SYSTEMS AND METHODS FOR NETWORK FILTERING IN VPN

US 20130298201A1
Filed: 05/03/2013
Published: 11/07/2013
Est. Priority Date: 05/05/2012
Status: Active Grant

First Claim

Patent Images

1. A method for managing network data packet traffic between a mobile device and an enterprise server, comprising:

maintaining a list of authorized applications that are authorized to access the enterprise server;

analyzing a plurality of packets communicated from applications running on the mobile device, andfor each packet of the plurality of packets;

determining an originating application of that packet, comparing the originating application to the list of authorized applications, and transmitting that packet over a VPN to an enterprise server if the originating application is an authorized application.

View all claims

7 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

Described are systems and methods for managing network packet traffic between a client device and an enterprise server. A list of enterprise-authorized applications is maintained. Data packets, such as TCP and UDP data packets, communicated from applications running on the device are analyzed to determine an originating application corresponding to each packet. The originating application is compared to the list of authorized applications, and a VPN tunnel is created for the packet to access the enterprise server if the corresponding originating application is an authorized application.

167 Citations

40 Claims

1. A method for managing network data packet traffic between a mobile device and an enterprise server, comprising:
- maintaining a list of authorized applications that are authorized to access the enterprise server;
  
  analyzing a plurality of packets communicated from applications running on the mobile device, andfor each packet of the plurality of packets;
  
  determining an originating application of that packet, comparing the originating application to the list of authorized applications, and transmitting that packet over a VPN to an enterprise server if the originating application is an authorized application.
- View Dependent Claims (2, 3, 4, 5)
- - 2. The method of claim 1, further comprising:
    - preventing those packets having an associated originating application that is not on the list of user authorized applications from accessing the enterprise server.
  - 3. The method of claim 1, further comprising:
    - accessing the enterprise server via a single sign on authentication procedure using a secure access manager application on the mobile device.
  - 4. The method of claim 1, further comprising:
    - downloading an authorized application from an enterprise application store accessible by the mobile device.
  - 5. The method of claim 4, further comprising:
    - verifying that the downloaded authorized application is compliant with enterprise policy.

6. A mobile device comprising:
- a user interface for receiving user input,memory which stores a first application that is enterprise authorized and a second application that is unauthorized by the enterprise,an application manager coupled to the user interface and the memory and constructed to facilitate secure access to an enterprise server through an access gateway and a virtual private network, wherein the application manager is operable to determine the originating application for each of a plurality of network data packets, wherein data packets originating from the first application are allowed to be delivered via the virtual private network, and data packets originating from the second application are not allowed to be delivered via the virtual private network.
- View Dependent Claims (7, 8, 9, 10)
- - 7. The mobile device of claim 6, further including a secure data container for storing data associated with the first application.
  - 8. The mobile device of claim 6, further including an unsecure data container for storing data associated with the second application.
  - 9. The mobile device of claim 6, further wherein the first application is a secure wrapped application.
  - 10. The mobile device of claim 6, further wherein the first application is a dual mode application including an enterprise authorized mode and an enterprise unauthorized mode, such that data packets originating from the first application are not allowed to access the enterprise server when the first application is operating in the enterprise unauthorized mode.

11. A method for managing packet traffic between a client device and an enterprise server, comprising:
- (a) maintaining a list of authorized applications of the enterprise server;
  
  (b) receiving a plurality of packets, wherein each packet includes associated routing data; and
  
  (c) for each packet;
  
  (i) matching the routing data to an entry in a set of active network connection indicators, the set provided by an operating system of the client device, (ii) determining an associated application ID of the matching entry, (iii) determining whether the associated application ID corresponds to an authorized application, and (iv) creating a VPN tunnel for the packet only if the associated application ID corresponds to an authorized application.
- View Dependent Claims (12, 13, 14, 15, 16, 17, 18, 19, 20, 21, 22, 23, 24)
- - 12. The method of claim 11, further comprising preventing VPN tunneling for those packets having an associated application ID that corresponds to an unauthorized application.
  - 13. The method of claim 11, wherein the associated routing data comprises a source port number.
  - 14. The method of claim 11, wherein the at least one of a set of active network connection indicators includes at least one of a set of active TCP connection indicators and a set of active UDP connection indicators.
  - 15. The method of claim 14, wherein the at least one of a set of active TCP connection indicators and a set of active UDP connection indicators comprises at least one of a set of /proc/net/tcp, /proc/net/tcp6, proc/net/udp, and proc/net/udp6 interface indicators.
  - 16. The method of claim 11, wherein the receiving step comprises intercepting a plurality of packets by a client agent of the client device.
  - 17. The method of claim 16, further comprising:
    - associating a timestamp with each intercepted packet;
      
