Secure sockets layer proxy architecture
First Claim
1. A method for secure communications between a client and one of a plurality of servers performed on an intermediary device coupled to the client and said plurality of servers, comprising:
(a) establishing an open communications session between the intermediary device and the client via an open network;
(b) negotiating a secure communications session with the client;
(c) establishing an open communications session with said one of said plurality of servers via a secure network;
(d) receiving encrypted application data from the client via the secure communications session, wherein the encrypted application data was encrypted by the client device by encrypting application data at a session layer above a packet level of a network stack of the client;
(e) decrypting the encrypted application data;
(f) forwarding the decrypted application data to the server via the secure network;
(g) receiving application data from the server via the secure network;
(h) encrypting the application data; and
(i) sending encrypted application data to the client, wherein the steps (e) and (f) are performed at the packet level of a network stack of the intermediate device without processing the application data with an application layer of the network stack of the intermediate device.
2 Assignments
0 Petitions
Abstract
A method for secure communications between a client and one of a plurality of servers performed on an intermediary device coupled to the client and said plurality of servers. In one aspect, the method comprises: establishing an open communications session between the intermediary device and the client via an open network; negotiating a secure communications session with the client; establishing an open communications session with said one of said plurality of servers via a secure network; receiving encrypted data from the client via the secure communications session; decrypting encrypted application data; forwarding decrypted application data to the server via the secure network; receiving application data from the server via the secure network; encrypting the application data; and sending encrypted application data to the client. In a further aspect, an apparatus is provided including a network interface communicating with the public network and the secure network, at least one processor, programmable dynamic memory addressable by the processor, and a communications channel coupling the processor, memory and the network communications interface. The apparatus further includes a proxy TCP communications engine, a proxy SSL communications engine, a server TCP communications engine, and a packet data encryption and decryption engine.
30 Claims
1. A method for secure communications between a client and one of a plurality of servers performed on an intermediary device coupled to the client and said plurality of servers, comprising:
(a) establishing an open communications session between the intermediary device and the client via an open network;
(b) negotiating a secure communications session with the client;
(c) establishing an open communications session with said one of said plurality of servers via a secure network;
(d) receiving encrypted application data from the client via the secure communications session, wherein the encrypted application data was encrypted by the client device by encrypting application data at a session layer above a packet level of a network stack of the client;
(e) decrypting the encrypted application data;
(f) forwarding the decrypted application data to the server via the secure network;
(g) receiving application data from the server via the secure network;
(h) encrypting the application data; and
(i) sending encrypted application data to the client, wherein the steps (e) and (f) are performed at the packet level of a network stack of the intermediate device without processing the application data with an application layer of the network stack of the intermediate device.
Dependent claims: 2, 3, 4, 5, 6, 7, 8, 9, 10, 11
12. An apparatus coupled to a public network and a secure network, communicating with at least one client via the public network and communicating with one of a plurality of servers via the secure network, comprising:
a network interface communicating with the public network and the secure network;
at least one processor;
programmable dynamic memory addressable by the processor;
a communications channel coupling the processor, memory and network communications interface;
a proxy TCP communications engine;
a proxy SSL communications engine;
a server TCP communications engine; and
a packet data encryption and decryption engine,
wherein the proxy SSL communications engine and the server TCP communications engine decrypt encrypted application data from the client at packet level within a network stack of the apparatus, and wherein the proxy SSL communications engine and the server TCP communications engine forward the decrypted application data to the one of the plurality of servers without processing the application data with an application layer of the network stack of the apparatus, wherein the encrypted application data was encrypted by the client at a layer above a packet level within a network stack of the client.
Dependent claims: 13, 14, 15, 16, 17, 18, 19, 20, 21, 22
23. A method of providing secure communications between a plurality of customer devices and an enterprise, comprising:
providing a device enabled for secure communication with the customer devices and having an IP address of the enterprise;
receiving with an intermediate device communications directed to the enterprise in secure protocol, wherein the secure protocol provides encrypted application data that was encrypted by one of the customer devices at a session layer above a packet level within a network stack of the customer device;
decrypting data packets of the secure protocol to provide decrypted packet data at the packet level of a network stack of the intermediate device;
bypassing the application layer of the network stack of the intermediate device and forwarding the decrypted packet data from the intermediate device to at least one server of the enterprise without processing the decrypted packet data with the application layer;
receiving application data from a secure server of the enterprise;
encrypting the application data received from the enterprise; and
forwarding encrypted application data to the customer device.
Dependent claims: 24, 25, 26, 27, 28, 29
30. A method for secure communications between a client device and one of a plurality of servers performed on an intermediary device coupled to the client device and said plurality of servers, comprising:
(a) establishing an open communications session between the intermediary device and the client device via an open network;
(b) negotiating a secure communications session between the intermediary device and the client device;
(c) establishing an open communications session between the intermediary device and said one of said plurality of servers via a secure network;
(d) receiving encrypted application data from the client device via the secure communications session, wherein the encrypted application data was encrypted by the client device by encrypting application data at a session layer or above within a network stack of the client;
(e) decrypting the encrypted application data;
(f) bypassing an application layer of a network stack of the intermediate device and forwarding the decrypted application data from the intermediate device to the server via the secure network without processing the decrypted application data with the application layer;
(g) receiving application data from the server via the secure network;
(h) encrypting the application data;
(i) sending encrypted application data to the client device;
(j) detecting a communications anomaly in a communications session between the client device and the intermediary device; and
(k) passing TCP data between the client device and the server through the intermediary device.
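The procedure in the abstract and in claims 1, 12, 23 and 30 is a TLS-terminating (SSL) proxy: the intermediary terminates the client's TLS session, opens a plain TCP session to the server over the protected network, and relays bytes in both directions without handling the application protocol. The Go program below is an added example written for this page; it is not code from the patent or from any product it covers. It assumes a loopback backend, a self-signed certificate for the made-up hostname proxy.example, and Go's crypto/tls running in user space rather than the packet-level decryption engine the claims describe. What it does reproduce is the security-relevant property of the claims: the proxy forwards decrypted bytes without any application-layer processing. The anomaly fallback of claim 30 (steps j and k) is not implemented.

```go
package main

import (
	"bufio"
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/tls"
	"crypto/x509"
	"fmt"
	"io"
	"math/big"
	"net"
	"time"
)

// check aborts the demo on setup errors (key generation, listeners).
func check(err error) {
	if err != nil {
		panic(err)
	}
}

// selfSignedCert builds an in-memory cert for the proxy listener (example only; a real proxy uses a CA-issued cert).
func selfSignedCert() (tls.Certificate, *x509.CertPool) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	check(err)
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1), DNSNames: []string{"proxy.example"}, // assumed hostname
		NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(time.Hour),
		ExtKeyUsage: []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
		BasicConstraintsValid: true, IsCA: true,
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	check(err)
	leaf, err := x509.ParseCertificate(der)
	check(err)
	pool := x509.NewCertPool()
	pool.AddCert(leaf)
	return tls.Certificate{Certificate: [][]byte{der}, PrivateKey: key}, pool
}

// serve accepts connections on ln and handles each one concurrently.
func serve(ln net.Listener, handle func(net.Conn)) {
	for {
		c, err := ln.Accept()
		if err != nil {
			return
		}
		go func(c net.Conn) { defer c.Close(); handle(c) }(c)
	}
}

// startBackend stands in for an enterprise server on the secure network: plain TCP, no TLS, answers one line.
func startBackend() string {
	ln, err := net.Listen("tcp", "127.0.0.1:0")
	check(err)
	go serve(ln, func(c net.Conn) {
		if line, err := bufio.NewReader(c).ReadString('\n'); err == nil {
			c.Write([]byte("backend got: " + line))
		}
	})
	return ln.Addr().String()
}

// startProxy is the intermediary device: it terminates TLS from the client (claim
// steps a, b), opens plaintext TCP to the server (c) and relays bytes both ways (d-i).
func startProxy(cert tls.Certificate, backend string) string {
	ln, err := tls.Listen("tcp", "127.0.0.1:0", &tls.Config{Certificates: []tls.Certificate{cert}, MinVersion: tls.VersionTLS12})
	check(err)
	go serve(ln, func(client net.Conn) {
		server, err := net.Dial("tcp", backend)
		if err != nil {
			return
		}
		defer server.Close()
		go func() { // client -> server: the TLS layer decrypts; bytes are forwarded unparsed
			io.Copy(server, client)
			server.(*net.TCPConn).CloseWrite() // propagate the client's end of stream
		}()
		io.Copy(client, server) // server -> client: plaintext re-encrypted by the TLS writer
	})
	return ln.Addr().String()
}

// ProxyRoundtrip wires backend, proxy and a TLS client together and returns the reply.
func ProxyRoundtrip(msg string) (string, error) {
	cert, pool := selfSignedCert()
	proxy := startProxy(cert, startBackend())
	conn, err := tls.Dial("tcp", proxy, &tls.Config{RootCAs: pool, ServerName: "proxy.example", MinVersion: tls.VersionTLS12})
	if err != nil {
		return "", err
	}
	defer conn.Close()
	fmt.Fprintf(conn, "%s\n", msg) // one application-layer line, encrypted by the client's TLS stack
	reply, err := io.ReadAll(conn) // the backend closes after replying, so EOF ends the read
	return string(reply), err
}

func main() { fmt.Println(ProxyRoundtrip("hello via the proxy")) }
```

The reply "backend got: ..." can only arrive over the client's TLS session because the proxy handed the backend plaintext. Two consequences of this design are worth checking in any such deployment: the server-side leg carries plaintext, so the "secure network" of the claims must genuinely be isolated from the open one, and because the proxy never parses the application layer it cannot apply content inspection there; that has to happen on the server or in a separate component. The CloseWrite call matters for backends that read until end of stream: without it a client half-close never reaches the server and the relay hangs.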
Specification