The prevent invention generally relates to network security. More specifically, the present invention relates to Virtual Private Networks and deep packet inspection.
Tunnel based VPN traffic has been limited to simple layer 3 and layer 4 security policy semantics. Previously, these semantics have not been capable of providing specific network resource level security policy founding layers 5 through 7 of the open systems interconnection (OSI) reference model. There is a need in the art for providing a more secure VPN connection.
A secure VPN connection is provided based on user identify and a hardware identifier. A client application on client device may establish a VPN connection with a VPN gateway using a request that includes user identification and an equipment identifier. The equipment identifier is an unmutable number that is retrieved from a hardware component of the client device. If the user identifier and hardware identifier are registered, the secure VPN connection is established. If the hardware identifier is not registered with the VPN gateway, the connection may be denied. In some instances, a connection may be established with an unregistered equipment ID based on VPN connection settings.
In an embodiment, a method for establishing a connection begins with receiving a client access request from a client. A client hardware identifier may be compared to a list of hardware identifiers. A level of access may be provided based on the hardware identifier.
In the seven layer Open Systems Interconnection (OSI) model of computer networking, several layers of encapsulation exist for a single packet. The layers include a first physical layer, a second data link layer, a third network layer, a fourth transport layer, a fifth session layer, a sixth presentation layer, and a seventh application layer. Hence, the model has layers of encapsulation within a single packet.
Embodiments of the present invention perform deep packet (layers 5-7) inspection on the data traveling through layer 3 VPN. The deep packet inspection through a VPN gateway is performed for the purposes of enforcing network resource access control policies. Such policies include but are not limited to URL level access control enforcement of web traffic and single sign on of specified web resources.
In some embodiments, the present invention extends the policy enforcement previously available for web proxy access methods and applies it to layer 3 packets flowing through VPN channels. With these extensions, a common security policy is possible that is enforceable between VPN proxied access and VPN tunneled access. This invention provides equivalent security policy to tunnel based VPN access without comprising the inherent performance, scalability and application compatibility advantages tunnel based VPNs have over their proxy based VPN counterparts.
Payload data of all packets flowing through a VPN tunnel are inspected. The present technology acts upon security policies including but limited to read only access, no access, and read/write access to network resources found embedded in the payload. The primary purpose of this invention is to enforce network resource security policy of all VPN tunnel traffic flowing through a VPN gateway device. URL access control is enforced within a layer 3 VPN. Single sign-on capabilities are applied to a web service which is transparently being applied to web transactions flowing through a layer 3 VPN.
Network 115 may be a public network, private network, WAN, LAN, intranet, the Internet, a cellular voice network, a cellular data network, and any combination of these networks. Network 115 may send and facilitate communication between client device 110 and VPN gateway server 120. In some embodiments, network 115 may include one or more wireless communication networks and components, such as a cellular, Wi-Fi, Bluetooth, or other wireless communication mechanism.
VPN gateway server 120 may communicate with network 115 and private network 125. VPN gateway server 120 may be implemented as a network server and/or application server which communicates with the Internet. Server 120 may process requests for a secure VPN request. For example, VPN gateway server 120 may receive and process VPN connection requests from client device 110.
Private network 125 may be an intranet or other private network, for example a private network maintained by a business. Computing devices 130, 135 and 140 may be accessible to client device 100 through a secure VPN connection established via VPN gateway server 120.
Data store 215 may be used to store and track the state of a VPN session. Information from data store 215 may be displayed in a management console to allow administrators to observe and manage the state of their VPN appliance.
Authentication data store 220 may contain equipment identifiers and may be accessed from policy server 210. Though data store 220 is illustrated as implemented within an appliance which implements gateway server 120, authentication data store 220 can also be implemented external to the appliance. The data stored in authentication data store 220 may include user identifiers, time stamps related to requests, operations and level of the access allowed for user identifiers, and other data. In some embodiments, a user identifier may be correlated such that a VPN connection requires a user identifier.
The present system may determine required application level information by “spoofing” or sending a requests and other information to an originator from a tunnel server and TCP splicing module at step 320. An access request is then sent with application information to a policy server at step 325. The session is then allowed or proxied based on the access request results at step 330. The session may be allowed up to the next application-level request, or proxied to either generate a user-facing service denial message or handle the entire stream for single sign-on purposes. In the event that parsing the application-level payload stream fails, then processing continues with a TCP/IP level access request as if the stream had not matched the scan list initially.
In some embodiments, when the application is handed off to the web proxy server, the connection identifier of the session used by the tunnel is passed along to the proxy server to allow the web proxy server to make policy server requests that return exactly the same results as those made by the tunnel server. In embodiments, the tunnel server may not destroy this connection identifier as the tunnel server will continue to use that identifier as well for the lifetime of the user's tunnel connection.
The components shown in
Mass storage device 430, which may be implemented with a magnetic disk drive or an optical disk drive, is a non-volatile storage device for storing data and instructions for use by processor unit 410. Mass storage device 430 can store the system software for implementing embodiments of the present invention for purposes of loading that software into main memory 410.
