NAT access control with IPSec
First Claim
1. A system that provides access to remote resources that utilize Internet Protocol Security (IPSec) protocol comprising:
a processing unit programmed to execute:
a gateway component acting as a network address translator for a connection between a client and an intended destination hosting a desired remote resource, wherein acting as a network address translator comprises receiving from the client a connection request and packets to be transmitted to the intended destination; and
a security component that receives information regarding the connection request from the gateway component and determines whether packets from the client to the intended destination should be secured, the security component providing a response to the gateway component indicating whether the intended destination requires security,
wherein the gateway component, upon receiving data, determines whether the data comprises a connection request and,
when the data comprises a connection request, transmits at least information regarding the connection request to the security component and, when the response from the security component indicates that the intended destination requires security, establishes a secure connection to the intended destination and stores a record corresponding to the secure connection, and
when the data comprises a packet to be transmitted to the intended destination that is not a connection request, determines whether the packet corresponds to a previously-established secure connection for which the gateway component has a record and, when the packet corresponds to a previously-established secure connection, without transmitting the packet to the security component, secures the packet received from the client in accordance with a security policy for the intended destination for the previously-established secure connection and transmits a secured packet to the intended destination.
Abstract
An architecture that can provide for improved network content filtering is described herein. In particular, access to remote resources can be controlled by a remote mechanism. In accordance therewith, a gateway can seamlessly and/or transparently redirect packets from a client that are meant for an intended destination to an access control component. The access control component can determine whether the client has access to the resources requested. In addition, the gateway can provide IPSec features on behalf of the client.
86 Citations
20 Claims
1. (Independent system claim; full text given under First Claim above. Dependent claims: 2 to 17.)
18. A method for facilitating IPSec support in a controlled access environment, comprising:
receiving at a network address translator at a first time a connection request and at a second time, later than the first time, an unsecured packet from a client, the connection request and the unsecured packet being intended for an intended destination hosting a desired remote resource, wherein the receiving comprises, upon receiving data, determining whether the data comprises a connection request;
when data is determined to comprise a connection request, redirecting the connection request to a security server for determining whether the intended destination for the packet utilizes an IPSec policy;
receiving a response from the security server indicating whether the intended destination utilizes an IPSec policy and, when the intended destination utilizes an IPSec policy, indicating a particular IPSec policy used by the intended destination;
when the response from the security server indicates that the intended destination utilizes an IPSec policy, establishing a secure connection between the intended destination and the network address translator according to the particular IPSec policy and storing on the network address translator a record corresponding to the secure connection;
when the unsecured packet that is not a connection request is received at the second time, on the network address translator determining whether the unsecured packet corresponds to a previously-established secure connection for which a record is stored on the network address translator and, when the unsecured packet corresponds to a previously-established secure connection, on the network address translator securing the unsecured packet in accordance with the particular IPSec policy to create a secured packet; and transmitting the secured packet to the intended destination over the secure connection; and
when the response indicates that the intended destination does not utilize an IPSec policy and when the unsecured packet is received at the second time, transmitting the unsecured packet to the intended destination.
19. An apparatus to operate a network address translator to facilitate IPSec support in a controlled access environment comprising:
at least one processor programmed to act as:
a first component to operate a network address translator to receive at a first time a connection request and at a second time, later than the first time, an unsecured packet from a client that is not a connection request, wherein the first component, upon receiving data, determines whether the data comprises a connection request;
a second component to ascertain whether an intended destination for the connection request and the unsecured packet employs an IPSec protocol, wherein the second component receives a connection request from the first component when the data is determined by the first component to comprise a connection request;
a third component to determine whether the unsecured packet that is not a connection request corresponds to a previously-established secure connection for which a record is stored and, when the unsecured packet corresponds to a previously-established secure connection, to encrypt the unsecured packet that is not a connection request in accordance with the IPSec protocol to create a secured packet, when it is ascertained that the intended destination employs an IPSec protocol; and
a fourth component to operate the network address translator to establish an IPSec connection session to the intended destination and, when the unsecured packet is received at the second time, to transmit the secured packet on behalf of the client, when it is ascertained that the intended destination employs an IPSec protocol.
(Dependent claim: 20.)
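The control flow that claims 1, 18 and 19 describe, as a runnable model: the gateway redirects only connection requests to the security server, records the resulting secure connection, and secures every later packet of that flow from the stored record without querying the server again, while destinations without an IPSec policy get the unsecured packet forwarded as-is. This is an added example, not code from the patent or its assignee. The policy table, the addresses, and the HMAC-based "toy ESP" (SPI and sequence header, keystream encryption, 16-byte authentication tag) are constructed stand-ins for the IKE/IPSec machinery the claims refer to and are not real IPSec.

```python
"""Toy model of the gateway / security-server split described in claims 1, 18 and 19.

Added example, not code from the patent or its assignee. The policy table,
addresses and the HMAC-based "toy ESP" are constructed stand-ins for the
IPSec/IKE machinery the claims refer to; they are not real IPSec.
"""
import hashlib
import hmac
import os
import struct
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple

# Security component: which destinations require IPSec, and under which policy.
POLICY_TABLE: Dict[str, Optional[str]] = {
    "10.0.0.5": "esp-toy-hmac-sha256",  # constructed: destination requires IPSec
    "10.0.0.9": None,                   # constructed: destination has no IPSec policy
}


def security_server(destination: str) -> Tuple[bool, Optional[str]]:
    """Answer the gateway's query about a connection request."""
    policy = POLICY_TABLE.get(destination)
    return policy is not None, policy


@dataclass
class SecureConnection:
    """The record the gateway stores for an established secure connection."""
    spi: int
    key: bytes
    policy: str
    seq: int = 0


def _subkey(key: bytes, label: bytes) -> bytes:
    return hmac.new(key, label, hashlib.sha256).digest()


def _keystream(enc_key: bytes, header: bytes, length: int) -> bytes:
    blocks = (hmac.new(enc_key, header + struct.pack("!I", i), hashlib.sha256).digest()
              for i in range((length + 31) // 32))
    return b"".join(blocks)[:length]


def esp_wrap(sa: SecureConnection, plaintext: bytes) -> bytes:
    """Toy ESP: SPI||seq header, keystream-encrypted payload, 16-byte HMAC tag."""
    sa.seq += 1
    header = struct.pack("!II", sa.spi, sa.seq)
    stream = _keystream(_subkey(sa.key, b"enc"), header, len(plaintext))
    ciphertext = bytes(p ^ s for p, s in zip(plaintext, stream))
    tag = hmac.new(_subkey(sa.key, b"mac"), header + ciphertext, hashlib.sha256).digest()[:16]
    return header + ciphertext + tag


def esp_unwrap(key: bytes, packet: bytes) -> Optional[bytes]:
    """Destination side: verify the tag first, then decrypt; None if rejected."""
    if len(packet) < 8 + 16:
        return None
    header, ciphertext, tag = packet[:8], packet[8:-16], packet[-16:]
    expected = hmac.new(_subkey(key, b"mac"), header + ciphertext, hashlib.sha256).digest()[:16]
    if not hmac.compare_digest(tag, expected):
        return None
    stream = _keystream(_subkey(key, b"enc"), header, len(ciphertext))
    return bytes(c ^ s for c, s in zip(ciphertext, stream))


@dataclass
class Gateway:
    """NAT gateway: only connection requests are redirected to the security server."""
    records: Dict[Tuple[str, str], SecureConnection] = field(default_factory=dict)
    server_queries: List[Tuple[str, str]] = field(default_factory=list)

    def handle(self, client: str, destination: str, payload: bytes,
               is_connection_request: bool) -> Tuple[str, bytes]:
        """Return (how the packet was forwarded, the bytes sent to the destination)."""
        flow = (client, destination)
        if is_connection_request:
            self.server_queries.append(flow)
            requires, policy = security_server(destination)
            if requires:
                # Stand-in for IKE negotiation: fresh SPI and key, recorded per flow.
                sa = SecureConnection(spi=int.from_bytes(os.urandom(4), "big"),
                                      key=os.urandom(32), policy=policy)
                self.records[flow] = sa
                return "secured", esp_wrap(sa, payload)
            return "plain", payload
        sa = self.records.get(flow)
        if sa is None:
            # Claim 18's unsecured branch; a packet with no prior connection
            # request is treated the same way here (assumption, not claimed).
            return "plain", payload
        # Data path: secure from the stored record, no security-server query.
        return "secured", esp_wrap(sa, payload)
```

Two consequences of the claimed design show up directly in the model. The security server's answer is cached for as long as the record exists, so a later policy change at the server does not reach an already-established flow until the gateway drops its record. And the packet arriving from the client is, in claim 18's own words, "unsecured": protection starts at the gateway, which therefore holds the keys and is a trusted termination point for every client behind it.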