 | A1 |
Entry |
---|
Doraswamy et al., IPSec—The New Security Standard for the Internet, Intranets, and Virtual Private Networks, Chapter 2, 2003, Prentice Hall, 2nd Edition, pp. 59-81. |
Fette et al., RFC 6455—The WebSocket Protocol, 2011. |
Number | Date | Country | |
---|---|---|---|
20140237585 A1 | Aug 2014 | US |