Method and apparatus for transparently proxying a connection
First Claim
Patent Images
1. A method of transparently proxying a connection to a protected machine comprising:
- monitoring communication packets directed to the protected machine on a network at a proxy machine, the communication packet having a communication packet source address, a communication packet source port number, a communication packet destination address, and a communication packet destination port number, the proxy machine being located within a communication path of the protected machine for monitoring all packets routed to the protected machine, the communications packet not being addressed to the proxy machine by the originator of the communication packet under any network communication protocol;
determining to intercept the communication packet at the proxy machine based on whether the communication packet destination address and the communication packet destination port number correspond to a protected destination address and a protected destination port number stored in a proxy list;
determining to proxy a proxied connection associated with the communication packet based on the communication packet source address and the communication packet source port number;
terminating a protected connection from the proxy machine to a protected machine, the protected machine corresponding to the communication packet destination address and the communication packet destination port number, each communication sent from the proxy machine to the protected machine having a header in which the source address and the source port number are the same as the communication packet source address and the communication packet source port number; and
forming a response to the communication packet under a network protocol by sending a responsive packet from the proxy machine wherein the responsive packet has a header having a responsive packet source address and a responsive packet source port number wherein the responsive packet source address and the responsive packet source port number are the same as to the communication packet destination source address and the communication packet destination port number;
whereby the proxy machine terminates a protected connection to the protected machine and the proxy machine responds to the communication packet acting on behalf of the protected machine and the proxy machine appears to be the protected machine.
2 Assignments
0 Petitions
Accused Products
Abstract
A system and method are disclosed for transparently proxying a connection to a protected machine. The method includes monitoring a communication packet on a network at a proxy machine. The communication packet has a communication packet source address, a communication packet source port number, a communication packet destination address, and a communication packet destination port number. The proxy determines whether to intercept the communication packet based on whether the communication packet destination address and the communication packet destination port number correspond to a protected destination address and a protected destination port number stored in a proxy list. The proxy then determines whether to proxy a proxied connection associated with the communication packet based on the communication packet source address and the communication packet source port number. A protected connection is terminated from the proxy machine to a protected machine. The protected machine corresponds to the communication packet destination address and the communication packet destination port number. A response is formed to the communication packet under a network protocol by sending a responsive packet from the proxy machine. The responsive packet has a header having a responsive packet source address and a responsive packet source port number such that the responsive packet source address and the responsive packet source port number are the same as to the communication packet destination source address and the communication packet destination port number.
149 Citations
23 Claims
-
1. A method of transparently proxying a connection to a protected machine comprising:
-
monitoring communication packets directed to the protected machine on a network at a proxy machine, the communication packet having a communication packet source address, a communication packet source port number, a communication packet destination address, and a communication packet destination port number, the proxy machine being located within a communication path of the protected machine for monitoring all packets routed to the protected machine, the communications packet not being addressed to the proxy machine by the originator of the communication packet under any network communication protocol;
determining to intercept the communication packet at the proxy machine based on whether the communication packet destination address and the communication packet destination port number correspond to a protected destination address and a protected destination port number stored in a proxy list;
determining to proxy a proxied connection associated with the communication packet based on the communication packet source address and the communication packet source port number;
terminating a protected connection from the proxy machine to a protected machine, the protected machine corresponding to the communication packet destination address and the communication packet destination port number, each communication sent from the proxy machine to the protected machine having a header in which the source address and the source port number are the same as the communication packet source address and the communication packet source port number; and
forming a response to the communication packet under a network protocol by sending a responsive packet from the proxy machine wherein the responsive packet has a header having a responsive packet source address and a responsive packet source port number wherein the responsive packet source address and the responsive packet source port number are the same as to the communication packet destination source address and the communication packet destination port number;
whereby the proxy machine terminates a protected connection to the protected machine and the proxy machine responds to the communication packet acting on behalf of the protected machine and the proxy machine appears to be the protected machine. - View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13, 14, 15, 16, 17, 18, 19, 22, 23)
-
-
20. A method of transparently proxying a connection to a protected machine comprising:
-
monitoring a communication packet on a network at a proxy machine, the communication packet having a communication packet source address, a communication packet source port number, a communication packet destination address, and a communication packet destination port number, the communications packet not being addressed to the proxy machine by the originator of the communication packet under any network communication protocol;
determining to intercept the communication packet at the proxy machine based on whether the communication packet destination address and the communication packet destination port number correspond to a protected destination address and a protected destination port number stored in a proxy list;
determining to proxy a proxied connection associated with the communication packet based on the communication packet source address and the communication packet source port number;
terminating a protected connection from the proxy machine to a protected machine, the protected machine corresponding to the communication packet destination address and the communication packet destination port number, each communication sent from the proxy machine to the protected machine having a header in which the source address and the source port number are the same as the communication packet source address and the communication packet source port number;
forming a response to the communication packet under a network protocol by sending a responsive packet from the proxy machine wherein the responsive packet has a header having a responsive packet source address and a responsive packet source port number wherein the responsive packet source address and the responsive packet source port number are the same as to the communication packet destination source address and the communication packet destination port number;
receiving on an outside connection an outside data packet containing outside data from an outside machine, the outside machine being the sender of the communication packet, reading the outside data at the proxy machine, and relaying the outside data to the protected machine via a socket corresponding to the protected connection; and
acknowledging the receipt of the outside data packet at the proxy machine after a protected machine acknowledges receipt of data contained in the outside data packet;
whereby the proxy machine terminates a protected connection to the protected machine and the proxy machine responds to the communication packet acting on behalf of the protected machine and the proxy machine appears to be the protected machine.
-
-
21. A proxy system for proxying a connection from an outside machine to a protected machine comprising:
-
an outside connection stack, the outside connection stack being operative to establish an outside connection to an outside party;
a proxy quad list, the proxy quad list containing a list of proxied connections;
an intercepting controller, the intercepting controller being operative to read incoming data packets, to resolve IP addresses and port numbers to determine whether the data packets correspond to a proxied application based on the proxy quad list; and
a proxy application, the proxy application being operative to determine that a new connection should be added to the quad list and add the new connection to the quad list, the proxy application being configured to establish and maintain a proxy connection to the protected machine by sending communications packets having a header in which the source address and the source port number are the same as the source address and the source port number of the incoming data packets;
wherein a proxied connection is maintained.
-
Specification
-
- Resources
Litigation Campaign Assessment
Thank you for your request. You will receive a custom alert email when the Litigation Campaign Assessment is available.
×
-
Current AssigneeCisco Technology, Inc. (Cisco Systems, Inc.)
-
Original AssigneeCisco Technology, Inc. (Cisco Systems, Inc.)
-
InventorsCoile, Brantley W., Howes, Richard A., LeBlanc, William M.
-
Primary Examiner(s)Chin, Wellington
-
Assistant Examiner(s)PHAN, MAN U
-
Application NumberUS08/903,718Time in Patent Office1,916 DaysField of Search370/401, 370/403, 370/94.1, 370/355, 370/88, 370/402, 370/404, 370/405, 395/187.01, 395/188.01, 395/188.02, 395/200, 709/227, 709/203, 709/230, 709/219, 709/224, 709/228US Class Current370/248CPC Class CodesH04L 63/0281 ProxiesH04L 63/08 for authentication of entit...H04L 67/56 Provisioning of proxy servi...H04L 67/568 Storing data temporarily at...H04L 69/16 Implementation or adaptatio...H04L 69/161 Implementation details of T...H04L 69/163 In-band adaptation of TCP d...H04L 9/40 Network security protocols
