Verification of server name in a proxy device for connection requests made using domain names

US 10,326,730 B2
Filed: 06/27/2016
Issued: 06/18/2019
Est. Priority Date: 06/27/2016
Status: Active Grant

First Claim

Patent Images

1. A method comprising:

obtaining, by a proxy device of an enterprise network, a domain name server query sent by a client located within the enterprise network to a domain name server located outside of the enterprise network;

obtaining, by the proxy device, a domain name server result sent by the domain name server in response to the domain name server query, the domain name server result including a domain name queried by the domain name server query and a corresponding first Internet Protocol (IP) address;

caching, by the proxy device, the domain name server result in a domain name cache;

obtaining, by the proxy device, a connection request message sent by the client seeking a connection with a server located outside of the enterprise network, the connection request message including a server name and a second IP address;

comparing, by the proxy device, the connection request message to the domain name server result to detect if the client within the enterprise network altered the server name of the connection request message in an attempt to deceive the proxy device to enable malicious network traffic to enter the enterprise network through the proxy device, wherein comparing includes determining, when the second IP address matches the first IP address, whether the server name matches the domain name; and

applying, by the proxy device, one or more policies to the connection request message based on whether or not the client altered the server name in the connection request message, the one or more policies including establishing a connection between the client and the server when the server name matches the domain name or disallowing the connection between the client and the server when the server name does not match the domain name.

View all claims

1 Assignment

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

Techniques are presented herein for a proxy device to verify that the server name listed in a connection request message is the name of the server at the IP address listed in the connection request message. The proxy device obtains a domain name server query sent by a client to a domain name server and then obtains a domain name server result that is sent by the domain name server. The proxy device may cache the data of the domain name server result. The proxy device may obtain a connection request message sent by the client seeking a connection with a server, and then compare the connection request message to the cached domain name server result. Finally, the proxy device may apply one or more policies to the connection request message based on the comparison between the connection request message and the domain name server result.

29 Citations

20 Claims

1. A method comprising:
- obtaining, by a proxy device of an enterprise network, a domain name server query sent by a client located within the enterprise network to a domain name server located outside of the enterprise network;
  
  obtaining, by the proxy device, a domain name server result sent by the domain name server in response to the domain name server query, the domain name server result including a domain name queried by the domain name server query and a corresponding first Internet Protocol (IP) address;
  
  caching, by the proxy device, the domain name server result in a domain name cache;
  
  obtaining, by the proxy device, a connection request message sent by the client seeking a connection with a server located outside of the enterprise network, the connection request message including a server name and a second IP address;
  
  comparing, by the proxy device, the connection request message to the domain name server result to detect if the client within the enterprise network altered the server name of the connection request message in an attempt to deceive the proxy device to enable malicious network traffic to enter the enterprise network through the proxy device, wherein comparing includes determining, when the second IP address matches the first IP address, whether the server name matches the domain name; and
  
  applying, by the proxy device, one or more policies to the connection request message based on whether or not the client altered the server name in the connection request message, the one or more policies including establishing a connection between the client and the server when the server name matches the domain name or disallowing the connection between the client and the server when the server name does not match the domain name.
- View Dependent Claims (2, 3, 4, 5, 6, 7)
- - 2. The method of claim 1, wherein the comparing is performed when the connection request message from the client is received within a predetermined time interval from which the domain name server query is received from the client.
  - 3. The method of claim 1, wherein the connection request message is a Transport Layer Security client hello message, and the comparing comprises comparing content of a server name identification field of the client hello message and destination address of the client hello message with the domain name server result.
  - 4. The method of claim 1, wherein the domain name cache is local to the proxy device, or is cloud-based.
  - 5. The method of claim 1, wherein the domain name server query includes the domain name and a third IP address, the third IP address being an IP address of the client within the enterprise network.
  - 6. The method of claim 5, wherein the domain name server result further includes the third IP address.
  - 7. The method of claim 1, further comprising:
    - verifying the domain name with a server side certificate received from the server when establishing the connection between the client and the server.

