Facilitating a secure 3 party network session by a network device

US 10,027,761 B2
Filed: 09/18/2015
Issued: 07/17/2018
Est. Priority Date: 05/03/2013
Status: Active Grant

First Claim

Patent Images

1. A method for facilitating a three party transmission control protocol (TCP) connection by a network device that comprises a processor and a memory for storing executable instructions, wherein the processor executes the instructions to perform the method, comprising:

collecting, by the network device, application server information from an application server;

receiving, at the network device, a SYN packet from a client device over a network, the SYN packet comprising identifying information for the client device and a request to establish a TCP session with the application server;

based on the SYN packet received from the client device, determining, by the network device, that the client device is a trusted source for the network;

checking server load of the application server to determine if the SYN packet is to be accepted, wherein the checking the server load of the application server includes determining whether the application server is to;

decline to process the SYN packet oraccept the SYN packet and continue processing the SYN packet depending on the server load;

generating, by the network device, based on the application server information of the application server, information to authenticate the client device to the application server directly as the trusted source for the network;

transmitting, by the network device, a SYN/ACK packet to the client device, the SYN/ACK packet comprising the information to authenticate the client device to the application server directly as the trusted source for the network, wherein the network device comprises a translation layer to embed, into a header of the SYN/ACK packet, processing information needed for data packets from the client device to match with processing information needed for the application server to process the data packets from the client device; and

receiving information at the network device from the application server, the information relating to the TCP session established between the application server and the client device based on;

an acknowledgement (ACK) packet received at the application server from the client device, wherein the ACK packet includes the information to authenticate the client device to the application server as the trusted source for the network received by the client device in the SYN/ACK packet; and

retrieval, by the application server, of the application server information from the information to authenticate the client device received by the application server in the ACK packet from the client device.

View all claims

1 Assignment

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

Facilitation of secure network traffic over an application session by an application delivery controller is provided herein. In some examples, a network device receives a TCP SYN packet from a client device, to establish a TCP connection. The network device transmits a SYN/ACK packet to the client device, including a SYN cookie with identifying information to authenticate the client device to the application as a trusted source for the network. The client device then returns an ACK packet directly to the application server to establish the TCP connection.

492 Citations

19 Claims

1. A method for facilitating a three party transmission control protocol (TCP) connection by a network device that comprises a processor and a memory for storing executable instructions, wherein the processor executes the instructions to perform the method, comprising:
- collecting, by the network device, application server information from an application server;
  
  receiving, at the network device, a SYN packet from a client device over a network, the SYN packet comprising identifying information for the client device and a request to establish a TCP session with the application server;
  
  based on the SYN packet received from the client device, determining, by the network device, that the client device is a trusted source for the network;
  
  checking server load of the application server to determine if the SYN packet is to be accepted, wherein the checking the server load of the application server includes determining whether the application server is to;
  
  decline to process the SYN packet oraccept the SYN packet and continue processing the SYN packet depending on the server load;
  
  generating, by the network device, based on the application server information of the application server, information to authenticate the client device to the application server directly as the trusted source for the network;
  
  transmitting, by the network device, a SYN/ACK packet to the client device, the SYN/ACK packet comprising the information to authenticate the client device to the application server directly as the trusted source for the network, wherein the network device comprises a translation layer to embed, into a header of the SYN/ACK packet, processing information needed for data packets from the client device to match with processing information needed for the application server to process the data packets from the client device; and
  
  receiving information at the network device from the application server, the information relating to the TCP session established between the application server and the client device based on;
  
  an acknowledgement (ACK) packet received at the application server from the client device, wherein the ACK packet includes the information to authenticate the client device to the application server as the trusted source for the network received by the client device in the SYN/ACK packet; and
  
  retrieval, by the application server, of the application server information from the information to authenticate the client device received by the application server in the ACK packet from the client device.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10)
- - 2. The method of claim 1, the network device comprising an application delivery controller, firewall, network switch, network router, network computer, remote access server, or virtual private network (VPN) gateway.
  - 3. The method of claim 1, wherein the network device determines if the client device is the trusted source for the network further at least by:
    - extracting a destination network address from the SYN packet from the client device; and
      
      matching the extracted destination network address to a network address of the application server.
  - 4. The method of claim 3, wherein the network device determines that the client device is the trusted source for the network using the SYN packet received from the client device further at least by:
    - retrieving the application server information if the destination network address in the SYN packet matches the network address of the application server;
      
      generating a SYN cookie using TCP options in the application server information or pre-set TCP options;
      
      creating the SYN/ACK packet using the SYN cookie; and
      
      sending the SYN/ACK packet to the client device.
  - 5. The method of claim 4, the TCP options comprising a maximum segment size, a window scale, and a selective acknowledgement message, wherein the selective acknowledgement message is used for selective retransmission of individual data packets that were not received by the application server.
  - 6. The method of claim 1, the server load comprising CPU load, network module load, number of TCP sessions, application load, and an indication to accept or to decline SYN requests.
  - 7. The method of claim 1, further comprising receiving at the application server the ACK packet from the client device forwarded by the data network to the application server when a destination network address of the ACK packet matches the application server.
  - 8. The method of claim 1, further comprising receiving at the application server the ACK packet from the client device comprising:
    - forwarding the ACK packet by the network device when the network device receives the ACK packet; and
      
      matching a destination network address of the ACK packet to the application server.
  - 9. The method of claim 1, wherein the client device is authenticated to the application as the trusted source for the network by:
    - extracting a SYN cookie from the ACK packet if the ACK packet does not match any existing sessions in the application server, the SYN cookie generated by the network device and transmitted by the network device to the client device in the SYN/ACK packet; and
      
      verifying the client device based on at least one TCP option in the application server information in the SYN cookie.
  - 10. The method of claim 1, wherein the receiving information at the network device from the application server comprises receiving information about the server load of the application server.

