One-way proxy system
Abstract
A one-way proxy system is provided that supports one-way analysis of a transport control protocol (TCP) data stream. The one-way proxy system is used to intercept a TCP data link between two respective TCP endpoints. A one-way analyzer such as a one-way content filter, virus scanner, or firewall may be used to analyze a TCP data stream that is intercepted by the one-way proxy system. The one-way proxy system preserves TCP options and TCP properties associated with the TCP packets in the TCP data stream, so that an existing TCP session between the TCP endpoints can survive in the event of a hardware bypass operation. The one-way proxy has a low overhead because significant TCP processing of the TCP data stream is only required in one direction.
14 Claims
1. A method of operating an inline network appliance that intercepts data traffic flowing in a single transport control protocol (TCP) session between a first TCP endpoint and a second TCP endpoint for processing by a one-way analyzer, comprising:
- receiving data traffic of a given TCP session from the first TCP endpoint with the inline network appliance;
- providing the received data traffic from the first TCP endpoint to the analyzer for processing and receiving corresponding processed data traffic from the analyzer;
- transmitting the data traffic that has been processed by the analyzer from the inline network appliance to the second TCP endpoint in the same given TCP session;
- receiving data traffic in the same given TCP session from the second TCP endpoint at the inline network appliance in the same given TCP session;
- modifying TCP acknowledgement numbers in the received data traffic at the inline network appliance in the same given TCP session; and
- transmitting the data traffic containing the modified TCP acknowledgement numbers to the first TCP endpoint in the same given TCP session.
Dependent claims 2 through 12 depend from claim 1 and are not reproduced here.

13. An inline network appliance that intercepts data flowing in a single transport control protocol (TCP) session between a first TCP endpoint and a second TCP endpoint for processing by a one-way analyzer, comprising:
- a TCP receiver that receives data from the first TCP endpoint, validates TCP headers, reorders out-of-order packets, and provides the data to the one-way analyzer;
- a TCP transmitter that transmits the data to the second TCP endpoint after processing by the one-way analyzer; and
- a TCP adapter that receives data from the second TCP endpoint, modifies TCP packet headers in the data, and transmits the data with the modified TCP packet headers to the first TCP endpoint.

14. A method for operating an inline network appliance that intercepts data flowing in a single transport control protocol (TCP) session between a first TCP endpoint and a second TCP endpoint for processing by an analyzer so that the TCP session survives in the event of a hardware bypass, wherein the inline network appliance has a hardware bypass switch through which the data is directed when the inline network appliance enters hardware bypass mode, comprising:
- in establishing the TCP session, receiving a TCP SYN packet for the TCP session from one of the TCP endpoints;
- in establishing the TCP session, transmitting the received TCP SYN packet to the other of the TCP endpoints;
- after the TCP session has been established, receiving data from the first TCP endpoint and providing the received data to the analyzer for processing;
- retaining the highest time stamp value that has been received in the data from the first TCP endpoint; and
- receiving the processed data from the analyzer and transmitting the processed data to the second TCP endpoint in TCP data packets that use the retained time stamp value.
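The claims above describe the core mechanism but not why the reverse direction needs its acknowledgement numbers rewritten. The following Python model is an added illustration, not the patent's own code or an implementation of the claimed appliance: a one-way content filter changes the forwarded byte count, so the second endpoint's ACKs refer to a sequence space that differs from the first endpoint's, and the adapter must translate them back (and retain the highest TSval for claim 14). `OneWayProxy`, `redacting_analyzer`, and all sequence numbers and payloads are assumed or constructed; 32-bit sequence wraparound is ignored for readability.

```python
# Added illustrative model (not the patent's code). Assumed/constructed names:
# OneWayProxy, redacting_analyzer, and all sequence numbers and payloads.
# 32-bit sequence-number wraparound is ignored to keep the arithmetic readable.

def redacting_analyzer(payload: bytes) -> bytes:
    """Constructed one-way content filter: strips a token, so the forwarded
    byte count can differ from what the first endpoint actually sent."""
    return payload.replace(b"SECRET", b"")


class OneWayProxy:
    """Forward direction: analyze, renumber, retain the highest TSval.
    Reverse direction: only translate ACK numbers back into the client's space."""

    def __init__(self, analyzer, client_isn: int):
        self.analyzer = analyzer
        self.segments = []  # (client_seq, client_len, server_seq, server_len)
        # The SYN is forwarded unmodified, so both sides agree up to ISN+1.
        self.next_client_seq = client_isn + 1
        self.next_server_seq = client_isn + 1
        self.max_tsval = 0

    def forward(self, seq: int, payload: bytes, tsval: int) -> dict:
        """Client -> server segment after analysis, in the server's sequence space."""
        if seq != self.next_client_seq:  # the TCP receiver reorders before analysis
            raise ValueError(f"expected seq {self.next_client_seq}, got {seq}")
        out = self.analyzer(payload)
        self.segments.append((seq, len(payload), self.next_server_seq, len(out)))
        self.next_client_seq += len(payload)
        self.next_server_seq += len(out)
        self.max_tsval = max(self.max_tsval, tsval)  # retained highest TSval
        return {"seq": self.segments[-1][2], "payload": out, "tsval": self.max_tsval}

    def adapt_ack(self, server_ack: int) -> int:
        """Server -> client: rewrite the ACK so it refers to bytes the client sent."""
        client_ack = server_ack  # identity for the handshake region
        for cseq, clen, sseq, slen in self.segments:
            if server_ack < sseq:
                break
            if server_ack >= sseq + slen:
                client_ack = cseq + clen  # whole segment acknowledged
            elif clen == slen:
                client_ack = cseq + (server_ack - sseq)  # unmodified: byte-aligned
            else:
                client_ack = cseq  # partial ACK of rewritten bytes: hold it back
        return client_ack
```

A partial ACK that lands inside a rewritten segment cannot be mapped byte-for-byte, so the adapter conservatively reports only the client bytes it knows were fully delivered; the client then retransmits rather than mis-trimming its send buffer.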
Specification