Apparatus and method of securing network communications

US 10,298,616 B2
Filed: 05/26/2016
Issued: 05/21/2019
Est. Priority Date: 05/26/2016
Status: Active Grant

First Claim

Patent Images

1. A method of securing session communications between a first network and a second network, the first network having a first encryption device configured to normally encrypt session communications between the first network and the second network, the method comprising:

initiating a given session of communication between the first network and the second network, wherein the given session is a stateful session, the stateful session ensuring that each session packet of the given session packets travels from the first network to the second network by following a given path, the given path including a particular set of nodes;

receiving, at the first network, given session packets of the given session between the first and second networks, the given session packets including an initial encrypted given session packet having protocol data relating to a given encryption protocol;

determining that at least one of the received given session packets is encrypted (“

encrypted given session packet”

), the given session involving a Layer 7 application that encrypted the at least one encrypted given session packet, wherein determining comprises reading the protocol data relating to the given encryption protocol in the initial encrypted given session packet;

overriding the normal encryption configuration to permit communication of the given session to the second network without further encrypting at least some of the encrypted given session packets; and

controlling, in response to determining, the first encryption device to permit communication of the given session with the second network without further encrypting a plurality of the encrypted given session packets.

View all claims

1 Assignment

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

An apparatus and/or method secures session communications between a first network (having a first encryption device configured to encrypt at least some session communications from the first network to the second network) and a second network. The apparatus and/or method receive, at the first network, given session packets of a given session between the first and second networks, and determine that at least one of the received given session packets is encrypted (“encrypted given session packet”). The given session involves a Layer 7 application that encrypted the at least one encrypted given session packet. Next, the apparatus and/or method controls, in response to determining that the given session packet is encrypted, the first encryption device to permit communication of the given session with the second network without further encrypting a plurality of the encrypted given session packets. Preferably, the first encryption device encrypts none of the given session packets.

74 Citations

19 Claims

1. A method of securing session communications between a first network and a second network, the first network having a first encryption device configured to normally encrypt session communications between the first network and the second network, the method comprising:
- initiating a given session of communication between the first network and the second network, wherein the given session is a stateful session, the stateful session ensuring that each session packet of the given session packets travels from the first network to the second network by following a given path, the given path including a particular set of nodes;
  
  receiving, at the first network, given session packets of the given session between the first and second networks, the given session packets including an initial encrypted given session packet having protocol data relating to a given encryption protocol;
  
  determining that at least one of the received given session packets is encrypted (“
  
  encrypted given session packet”
  
  ), the given session involving a Layer 7 application that encrypted the at least one encrypted given session packet, wherein determining comprises reading the protocol data relating to the given encryption protocol in the initial encrypted given session packet;
  
  overriding the normal encryption configuration to permit communication of the given session to the second network without further encrypting at least some of the encrypted given session packets; and
  
  controlling, in response to determining, the first encryption device to permit communication of the given session with the second network without further encrypting a plurality of the encrypted given session packets.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8)
- - 2. The method as defined by claim 1 wherein controlling the first encryption device comprises preventing double encryption of the at least one encrypted given session packet.
  - 3. The method as defined by claim 1 wherein the first encryption device comprises an edge router.
  - 4. The method as defined by claim 1 wherein the second network has a second encryption device to encrypt communication from the second network to the first network, the method further comprising:
    - in response to determining that at least one of the received session packets is encrypted, controlling the second encryption device to permit communication of the given session to the first network without further encrypting at least some of the encrypted given session packets.
  - 5. The method as defined by claim 1 wherein the encrypted given session packets comply with at least one of IPSec or Transport Layer Security.
  - 6. The method as defined by claim 1 wherein the encrypted given session packets have a header having encryption information, further wherein determining comprises:
    - locating and reading the encryption information in the header.
  - 7. The method as defined by claim 1 wherein the at least one encrypted given session packet was received from the second network.
  - 8. The method as defined by claim 1 wherein the Layer 7 application executes on at least one device in the first network.