Portable storage device 440 operates in conjunction with a portable non-volatile storage medium, such as a floppy disk, compact disk or Digital video disc, to input and output data and code to and from the computer system 400 of
Input devices 460 provide a portion of a user interface. Input devices 460 may include an alpha-numeric keypad, such as a keyboard, for inputting alpha-numeric and other information, or a pointing device, such as a mouse, a trackball, stylus, or cursor direction keys. Additionally, the system 400 as shown in
Display system 470 may include a liquid crystal display (LCD) or other suitable display device. Display system 470 receives textual and graphical information, and processes the information for output to the display device.
Peripherals 480 may include any type of computer support device to add additional functionality to the computer system. For example, peripheral device(s) 480 may include a modem or a router.
The components contained in the computer system 400 of
The foregoing detailed description of the technology herein has been presented for purposes of illustration and description. It is not intended to be exhaustive or to limit the technology to the precise form disclosed. Many modifications and variations are possible in light of the above teaching. The described embodiments were chosen in order to best explain the principles of the technology and its practical application to thereby enable others skilled in the art to best utilize the technology in various embodiments and with various modifications as are suited to the particular use contemplated. It is intended that the scope of the technology be defined by the claims appended hereto.
This application is a continuation and claims the priority benefit of U.S. patent application Ser. No. 13/773,475 filed Feb. 21, 2013, which claims the priority benefit of U.S. provisional patent application 61/601,318 filed Feb. 21, 2012, the disclosures of which are incorporated herein by reference.
Number | Name | Date | Kind |
---|---|---|---|
5414833 | Hershey et al. | May 1995 | A |
5796942 | Esben | Aug 1998 | A |
5945933 | Kalkstein | Aug 1999 | A |
6088803 | Tso et al. | Jul 2000 | A |
6108782 | Fletcher et al. | Aug 2000 | A |
6119236 | Shipley | Sep 2000 | A |
6178448 | Gray et al. | Jan 2001 | B1 |
6219706 | Fan et al. | Apr 2001 | B1 |
6449723 | Elgressy et al. | Sep 2002 | B1 |
6789203 | Belissent | Sep 2004 | B1 |
6851061 | Holland et al. | Feb 2005 | B1 |
7058821 | Parekh et al. | Jun 2006 | B1 |
7134143 | Stellenberg et al. | Nov 2006 | B2 |
7152164 | Loukas | Dec 2006 | B1 |
7185368 | Copeland | Feb 2007 | B2 |
7304996 | Swenson et al. | Dec 2007 | B1 |
7849502 | Bloch et al. | Dec 2010 | B1 |
7881199 | Krstulich | Feb 2011 | B2 |
8189468 | Bugenhagen | May 2012 | B2 |
8339959 | Moisand | Dec 2012 | B1 |
9191327 | Shieh | Nov 2015 | B2 |
10432587 | Work | Sep 2019 | B2 |
20040165588 | Pandya | Aug 2004 | A1 |
20050185647 | Rao | Aug 2005 | A1 |
20060120374 | Yoshimoto | Jun 2006 | A1 |
20060229896 | Rosen | Oct 2006 | A1 |
20070153798 | Krsstulich | Jul 2007 | A1 |
20090254967 | J. | Oct 2009 | A1 |
20100037311 | He et al. | Feb 2010 | A1 |
20100223458 | McGrew | Sep 2010 | A1 |
20110286466 | Ge | Nov 2011 | A1 |
20120005476 | Wei et al. | Jan 2012 | A1 |
20120036244 | Ramachandra | Feb 2012 | A1 |
20120096548 | Riordan | Apr 2012 | A1 |
20120144019 | Zhu et al. | Jun 2012 | A1 |
20120173694 | Yan | Jul 2012 | A1 |
20130014246 | Larson | Jan 2013 | A1 |
20130219486 | Work | Aug 2013 | A1 |
20200106747 | Work | Apr 2020 | A1 |
Number | Date | Country |
---|---|---|
1972096 | Dec 2006 | EP |
2007082 | Jun 2007 | EP |
1853013 | Nov 2007 | EP |
2225663 | Nov 2008 | EP |
2568730 | Dec 2010 | EP |
Entry |
---|
Cascarano, N., Ciminiera, L., & Risso, F. (2011). Optimizing deep packet inspection for high-speed traffic analysis. Journal of Network and Systems Management, 19(1), 7-31. doi:http://dx.doi.org/10.1007/s10922-010-9181-x (Year: 2011). |
U.S. Appl. No. 13/773,475; Final Office Action dated Apr. 16, 2015. |
U.S. Appl. No. 13/773,475; Office Action dated Oct. 2, 2014. |
U.S. Appl. No. 13/773,475; Final Office Action dated Jun. 16, 2014. |
U.S. Appl. No. 13/773,475; Office Action dated Mar. 14, 2014. |
Number | Date | Country | |
---|---|---|---|
20200106747 A1 | Apr 2020 | US |
Number | Date | Country | |
---|---|---|---|
61601318 | Feb 2012 | US |
Number | Date | Country | |
---|---|---|---|
Parent | 13773475 | Feb 2013 | US |
Child | 16590253 | US |