The present disclosure relates generally to virtual private networks and, more particularly (although not necessarily exclusively), to implementing zero trust support for secure networks via a modified virtual private network.
A Virtual Private Network (VPN) can be used to establish a secure connection between a computing device and a private network. The computing device may be required to authenticate with the VPN, using a VPN client, to access the private network. The VPN client can be a software application running on the computing device that can facilitate communication between the computing device and a VPN server. The VPN can enable the computing device to send and receive data across public networks as if the computing device was directly connected to the private network by rerouting the data through the VPN server. After being rerouted, the data can appear to come from the VPN server rather than the computing device, thereby creating the secure connection. Additionally, the data can be encrypted to further improve the secure connection.
A virtual private network (VPN) can be used to control client device access to a network. For instance, after the client device has accessed the network via the VPN, connection to the VPN can automatically authorize the client device to access all resources (e.g., software applications) on the network. Therefore, in the case of a security breach of the VPN by a malicious entity, the malicious entity can move laterally within the network (i.e., access all or most of the software applications on the network accessible via the VPN). In contrast, Zero Trust is a framework for securing network architecture in which implicit trust of client devices can be limited. For example, implicit trust can be limited by requiring frequent verification of the client devices before and during a timeframe in which the client devices are accessing software applications. Thus, in the case of a security breach by a malicious entity, implementation of Zero Trust can limit lateral movement of the malicious entity within the network. However, the implementation of Zero Trust may require expensive modification of software applications. The software applications may be limited or prevented from executing normal tasks, such as storing data, while the software applications are being modified. This may increase latency or otherwise negatively impact the functioning of the network. Additionally, modification of the software applications can cause loss or corruption of data. It may also be difficult or impossible to modify certain applications to implement zero trust. For example, legacy applications can be difficult or impossible to modify due to being built on outdated operating systems or outdated hardware platforms. Therefore, there can be a need to improve security for network resources without requiring modification of the resources.
Some examples of the present disclosure can overcome one or more of the abovementioned problems via a modified VPN that can implement zero trust support for a computing environment. For example, the VPN can be controlling access between a client device and a set of software applications operating in the computing environment. A VPN client operating on the client device can provide a connection tunnel for each software application in the set of software applications. The client device can, via each connection tunnel, be permitted to access only a corresponding software application. In this way, zero trust support can be implemented to secure the computing environment. The zero trust support can include the modified VPN providing minimal trust for the client device during access to the computing environment. For example, frequent verification of the client device can be performed by requiring the client device to provide authentication credentials to the VPN server to establish each connection tunnel prior to accessing a software application. Additionally, in the case of a security breach by a malicious entity to one of the connection tunnels, the locked connection tunnels can limit lateral movement of the malicious entity in the computing environment. The malicious entity may only be able to access the single software application connected via its connection tunnel. The VPN server may block the malicious entity from accessing all other software applications in the computing environment. Moreover, modifying the VPN to lock connection tunnels can reduce latency for the computing environment by providing an alternative to performing time consuming and computationally expensive modifications on the set of software applications. The modification of the VPN to improve security can also prevent loss of data, corruption of data, or other undesirable effects of modifying the software applications.
In a particular example, a VPN server can control access to a private network, such as an intranet, on which multiple software applications are executing. The software applications can be protected by a firewall. The VPN server can control access to the private network by allowing or denying access for client devices attempting to pass through the firewall. The client devices may include a VPN client that can communicate with the VPN server. For example, the VPN server may receive a first access request from a VPN client for a database in the private network. The database can be protected by the firewall. The first access request can include a username and password for authenticating the client device. The VPN server can authenticate the first access request by determining that the username and password are valid authorization credentials. In response, the VPN server can allow the VPN client to establish a first connection tunnel between the client device and the database. The first connection tunnel can enable the client device to bypass the firewall and access the database.
The VPN server can further restrict access for the client device to prevent the client device from accessing other software applications via the first connection tunnel. For example, the VPN server may deny a second access request for a second software application, such as a word processing application, transmitted by the VPN client via the first connection tunnel. The VPN server may further determine that the word processing application requires an additional authentication mechanism that was not required by the database. For example, access to the word processing application can require a one-time password (OTP). The VPN server may determine that the additional authentication mechanism is required based on an active directory. The active directory can contain important information associated with the private network, such as authentication requirements for each of the multiple software applications. Thus, the VPN server can determine that the OTP is required for the word processing application based on the information in the active directory and transmit an authentication request to the VPN client for the OTP.
In response to the authentication request, the VPN client can transmit a third access request to the VPN server that includes the OTP. The VPN server can authenticate the third access request based on the OTP. The VPN server can further authorize the VPN client to establish a second connection tunnel between the client device and the word processing application, through which the client device can access the word processing application. Consequently, in the particular example, the VPN server can provide two connection tunnels to provide separate, secure access to two of the multiple software applications. Each connection tunnel may only provide access to its particular software application. The VPN server may allow additional connection tunnels to be provided in response to subsequent access requests transmitted by the VPN client for the remainder of the multiple software applications.
Illustrative examples are given to introduce the reader to the general subject matter discussed herein and are not intended to limit the scope of the disclosed concepts. The following sections describe various additional features and examples with reference to the drawings in which like numerals indicate like elements, and directional descriptions are used to describe the illustrative aspects, but, like the illustrative aspects, should not be used to limit the present disclosure.
In an example, the VPN server 102 can receive a first access request 112a for a first software application 106a from the VPN client 104. The VPN client 104 can transmit the first access request 112a on behalf of the client device 105. The first access request 112a can include authentication credentials, such as a username and password, for the VPN server 102. The VPN server 102 can authenticate the first access request 112a based on the authentication credentials.
For example, the VPN server 102 can be communicatively coupled to or can include an active directory 120. The active directory 120 may include sets of authentication credentials 122a-b that can be used to authenticate with the VPN server 102, with connection tunnels 110a-b, with the software applications 106a-b, or a combination thereof. Therefore, the VPN server 102 may authenticate the first access request 112a by accessing the active directory 120. Then, the VPN server 102 may verify that the authentication credentials received from the VPN client 104 in the first access request 112a are included in a first set of authentication credentials 122a. The first set of authentication credentials 122a may be authentication credentials that the client device 105 can use to authenticate with the VPN server 102 for access to the first software application 106a.
As a result of the authentication, the VPN server 102 can authorize the VPN client 104 to generate a first connection tunnel 110a between the client device 105 and the first software application 106a. Alternatively, the VPN server 102 may generate the first connection tunnel 110a. The client device 105 can use the first connection tunnel 110a to access the first software application 106a. For example, the client device 105 can bypass the firewall 108 via the first connection tunnel 110a to transmit data packets, requests, or more to the first software application 106a.
The VPN server 102 can also restrict access for the client device 105 with respect to the first connection tunnel 110a. For example, the VPN server 102 may prevent the client device 105 from accessing other applications 106, such as a second software application 106b, via the first connection tunnel 110a. Therefore, the VPN server 102 may deny a second access request 112b for the second software application 106b transmitted by the VPN client 104 on behalf of the client device 105 via the first connection tunnel 110a. In another example, the VPN server 102 may deny an access request for the first software application 106a if the access request was not transmitted via the first connection tunnel 110a.
After denying the second access request 112b, the VPN server 102 may determine that access to the second software application 106b requires different or additional authentication credentials compared to the first software application 106a. For example, the second software application 106b may have higher security requirements than the first software application and therefore can require multi-factor authentication (e.g., the username and password and a one-time password (OTP)). In another example, the second software application 106b can require different authentication credentials, such as a second username and password that can be specific to the second software application 106b.
In some examples, the VPN server 102 may access the active directory 120 to determine which authentication credentials are required for the second software application 106b. The VPN server 102 can then transmit an indication of the required authentication credentials to the client device 105. For example, a second set of authentication credentials 122b in the active directory 120 may indicate that after access to the VPN server 102 is established, access to the second software application 106b can require the second username and password. As a result, the VPN server 102 may transmit a first authentication request 114a to the VPN client 104. The first authentication request 114a can prompt a user of the client device 105 to transmit another access request with the second username and password via the VPN client 104.
In response, the VPN client 104 can transmit a third access request 112c for the second software application 106b that includes the second username and password. The VPN server 102 can authenticate the third access request 112c based on the second username and password. After authentication, the VPN client 104 can provide a second connection tunnel 110b between the client device 105 and the second software application 106b. The VPN server 102 can permit the client device 105 to access the second software application 106b through the second connection tunnel 110b. The VPN server 102 can further restrict access for the client device 105 to other software applications, such as to the first software application 106a, from the second connection tunnel 110b.
For example, the VPN server 102 may deny a fourth access request 112d for the first software application 106a received from the VPN client 104 via the second connection tunnel 110b. The VPN server 102 may then transmit a second authentication request 114b to the VPN client 104 in response to the fourth access request 112d. In an example, the second authentication request 114b may cause the VPN client 104 to automatically retransmit authentication credentials for the first software application 106a included in the fourth access request 112d via the first connection tunnel 110a. In another example, the second authentication request 114b can notify the user of the denial. The second authentication request 114b may prompt the user to transmit another access request for the first software application 106a to the VPN server 102 via the VPN client 104.
In some examples, the active directory 120 can include a mapping 118 that associates software applications 106 accessible via the VPN server 102 to connection tunnels 110 through which the software applications 106 can be accessed. Each connection tunnel 110 can be associated with one or more of the software applications 106. In an example, the VPN server 102 may provide one connection tunnel for a set of software applications that can be accessed using certain authentication credentials or that have the same or similar security requirements. Additionally, the VPN server 102 can update the active directory 120 when connection tunnels are established or changed. For example, the VPN server 102 can update the active directory 120 to include the first connection tunnel 110a by mapping the first software application 106a to the first connection tunnel 110a and to include the second connection tunnel 110b by mapping the second software application 106b to the second connection tunnel 110b.
Therefore, the active directory 120 can be used to track and manage access to software applications via connection tunnels, and in doing so, can improve the efficiency of the VPN server 102 in providing access for the client device 105 to the computing environment 103. For example, the VPN server 102 may detect that a particular software application is not accessible via a particular connection tunnel based on the mapping 118 provided by the active directory 120. In another example, the VPN server 102 may detect that authentication credentials included in an access request cannot be used to access a particular software application based on the sets of authentication credentials 122a-b provided by the active directory 120.
In some examples, the VPN server 102 may generate, based on authentication credentials included in an access request, a token 116 for the client device 105. The token 116 can be used by the client device 105 to access a set of connection tunnels 124. The set of connection tunnels 124 may be associated with a set of software applications 126 that each have the same or similar security requirements or authentication requirements. Once the client device 105 has been authorized to access one of the software applications in the set of software applications 126 via one of the set of connection tunnels 124, the VPN server 102 may grant the token 116 to the client device 105. The token 116 can indicate to the VPN server 102 that the client device 105 is authorized to access any of the software applications in the set of software applications 126 using their associated connection tunnel in the set of connection tunnels 124. This can reduce the number of times that the VPN client 104 transmits authentication credentials and establishes connection tunnels 110, which can reduce latency associated with accessing the computing environment 103.
Although
The processor 203 can include one processor or multiple processors. Non-limiting examples of the processor 203 include a Field-Programmable Gate Array (FPGA), an application-specific integrated circuit (ASIC), and a microprocessor. The processor 203 can execute instructions 207 stored in the memory 205 to perform operations. In some examples, the instructions 207 can include processor-specific instructions generated by a compiler or an interpreter from code written in any suitable computer-programming language, such as C, C++, C#, Java, Python, or any combination of these.
The memory 205 can include one memory device or multiple memory devices. The memory 205 can be non-volatile and may include any type of memory device that retains stored information when powered off. Non-limiting examples of the memory 205 include electrically erasable and programmable read-only memory (EEPROM), flash memory, or any other type of non-volatile memory. At least some of the memory 205 includes a non-transitory computer-readable medium from which the processor 203 can read instructions 207. A computer-readable medium can include electronic, optical, magnetic, or other storage devices capable of providing the processor 203 with the instructions 207 or other program code. Non-limiting examples of a computer-readable medium include magnetic disk(s), memory chip(s), ROM, random-access memory (RAM), an ASIC, a configured processor, and optical storage.
The processor 203 can execute instructions 207 to cause the processor 203 to receive, from a Virtual Private Network (VPN) client 204 executing on a client device 201, a first access request 208a for a first software application 212a in a computing environment that is accessible via a VPN server 202. The first access request 208a can include authentication credentials 210 for the VPN server 202. The processor 203 can further authenticate the first access request 208a based on the authentication credentials 210. The processor 203 can provide a first connection tunnel 214 between the client device 201 and the first software application 212a. The client device 201 can be configured to access the first software application 212a via the first connection tunnel 214. In response to providing the first connection tunnel 214, the processor 203 can further deny a second access request 208b for a second software application 212b in the computing environment. The second access request 208b can be received from the VPN client 204 via the first connection tunnel 214, and the second software application 212b can be accessible via the VPN server 202.
At block 302, the processor 203 can receive, from a VPN client 104 executing on a client device 105, a first access request 112a for a first software application 106a accessible via a VPN server 102, the first access request 112a comprising authentication credentials for the VPN server 102. The first software application 106a and a second software application 106b can be executing in a computing environment 103. In an example, the first software application 106a can be a legacy application and the authentication credentials can include a username and password. The legacy application can be a relatively old software application that was created based on outdated technology. Because the legacy application is outdated, it may be difficult or impossible to modify the legacy application for implementing Zero Trust to secure the computing environment 103. For example, modifying the legacy application may require extensive updates to the computing environment 103, such as updates to an operating system associated with the computing environment 103. Therefore, implementing the zero trust support via modification of the VPN can be a more efficient technique for securing the computing environment 103.
At block 304, the processor 203 can authenticate the first access request 112a based on the authentication credentials. To authenticate the first access request 112a, the processor 203 may access an active directory 120 that contains important information associated with the computing environment 103, such as authentication credentials that can be used to access the first software application 106a. The processor 203 may verify, based on the active directory 120, that the authentication credentials in the first access request 112a can be used for accessing the first software application 106a.
At block 306, the processor 203 can, in response to authenticating the first access request 112a, provide a first connection tunnel 110a between the client device 105 and the first software application 106a. The client device 105 can then access the first software application 106a via the first connection tunnel 110a. The processor 203 can also restrict access such that the first connection tunnel 110a may only be used to access the first software application 106a. Therefore, a second software application 106b, which can be a second legacy application included in the computing environment 103, may not be accessible using the first connection tunnel 110a. Additionally, by providing the first connection tunnel 110a and restricting access, security of the first software application 106a can be improved by modifying the VPN rather than modifying the first software application 106a.
Additionally, after verification of the authentication credentials and upon providing the first connection tunnel 110a, the processor 203 may generate a token 116. The token 116 can be used to access a set of connection tunnels 124 that may include the first connection tunnel 110a and a third connection tunnel. The third connection tunnel can be associated with a third software application that has the same or similar authentication requirements as the first software application 106a.
At block 308, the processor 203 can, in response to providing the first connection tunnel 110a, deny a second access request 112b for a second software application 106b received from the client device 105 via the first connection tunnel 110a, the second software application 106b being accessible via the VPN server 102. The second access request 112b can include the token 116. The second access request 112b can be denied because the second software application 106b is not associated with the first or third connection tunnels. The second access request 112b can also be denied because of the restriction of the first connection tunnel 110a that prevents the client device 105 from accessing the second software application 106b from the first connection tunnel 110a.
The processor 203 may further determine that access to the second software application 106b requires additional authentication compared to the first software application 106a. For example, the second software application 106b may require an OTP in addition to the username and password. As a result, the processor 203 can transmit a first authentication request 114a to the VPN client 104 for the OTP. Then, the VPN client 104 can transmit a third access request 112c for the second software application 106b that includes the OTP. The processor 203 can authenticate the third access request 112c based on the OTP. After authentication, the processor 203 can provide a second connection tunnel 110b between the client device 105 and the second software application 106b through which the client device 105 can access the second software application 106b. Moreover, in response to providing the second connection tunnel 110b, the processor 203 may deny a fourth access request 112d for the first software application 106a received from the VPN client 104 via the second connection tunnel 110b.
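The following is an added illustration, not code from the disclosure, modelling the access-control decisions described in the particular example above (database, word processing application, OTP) and in blocks 302 through 308: one connection tunnel per software application, denial of any access request that arrives through a tunnel mapped to a different application, an authentication request that names the additional credentials the target application requires, and a token that opens further tunnels for applications with the same authentication requirements. The class and status names (VpnServer, Response, "DENIED", "AUTH_REQUIRED"), the directory contents, the token-group name and all credential values are constructed assumptions for the example; the transport of the tunnels themselves is out of scope and is represented only by the tunnel-to-application mapping.

```python
"""Toy policy model of the per-application tunnel VPN server (added example)."""
from dataclasses import dataclass
from typing import Dict, Optional, Set, Tuple
import secrets

# Constructed stand-in for the "active directory" (sets of authentication
# credentials 122a-b): the credentials each application accepts.  An "otp"
# of None means the application does not require a one-time password.
DIRECTORY: Dict[str, Dict[str, Optional[str]]] = {
    "database": {"username": "alice", "password": "s3cret", "otp": None},
    "wordproc": {"username": "alice", "password": "s3cret", "otp": "246810"},
    "wiki":     {"username": "alice", "password": "s3cret", "otp": None},
}

# Applications with the same authentication requirements share one token
# (the set of software applications 126 / set of connection tunnels 124).
TOKEN_GROUPS: Dict[str, Set[str]] = {"password-only": {"database", "wiki"}}


@dataclass
class Response:
    status: str                       # "OK", "DENIED", "AUTH_REQUIRED", "AUTH_FAILED"
    tunnel_id: Optional[str] = None   # tunnel the client may use for the application
    token: Optional[str] = None       # token granting tunnels for a whole group
    required: Tuple[str, ...] = ()    # credentials the target application still needs


class VpnServer:
    def __init__(self, directory, token_groups):
        self.directory = directory
        self.token_groups = token_groups
        self.tunnels: Dict[str, str] = {}   # tunnel_id -> application (the mapping 118)
        self.tokens: Dict[str, str] = {}    # token -> token group name

    def _required(self, app: str) -> Tuple[str, ...]:
        """Which credentials the directory says this application needs."""
        extra = ("otp",) if self.directory[app]["otp"] is not None else ()
        return ("username", "password") + extra

    def _open_tunnel(self, app: str) -> str:
        """Provide a new tunnel bound to exactly one application and record it."""
        tunnel_id = "tun-" + secrets.token_hex(4)
        self.tunnels[tunnel_id] = app
        return tunnel_id

    def access_request(self, app: str, creds=None, via_tunnel=None, token=None) -> Response:
        creds = creds or {}
        if app not in self.directory:
            return Response("DENIED")
        # A request arriving through an existing tunnel may only target that
        # tunnel's own application.  Anything else is denied, and the reply
        # doubles as the authentication request naming what the target needs.
        if via_tunnel is not None:
            if self.tunnels.get(via_tunnel) == app:
                return Response("OK", tunnel_id=via_tunnel)
            return Response("DENIED", required=self._required(app))
        # A token opens any tunnel in its group without re-sending credentials.
        group = self.token_groups.get(self.tokens.get(token, ""), set())
        if token is not None and app in group:
            return Response("OK", tunnel_id=self._open_tunnel(app), token=token)
        # Otherwise every credential the application requires must be present
        # (missing ones trigger an authentication request) and must be valid.
        required = self._required(app)
        missing = tuple(k for k in required if k not in creds)
        if missing:
            return Response("AUTH_REQUIRED", required=missing)
        if any(creds[k] != self.directory[app][k] for k in required):
            return Response("AUTH_FAILED", required=required)
        tunnel_id = self._open_tunnel(app)
        new_token = None
        for name, members in self.token_groups.items():
            if app in members:               # grant a token for the whole group
                new_token = secrets.token_hex(8)
                self.tokens[new_token] = name
        return Response("OK", tunnel_id=tunnel_id, token=new_token)


def walkthrough() -> list:
    """Replay the disclosure's sequence of access requests; returns the statuses."""
    srv = VpnServer(DIRECTORY, TOKEN_GROUPS)
    pw = {"username": "alice", "password": "s3cret"}
    r1 = srv.access_request("database", pw)                              # first tunnel
    r2 = srv.access_request("wordproc", pw, via_tunnel=r1.tunnel_id)     # lateral move denied
    r3 = srv.access_request("wordproc", pw)                              # OTP requested
    r4 = srv.access_request("wordproc", {**pw, "otp": "246810"})         # second tunnel
    r5 = srv.access_request("database", pw, via_tunnel=r4.tunnel_id)     # denied the other way
    r6 = srv.access_request("wiki", token=r1.token)                      # token reuse
    return [r.status for r in (r1, r2, r3, r4, r5, r6)]


if __name__ == "__main__":
    print(walkthrough())
```

The point of the model is the order of the checks: the tunnel restriction is evaluated before the token or the credentials, so even a client that holds a valid token for a group cannot reach a group member through a tunnel bound to a different application, which matches the reasoning given for denying the second access request at block 308.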
The foregoing description of certain examples, including illustrated examples, has been presented only for the purpose of illustration and description and is not intended to be exhaustive or to limit the disclosure to the precise forms disclosed. Numerous modifications, adaptations, and uses thereof will be apparent to those skilled in the art without departing from the scope of the disclosure.