Securing communication over a network using dynamically assigned proxy servers
First Claim
1. A method for providing secure access to network resources within a server system, comprising:
- changing a proxy for a particular server of the server system over time to prevent an attacker from knowing which proxy server of a plurality of potential proxy servers is acting as the proxy at a given time, including;
at a first time;
assigning a first proxy server of the plurality of potential proxy servers to temporarily act as the proxy for the particular server of the server system; and
unassigning a second proxy server of the plurality of potential proxy servers as the proxy for the particular server system; and
at a second time subsequent to the first time;
assigning a third proxy server of the plurality of potential proxy servers to temporarily act as the proxy for the particular server; and
unassigning the first proxy server as the proxy for the particular server system;
at a third time between the first time and the second time, receiving at the first proxy server a request from a client system to access network applications and resources hosted by the server system;
determining at the first proxy server whether the request includes an encrypted identifier for the client system;
in accordance with a determination that the request includes the encrypted identifier;
determining at the first proxy server whether the client system is authorized to access the requested network applications and resources based on the encrypted identifier;
in accordance with a determination that the client system is authorized to access the requested network application and resources, communicatively coupling the client system to the particular server via the first proxy server; and
in accordance with a determination that the request does not include the encrypted identifier, dropping the request without responding to the client system.
3 Assignments
0 Petitions
Accused Products
Abstract
The various embodiments described herein include methods, devices, and systems for providing secure access to network resources. In one aspect, a method is performed at a trust broker system. The method includes: (1) receiving, from a client system, a request to access network applications and resources hosted by a server system; (2) identifying a domain providing the requested network applications and resources; (3) determining whether the client system is authorized to access the domain; (4) identifying a particular server containing the domain; (5) identifying a proxy server assigned to the particular server; and (6) in accordance with a determination that the client system is authorized to access the domain: (a) transmitting an identification value for the client system to the identified proxy server; and (b) after transmitting the identification value to the identified proxy server, transmitting, to the client system, contact information for connecting to the identified proxy server.
-
Citations
17 Claims
-
1. A method for providing secure access to network resources within a server system, comprising:
-
changing a proxy for a particular server of the server system over time to prevent an attacker from knowing which proxy server of a plurality of potential proxy servers is acting as the proxy at a given time, including; at a first time; assigning a first proxy server of the plurality of potential proxy servers to temporarily act as the proxy for the particular server of the server system; and unassigning a second proxy server of the plurality of potential proxy servers as the proxy for the particular server system; and at a second time subsequent to the first time; assigning a third proxy server of the plurality of potential proxy servers to temporarily act as the proxy for the particular server; and unassigning the first proxy server as the proxy for the particular server system; at a third time between the first time and the second time, receiving at the first proxy server a request from a client system to access network applications and resources hosted by the server system; determining at the first proxy server whether the request includes an encrypted identifier for the client system; in accordance with a determination that the request includes the encrypted identifier; determining at the first proxy server whether the client system is authorized to access the requested network applications and resources based on the encrypted identifier; in accordance with a determination that the client system is authorized to access the requested network application and resources, communicatively coupling the client system to the particular server via the first proxy server; and in accordance with a determination that the request does not include the encrypted identifier, dropping the request without responding to the client system. - View Dependent Claims (2, 3, 4, 5, 6)
-
-
7. A computing system, comprising:
-
one or more processors; memory storing one or more programs to be executed by the one or more processors; the one or more programs comprising instructions for; changing a proxy for a particular server of a server system over time to prevent an attacker from knowing which proxy server of a plurality of potential proxy servers is acting as the proxy at a given time, including; at a first time; assigning a first proxy server of the plurality of potential proxy servers to temporarily act as the proxy for the particular server of the server system; and unassigning a second proxy server of the plurality of potential proxy servers as the proxy for the particular server system; and at a second time subsequent to the first time; assigning a third proxy server of the plurality of potential proxy servers to temporarily act as the proxy for the particular server; and unassigning the first proxy server as the proxy for the particular server system; at a third time between the first time and the second time, receiving at the first proxy server a request from a client system to access network applications and resources hosted by the server system; determining at the first proxy server whether the request includes an encrypted identifier for the client system; in accordance with a determination that the request includes the encrypted identifier; determining at the first proxy server whether the client system is authorized to access the requested network applications and resources based on the encrypted identifier; in accordance with a determination that the client system is authorized to access the requested network application and resources, communicatively coupling the client system to the particular server via the first proxy server; and in accordance with a determination that the request does not include the encrypted identifier, dropping the request without responding to the client system. - View Dependent Claims (8, 9, 10, 11, 12)
-
-
13. A non-transitory computer-readable storage medium storing one or more programs configured for execution by a computing system, the one or more programs comprising instructions for:
-
changing a proxy for a particular server of a server system over time to prevent an attacker from knowing which proxy server of a plurality of potential proxy servers is acting as the proxy at a given time, including; at a first time; assigning a first proxy server of the plurality of potential proxy servers to temporarily act as the proxy for the particular server of the server system; and unassigning a second proxy server of the plurality of potential proxy servers as the proxy for the particular server system; and at a second time subsequent to the first time; assigning a third proxy server of the plurality of potential proxy servers to temporarily act as the proxy for the particular server; and unassigning the first proxy server as the proxy for the particular server system; at a third time between the first time and the second time, receiving at the first proxy server a request from a client system to access network applications and resources hosted by the server system; determining at the first proxy server whether the request includes an encrypted identifier for the client system; in accordance with a determination that the request includes the encrypted identifier; determining at the first proxy server whether the client system is authorized to access the requested network applications and resources based on the encrypted identifier; in accordance with a determination that the client system is authorized to access the requested network application and resources, communicatively coupling the client system to the particular server via the first proxy server, and in accordance with a determination that the request does not include the encrypted identifier, dropping the request without responding to the client system. - View Dependent Claims (14, 15, 16, 17)
-
Specification