METHOD AND APPARATUS FOR RESOURCE LOCATOR IDENTIFIER REWRITE

US 20080256611A1
Filed: 06/20/2008
Published: 10/16/2008
Est. Priority Date: 12/18/2002
Status: Active Grant

First Claim

Patent Images

1. A method in a network security device comprising:

receiving from a resource host over a non-secure hypertext transfer protocol (HTTP) session a response to a request received from a client over a secure HTTP session, wherein the response includes a uniform resource locator (URL) that is supposed to be for a resource host, but the URL does not designate a secure resource access protocol and the resource host requires the secure resource access protocol;

locating the URL in the response;

modifying the URL to designate the secure resource access protocol; and

transmitting the response via the secure resource access protocol session to the client.

View all claims

24 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

A method and apparatus for resource locator identifier rewrite have been presented. A security device receives from a resource host over a non-secure hypertext transfer protocol (HTTP) session a response to a request received from a client over a secure HTTP session. The response includes a uniform resource locator (URL) that is supposed to be for a resource host, but the URL does not designate a secure resource access protocol and the resource host requires the secure resource access protocol. The URL is located in the response and modified to designate the secure resource access protocol. After modification, the response is transmitted via the secure resource access protocol session to the client.

13 Citations

View as Search Results

23 Claims

1. A method in a network security device comprising:
- receiving from a resource host over a non-secure hypertext transfer protocol (HTTP) session a response to a request received from a client over a secure HTTP session, wherein the response includes a uniform resource locator (URL) that is supposed to be for a resource host, but the URL does not designate a secure resource access protocol and the resource host requires the secure resource access protocol;
  
  locating the URL in the response;
  
  modifying the URL to designate the secure resource access protocol; and
  
  transmitting the response via the secure resource access protocol session to the client.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9)
- - 2. The method of claim 1 wherein the URL is located and modified if the response includes a header “
    - Content-Encoding;
      
      ”
      
      .
  - 3. The method of claim 1 further comprising ensuring that the response and/or the request does not indicate support of persistent connection.
  - 4. The method of claim 3 wherein ensuring that the response and/or the request does not indicate support of persistent connection comprises:
    - downgrading the version of HTTP indicated in the header; and
      
      indicating in connection close by either modifying a connection field in the header or inserting a new field in the header.
  - 5. The method of claim 1 wherein the URL is located and modified if the response has a content type of text and transmitting the response without locating and modifying the URL if the content type is not text.
  - 6. The method of claim 1 further comprising ensuring that the response and/or the request does not indicate support of chunked transfer encoding.
  - 7. The method of claim 6 wherein ensuring that the response and/or the request does not indicate support of chunked transfer encoding comprises downgrading the version of HTTP indicated in the header.
  - 8. The method of claim 1 further comprising modifying the request to indicate that the requesting client does not support chunked transfer encoding while preserving persistent connection and chunked transfer encoding in the response if the client supports persistent connection and chunked transfer encoding.
  - 9. The method of claim 1 further comprising modifying the response to prevent the client from using the content length indicated in the response.

10. A network security device comprising:
- a set of one or more processors to perform security operations;
  
  a set of one or more interfaces coupled with the set of processors;
  
  a ring buffer to store message data;
  
  a resource access protocol module coupled with the set of processors, the resource access protocol module to,load message data for individual resource access protocol sessions into different buffers of the ring buffer;
  
  scan message data to locate resource locator identifiers (RLI),for each located RLI, determine if the located RLI indicates a resource access protocol that should govern a request for a resource indicated by the located RLI, andfor each located RLI that does not indicate the resource access protocol, rewriting the located RLI to indicate the resource access protocol,parse boundaries of the message data;
  
  transmit via one of the set of interfaces the response with transport layer information that indicates a port corresponding to the resource access protocol.
- View Dependent Claims (11, 12, 13, 14)
- - 11. The network security device of claim 10, wherein the resource access protocol module includes a buffer daemon and a scan and parse daemon.
  - 12. The network security device of claim 10, further comprising a storage device to store a configuration file that indicates a set of one or more resource hosts and their corresponding appropriate request governing resource access protocol.
  - 13. The network security device of claim 10, further comprising the resource access protocol module to flush one of the buffers in the ring buffer up to a partial RLI and load the one buffer with message data in addition to the partial RLI.
  - 14. The network security device of claim 10, further comprising the resource access protocol module to create a chunk with message data from one of the buffers in the ring buffer, wherein the message data includes a plurality of complete RLIs.