      placing each timestamped packet in a queue;
      
      acquiring a source port key map of a current set of active packet connection indicators at each of a plurality of times; and
      
      selecting each timestamped packet from the queue in turn to perform a matching step, wherein the matching step comprises associating the selected timestamped packet with a corresponding source port key map having an associated timestamp that is later than the timestamp of the selected timestamped packet.
  - 18. The method of claim 17, further comprising providing the selected timestamped packet access to a non-VPN connection if the associated ID is not on the authorized applications list.
  - 19. The method of claim 17, wherein the associated routing data includes a source port number for the matching step and a destination IP address and a destination port number for determining a destination for each timestamped packet.
  - 20. The method of claim 17, wherein the packets are TCP packets and the set of active connection indicators include at least one of a set of /proc/net/tcp, /proc/net/tcp6 interface indicators.
  - 21. The method of claim 20, further comprising:
    - preventing those packets having an associated originating application that is not on the list of user authorized applications from accessing the enterprise server.
  - 22. The method of claim 20, further comprising:
    - accessing the enterprise server via a single sign on authentication procedure using a secure access manager application on the mobile device.
  - 23. The method of claim 20, further comprising:
    - downloading an authorized application from an enterprise application store accessible by the mobile device.
  - 24. The method of claim 23, further comprising:
    - verifying that the downloaded authorized application is compliant with enterprise policy.

25. A method for managing data packet traffic between a client device and an enterprise server, the method comprising:
- (a) maintaining a list of authorized applications of the enterprise server;
  
  (b) receiving a plurality of packets, wherein each packet includes associated routing data; and
  
  (c) for each packet;
  
  (i) matching the routing data to an entry in at least one of a set of active TCP connection indicators and a set of active UDP connection indicators, the set provided by an operating system of the client device, (ii) determining an associated uid of the matching entry, (iii) determining whether the associated uid corresponds to an authorized application, and (iv) providing the packet with access to a VPN connection between the client device and an enterprise server only if the associated uid corresponds to an authorized application.

26. A method for managing traffic between a client device and an enterprise server, comprising:
- maintaining a list of authorized applications of the enterprise server;
  
  wherein each list entry is in the form of an application ID corresponding to an authorized application;
  
  receiving a plurality of UDP packets, wherein each UDP packet includes associated routing data;
  
  creating a table, wherein each table entry comprises associated routing data and is categorized as one of a negative type and a positive type, andfor each received packet, comparing its associated routing data to the table to determine if a match exists, such that(i) if a matching table entry exists which is categorized as a negative type, then denying the packet access to a VPN connection;
  
  (ii) if a matching table entry exists which is categorized as a positive type, then providing the packet access to a VPN connection; and
  
  (iii) if no matching table entry exists, then matching the routing data to an entry in a set of active UDP connection indicators, the set provided by an operating system of the client device, determining an associated application ID of the matching entry of the set, determining whether that associated application ID is on the authorized applications list, and providing the packet with a VPN connection if that associated application ID is on the authorized applications list, and otherwise adding the packet routing data to the table as a negative type entry.
- View Dependent Claims (27, 28, 29, 30, 31, 32, 33, 34)
- - 27. The method of claim 26, wherein negative type entries each have an associated purge time and the negative type entries are deleted from the table when the associated purge time has elapsed.
  - 28. The method of claim 26 wherein positive type entries each have an associate purge time and the positive type entries are deleted from the table when the associated purge time has elapsed.
  - 29. The method of claim 26, further comprising providing the packet with a non-VPN connection if the associated application ID is not on the authorized applications list.
  - 30. The method of claim 26, wherein the associated routing data includes a source port number, a destination IP address, and a destination port number.
  - 31. The method of claim 26, wherein the set of active UDP connection indicators include at least one of a set of proc/net/udp and proc/net/udp6 interface indicators.
  - 32. The method of claim 26, further comprising:
    - accessing the enterprise server via a single sign on authentication procedure using a secure access manager application on the mobile device.
  - 33. The method of claim 26, further comprising:
    - downloading an authorized application from an enterprise application store accessible by the mobile device.
  - 34. The method of claim 33, further comprising:
    - verifying that the downloaded authorized application is compliant with enterprise policy.

