Network access using secure tunnel

US 20050273849A1
Filed: 03/11/2005
Published: 12/08/2005
Est. Priority Date: 03/11/2004
Status: Abandoned Application

First Claim

Patent Images

1. A method for accessing a network comprising:

routing a message from a client application on a client to an adapter installed as a kernel space component on the client;

routing the message from the adapter to a server-proxy installed as a user space component on the client;

encapsulating the message for transportation to a remote server on a private network;

routing the encapsulated message from the server-proxy to an IP stack, for transmission to the remote server.

View all claims

1 Assignment

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

A security platform connected to a private network permits access to the private network from a public network (such as the Internet) through a variety of mechanisms. A reverse proxy system operating as part of the security platform provides access to web-enabled applications from a browser connected to the public network. The reverse proxy rewrites requests and responses so that the browser directs requests to the reverse proxy, from which the requests can be directed to the appropriate server on the public network or the private network. Responses come back to the reverse proxy, and are then forwarded to the browser. An SSL tunneling system permits fat clients to access the private network through an SSL connection. The SSL tunneling system employs a server component operating on the security platform and components downloaded to the client computer from the security platform. The client components include a control component operating in a browser window, a server-proxy component that sets up secure communications with the private network, and an adapter component between the server-proxy and the fat client. The adapter component operates in kernel space. Data is directed from the fat client to the adapter, and then forwarded to the server-proxy; data from the server-proxy is directed to the adapter, and then forwarded to the fat client. Security is provided through the use of multiple authentication realms, each of which provides a set of authentication stages for authenticating users and providing client integrity validation.

Citations

21 Claims

1. A method for accessing a network comprising:
- routing a message from a client application on a client to an adapter installed as a kernel space component on the client;
  
  routing the message from the adapter to a server-proxy installed as a user space component on the client;
  
  encapsulating the message for transportation to a remote server on a private network;
  
  routing the encapsulated message from the server-proxy to an IP stack, for transmission to the remote server.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13, 14, 15)
- - 2. The method according to claim 1, further comprising:
    - routing a received message at the IP stack to the server-proxy;
      
      removing encapsulation from the received message;
      
      routing the received message from the server-proxy to the adapter; and
      
      routing the message from the adapter to the client application.
  - 3. The method according to claim 1, wherein encapsulating the message for transportation to a remote server includes encapsulating packets of the message within PPP frames.
  - 4. The method according to claim 3, wherein encapsulating the message for transportation to a remote server further includes securing the encapsulated packets using SSL.
  - 5. The method according to claim 1, further comprising:
    - prior to routing a message from the client application on the client to the adapter, receiving an HTML page having an archive file having a current server-proxy and a current adapter;
      
      if the client does not already have the current server-proxy, installing the current server-proxy; and
      
      if the client does not already have the current adapter, installing the current adapter.
  - 6. The method according to claim 1, further comprising prompting a user before routing the encapsulated message to the IP stack.
  - 7. The method according to claim 1, further comprising receiving from the remote server a set of subnets that a user can access, and updating a routing table to direct traffic intended for any of the subnets to be routed through the adapter.
  - 8. The method according to claim 1, further comprising receiving from the remote server information for updating a routing table to direct outgoing traffic to be routed through the adapter.
  - 9. The method according to claim 1, wherein routing the message from the client application includes routing the message to the adapter if a destination address for the message corresponds to a set of designated addresses and not routing the message to the adapter if the destination address does not correspond to the set of designated addresses.
  - 10. The method according to claim 1, wherein routing the message from the client application includes routing the message to the adapter for forwarding to the private network even if the destination address does not correspond to an address on the private network.
  - 11. The method according to claim 1, further comprising updating a set of proxy server settings for the client to redirect at least some traffic to a proxy server on the private network.
  - 12. The method according to claim 11, wherein updating a set of proxy server settings further includes redirecting at least some traffic to a local proxy server.
  - 13. The method according to claim 1, further comprising redirecting at least some traffic to a proxy server on the private network based on at least a portion of a domain name to which the traffic is directed.
  - 14. The method according to claim 1, further comprising redirecting at least some traffic to a proxy server on the private network based on a subnetwork to which the traffic is directed.
  - 15. The method according to claim 1, further comprising redirecting at least some traffic to a proxy server on the private network based on a protocol for the traffic.

16. A computer program product, residing on a computer-readable medium, for use in accessing a network, the computer program product comprising instructions for causing a computer to:
- install an adapter as a kernel space component on a client; and
  
  install a server-proxy as a user space component on the client;
  
  the adapter being programmed to receive a message from a client application on the client and to route the message to the server-proxy; and
  
  the server-proxy being programmed to encapsulate a message received from the adapter for transportation to a remote server on a private network, and to route the encapsulated message to an EP stack for transmission to the remote server.

17. A method for accessing a network comprising:
- receiving authentication information from a user at a client attempting to access a server on a private network;
  
  if the user is authenticated;
  
  sending to the client a set of subnets that the user can access;
  
  sending to the client an IP address to be used by the client and an 1P address to be used by the server; and
  
  configuring a firewall according to a set of firewall rules for the user.
- View Dependent Claims (18, 19, 20, 21)
- - 18. The method according to claim 17, further comprising allocating a PPP interface to traffic between the private network and the user.
  - 19. The method according to claim 18, further comprising configuring the firewall according to a set of firewall rules specific to the PPP interface.
  - 20. The method according to claim 19, wherein the set of firewall rules specific to the PPP interface includes a rule allowing or denying the user access to one or more specific hosts.
  - 21. The method according to claim 19, wherein the set of firewall rules specific to the PPP interface includes a rule allowing or denying the user access to one or more specific sub-networks.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
AEP Networks, Inc. (AEP Networks Ltd.)
Original Assignee
AEP Networks, Inc. (AEP Networks Ltd.)
Inventors
Douglas, C. Paul, Araujo, Kenneth, Heitmueller, Devin

Application Number

US11/077,958
Publication Number

US 20050273849A1
Time in Patent Office

Days
Field of Search
US Class Current

726/12
CPC Class Codes

H04L 63/0281   Proxies

H04L 63/0428   wherein the data content is...

H04L 63/166   at the transport layer

Network access using secure tunnel

First Claim

1 Assignment

0 Petitions

Accused Products

Abstract

Citations

21 Claims

Specification

Solutions

Use Cases

Quick Links

Network access using secure tunnel

First Claim

1 Assignment

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

Citations

21 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links