SYSTEMS AND METHODS FOR NETWORK FILTERING IN VPN
First Claim
1. A method for managing network data packet traffic between a mobile device and an enterprise server, comprising:
maintaining a list of authorized applications that are authorized to access the enterprise server;
analyzing a plurality of packets communicated from applications running on the mobile device, and for each packet of the plurality of packets:
determining an originating application of that packet, comparing the originating application to the list of authorized applications, and transmitting that packet over a VPN to an enterprise server if the originating application is an authorized application.
7 Assignments
0 Petitions
Abstract
Described are systems and methods for managing network packet traffic between a client device and an enterprise server. A list of enterprise-authorized applications is maintained. Data packets, such as TCP and UDP data packets, communicated from applications running on the device are analyzed to determine an originating application corresponding to each packet. The originating application is compared to the list of authorized applications, and a VPN tunnel is created for the packet to access the enterprise server if the corresponding originating application is an authorized application.
167 Citations
40 Claims
1. A method for managing network data packet traffic between a mobile device and an enterprise server, comprising:
maintaining a list of authorized applications that are authorized to access the enterprise server; analyzing a plurality of packets communicated from applications running on the mobile device, and for each packet of the plurality of packets:
determining an originating application of that packet, comparing the originating application to the list of authorized applications, and transmitting that packet over a VPN to an enterprise server if the originating application is an authorized application.
6. A mobile device comprising:
a user interface for receiving user input, memory which stores a first application that is enterprise authorized and a second application that is unauthorized by the enterprise, an application manager coupled to the user interface and the memory and constructed to facilitate secure access to an enterprise server through an access gateway and a virtual private network, wherein the application manager is operable to determine the originating application for each of a plurality of network data packets, wherein data packets originating from the first application are allowed to be delivered via the virtual private network, and data packets originating from the second application are not allowed to be delivered via the virtual private network.
11. A method for managing packet traffic between a client device and an enterprise server, comprising:
(a) maintaining a list of authorized applications of the enterprise server; (b) receiving a plurality of packets, wherein each packet includes associated routing data; and (c) for each packet:
(i) matching the routing data to an entry in a set of active network connection indicators, the set provided by an operating system of the client device, (ii) determining an associated application ID of the matching entry, (iii) determining whether the associated application ID corresponds to an authorized application, and (iv) creating a VPN tunnel for the packet only if the associated application ID corresponds to an authorized application.
25. A method for managing data packet traffic between a client device and an enterprise server, the method comprising:
(a) maintaining a list of authorized applications of the enterprise server; (b) receiving a plurality of packets, wherein each packet includes associated routing data; and (c) for each packet:
(i) matching the routing data to an entry in at least one of a set of active TCP connection indicators and a set of active UDP connection indicators, the set provided by an operating system of the client device, (ii) determining an associated uid of the matching entry, (iii) determining whether the associated uid corresponds to an authorized application, and (iv) providing the packet with access to a VPN connection between the client device and an enterprise server only if the associated uid corresponds to an authorized application.
26. A method for managing traffic between a client device and an enterprise server, comprising:
maintaining a list of authorized applications of the enterprise server, wherein each list entry is in the form of an application ID corresponding to an authorized application; receiving a plurality of UDP packets, wherein each UDP packet includes associated routing data; creating a table, wherein each table entry comprises associated routing data and is categorized as one of a negative type and a positive type; and for each received packet, comparing its associated routing data to the table to determine if a match exists, such that (i) if a matching table entry exists which is categorized as a negative type, then denying the packet access to a VPN connection; (ii) if a matching table entry exists which is categorized as a positive type, then providing the packet access to a VPN connection; and (iii) if no matching table entry exists, then matching the routing data to an entry in a set of active UDP connection indicators, the set provided by an operating system of the client device, determining an associated application ID of the matching entry of the set, determining whether that associated application ID is on the authorized applications list, and providing the packet with a VPN connection if that associated application ID is on the authorized applications list, and otherwise adding the packet routing data to the table as a negative type entry.
35. A method for managing traffic between a client device and an enterprise server, comprising:
intercepting a plurality of TCP SYN packets by a client agent of the client device, wherein each packet includes routing data comprising a source port number, a destination IP address, and a destination port number; associating a timestamp with each intercepted packet and placing each timestamped packet in a queue; acquiring a source port key map with an associated timestamp for each of a series of times, wherein the source port key map is a snapshot of active TCP connections of the client device from the /proc/net/tcp and /proc/net/tcp6 lists and provides a mapping of source port numbers and associated uids at the time of the timestamp; selecting each packet from the queue in turn to determine whether the selected packet is associated with an authorized or an unauthorized application, wherein the determination occurs by associating the selected packet with a corresponding source port key map having an associated timestamp that is later than the timestamp of the selected packet, searching the corresponding source port key map for an entry with the same source port ID and determining an associated uid for that entry and thus for the selected packet, and determining whether the uid associated with the selected packet is on the list; and creating a VPN tunnel for only those packets determined to be associated with an authorized application.
40. A computer readable medium containing program instructions, wherein execution of the program instructions by one or more processors of a client device causes the one or more processors to carry out the steps of:
(a) establishing a VPN between the client device and the enterprise server; (b) maintaining a list of authorized applications of the enterprise server; (c) receiving a plurality of packets, wherein each packet includes associated routing data; and (d) for each packet:
(i) matching the routing data to an entry in at least one of a set of active TCP connection indicators and a set of active UDP connection indicators, the set provided by an operating system of the client device, (ii) determining an associated uid of the matching entry, (iii) determining whether the associated uid corresponds to an authorized application, and (iv) providing the packet with access to the VPN connection only if the associated uid corresponds to an authorized application.
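The per-app filtering that claims 25, 26, 35 and 40 describe, written out as an added Python example that is not part of the patent or of any product it covers. It parses text in /proc/net/tcp layout into the source-port to uid map the claims call a source port key map (the sample rows are constructed, not captured from a device), resolves each intercepted SYN against the earliest snapshot taken after the packet's own timestamp as claim 35 requires, keeps claim 26's positive/negative table keyed on (source port, destination IP, destination port), and admits a packet to the tunnel only when the owning uid is on the authorized list. It goes slightly beyond claim 26 by caching positive as well as negative outcomes. The names AppVpnFilter, Packet, Snapshot and demo, the timestamps, and the fail-closed handling of a source port that is absent from a late-enough snapshot are assumptions of this example; the claims do not say what happens in that case.

```python
from dataclasses import dataclass, field
from typing import Dict, FrozenSet, List, Optional, Tuple

# (source port, destination IP, destination port): the "routing data" of claim 35.
RoutingKey = Tuple[int, str, int]

# Constructed sample in /proc/net/tcp layout (not captured from a real device).
# local_address is HEXIP:HEXPORT; the eighth column is the uid that owns the socket,
# which on Android identifies the installed app.
SAMPLE_PROC_NET_TCP = """\
  sl  local_address rem_address   st tx_queue rx_queue tr tm->when retrnsmt   uid  timeout inode
   0: 0100007F:1F90 00000000:0000 0A 00000000:00000000 00:00000000 00000000     0        0 12345 1 0000000000000000 100 0 0 10 0
   1: 0F02000A:A3B2 5E0A0A0A:01BB 01 00000000:00000000 00:00000000 00000000 10057        0 23456 1 0000000000000000 20 4 30 10 -1
   2: 0F02000A:C1D4 1E0A0A0A:1F90 01 00000000:00000000 00:00000000 00000000 10102        0 34567 1 0000000000000000 20 4 30 10 -1
"""


def parse_proc_net_tcp(text: str) -> Dict[int, int]:
    """Source port key map: local port -> owning uid, from /proc/net/tcp or tcp6 text.

    Only the port suffix of local_address is used, so the 32-hex-digit
    addresses in /proc/net/tcp6 parse the same way.
    """
    port_to_uid: Dict[int, int] = {}
    for line in text.splitlines()[1:]:  # first line is the column header
        fields = line.split()
        if len(fields) < 8:
            continue
        local_port = int(fields[1].rsplit(":", 1)[1], 16)
        port_to_uid[local_port] = int(fields[7])
    return port_to_uid


@dataclass(frozen=True)
class Snapshot:
    ts: float                   # when the map was read (hypothetical clock)
    port_to_uid: Dict[int, int]


@dataclass(frozen=True)
class Packet:
    ts: float                   # when the client agent intercepted the SYN
    src_port: int
    dst_ip: str
    dst_port: int


@dataclass
class AppVpnFilter:
    authorized_uids: FrozenSet[int]
    snapshots: List[Snapshot] = field(default_factory=list)
    # Claim 26's table: True = positive entry (tunnel), False = negative entry (deny).
    table: Dict[RoutingKey, bool] = field(default_factory=dict)

    def add_snapshot(self, ts: float, proc_net_text: str) -> None:
        self.snapshots.append(Snapshot(ts, parse_proc_net_tcp(proc_net_text)))
        self.snapshots.sort(key=lambda s: s.ts)

    def lookup_uid(self, pkt: Packet) -> Tuple[bool, Optional[int]]:
        """Resolve the packet against the earliest snapshot taken after it.

        Returns (resolved, uid). resolved is False while no snapshot later than
        the packet exists yet; uid is None when a late-enough snapshot has no
        socket bound to that source port.
        """
        for snap in self.snapshots:
            if snap.ts > pkt.ts:
                return True, snap.port_to_uid.get(pkt.src_port)
        return False, None

    def decide(self, pkt: Packet) -> Optional[bool]:
        """True: send over the VPN; False: deny; None: keep queued for a newer snapshot."""
        key: RoutingKey = (pkt.src_port, pkt.dst_ip, pkt.dst_port)
        if key in self.table:
            return self.table[key]
        resolved, uid = self.lookup_uid(pkt)
        if not resolved:
            return None
        # Fail closed (assumption of this example): an unidentified owner never gets the tunnel.
        allowed = uid is not None and uid in self.authorized_uids
        self.table[key] = allowed
        return allowed


def demo() -> List[Optional[bool]]:
    """Run five constructed SYNs through the filter with one snapshot read at t=2.0."""
    vpn = AppVpnFilter(authorized_uids=frozenset({10057}))
    vpn.add_snapshot(2.0, SAMPLE_PROC_NET_TCP)
    packets = [
        Packet(1.0, 0xA3B2, "10.10.10.94", 443),   # uid 10057: authorized
        Packet(1.0, 0xC1D4, "10.10.10.30", 8080),  # uid 10102: not authorized
        Packet(1.5, 0xBEEF, "10.10.10.30", 8080),  # no socket on that port: denied
        Packet(3.0, 0xA3B2, "10.10.10.94", 443),   # positive table hit, no lookup needed
        Packet(3.0, 0xA3B2, "10.10.10.94", 8443),  # no snapshot after t=3.0 yet: deferred
    ]
    return [vpn.decide(p) for p in packets]


if __name__ == "__main__":
    print(demo())
```

Two practical notes. The uid only identifies a package once it is mapped back through the platform's package manager, so the authorized list is really a list of uids derived from package names at install or policy-sync time. And reading /proc/net/tcp directly is not available to ordinary apps on recent Android releases, which restrict /proc/net access; a VPN app there obtains the same port-to-uid answer from ConnectivityManager.getConnectionOwnerUid instead, and the table and timestamp logic above are unchanged.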
Specification