Content inspection in secure networks

US 20050050362A1
Filed: 08/03/2004
Published: 03/03/2005
Est. Priority Date: 08/13/2003
Status: Active Grant

First Claim

Patent Images

1. A secure access system connecting at least one client of an internal network with at least one remote server of an external network, said system comprising:

an internal gateway communicating with said at least one client;

an external gateway communicating with said at least one remote server;

an internal encryption terminator establishing a secure connection with said at least one client and impersonating said at least one remote server, decrypting encrypted requests coming from said at least one client and encrypting clear replies going to said at least one client; and

an external encryption initiator aiding in establishing a secure connection with said at least one remote server, encrypting clear requests going to said at least one remote server and decrypting encrypted replies coming from said at least one remote server.

View all claims

1 Assignment

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

A secure access system is used to connect an internal network, such as a private LAN, to an external network, such as the Internet. The system is provided with internal and external gateways, for connecting to the respective networks, as well as an inspection evaluator, content inspector, internal certificate authority, internal SSL terminator and external SSL initiator. Packets routed through the access system are inspected before they are forwarded from one gateway to the other, except those packets of designated users of the internal network which are directly forwarded without inspection. Encrypted packets received by the access system are decrypted, inspected, and then re-encrypted before they are forwarded.

199 Citations

40 Claims

1. A secure access system connecting at least one client of an internal network with at least one remote server of an external network, said system comprising:
- an internal gateway communicating with said at least one client;
  
  an external gateway communicating with said at least one remote server;
  
  an internal encryption terminator establishing a secure connection with said at least one client and impersonating said at least one remote server, decrypting encrypted requests coming from said at least one client and encrypting clear replies going to said at least one client; and
  
  an external encryption initiator aiding in establishing a secure connection with said at least one remote server, encrypting clear requests going to said at least one remote server and decrypting encrypted replies coming from said at least one remote server.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13)
- - 2. A secure access system as per claim 1, wherein said system further comprises an internal certificate authority that authorizes said impersonation.
  - 3. A secure access system as per claim 1, wherein said system further comprises a content inspection unit inspecting clear requests and replies before they are forwarded to either the internal or external gateway.
  - 4. A secure access system as per claim 1, wherein said system comprises multiple instances of any of said internal gateway, said external gateway, said internal encryption terminator, and said external encryption initiator, and said system further comprises an intelligent network switch that distributes network packets based on the availability and load of each instance.
  - 5. A secure access system as per claim 1, wherein said system maintains a traffic policy table holding traffic classification attributes to manage flow of network traffic by identifying clear and encrypted traffic.
  - 6. A secure access system as per claim 5, wherein said traffic policy table comprises any of the following attributes:
    - physical ports, internal network addresses, external network addresses, destination port numbers, and type of action.
  - 7. A secure access system as per claim 1, wherein said system maintains a session table having information associated with communication between said at least one client and said at least one remote server, said session table being used in future routing network packets.
  - 8. A secure access system as per claim 7, wherein said session table comprises any of the following entries:
    - source IP address, destination IP address, source port number, destination port number, inspection status, and encryption status.
  - 9. A secure access system as per claim 1, wherein said encrypted requests and replies are communicated between said at least one client and said at least one remote server via the secure sockets layer (SSL/TLS) protocol.
  - 10. A secure access system as per claim 1, wherein said external network is the Internet.
  - 11. A secure access system as per claim 1, wherein said internal network is a private LAN.
  - 12. A secure access system as per claim 1, wherein said system maintains an inspection rule table and determines whether packets need to be forwarded immediately, blocked completely, or whether packets require full content inspection.
  - 13. A secure access system as per claim 12, wherein said inspection rule table comprises any of the following entries:
    - source network addresses, destination network addresses, URL, file type, parameter field name, parameter field value, and action.

14. A secure access system connecting an internal network to an external network, said system comprising:
- an internal gateway communicating with said at least one client;
  
  an external gateway communicating with said at least one remote server;
  
  an internal encryption terminator establishing a secure connection with said at least one client and impersonating said at least one remote server, decrypting encrypted requests coming from said at least one client and encrypting clear replies going to said at least one client;
  
  an external encryption initiator aiding in establishing a secure connection with said at least one remote server, encrypting clear requests going to said at least one remote server and decrypting encrypted replies coming from said at least one remote server; and
  
  an internal certificate authority that authorizes said impersonation without contacting an external certifying authority.
- View Dependent Claims (15, 16, 17, 18, 19, 20, 21, 22, 23, 24)
- - 15. A secure access system as per claim 14, wherein said system maintains a traffic policy table holding traffic classification attributes to manage flow of network traffic by identifying clear and encrypted traffic.
  - 16. A secure access system as per claim 15, wherein said traffic policy table comprises any of following attributes:
    - physical ports, internal network addresses, external network addresses, destination port numbers, and type of action.
  - 17. A secure access system as per claim 14, wherein said system maintains a session table having information associated with communication between said at least one client and at least one remote server, said session table being used in future routing network packets.
  - 18. A secure access system as per claim 17, wherein said session table comprises any of following entries:
    - source IP address, destination IP address, source port number, destination port number, inspection status, and encryption status.
  - 19. A secure access system as per claim 14, wherein said system comprises multiple instances of said internal gateway, said external gateway, said internal encryption terminator, and said external encryption initiator, and said system further comprises an intelligent network switch that distributes network packets based on the availability and load of each instance.
  - 20. A secure access system as per claim 14, wherein said external network is the Internet.
  - 21. A secure access system as per claim 14, wherein said internal network is a private LAN.
  - 22. A secure access system as per claim 14, wherein said encrypted requests and replies are communicated between said at least one client and said at least one remote server via secure sockets layer (SSL/TLS) protocol.
  - 23. A secure access system as per claim 14, wherein said system maintains an inspection rule table and determines whether packets need to be forwarded immediately, blocked completely, or whether packets require full content inspection.
  - 24. A secure access system as per claim 23, wherein said inspection rule table comprises any of the following entries:
    - source network addresses, destination network addresses, URL, file type, parameter field name, parameter field value and action.

