Verification of server name in a proxy device for connection requests made using domain names
First Claim
1. A method comprising:
obtaining, by a proxy device of an enterprise network, a domain name server query sent by a client located within the enterprise network to a domain name server located outside of the enterprise network;
obtaining, by the proxy device, a domain name server result sent by the domain name server in response to the domain name server query, the domain name server result including a domain name queried by the domain name server query and a corresponding first Internet Protocol (IP) address;
caching, by the proxy device, the domain name server result in a domain name cache;
obtaining, by the proxy device, a connection request message sent by the client seeking a connection with a server located outside of the enterprise network, the connection request message including a server name and a second IP address;
comparing, by the proxy device, the connection request message to the domain name server result to detect if the client within the enterprise network altered the server name of the connection request message in an attempt to deceive the proxy device to enable malicious network traffic to enter the enterprise network through the proxy device, wherein comparing includes determining, when the second IP address matches the first IP address, whether the server name matches the domain name; and
applying, by the proxy device, one or more policies to the connection request message based on whether or not the client altered the server name in the connection request message, the one or more policies including establishing a connection between the client and the server when the server name matches the domain name or disallowing the connection between the client and the server when the server name does not match the domain name.
1 Assignment
0 Petitions
Abstract
Techniques are presented herein for a proxy device to verify that the server name listed in a connection request message is the name of the server at the IP address listed in the connection request message. The proxy device obtains a domain name server query sent by a client to a domain name server and then obtains a domain name server result that is sent by the domain name server. The proxy device may cache the data of the domain name server result. The proxy device may obtain a connection request message sent by the client seeking a connection with a server, and then compare the connection request message to the cached domain name server result. Finally, the proxy device may apply one or more policies to the connection request message based on the comparison between the connection request message and the domain name server result.
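The check described in the abstract and in claim 1, as an added worked example that is not code from the patent or its assignee: a hypothetical proxy records the A/AAAA answers its clients receive, keyed by IP so that several names sharing one address (CDNs, virtual hosting) are all accepted, then tests whether the server name in a later connection request (CONNECT host or TLS SNI) is one of the names that actually resolved to the request's destination IP. The record format, the TTL-based expiry, the fail-closed handling of an IP with no observed DNS answer, and all names, addresses and log lines are assumptions made for this example; the claim itself only specifies what happens when the request IP matches a cached IP.

```python
import ipaddress
import re
from dataclasses import dataclass, field

# Added example, not the patent's code. Resource records are accepted in a
# zone-file style line format, which is an assumption of this example.
_RR = re.compile(r"^(?P<name>\S+)\s+(?P<ttl>\d+)\s+IN\s+(?P<type>A|AAAA)\s+(?P<rdata>\S+)$")


def norm_name(name: str) -> str:
    """Compare names case-insensitively and without a trailing dot."""
    return name.rstrip(".").lower()


def norm_ip(text: str) -> str:
    """Canonical form, so '2001:DB8::1' and '2001:db8:0::1' compare equal."""
    return str(ipaddress.ip_address(text))


@dataclass
class DnsCache:
    # ip -> {name -> absolute expiry}. Keyed by IP because the comparison in
    # the claim starts from the IP in the connection request; a set of names
    # per IP allows for many names legitimately sharing one address.
    by_ip: dict = field(default_factory=dict)

    def record(self, name: str, ip: str, ttl: int, now: float) -> None:
        self.by_ip.setdefault(norm_ip(ip), {})[norm_name(name)] = now + ttl

    def ingest_answer(self, line: str, now: float) -> bool:
        """Parse one A/AAAA record from an observed DNS answer; False if unparseable."""
        m = _RR.match(line.strip())
        if not m:
            return False
        self.record(m["name"], m["rdata"], int(m["ttl"]), now)
        return True

    def names_for(self, ip: str, now: float) -> set:
        """Unexpired names that resolved to ip (empty set if none were observed)."""
        entries = self.by_ip.get(norm_ip(ip), {})
        return {n for n, exp in entries.items() if exp > now}


@dataclass
class Decision:
    allow: bool
    reason: str


def check_connect(cache: DnsCache, server_name: str, ip: str, now: float) -> Decision:
    """Policy step: allow only if server_name is a name that resolved to ip."""
    try:
        canon = norm_ip(ip)
    except ValueError:
        return Decision(False, "connection request carries an unparseable IP: %r" % ip)
    names = cache.names_for(canon, now)
    if not names:
        # Not covered by the claim (IP matches no cached result); failing closed
        # is this example's assumption, not something the patent states.
        return Decision(False, "no unexpired DNS answer observed for %s" % canon)
    if norm_name(server_name) in names:
        return Decision(True, "server name matches a DNS answer for %s" % canon)
    return Decision(False, "server name %r did not resolve to %s (observed: %s)"
                    % (server_name, canon, ", ".join(sorted(names))))


# Constructed DNS answers the proxy observed at t=1000; not real hosts.
OBSERVED_ANSWERS = [
    "good.example.  300 IN A    93.184.216.34",
    "cdn.example.   300 IN A    93.184.216.34",   # second name on the same IP
    "evil.example.   60 IN A    203.0.113.5",
    "v6.example.    300 IN AAAA 2001:DB8::1",
    "junk line that is not a resource record",
]


def build_demo_cache(now: float = 1000.0) -> DnsCache:
    cache = DnsCache()
    for line in OBSERVED_ANSWERS:
        cache.ingest_answer(line, now)
    return cache


def run_demo(now: float = 1000.0):
    """Constructed connection requests (server name, IP, time) and their decisions."""
    cache = build_demo_cache(now)
    requests = [
        ("good.example", "93.184.216.34", now + 10),   # honest request
        ("CDN.example.", "93.184.216.34", now + 10),   # case and trailing dot differ
        ("good.example", "203.0.113.5", now + 10),     # benign name, malicious IP
        ("v6.example", "2001:db8::1", now + 10),       # IPv6 spelled differently
        ("good.example", "198.51.100.7", now + 10),    # no DNS answer ever seen
        ("evil.example", "203.0.113.5", now + 120),    # 60 s TTL already expired
    ]
    return [(n, ip, check_connect(cache, n, ip, t)) for n, ip, t in requests]


if __name__ == "__main__":
    for name, ip, d in run_demo():
        print("%-5s %-14s %-15s %s" % ("ALLOW" if d.allow else "DENY", name, ip, d.reason))
```

The third request is the case the claim targets: the client presents a server name that passes a name-based policy while the IP belongs to a different host. Keying the cache by IP rather than by name is what makes that detectable, and honouring the answer's TTL keeps the cache from vouching for a name long after the resolver would have returned something else.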
29 Citations
20 Claims
1. A method comprising:
obtaining, by a proxy device of an enterprise network, a domain name server query sent by a client located within the enterprise network to a domain name server located outside of the enterprise network;
obtaining, by the proxy device, a domain name server result sent by the domain name server in response to the domain name server query, the domain name server result including a domain name queried by the domain name server query and a corresponding first Internet Protocol (IP) address;
caching, by the proxy device, the domain name server result in a domain name cache;
obtaining, by the proxy device, a connection request message sent by the client seeking a connection with a server located outside of the enterprise network, the connection request message including a server name and a second IP address;
comparing, by the proxy device, the connection request message to the domain name server result to detect if the client within the enterprise network altered the server name of the connection request message in an attempt to deceive the proxy device to enable malicious network traffic to enter the enterprise network through the proxy device, wherein comparing includes determining, when the second IP address matches the first IP address, whether the server name matches the domain name; and
applying, by the proxy device, one or more policies to the connection request message based on whether or not the client altered the server name in the connection request message, the one or more policies including establishing a connection between the client and the server when the server name matches the domain name or disallowing the connection between the client and the server when the server name does not match the domain name.
Dependent claims: 2, 3, 4, 5, 6, 7

8. An apparatus comprising:
a network interface unit configured to enable network communications;
a memory; and
a processor configured to:
obtain a domain name server query sent by a client located within an enterprise network to a domain name server located outside of the enterprise network,
obtain a domain name server result sent by the domain name server in response to the domain name server query, wherein the domain name server result includes a domain name queried by the domain name server query and a corresponding first Internet Protocol (IP) address,
cache the domain name server result in a domain name cache,
obtain a connection request message sent by the client seeking a connection with a server located outside of the enterprise network, the connection request message including a server name and a second IP address,
compare the connection request message to the domain name server result to detect if the client within the enterprise network altered the server name of the connection request message in an attempt to deceive the apparatus to enable malicious network traffic to enter the enterprise network through the apparatus, wherein the compare includes determining, when the second IP address matches the first IP address, whether the server name matches the domain name, and
apply one or more policies to the connection request message based on whether or not the client altered the server name in the connection request message, the one or more policies including establishing a connection between the client and the server when the server name matches the domain name or disallowing the connection between the client and the server when the server name does not match the domain name.
Dependent claims: 9, 10, 11, 12, 13, 14

15. One or more non-transitory computer readable storage media of a proxy server in communication with user devices of an enterprise network, the computer readable storage media being encoded with software comprising computer executable instructions, and when the software is executed, operable to:
obtain a domain name server query sent by a client located within the enterprise network to a domain name server located outside of the enterprise network;
obtain a domain name server result sent by the domain name server in response to the domain name server query, the domain name server result including a domain name queried by the domain name server query and a corresponding first Internet Protocol (IP) address;
cache the domain name server result in a domain name cache;
obtain a connection request message sent by the client seeking a connection with a server located outside of the enterprise network, the connection request message including a server name and a second IP address;
compare the connection request message to the domain name server result to detect if the client within the enterprise network altered the server name of the connection request message in an attempt to deceive the proxy server to enable malicious network traffic to enter the enterprise network through the proxy server, wherein the compare includes determining, when the second IP address matches the first IP address, whether the server name matches the domain name; and
apply one or more policies to the connection request message based on whether or not the client altered the server name in the connection request message, the one or more policies including establishing a connection between the client and the server when the server name matches the domain name or disallowing the connection between the client and the server when the server name does not match the domain name.
Dependent claims: 16, 17, 18, 19, 20
Specification