LAYER-4 TRANSPARENT SECURE TRANSPORT PROTOCOL FOR END-TO-END APPLICATION PROTECTION

US 20090059957A1
Filed: 04/11/2008
Published: 03/05/2009
Est. Priority Date: 08/28/2007
Status: Active Grant

First Claim

Patent Images

1. A method performed by a network element, the method comprising:

receiving a packet of a network transaction from a client over a first network, the packet destined to a server of a data center having a plurality of servers over a second network, wherein the packet includes a payload encrypted without encrypting information needed for at least layer 2 to layer (layer 2-4) of an OSI (open system interconnection) layers of network processes; and

performing the layer 2-4 process on the packet without having to decrypting the payload to determine whether the packet is eligible to access the destined server over the second network based on the unencrypted layer 2-4 information.

View all claims

3 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

Techniques for providing layer 4 transparent secure transport for end-to-end application protection are described herein. According to one embodiment, a packet of a network transaction is received from a client over a first network, where the packet is destined to a server of a data center having a plurality of servers over a second network. The packet includes a payload encrypted without encrypting information needed for a layer 4 of OSI (open system interconnection) layers of network processes. The layer 4 process is performed on the packet without having to decrypting the payload to determine whether the packet is eligible to access the destined server over the second network based on the unencrypted layer 4 information. Other methods and apparatuses are also described.

121 Citations

View as Search Results

20 Claims

1. A method performed by a network element, the method comprising:
- receiving a packet of a network transaction from a client over a first network, the packet destined to a server of a data center having a plurality of servers over a second network, wherein the packet includes a payload encrypted without encrypting information needed for at least layer 2 to layer (layer 2-4) of an OSI (open system interconnection) layers of network processes; and
  
  performing the layer 2-4 process on the packet without having to decrypting the payload to determine whether the packet is eligible to access the destined server over the second network based on the unencrypted layer 2-4 information.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10)
- - 2. The method of claim 1, wherein the layer 2-4 process comprises a layer 4 access control process to determine whether the client is eligible to access the destined server over the second network.
  - 3. The method of claim 1, wherein the second network is an internal network of an organization associated with the data center.
  - 4. The method of claim 1, wherein at least a destination IP (Internet protocol) address and a destination TCP (transport control protocol) port of the packet is not encrypted while the payload of the packet is encrypted.
  - 5. The method of claim 1, wherein the packet is encrypted by an agent of the client, wherein the agent encrypts at least the payload of the packet without encrypting the information needed for the layer 2-4 process.
  - 6. The method of claim 5, further comprising:
    - in response to a request from the client to initiate a network connection, transmitting the agent to the client over the first network to be installed at the client; and
      
      transmitting to the client over the secure control channel a policy associated with the client.
  - 7. The method of claim 6, further comprising:
    - establishing a secure control channel with the agent over the first network in response to a request received from the agent; and
      
      negotiating a set of security parameters with the agent over the secure control channel.
  - 8. The method of claim 7, further comprising:
    - in response to network traffic from an application of the client, the agent transparently trapping the network traffic if the network traffic requires a security service based on the policy; and
      
      encrypting a payload of the network traffic using the set of security parameters if the network traffic requires a security service, wherein layer 3 to layer 4 (layer 3-4) related information of the network traffic is unencrypted.
  - 9. The method of claim 1, wherein the network element is a security gateway of the data center, and wherein in order to access a server of the data center over the second network, each client of the first network has to go through the network element.
  - 10. The method of claim 9, wherein the first network is an external network, and wherein the network traffic is encapsulated within a secured tunnel over the first network which is terminated at the network element to recover packets that have payload encrypted and layer 3-4 information unencrypted.

11. A machine-readable medium having instructions stored therein, which when executed by a machine, cause the machine to perform a method, the method comprising:
- receiving a packet of a network transaction from a client over a first network, the packet destined to a server of a data center having a plurality of servers over a second network, wherein the packet includes a payload encrypted without encrypting information needed for at least layer 2 to layer 4 (layer 2-4) of an OSI (open system interconnection) layers of network processes; and
  
  performing the layer 2-4 process on the packet without having to decrypting the payload to determine whether the packet is eligible to access the destined server over the second network based on the unencrypted layer 2-4 information.
- View Dependent Claims (12, 13, 14, 15, 16, 17, 18, 19, 20)
- - 12. The machine-readable medium of claim 11, wherein the layer 2-4 process comprises a layer 4 access control process to determine whether the client is eligible to access the destined server over the second network.
  - 13. The machine-readable medium of claim 11, wherein the second network is an internal network of an organization associated with the data center.
  - 14. The machine-readable medium of claim 11, wherein at least a destination IP (Internet protocol) address and a destination TCP (transport control protocol) port of the packet is not encrypted while the payload of the packet is encrypted.
  - 15. The machine-readable medium of claim 11, wherein the packet is encrypted by an agent of the client, wherein the agent encrypts at least the payload of the packet without encrypting the information needed for the layer 2-4 process.
  - 16. The machine-readable medium of claim 15, wherein the method further comprises:
    - in response to a request from the client to initiate a network connection, transmitting the agent to the client over the first network to be installed at the client; and
      
      transmitting to the client over the secure control channel a policy associated with the client.
  - 17. The machine-readable medium of claim 16, wherein the method further comprises:
    - establishing a secure control channel with the agent over the first network in response to a request received from the agent; and
      
      negotiating a set of security parameters with the agent over the secure control channel.
  - 18. The machine-readable medium of claim 17, wherein the method further comprises:
    - in response to network traffic from an application of the client, the agent transparently trapping the network traffic if the network traffic requires a security service based on the policy; and
      
      encrypting a payload of the network traffic using the set of security parameters if the network traffic requires a security service, wherein layer 3 to layer 4 (layer 3-4) related information of the network traffic is unencrypted.
  - 19. The machine-readable medium of claim 11, wherein the network element is a security gateway of the data center, and wherein in order to access a server of the data center over the second network, each client of the first network has to go through the network element.
  - 20. The machine-readable medium of claim 19, wherein the first network is an external network, and wherein the network traffic is encapsulated within a secured tunnel over the first network which is terminated at the network element to recover packets that have payload encrypted and layer 3-4 information unencrypted.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Cisco Technology, Inc. (Cisco Systems, Inc.)
Original Assignee
Rohati Systems, Inc. (Cisco Systems, Inc.)
Inventors
Patra, Abhijit, Prabhu, Kirti, Thakar, Anant, Bagepalli, Nagaraj, Gandhi, Prashant

Granted Patent

US 8,295,306 B2
Time in Patent Office

Days
Field of Search
US Class Current

370/469
CPC Class Codes

H04L 47/20   Traffic policing

H04L 63/02   for separating internal fro...

H04L 63/0428   wherein the data content is...

H04L 63/166   at the transport layer

H04L 63/205   involving negotiation or de...

H04L 69/16   Implementation or adaptatio...

H04L 69/161   Implementation details of T...

H04L 69/321   Interlayer communication pr...

H04L 9/3242   involving keyed hash functi...

Y10T 70/5827   Axially movable clutch

LAYER-4 TRANSPARENT SECURE TRANSPORT PROTOCOL FOR END-TO-END APPLICATION PROTECTION

First Claim

3 Assignments

0 Petitions

Accused Products

Abstract

121 Citations

20 Claims

Specification

Solutions

Use Cases

Quick Links

LAYER-4 TRANSPARENT SECURE TRANSPORT PROTOCOL FOR END-TO-END APPLICATION PROTECTION

First Claim

3 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

121 Citations

20 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links