35. A method for managing traffic between a client device and an enterprise server, comprising:
- intercepting a plurality of SYN TCP packets by a client agent of the client device, wherein each packet includes a routing data comprising a source port number, a destination IP address, and a destination port number,associating a timestamp with each intercepted packet and placing each timestamped packet in a queue,acquiring a source port key map with an associated timestamp for each of a series of times, wherein the source port key map is a snapshot of active TCP connections of the client device from /proc/net/tcp and /proc/net/tcp6 lists and provides a mapping of source port numbers and associated uids at the time of the timestamp,selecting each packet from the queue in turn to determine whether the selected packet is associated with an authorized or an unauthorized application, wherein the determination occurs by associating the selected packet with a corresponding source port key map having an associated timestamp that is later than the timestamp of the selected packet, searching the corresponding source port key map for an entry with the same source port ID and determining an associated uid for that entry and thus for the selected packet, and determining whether the uid associated with the selected packet is on the list, andcreating a VPN tunnel for only those packets determined to be associated with an authorized application.
- View Dependent Claims (36, 37, 38, 39)
- - 36. The method of claim 35, further comprising:
    - preventing those packets determined to be associated with an unauthorized application from accessing the enterprise server.
  - 37. The method of claim 35, further comprising:
    - accessing the enterprise server via a single sign on authentication procedure.
  - 38. The method of claim 36, further comprising:
    - downloading an authorized application from an enterprise application store accessible by the mobile device.
  - 39. The method of claim 38, further comprising:
    - verifying that the downloaded authorized application is compliant with enterprise policy.

40. A computer readable medium containing program instructions, wherein execution of the program instructions by one or more processors of a client device causes the one or more processors to carry out the steps of:
- (a) establishing a VPN between the client device and the enterprise server;
  
  (b) maintaining a list of authorized applications of the enterprise server;
  
  (c) receiving a plurality of packets, wherein each packet includes associated routing data; and
  
  (d) for each packet;
  
  (i) matching the routing data to an entry in at least one of a set of active TCP connection indicators and a set of active UDP connection indicators, the set provided by an operating system of the client device, (ii) determining an associated uid of the matching entry, (iii) determining whether the associated uid corresponds to an authorized application, and (iv) providing the packet with access to the VPN connection only if the associated uid corresponds to an authorized application.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Citrix Systems, Inc. (Cloud Software Group)
Original Assignee
Citrix Systems, Inc. (Cloud Software Group)
Inventors
Kumar, Krishna, Aravindakshan, Vipin, Kummur, Anand

Granted Patent

US 8,990,901 B2
Time in Patent Office

Days
Field of Search
US Class Current

726/4
CPC Class Codes

G06F 9/45533   Hypervisors; Virtual machin...

H04L 43/50   Testing arrangements

H04L 61/00   Network arrangements, proto...

H04L 61/4511   using domain name system [DNS]

H04L 63/0272   Virtual private networks

H04L 63/101   Access control lists [ACL]

H04L 67/06   specially adapted for file ...

H04L 69/164   Adaptation or special uses ...

H04L 69/24   Negotiation of communicatio...

SYSTEMS AND METHODS FOR NETWORK FILTERING IN VPN

First Claim

7 Assignments

0 Petitions

Accused Products

Abstract

167 Citations

40 Claims

Specification

Solutions

Use Cases

Quick Links

SYSTEMS AND METHODS FOR NETWORK FILTERING IN VPN

First Claim

7 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

167 Citations

40 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links