Systems and methods of fine grained interception of network communications on a virtual private network

US 7,843,912 B2
Filed: 08/03/2006
Issued: 11/30/2010
Est. Priority Date: 08/03/2006
Status: Active Grant

First Claim

Patent Images

1. A method for intercepting a communication of a client to a destination on a virtual private network based on a network destination description of an application authorized to be accessed via the virtual private network, the method comprising the steps of:

(a) receiving, by an agent of a client on a first network, a routing table comprising a network destination description of an application authorized for access as a destination on a second network via a virtual private network;

(b) intercepting, by the agent, a network communication of the client, the agent establishing a virtual private network connection via an appliance from the first network to the second network;

(c) determining, by the agent, that the network communication identifies a destination with a network identifier and a port that matches the network destination description of the application authorized for access as a destination on the second network via the virtual private network; and

(d) transmitting, by the agent in response to the identification of the authorized application, the network communication via the virtual private network connection.

View all claims

7 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

A method for intercepting communication of a client to a destination on a virtual private network includes an agent executing on the client that intercepts a network communication of the client. The agent provides a virtual private network connection from a first network to a second network. The decision to intercept is based on a network destination description or an identification of an application authorized to be accessed via the virtual private network. In one case, the agent determines that a destination specified by the intercepted communication corresponds to a network identifier and a port of a network destination description of an application on the second network authorized for access via the virtual private network. In response to this determination, the agent transmits the intercepted communication.

105 Citations

View as Search Results

23 Claims

1. A method for intercepting a communication of a client to a destination on a virtual private network based on a network destination description of an application authorized to be accessed via the virtual private network, the method comprising the steps of:
- (a) receiving, by an agent of a client on a first network, a routing table comprising a network destination description of an application authorized for access as a destination on a second network via a virtual private network;
  
  (b) intercepting, by the agent, a network communication of the client, the agent establishing a virtual private network connection via an appliance from the first network to the second network;
  
  (c) determining, by the agent, that the network communication identifies a destination with a network identifier and a port that matches the network destination description of the application authorized for access as a destination on the second network via the virtual private network; and
  
  (d) transmitting, by the agent in response to the identification of the authorized application, the network communication via the virtual private network connection.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10)
- - 2. The method of claim 1, comprising determining, by the agent, the network communication does not correspond to the network destination description of the application, and transmitting the network communication via the first network.
  - 3. The method of claim 1, comprising determining, by the agent, the network communication does not correspond to the network destination description of the application, and dropping the network communication.
  - 4. The method of claim 1, wherein the network destination description comprises one of an internet protocol address and netmask, a single internet protocol address, or an internet protocol address range associated with the application.
  - 5. The method of claim 1, wherein the network identifier comprises a host name of a computing device hosting the application.
  - 6. The method of claim 1, comprising determining, by the agent, the network identifier and the port of the client corresponds to a source internet protocol address and a source port of the network destination description of the application.
  - 7. The method of claim 1, comprising determining, by the agent, a type of protocol of the network communication corresponds to a protocol specified by the network destination description of the application.
  - 8. The method of claim 1, comprising determining, by the agent, not to intercept a second network communication of the client destined to a second application not authorized for access to the second network via the virtual private network connection.
  - 9. The method of claim 1, wherein step (a) comprises intercepting, by the agent, transparently to one of the application or a user of the client.
  - 10. The method of claim 1, comprising receiving, by the agent, the network destination description from the appliance.

11. A system for intercepting a communication of a client to a destination on a virtual private network based on a network destination description of an application authorized to be accessed via the virtual private network, the system comprising:
- a means for receiving, by agent of a client on a first network, a routing table comprising a network destination description of an application authorized for access as a destination on a second network via a virtual private network;
  
  a means for intercepting, by the agent, a network communication of the client, the agent establishing a virtual private network connection via an appliance from the first network to the second network;
  
  a means for determining, by the agent, that the network communication identifies a destination with a network identifier and a port that matches the network destination description of the application authorized for access as a destination on the second network via the virtual private network; and
  