11. A network gateway system, comprising:
- a plurality of processors;
  
  a memory communicatively coupled to the plurality of processors, the memory storing instructions executable by at least one of the plurality of processors to perform a method comprising;
  
  collecting, by a network device, application server information from an application server;
  
  receiving, at the network device, a SYN packet from a client device over a network, the SYN packet comprising identifying information for the client device and a request to establish a transmission control protocol (TCP) session with the application server;
  
  based on the SYN packet received from the client device, determining, by the network device, that the client device is a trusted source for the network;
  
  checking server load of the application server to determine if the SYN packet is to be accepted, wherein the checking the server load of the application server includes determining whether the application server is to;
  
  decline to process the SYN packet oraccept the SYN packet and continue processing the SYN packet depending on the server load;
  
  generating, by the network device, based on the application server information of the application server, information to authenticate the client device to the application server directly as the trusted source for the network;
  
  transmitting, by the network device, a SYN/ACK packet to the client device, the SYN/ACK packet comprising the information to authenticate the client device to the application server directly as the trusted source for the network, wherein the network device comprises a translation layer to embed, into a header of the SYN/ACK packet, processing information needed for data packets from the client device to match with processing information needed for the application server to process the data packets from the client device; and
  
  receiving information at the network device from the application server, the information relating to the TCP session established between the application server and the client device based on;
  
  an acknowledgement (ACK) packet received at the application server from the client device, wherein the ACK packet includes the information to authenticate the client device to the application server as the trusted source for the network received by the client device in the SYN/ACK packet; and
  
  retrieval, by the application server, of the application server information from the information to authenticate the client device received by the application server in the ACK packet from the client device.
- View Dependent Claims (12, 13, 14, 15, 16, 17, 18, 19)
- - 12. The system of claim 11, wherein the network device comprises an application delivery controller, firewall, network switch, network router, network computer, remote access server, or virtual private network (VPN) gateway.
  - 13. The system of claim 11, the network device determines if the client device is the trusted source for the network using the SYN packet further at least by:
    - extracting a destination network address from the SYN packet from the client device; and
      
      matching extracted destination network address to a network address of the application server.
  - 14. The system of claim 13, wherein the network device determines that the client device is the trusted source for the network using the SYN packet received from the client device further at least by:
    - retrieving the application server information if the destination network address in the SYN packet matches a network address of the application server;
      
      generating a SYN cookie using TCP options in the application server information or pre-set TCP options;
      
      creating the SYN/ACK packet using the SYN cookie; and
      
      sending the SYN/ACK packet to the client device.
  - 15. The system of claim 14, the TCP options comprising a maximum segment size, a window scale, and a selective acknowledgement message, wherein the selective acknowledgement message is used for selective retransmission of individual data packets that were not received by the application server.
  - 16. The system of claim 11, the server load comprising CPU load, network module load, number of TCP sessions, application load, and an indication to accept or to decline SYN requests.
  - 17. The system of claim 11, wherein the application server receives the ACK packet from the client device by the data network forwarding the ACK packet to the application server when a destination network address of the ACK packet matches the application server.
  - 18. The system of claim 11, wherein the application server receives the ACK packet from the client device by:
    - the network device forwarding the ACK packet to the application server when the network device receives the ACK packet from the client device; and
      
      matching a destination network address of the ACK packet to the application server.
  - 19. The system of claim 11, wherein the application server verifies the client device is authenticated as the trusted source for the network by:
    - extracting a SYN cookie from the ACK packet if the ACK packet does not match any existing sessions in the application server, the SYN cookie generated by the network device and transmitted by the network device to the client device in the SYN/ACK packet; and
      
      verifying the client device based on at least one TCP option in the application server information in the SYN cookie.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
A10 Networks Incorporated
Original Assignee
A10 Networks Incorporated
Inventors
Jalan, Rajkumar, Kamat, Gurudeep
Primary Examiner(s)
Book, Phyllis A

Application Number

US14/859,129
Publication Number

US 20160014126A1
Time in Patent Office

1,033 Days
Field of Search

None
US Class Current
CPC Class Codes

H04L 63/0892   by using authentication-aut...

H04L 63/1458   Denial of Service

H04L 63/1466   Active attacks involving in...

H04L 63/166   at the transport layer

H04L 67/141   Setup of application sessio...

Facilitating a secure 3 party network session by a network device

First Claim

1 Assignment

0 Petitions

Accused Products

Abstract

492 Citations

19 Claims

Specification

Use Cases

Quick Links

Others

Facilitating a secure 3 party network session by a network device

First Claim

1 Assignment

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

492 Citations

19 Claims

Specification

Subscription Required

Use Cases

Quick Links

Others