25. A secure access system connecting an internal network to an external network, said system comprising:
- an internal gateway communicating with said at least one client;
  
  an external gateway communicating with said at least one remote server;
  
  an internal encryption terminator establishing a secure connection with said at least one client and impersonating said at least one remote server, decrypting encrypted requests coming from said at least one client and encrypting clear replies going to said at least one client;
  
  an external encryption initiator aiding in establishing a secure connection with said at least one remote server, encrypting clear requests going to said at least one remote server and decrypting encrypted replies coming from said at least one remote server;
  
  an internal certificate authority that authorizes said impersonation without contacting an external certifying authority; and
  
  a content inspection unit inspecting clear requests and replies.
- View Dependent Claims (26, 27, 28, 29, 30, 31, 32, 33, 34, 35)
- - 26. A secure access system as per claim 25, wherein said system comprises multiple instances of said internal gateway, said external gateway, said internal encryption terminator, said external encryption initiator, said internal certificate authority, and said content inspection unit, and said system further comprises an intelligent network switch that distributes network packets based on the availability and load of each instance.
  - 27. A secure access system as per claim 25, wherein said system maintains a traffic policy table holding traffic classification attributes to manage flow of network traffic by identifying clear and encrypted traffic.
  - 28. A secure access system as per claim 27, wherein said traffic policy table comprises the following attributes:
    - physical ports, internal network address, external network address, destination port numbers, and type of action.
  - 29. A secure access system as per claim 25, wherein said system maintains a session table having information associated with communication between said at least one client and said at least one remote server, said session table being used in future routing network packets.
  - 30. A secure access system as per claim 29, wherein said session table comprises the following entries:
    - source IP address, destination EP address, source port number, destination port number, inspection status, and encryption status.
  - 31. A secure access system as per claim 25, wherein said external network is the Internet.
  - 32. A secure access system as per claim 25, wherein said internal network is a private LAN.
  - 33. A secure access system as per claim 25, wherein said encrypted requests and replies are communicated between said at least one user and said at least one remote server via secure sockets layer (SSL/TLS) protocol.
  - 34. A secure access system as per claim 25, wherein said system maintains an inspection rule table and determines whether packets need be forwarded immediately, blocked completely, or whether packets require full content inspection.
  - 35. A secure access system as per claim 34, wherein said inspection rule table comprises any of the following entries:
    - source network addresses, destination network addresses, URL, file type, parameter field name, parameter field value and action.

36. An article of manufacture comprising a computer media product implementing content inspection in communication sessions between at least one client of an internal network and at least one remote server of an external network, said medium comprising:
- a first module implementing an internal gateway communicating with said at least one client;
  
  a second module implementing an external gateway communicating with said at least one remote server;
  
  a third module implementing an internal encryption terminator aiding in establishing a secure connection with said at least one client and impersonating said at least one remote server, decrypting encrypted requests coming from said at least one client and encrypting clear replies going to said at least one client;
  
  a fourth module implementing an external encryption initiator aiding in establishing a secure connection with said at least one remote server, encrypting clear requests going to said at least one remote server and decrypting encrypted replies coming from said at least one remote sever; and
  
  a fifth module implementing an internal certificate authority that authorizes said impersonation.
- View Dependent Claims (37, 38, 39, 40)
- - 37. An article of manufacture as per claim 36, wherein said medium maintains a traffic policy table holding traffic classification attributes to manage flow of network traffic by identifying clear and encrypted traffic.
  - 38. An article of manufacture as per claim 37, wherein said traffic policy table comprises any of the following attributes:
    - physical ports, internal network addresses, external network addresses, destination port numbers, and type of action.
  - 39. An article of manufacture as per claim 36, wherein said medium maintains a session table having information associated with communication between said at least one client and said at least one remote server, said session table being used in future routing network packets.
  - 40. A secure access system as per claim 39, wherein said session table comprises any of the following attributes:
    - source EP address, destination IP address, source port number, destination port number, inspection status, and encryption status.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Radware Limited
Original Assignee
Radware Limited
Inventors
Peles, Amir

Granted Patent

US 7,769,994 B2
Time in Patent Office

Days
Field of Search
US Class Current

726/4
CPC Class Codes

H04L 63/02 for separating internal fro...

H04L 63/04 for providing a confidentia...

Content inspection in secure networks

First Claim

1 Assignment

0 Petitions

Accused Products

Abstract

199 Citations

40 Claims

Specification

Solutions

Use Cases

Quick Links

Content inspection in secure networks

First Claim

1 Assignment

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

199 Citations

40 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links