Layer-4 transparent secure transport protocol for end-to-end application protection

US 8,295,306 B2
Filed: 04/11/2008
Issued: 10/23/2012
Est. Priority Date: 08/28/2007
Status: Active Grant

First Claim

Patent Images

1. A method comprising:

at a service module of a network device, receiving a packet of a network transaction from a client device over a first network;

obtaining policy information from a gateway device via a secure control channel;

analyzing the policy information to determine a security zone classification associated with the packet;

when the security zone classification requires high security for the packet;

encrypting a portion of the packet with an encryption header that contains payload information while maintaining an unencrypted portion of the packet comprising destination address information of the packet such that layer 4 processing can be applied to the packet;

adding to the packet an integrity code that is associated with the payload information to authenticate the packet;

performing layer 2 to layer 4 (layer 2-4) processes on the unencrypted portion of the packet without having to decrypt the encrypted portion of the packet such that the packet maintains a transparent secure transport function; and

evaluating an authorization of the packet to determine whether the packet is eligible to access a server of a data center over a second network based on network characteristics of the packet obtained from the layer 2-4 processes.

View all claims

3 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

Techniques for providing layer 4 transparent secure transport for end-to-end application protection are described herein. According to one embodiment, a packet of a network transaction is received from a client over a first network, where the packet is destined to a server of a data center having a plurality of servers over a second network. The packet includes a payload encrypted without encrypting information needed for a layer 4 of OSI (open system interconnection) layers of network processes. The layer 4 process is performed on the packet without having to decrypting the payload to determine whether the packet is eligible to access the destined server over the second network based on the unencrypted layer 4 information. Other methods and apparatuses are also described.

Citations

22 Claims

1. A method comprising:
- at a service module of a network device, receiving a packet of a network transaction from a client device over a first network;
  
  obtaining policy information from a gateway device via a secure control channel;
  
  analyzing the policy information to determine a security zone classification associated with the packet;
  
  when the security zone classification requires high security for the packet;
  
  encrypting a portion of the packet with an encryption header that contains payload information while maintaining an unencrypted portion of the packet comprising destination address information of the packet such that layer 4 processing can be applied to the packet;
  
  adding to the packet an integrity code that is associated with the payload information to authenticate the packet;
  
  performing layer 2 to layer 4 (layer 2-4) processes on the unencrypted portion of the packet without having to decrypt the encrypted portion of the packet such that the packet maintains a transparent secure transport function; and
  
  evaluating an authorization of the packet to determine whether the packet is eligible to access a server of a data center over a second network based on network characteristics of the packet obtained from the layer 2-4 processes.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10, 11)
- - 2. The method of claim 1, wherein performing the layer 2-4 processes comprises performing a layer 4 access control process for transparent secure transport of the packet to determine whether the packet is eligible to access the server over the second network based on unencrypted layer 4 information.
  - 3. The method of claim 1, wherein evaluating the authorization comprises determining whether the packet is eligible to access the server when the second network is an internal network of an organization associated with the data center.
  - 4. The method of claim 1, wherein receiving comprises receiving the packet such that at least an Internet Protocol (IP) header containing a destination IP address and a Transport Control Protocol (TCP) header containing a destination TCP port of the packet is not encrypted and remains unchanged while the payload information of the packet is encrypted.
  - 5. The method of claim 1, wherein receiving comprises receiving the packet that is encrypted by a security agent of the client device, wherein the security agent encrypts at least the payload information of the packet without encrypting information in the packet needed for the layer 2-4 process.
  - 6. The method of claim 5, further comprising:
    - at the service module, receiving information of the security agent over the first network in response to a request from the client device to initiate a network connection; and
      
      transmitting a plurality of security parameters to the client device over the secure control channel for a policy associated with the client device.
  - 7. The method of claim 6, further comprising:
    - establishing a secure control channel with the security agent over the first network in response to a request received from the security agent; and
      
      negotiating the security parameters with the agent over the secure control channel.
  - 8. The method of claim 7, further comprising:
    - trapping network traffic if the network traffic requires a security service based on the policy associated with the client device;
      
      receiving the packet with the encrypted payload information of the network traffic that has been encrypted using the security parameters if the network traffic requires a security service; and
      
      performing layer 3 to layer 4 (layer 3-4) processes on unencrypted information of the packet.
  - 9. The method of claim 1, wherein receiving comprises receiving the packet at the service module of the network device that is a security gateway between the client device and a plurality of servers of the data center.
  - 10. The method of claim 8, wherein receiving comprises receiving the packet over the first network that is an external network such that the network traffic is encapsulated within a secure tunnel over the first network which is terminated at the network element to recover packets with the encrypted payload and unencrypted information from the layer 3 to layer 4 (layer 3-4) processes.
  - 11. The method of claim 1, and further comprising obtaining network characteristics of the packet from the layer 2-4 processing of the packet, wherein evaluating the authorization of the packet comprises determining comprises determining whether the packet is eligible to access the server based on the network characteristics that comprise one or more of client device attributes, network environment attributes and protocol and resource attributes.

