Authentication of tunneled connections
First Claim
1. A secure tunnel communications method, comprising:
establishing a first connection from an inner agent to an outer agent, comprising:
initiating a first TCP connection from the inner agent to the outer agent over an inner firewall, wherein the inner firewall only allows connections to be initiated by the inner agent to the outer agent,
negotiating a first SSL/TLS session between the inner agent and the outer agent over the first TCP connection when an outer agent certificate is presented by the outer agent to the inner agent, and
applying the first SSL/TLS session between the inner agent and the outer agent over the first TCP connection;
establishing a second connection from a client to the outer agent, comprising:
initiating a second TCP connection from the client to the outer agent over a client firewall, wherein the client firewall only allows connections to be initiated by the client to the outer agent, and wherein the client and outer agent each reside on devices separated by a network,
negotiating a second SSL/TLS session between the client and the outer agent over the second TCP connection when the outer agent certificate is presented by the outer agent to the client, and
applying the second SSL/TLS session between the client and the outer agent over the second TCP connection;
negotiating a third SSL/TLS session between the client and the inner agent; and
applying the third SSL/TLS session between the client and the inner agent layered over both the first SSL/TLS session and the second SSL/TLS session, wherein negotiating the second SSL/TLS session comprises authenticating the client, by the outer agent, wherein the outer agent implements an outer agent authentication policy, wherein the client possesses a certificate signed with a certificate key associated with a shared certificate possessed by the outer agent and inner agent, wherein the client presents the certificate possessed by the client to the outer agent, and wherein the outer agent verifies the certificate possessed by the client using the shared certificate possessed by the outer agent, wherein negotiating the third SSL/TLS session comprises authenticating the third SSL/TLS session at the inner agent, wherein authenticating the third SSL/TLS session comprises:
implementing, by the inner agent, an inner agent authentication policy;
presenting, by the client, the certificate possessed by the client to the inner agent; and
verifying, by the inner agent, the certificate possessed by the client using the shared certificate possessed by the inner agent.
4 Assignments
0 Petitions
Abstract
Systems and methods are described for authentication of tunneled connections. A method includes establishing a first connection (CIO) from an inner agent to an outer agent, including making a first TCP connection from the inner agent to the outer agent, negotiating a first SSL/TLS session (SSLSessionIO) between the inner agent and the outer agent over the first TCP connection and applying the first SSL/TLS session (SSLSessionIO) between the inner agent and the outer agent over the first TCP connection; establishing a second connection (CCO) from a client to the outer agent, including making a second TCP connection from the client to the outer agent, negotiating a second SSL/TLS session (SSLSessionCO) between the client and the outer agent over the second TCP connection and applying the second SSL/TLS session (SSLSessionCO) between the client and the outer agent over the second TCP connection; and then negotiating a third SSL/TLS session (SSLSessionCI) between the client and the inner agent via both the first SSL/TLS session (SSLSessionIO) and the second SSL/TLS session (SSLSessionCO) and applying the third SSL/TLS session (SSLSessionCI) between the client and the inner agent layered over both the first SSL/TLS session (SSLSessionIO) and the second SSL/TLS session (SSLSessionCO), wherein negotiating the second SSL/TLS session (SSLSessionCO) includes verifying at the outer agent that the client possesses a certificate signed with a certificate associated with the inner agent.
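The layering the abstract and claim 1 describe, as an added example in Go that is not part of the patent and does not come from any product built on it: three goroutines play the client, the outer agent and the inner agent over loopback TCP connections that stand in for the two firewalled links (CIO dialed by the inner agent, CCO dialed by the client). The "shared certificate" held by both agents is modelled as a CA certificate; the client certificate is signed by it, and each agent's authentication policy is `tls.RequireAndVerifyClientCert` against that CA. The outer agent terminates SSLSessionIO and SSLSessionCO and only relays bytes between them, so SSLSessionCI is negotiated end to end between client and inner agent, and the inner agent verifies the client certificate a second time. The names (shared-ca, outer-agent, inner-agent, client), the constructed certificates, the `Run`, `issue` and `pair` helpers and the `rogue` switch (a client certificate from an unrelated CA, which the outer agent must refuse) are all assumptions of this example, not anything the patent specifies.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/tls"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"io"
	"math/big"
	"net"
	"time"
)

func must(err error) {
	if err != nil {
		panic(err)
	}
}

// issue returns a constructed P-256 key and certificate for cn, signed by "by", or self-signed when by is empty.
func issue(cn string, isCA bool, by tls.Certificate) tls.Certificate {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	must(err)
	tmpl := &x509.Certificate{SerialNumber: big.NewInt(time.Now().UnixNano()), Subject: pkix.Name{CommonName: cn},
		DNSNames: []string{cn}, NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(24 * time.Hour),
		KeyUsage: x509.KeyUsageDigitalSignature | x509.KeyUsageCertSign, IsCA: isCA, BasicConstraintsValid: true}
	signer, signerKey := by.Leaf, by.PrivateKey
	if signer == nil { // no issuer given: self-sign (used for the shared certificate)
		signer, signerKey = tmpl, key
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, signer, &key.PublicKey, signerKey)
	must(err)
	leaf, _ := x509.ParseCertificate(der)
	return tls.Certificate{Certificate: [][]byte{der}, PrivateKey: key, Leaf: leaf}
}

// pair returns both ends of a loopback TCP connection; the dialing end stands for the firewalled host.
func pair() (net.Conn, net.Conn) {
	ln, err := net.Listen("tcp", "127.0.0.1:0")
	must(err)
	defer ln.Close()
	c, err := net.Dial("tcp", ln.Addr().String())
	must(err)
	s, err := ln.Accept()
	must(err)
	return c, s
}

// Run builds a constructed PKI, runs client, outer agent and inner agent concurrently and returns
// what the client read over SSLSessionCI. With rogue set, the client certificate is signed by a CA
// neither agent holds, so the outer agent's authentication policy must reject it.
func Run(rogue bool) (string, error) {
	sharedCA := issue("shared-ca", true, tls.Certificate{}) // the "shared certificate" both agents hold
	pool := x509.NewCertPool()
	pool.AddCert(sharedCA.Leaf)
	outerCert := issue("outer-agent", false, sharedCA)
	innerCert := issue("inner-agent", false, sharedCA)
	issuer := sharedCA
	if rogue {
		issuer = issue("rogue-ca", true, tls.Certificate{})
	}
	clientCert := issue("client", false, issuer)
	cCO, oCO := pair() // CCO: dialed by the client through its outbound-only firewall
	iIO, oIO := pair() // CIO: dialed by the inner agent through the inner firewall
	// Agent authentication policy: the client must present a certificate chaining to the shared one.
	agentPolicy := func(cert tls.Certificate) *tls.Config {
		return &tls.Config{Certificates: []tls.Certificate{cert}, ClientAuth: tls.RequireAndVerifyClientCert, ClientCAs: pool}
	}
	clientCfg := func(serverName string) *tls.Config {
		return &tls.Config{Certificates: []tls.Certificate{clientCert}, RootCAs: pool, ServerName: serverName}
	}
	done, got := make(chan interface{}, 3), "" // each party sends its panic value, nil on success
	go func() { // outer agent: terminates SSLSessionIO and SSLSessionCO, relays SSLSessionCI as opaque bytes
		defer func() { done <- recover() }()
		sIO := tls.Server(oIO, &tls.Config{Certificates: []tls.Certificate{outerCert}})
		sCO := tls.Server(oCO, agentPolicy(outerCert))
		must(sIO.Handshake())
		must(sCO.Handshake()) // client certificate verified against the shared certificate
		go io.Copy(sIO, sCO)
		io.Copy(sCO, sIO)
	}()
	go func() { // inner agent: client of SSLSessionIO, server of SSLSessionCI layered on it
		defer func() { done <- recover() }()
		tIO := tls.Client(iIO, &tls.Config{RootCAs: pool, ServerName: "outer-agent"})
		must(tIO.Handshake())
		sCI := tls.Server(tIO, agentPolicy(innerCert))
		must(sCI.Handshake()) // the inner agent re-authenticates the client end to end
		_, err := sCI.Write([]byte("inner-agent authenticated " + sCI.ConnectionState().PeerCertificates[0].Subject.CommonName))
		must(err)
		must(sCI.Close())
	}()
	go func() { // client: SSLSessionCO to the outer agent, then SSLSessionCI to the inner agent over it
		defer func() { done <- recover() }()
		tCO := tls.Client(cCO, clientCfg("outer-agent"))
		must(tCO.Handshake())
		tCI := tls.Client(tCO, clientCfg("inner-agent"))
		must(tCI.Handshake())
		data, err := io.ReadAll(tCI)
		must(err)
		got = string(data)
		must(tCO.Close())
	}()
	for i := 0; i < 3; i++ { // wait for every party; the first failure wins
		if r := <-done; r != nil {
			return "", fmt.Errorf("%v", r)
		}
	}
	return got, nil
}

func main() {
	fmt.Println(Run(false))
}
```

`go run` prints the reply the client received through SSLSessionCI, which names the client identity the inner agent itself verified. `Run(true)` returns the outer agent's verification error instead, and the inner agent never sees that client. Two points the layering buys a defender: the outer agent handles only SSLSessionCI ciphertext, so a compromised outer agent cannot read client-to-inner traffic; and because the inner agent applies its own policy against the shared certificate, a mistake or compromise at the outer agent still does not admit an unauthenticated client to the inner network.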
114 Citations
15 Claims
1. (Independent claim; its text is given above under First Claim.) Dependent claims 2 to 13 refer to claim 1.
14. A computer readable medium, comprising software instructions executable by a processor to perform a method, the method comprising:
establishing a first connection from an inner agent to an outer agent, comprising:
initiating a first TCP connection from the inner agent to the outer agent over an inner firewall, wherein the inner firewall only allows connections to be initiated by the inner agent to the outer agent,
negotiating a first SSL/TLS session between the inner agent and the outer agent over the first TCP connection when an outer agent certificate is presented by the outer agent to the inner agent, and
applying the first SSL/TLS session between the inner agent and the outer agent over the first TCP connection;
establishing a second connection from a client to the outer agent, comprising:
initiating a second TCP connection from the client to the outer agent over a client firewall, wherein the client firewall only allows connections to be initiated by the client to the outer agent,
negotiating a second SSL/TLS session between the client and the outer agent over the second TCP connection when the outer agent certificate is presented by the outer agent to the client, and
applying the second SSL/TLS session between the client and the outer agent over the second TCP connection;
negotiating a third SSL/TLS session between the client and the inner agent; and
applying the third SSL/TLS session between the client and the inner agent layered over both the first SSL/TLS session and the second SSL/TLS session, wherein negotiating the second SSL/TLS session comprises authenticating the client by the outer agent, wherein the outer agent implements an outer agent authentication policy, wherein the client possesses a certificate signed with a certificate key associated with a shared certificate possessed by the outer agent and inner agent, wherein the client presents the certificate possessed by the client to the outer agent, and wherein the outer agent verifies the certificate possessed by the client using the shared certificate possessed by the outer agent, wherein negotiating the third SSL/TLS session comprises authenticating the third SSL/TLS session at the inner agent, wherein authenticating the third SSL/TLS session comprises:
implementing, by the inner agent, an inner agent authentication policy;
presenting, by the client, the certificate possessed by the client to the inner agent; and
verifying, by the inner agent, the certificate possessed by the client using the shared certificate possessed by the inner agent.
15. A secure tunnel communications system, comprising:
an inner agent;
an outer agent coupled to the inner agent, wherein the inner agent initiates a first TCP connection to the outer agent over an inner firewall, wherein the inner firewall only allows connections to be initiated by the inner agent to the outer agent, wherein the inner agent and outer agent negotiate a first SSL/TLS session over the first TCP connection when an outer agent certificate is presented by the outer agent to the inner agent, and wherein the first SSL/TLS session is applied between the inner agent and outer agent over the first TCP connection; and
a client coupled to the outer agent, wherein the client initiates a second TCP connection to the outer agent over a client firewall, wherein the client firewall only allows connections to be initiated by the client to the outer agent, and wherein the client and outer agent each reside on devices separated by a network, wherein the client and outer agent negotiate a second SSL/TLS session over the second TCP connection when an outer agent certificate is presented by the outer agent to the client, wherein negotiating the second SSL/TLS session comprises authenticating the client, by the outer agent, wherein the outer agent implements an outer agent authentication policy, wherein the client possesses a certificate signed with a certificate key associated with a shared certificate possessed by the outer agent and inner agent, wherein the client presents the certificate possessed by the client to the outer agent, and wherein the outer agent verifies the certificate possessed by the client using the shared certificate possessed by the outer agent, wherein the first SSL/TLS session is applied between the client and the outer agent over the second TCP connection, wherein the client and inner agent negotiate a third SSL/TLS session via both the first SSL/TLS session and the second SSL/TLS session, wherein the third SSL/TLS session is applied between the client and the inner agent layered over both the first SSL/TLS session and the second SSL/TLS session, and wherein negotiating the third SSL/TLS session comprises authenticating the third SSL/TLS session at the inner agent, wherein authenticating the third SSL/TLS session comprises:
implementing, by the inner agent, an inner agent authentication policy;
presenting, by the client, the certificate possessed by the client to the inner agent; and
verifying, by the inner agent, the certificate possessed by the client using the shared certificate possessed by the inner agent.
Specification