9. An apparatus for securing session communications between a first network and a second network, the first network having a first encryption device configured to normally encrypt communications between the first network and the second network, the apparatus comprising:
- an interface for receiving from a Layer 7 application, at the first network, given session packets of a given session between the first and second networks, wherein the given session is a stateful session, the stateful session ensuring that each session packet of the given session packets travels from the first network to the second network by following a given path, the given path including a particular set of nodes, the encrypted given session packets comprising an initial encrypted given session packet having protocol data relating to the given encryption protocol;
  
  a parser operatively coupled with the interface, the parser being configured to determine, by reading the protocol data relating to the given encryption protocol in the initial encrypted given session packet, if at least one of the received given session packets is encrypted; and
  
  a controller operatively coupled with the parser, the controller being configured to override the normal encryption configuration to permit communication of the given session to the second network without further encrypting at least some of the encrypted given session packets, and the controller being configured to control, in response to the parser determining, the first encryption device to permit communication of the given session with the second network without further encrypting a plurality of the encrypted given session packets.
- View Dependent Claims (10, 11, 12, 13, 14)
- - 10. The apparatus as defined by claim 9 wherein the interface, parser, and controller are part of the first encryption device.
  - 11. The apparatus as defined by claim 9 wherein the first encryption device comprises an edge router.
  - 12. The apparatus as defined by claim 9 wherein the encrypted given session packets comply with at least one of IPSec or Transport Layer Security.
  - 13. The apparatus as defined by claim 9 wherein the received given session packets include a header, the parser being configured to determine if the header includes prescribed encryption information in the header.
  - 14. The apparatus as defined by claim 9 wherein the at least one encrypted given session packet was received from the second network.

15. A computer program product for use on a computer system for securing session communications between a first network and a second network, the first network having a first encryption device configured to normally encrypt communications between the first network and the second network, the computer program product comprising a tangible, non-transient computer usable medium having computer readable program code thereon, the computer readable program code comprising:
- program code for detecting initiation of a given communication session between the first network and the second network, the given session involving a Layer 7 application that encrypts an initial given session packet (“
  
  initial encrypted given session packet”
  
  ), wherein the given session is a stateful session, the stateful session ensuring that each session packet of the given session travels from the first network to the second network by following a given path, the given path including a particular set of nodes;
  
  program code for receiving the initial encrypted given session packet having protocol data relating to a given encryption protocol after detecting initiation;
  
  program code for determining, by reading the protocol data relating to the given encryption protocol in the initial encrypted given session packet, that the initial encrypted given session packet,program code for overriding the normal encryption configuration, to permit communication of the given session to the second network without further encrypting at least some of the encrypted given session packets; and
  
  program code for controlling, in response to determining, the first encryption device to permit communication of the given session with the second network without further encrypting a plurality of the encrypted given session packets.
- View Dependent Claims (16, 17, 18, 19)
- - 16. The computer program product as defined by claim 15 wherein the first encryption device comprises an edge router.
  - 17. The computer program product as defined by claim 15 wherein the second network has a second encryption device to encrypt communication from the second network to the first network, the computer program product further comprising:
    - program code for controlling, in response to determining that at least one of the received session packets is encrypted, the second encryption device to permit communication of the given session to the first network without further encrypting at least some of the encrypted given session packets.
  - 18. The computer program product as defined by claim 15 wherein the encrypted given session packets have a header with encryption information, further wherein the program code for determining comprises:
    - program code for locating and reading the encryption information in the header.
  - 19. The computer program product as defined by claim 15 wherein the at least one encrypted given session packet was received from the second network.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
128 Technology, Inc. (Juniper Networks Incorporated)
Original Assignee
128 Technology, Inc. (Juniper Networks Incorporated)
Inventors
Kumar, Prashant, MeLampy, Patrick J., Timmons, Patrick
Primary Examiner(s)
Mehrmanesh, Amir

Application Number

US15/165,211
Publication Number

US 20170346854A1
Time in Patent Office

1,090 Days
Field of Search

None
US Class Current
CPC Class Codes

H04L 63/0428   wherein the data content is...

H04L 63/164   at the network layer

H04L 63/166   at the transport layer

H04L 63/168   above the transport layer

H04W 12/02   Protecting privacy or anony...

Apparatus and method of securing network communications

First Claim

1 Assignment

0 Petitions

Accused Products

Abstract

74 Citations

19 Claims

Specification

Solutions

Use Cases

Quick Links

Apparatus and method of securing network communications

First Claim

1 Assignment

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

74 Citations

19 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links