8. An apparatus comprising:
- a network interface unit configured to enable network communications;
  
  a memory; and
  
  a processor configured to;
  
  obtain a domain name server query sent by a client located within an enterprise network to a domain name server located outside of the enterprise network,obtain a domain name server result sent by the domain name server in response to the domain name server query, wherein the domain name server result includes a domain name queried by the domain name server query and a corresponding first Internet Protocol (IP) address,cache the domain name server result in a domain name cache,obtain a connection request message sent by the client seeking a connection with a server located outside of the enterprise network, the connection request message including a server name and a second IP address,compare the connection request message to the domain name server result to detect if the client within the enterprise network altered the server name of the connection request message in an attempt to deceive the apparatus to enable malicious network traffic to enter the enterprise network through the apparatus, wherein the compare includes determining, when the second IP address matches the first IP address, whether the server name matches the domain name, andapply one or more policies to the connection request message based on whether or not the client altered the server name in the connection request message, the one or more policies including establishing a connection between the client and the server when the server name matches the domain name or disallowing the connection between the client and the server when the server name does not match the domain name.
- View Dependent Claims (9, 10, 11, 12, 13, 14)
- - 9. The apparatus of claim 8, wherein the comparing is performed when the connection request message from the client is received within a predetermined time interval from which the domain name server query is received from the client.
  - 10. The apparatus of claim 8, wherein the connection request message is a Transport Layer Security client hello message, and the compare comprises comparing content of a server name identification field of the client hello message and destination address of the client hello message with the domain name server result.
  - 11. The apparatus of claim 8, wherein the domain name cache is local to the proxy device or is cloud-based.
  - 12. The apparatus of claim 8, wherein the domain name server query includes the domain name and a third IP address, the third IP address being an IP address of the client within the enterprise network.
  - 13. The apparatus of claim 12, wherein the domain name server result further includes the third IP address.
  - 14. The apparatus of claim 8, wherein the processor is further configured to:
    - verify the domain name with a server side certificate received from the server when establishing the connection between the client and the server.

15. One or more non-transitory computer readable storage media of a proxy server in communication with user devices of an enterprise network, the computer readable storage media being encoded with software comprising computer executable instructions, and when the software is executed, operable to:
- obtain a domain name server query sent by a client located within the enterprise network to a domain name server located outside of the enterprise network;
  
  obtain a domain name server result sent by the domain name server in response to the domain name server query, the domain name server result including a domain name queried by the domain name server query and a corresponding first Internet Protocol (IP) address;
  
  cache the domain name server result in a domain name cache;
  
  obtain a connection request message sent by the client seeking a connection with a server located outside of the enterprise network, the connection request message including a server name and a second IP address;
  
  compare the connection request message to the domain name server result to detect if the client within the enterprise network altered the server name of the connection request message in an attempt to deceive the proxy server to enable malicious network traffic to enter the enterprise network through the proxy server, wherein the compare includes determining, when the second IP address matches the first IP address, whether the server name matches the domain name; and
  
  apply one or more policies to the connection request message based on whether or not the client altered the server name in the connection request message, the one or more policies including establishing a connection between the client and the server when the server name matches the domain name or disallowing the connection between the client and the server when the server name does not match the domain name.
- View Dependent Claims (16, 17, 18, 19, 20)
- - 16. The computer readable storage media of claim 15, wherein the comparing is performed when the connection request message from the client is received within a predetermined time interval from which the domain name server query is received from the client.
  - 17. The computer readable storage media of claim 15, wherein the connection request message is a Transport Layer Security client hello message, and the compare comprises comparing content of a server name identification field of the client hello message and destination address of the client hello message with the domain name server result.
  - 18. The computer readable storage media of claim 15, wherein the domain name cache is local to the proxy device or is cloud-based.
  - 19. The computer readable storage media of claim 15, wherein the domain name server query includes the domain name and a third IP address, the third IP address being an IP address of the client within the enterprise network.
  - 20. The computer readable storage media of claim 19, wherein the domain name server result further includes the third IP address.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Cisco Technology, Inc. (Cisco Systems, Inc.)
Original Assignee
Cisco Technology, Inc. (Cisco Systems, Inc.)
Inventors
Gautam, Venkatesh N., Le, Meixing
Primary Examiner(s)
Wang, Liang Che A
Assistant Examiner(s)
Aguiar, Johnny B

Application Number

US15/193,863
Publication Number

US 20170374017A1
Time in Patent Office

1,086 Days
Field of Search

709213, 709219, 709224, 709225, 709229, 726 2, 726 22, 726 23
US Class Current
CPC Class Codes

H04L 2101/668   Internet protocol [IP] addr...

H04L 61/4511   using domain name system [DNS]

H04L 63/0281   Proxies

H04L 63/1466   Active attacks involving in...

H04L 67/02   based on web technology, e....

H04L 67/56   Provisioning of proxy servi...

H04L 67/561   Adding application-function...

H04L 67/568   Storing data temporarily at...

Verification of server name in a proxy device for connection requests made using domain names

First Claim

1 Assignment

0 Petitions

Accused Products

Abstract

29 Citations

20 Claims

Specification

Solutions

Use Cases

Quick Links

Verification of server name in a proxy device for connection requests made using domain names

First Claim

1 Assignment

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

29 Citations

20 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links