Application-specific network-layer virtual private network connections
First Claim
1. A method comprising:
- establishing a network-layer (Layer 3) virtual private network (VPN) tunnel from a client device to a gateway device, wherein the network-layer VPN tunnel is defined by a network address of an adapter of the client device and a network address of the gateway device;
- receiving, with a module on a client device, application-layer data to be sent to a server device from an application executing on the client device;
- before forming one or more network-layer packets including the received application-layer data, determining, with the module, on an application-by-application basis based on the application from which the application-layer data was received, whether to send the application-layer data through the network-layer VPN tunnel; and
- sending, with the client device, the one or more network-layer packets including the application-layer data through the network-layer VPN tunnel based on the determination.
Abstract
Techniques are described for providing secure communication of network traffic from specific applications operating on a client device to a server device using a network-layer virtual private network (VPN). For example, a module on a client device may intercept network traffic from an application executing on the client device. The module may then determine whether to send the application-layer data through a network-layer VPN tunnel from the client device to a gateway device. This network-layer VPN tunnel may be defined by a network address of a physical adapter of the client device and a network address of the VPN gateway. In other words, there may be no need for the interposition of a VPN proxy on the client device. The module makes this determination on an application-by-application basis. The client device then forwards the application-layer data through the VPN tunnel based on the determination.
122 Citations
26 Claims
1. A method comprising:
- establishing a network-layer (Layer 3) virtual private network (VPN) tunnel from a client device to a gateway device, wherein the network-layer VPN tunnel is defined by a network address of an adapter of the client device and a network address of the gateway device;
- receiving, with a module on a client device, application-layer data to be sent to a server device from an application executing on the client device;
- before forming one or more network-layer packets including the received application-layer data, determining, with the module, on an application-by-application basis based on the application from which the application-layer data was received, whether to send the application-layer data through the network-layer VPN tunnel; and
- sending, with the client device, the one or more network-layer packets including the application-layer data through the network-layer VPN tunnel based on the determination.
Dependent claims: 2, 3, 4, 5, 6, 7, 11, 12, 13, 26
8. A method comprising:
- establishing a network-layer (Layer 3) virtual private network (VPN) tunnel from a client device to a gateway device, wherein the network-layer VPN tunnel is defined by a network address of an adapter of the client device and a network address of the gateway device;
- receiving application security information that identifies an application executing on the client device and specifies that the client device should route network traffic from the application through the VPN tunnel;
- receiving, with a module on the client device, application-layer data to be sent to a server device from an application executing on the client device;
- determining, on an application-by-application basis based on the application from which the application-layer data was received, whether to send the application-layer data through the network-layer VPN tunnel, comprising:
  - intercepting, with the module, a request from the application to an operating system, wherein the request is a request to establish a transport-layer connection;
  - determining whether the application security information specifies that application-layer data from the particular application is to be routed through the VPN tunnel; and
  - updating a network layer (Layer 3) data structure with the module to provide information for a transport layer connection for use by a Layer 3 VPN module when subsequently sending the application-layer data as network layer data;
- receiving, with the VPN module, a request to send a transport-layer segment from the application using a network-layer protocol;
- determining whether transport-layer information of the transport-layer segment corresponds to the transport-layer information provided to the VPN module; and
- generating a network-layer packet for the transport-layer segment, comprising:
  - encapsulating the transport-layer segment within a network-layer packet; and
  - encapsulating the network-layer packet within a secure network-layer packet having the address of the gateway device as a destination address; and
- sending, with the client device, the application-layer data through the network-layer VPN tunnel based on the determination of whether to send the application-layer data through the network-layer VPN tunnel.
Dependent claims: 9, 10
14. A network device comprising:
- a VPN manager to establish a network-layer VPN tunnel from the network device to a gateway device, wherein the network-layer VPN tunnel is defined by a network address of an adapter of the network device and a network address of the gateway device;
- an Application Traffic Identifier (ATI) subsystem to intercept application-layer data to be sent to a server device from an application executing on the network device, wherein the ATI subsystem determines, before forming one or more network-layer packets including the received application-layer data, on an application-by-application basis whether to send the application-layer data through the network-layer VPN tunnel; and
- a Layer 3 VPN subsystem responsive to the ATI subsystem, wherein the Layer 3 VPN subsystem sends the one or more network-layer packets including the application-layer data through the network-layer VPN tunnel based on the determination.
Dependent claims: 15, 16, 17, 18, 19, 20, 21, 22, 23, 24
25. A non-transitory computer-readable storage medium comprising instructions, the instructions causing a programmable processor of a client device to:
- establish a network-layer virtual private network (VPN) tunnel from the client device to a gateway device, wherein the network-layer VPN tunnel is defined by a network address of an adapter of the client device and a network address of the gateway device;
- receive, with a module on the client device, network traffic to a server device from an application executing on the client device;
- before forming one or more network-layer packets including the received application-layer data, determine, with the module, whether to send the application-layer data through the network-layer VPN tunnel on an application-by-application basis; and
- send the one or more network-layer packets including the application-layer data through the network-layer VPN tunnel based on the determination.
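The per-application flow of claim 8 (ATI module intercepting the connect request, recording the transport-layer connection in a shared Layer 3 structure, and the VPN module double-encapsulating only segments whose transport-layer information matches a recorded entry) is illustrated below by an added Python simulation; it is not code from the patent or any product, and the application names, policy table and addresses are constructed for the example.

```python
from dataclasses import dataclass
from typing import Dict, Set, Tuple, Union

# Constructed per-application policy ("application security information" in claim 8).
# Application names and addresses used here are assumptions for this illustration.
APP_SECURITY_INFO: Dict[str, bool] = {"mail-client": True, "web-browser": False}

ConnKey = Tuple[int, str, int]  # (source port, destination address, destination port)

@dataclass(frozen=True)
class Segment:            # transport-layer segment handed down by an application
    app: str
    src_port: int
    dst_addr: str
    dst_port: int
    payload: bytes

@dataclass(frozen=True)
class Packet:             # network-layer packet; inner is a Segment or another Packet
    src_addr: str
    dst_addr: str
    inner: Union[Segment, "Packet"]

class ATIModule:
    """Application Traffic Identifier: intercepts the application's connect()
    request before any packet exists and records which connections to tunnel."""
    def __init__(self, policy: Dict[str, bool]) -> None:
        self.policy = policy
        self.tunnelled: Set[ConnKey] = set()  # Layer 3 data structure shared with the VPN module

    def intercept_connect(self, app: str, src_port: int, dst_addr: str, dst_port: int) -> bool:
        if self.policy.get(app, False):       # apps absent from the policy stay on the physical adapter
            self.tunnelled.add((src_port, dst_addr, dst_port))
            return True
        return False

class L3VPN:
    """Layer 3 VPN module: the tunnel is defined only by adapter and gateway addresses."""
    def __init__(self, adapter_addr: str, gateway_addr: str, ati: ATIModule) -> None:
        self.adapter_addr, self.gateway_addr, self.ati = adapter_addr, gateway_addr, ati

    def send(self, seg: Segment) -> Packet:
        inner = Packet(self.adapter_addr, seg.dst_addr, seg)   # ordinary IP packet to the server
        if (seg.src_port, seg.dst_addr, seg.dst_port) in self.ati.tunnelled:
            # Transport-layer info matches a recorded connection: wrap the packet
            # again inside a secure packet whose destination is the gateway.
            return Packet(self.adapter_addr, self.gateway_addr, inner)
        return inner   # never registered by the ATI module: goes out directly
```

Note that a segment from a tunnelled application whose connection was never intercepted (no matching transport-layer entry) is sent directly, which is the check the claim's "corresponds to the transport-layer information provided to the VPN module" step performs.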
Specification