  a means for transmitting, by the agent in response to the identification of the authorized application, the network communication via the virtual private network connection.
- View Dependent Claims (12, 13, 14, 15, 16, 17, 18, 19, 20)
- - 12. The system of claim 11, comprising a means for determining, by the agent, the network communication does not correspond to the network destination description of the application, and transmitting the network communication via the first network.
  - 13. The system of claim 11, comprising a means for determining, by the agent, the network communication does not correspond to the network destination description of the application, and dropping the network communication.
  - 14. The system of claim 11, wherein the network destination description comprises one of an internet protocol address and netmask, a single internet protocol address, or an internet protocol address range associated with the application.
  - 15. The system of claim 11, wherein the network identifier comprises a host name of a computing device hosting the application.
  - 16. The system of claim 11, comprising a means for determining, by the agent, the network identifier and the port of the client corresponds to a source internet protocol address and a source port of the network destination description of the application.
  - 17. The system of claim 11, comprising a means for determining, by the agent, a type of protocol of the network communication corresponds to a protocol specified by the network destination description of the application.
  - 18. The system of claim 11, comprising a means for determining, by the agent, not to intercept a second network communication of the client destined to a second application not authorized for access to the second network via the virtual private network connection.
  - 19. The system of claim 11, comprising a means for intercepting, by the agent, transparently to one of the application or a user of the client.
  - 20. The system of claim 11, comprising a means for receiving, by the agent, the network destination description from the appliance.

21. A method for intercepting a communication of a client to a destination on a virtual private network (VPN) based on a network destination description of an application authorized for access as a destination via the VPN, the method comprising the steps of:
- (a) establishing, by an agent of a client on a first network, a VPN connection from the first network via an appliance to a second network;
  
  (b) receiving, by the agent, a routing table comprising a network destination description of an application authorized for access as a destination on the second network;
  
  (c) intercepting, by the agent, a first network communication of the client;
  
  (d) determining, by the agent, that the first network communication identifies a destination with a network identifier and a port that matches the network destination description in the routing table corresponding to the application authorized for access as a destination on the second network;
  
  (e) transmitting, by the agent in response to the identification of the authorized application, the first network communication via the VPN connection;
  
  (f) intercepting, by the agent, a second network communication of the client;
  
  (g) determining, by the agent, that the second network communication identifies a destination with a network identifier and a port that does not match the network destination description in the routing table corresponding to the application authorized for access as a destination on the second network; and
  
  (h) determining, by the agent in response to the identification of the non-matching application, not to transmit the second network communication via the VPN connection.
- View Dependent Claims (22, 23)
- - 22. The method of claim 21, further comprising dropping the second network communication.
  - 23. The method of claim 21, further comprising allowing the second network communication to pass via a network stack of the client.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Citrix Systems, Inc. (Cloud Software Group)
Original Assignee
Citrix Systems, Inc. (Cloud Software Group)
Inventors
Nanjundaswamy, Shashi, Venkatraman, Charu, Mullick, Amarnath, Soni, Ajay, Harris, James, He, Junxiao
Primary Examiner(s)
Pham; Chi H
Assistant Examiner(s)
Mohebbi; Kouroush

Application Number

US11/462,312
Publication Number

US 20080031235A1
Time in Patent Office

1,580 Days
Field of Search

370/392, 370/389, 370/409, 370/401, 370/329, 370/341, 370/328, 370/338, 370/231, 370/395, 709/224, 709/225, 709/202, 709/203, 709/249, 709/223, 709/250, 709/226, 709/227, 709/235, 726/11, 726/12, 726/13, 726/14, 726/15
US Class Current

370/389
CPC Class Codes

H04L 12/4679   Arrangements for the regist...

H04L 63/0272   Virtual private networks

H04L 63/102   Entity profiles

H04L 69/16   Implementation or adaptatio...

H04L 69/163   In-band adaptation of TCP d...

Systems and methods of fine grained interception of network communications on a virtual private network

First Claim

7 Assignments

0 Petitions

Accused Products

Abstract

105 Citations

23 Claims

Specification

Solutions

Use Cases

Quick Links

Systems and methods of fine grained interception of network communications on a virtual private network

First Claim

7 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

105 Citations

23 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links