15. A machine-readable medium that provides instructions, executable by a set of one or more processors in a network security device to cause said set of processors to perform operations comprising:
- receiving from a resource host over a non-secure hypertext transfer protocol (HTTP) session a response to a request received from a client over a secure HTTP session, wherein the response includes a uniform resource locator (URL) that is supposed to be for a resource host, but the URL does not designate a secure resource access protocol and the resource host requires the secure resource access protocol;
  
  locating the URL in the response;
  
  modifying the URL to designate the secure resource access protocol; and
  
  transmitting the response via the secure resource access protocol session to the client.
- View Dependent Claims (16, 17, 18, 19, 20, 21, 22, 23)
- - 16. The machine-readable medium of claim 15, wherein the URL is located and modified if the response includes a header “
    - Content-Encoding;
      
      ”
      
      .
  - 17. The machine-readable medium of claim 15, wherein the operations further comprise ensuring that the response and/or the request does not indicate support of persistent connection.
  - 18. The machine-readable medium of claim 17, wherein ensuring that the response and/or the request does not indicate support of persistent connection comprises:
    - downgrading the version of HTTP indicated in the header; and
      
      indicating in connection close by either modifying a connection field in the header or inserting a new field in the header.
  - 19. The machine-readable medium of claim 15, wherein the URL is located and modified if the response has a content type of text and transmitting the response without locating and modifying the URL if the content type is not text.
  - 20. The machine-readable medium of claim 15, wherein the operations further comprise ensuring that the response and/or the request does not indicate support of chunked transfer encoding.
  - 21. The machine-readable medium of claim 20, wherein ensuring that the response and/or the request does not indicate support of chunked transfer encoding comprises downgrading the version of HTTP indicated in the header.
  - 22. The machine-readable medium of claim 15, wherein the operations further comprise modifying the request to indicate that the requesting client does not support chunked transfer encoding while preserving persistent connection and chunked transfer encoding in the response if the client supports persistent connection and chunked transfer encoding.
  - 23. The machine-readable medium of claim 15, wherein the operations further comprise modifying the response to prevent the client from using the content length indicated in the response.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Quest Software, Inc.
Original Assignee
SonicWALL, Inc. (SonicWall Holdings Ltd.)
Inventors
Levy, Joseph H., Chen, Zhong, Telehowski, David M., Nguyen, Huy Minh, Gmuender, John E., Massing, Michael B.

Granted Patent

US 7,752,336 B2
Time in Patent Office

Days
Field of Search
US Class Current

726/4
CPC Class Codes

H04L 61/00   Network arrangements, proto...

H04L 61/30   Managing network names, e.g...

H04L 61/301   Name conversion

H04L 63/0281   Proxies

H04L 63/0428   wherein the data content is...

H04L 63/168   above the transport layer

H04L 67/02   based on web technology, e....

H04L 67/561   Adding application-function...

H04L 69/329   in the application layer [O...

H04L 9/40   Network security protocols

METHOD AND APPARATUS FOR RESOURCE LOCATOR IDENTIFIER REWRITE

First Claim

24 Assignments

0 Petitions

Accused Products

Abstract

13 Citations

23 Claims

Specification

Solutions

Use Cases

Quick Links

METHOD AND APPARATUS FOR RESOURCE LOCATOR IDENTIFIER REWRITE

First Claim

24 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

13 Citations

23 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links