12. A non-transitory machine-readable storage device storing instructions that, when executed by a machine, causes the machine to:
- receive at a service module of a network device a packet of a network transaction from a client device over a first network;
  
  obtain policy information from a gateway device via a secure control channel;
  
  analyze the policy information to determine a security zone classification associated with the packet;
  
  when the security zone classification requires high security for the packet;
  
  encrypt a portion of the packet with an encryption header that contains payload information while maintaining an unencrypted portion of the packet comprising destination address information of the packet such that layer 4 processing can be applied to the packet;
  
  add to the packet an integrity code associated with the payload information to authenticate the packet;
  
  perform layer 2-4 processes on the unencrypted portion of the packet without having to decrypt the encrypted portion of the packet such that the packet maintains a transparent secure transport function; and
  
  evaluate an authorization of the packet to determine whether the packet is eligible to access a server of a data center over a second network based on network characteristics of the packet obtained from the layer 2-4 processes.
- View Dependent Claims (13, 14, 15, 16, 17, 18, 19, 20, 21, 22)
- - 13. The non-transitory machine-readable storage device of claim 12, wherein the instructions that cause the machine to perform the layer 2-4 processes comprise instructions that cause the machine to perform a layer 4 access control process for transparent secure transport of the packet to determine whether the packet is eligible to access the server over the second network based on the unencrypted layer 4 information.
  - 14. The non-transitory machine-readable storage device of claim 12, wherein the instructions that cause the machine to evaluate the authorization of the packet comprise instructions that cause the machine to determine whether the packet is eligible to access the server when the second network is an internal network of an organization associated with the data center.
  - 15. The non-transitory machine-readable storage device of claim 12, wherein the instructions that cause the machine to receive the packet comprise instructions that cause the machine to receive the packet such that at least an Internet Protocol (IP) header containing a destination IP address and a Transport Control Protocol (TCP) header containing a destination TCP port of the packet is not encrypted and remains unchanged while the payload information of the packet is encrypted.
  - 16. The non-transitory machine-readable storage device of claim 12, wherein the instructions that cause the machine to receive the packet comprise instructions that cause the machine to receive the packet that is encrypted by a security agent of the client device, wherein the security agent encrypts at least the payload information of the packet without encrypting information in the packet needed for the layer 2-4 process.
  - 17. The non-transitory machine-readable storage device of claim 16 further comprising instructions that cause the machine to:
    - receive information of the security agent over the first network in response to a request from the client device to initiate a network connection; and
      
      transmit a plurality of security parameters to the client device over the secure control channel for a policy associated with the client device.
  - 18. The non-transitory machine-readable storage device of claim 17 further comprising instructions that cause the machine to:
    - establish a secure control channel with the security agent over the first network in response to a request received from the security agent; and
      
      negotiate the security parameters with the agent over the secure control channel.
  - 19. The non-transitory machine-readable storage device of claim 18 further comprising instructions that cause the machine to:
    - trap network traffic if the network traffic requires a security service based on the policy associated with the client device;
      
      receive the packet with the encrypted payload information of the network traffic that has been encrypted using the security parameters if the network traffic requires a security service; and
      
      perform layer 3 to layer 4 (layer 3-4) processes on unencrypted information of the network traffic.
  - 20. The non-transitory machine-readable storage device of claim 19, wherein the instructions that cause the machine to receive the packet comprise instructions that cause the machine to receive the packet over the first network that is an external network such that the network traffic is encapsulated within a secure tunnel over the first network which is terminated at the network element to recover packets with an encrypted payload and unencrypted information from the layer 3 to layer 4 (layer 3-4) processes.
  - 21. The non-transitory machine-readable storage device of claim 12, wherein the instructions that cause the machine to receive the packet comprise instructions that cause the machine to receive the packet at the service module of the network device that is a security gateway between the client device and a plurality of servers of the data center.
  - 22. The non-transitory machine-readable storage device of claim 12, and further comprising instructions that caused the processor to obtain network characteristics of the packet from the layer 2-4 processing of the packet, and wherein the instructions that cause the processor to evaluate the authorization of the packet comprise instructions that cause the processor to determine whether the packet is eligible to access the server based on the network characteristics that comprise one or more of client device attributes, network environment attributes and protocol and resource attributes.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Cisco Technology, Inc. (Cisco Systems, Inc.)
Original Assignee
Cisco Technology, Inc. (Cisco Systems, Inc.)
Inventors
Bagepalli, Nagaraj, Gandhi, Prashant, Patra, Abhijit, Prabhu, Kirti, Thakar, Anant
Primary Examiner(s)
Ly, Anh-Vu
Assistant Examiner(s)
ONAMUTI, GBEMILEKE J

Application Number

US12/101,862
Publication Number

US 20090059957A1
Time in Patent Office

1,656 Days
Field of Search

380/257, 380/255, 713/201, 713/153, 386/94, 719/321, 370/469
US Class Current

370/469
CPC Class Codes

H04L 47/20   Traffic policing

H04L 63/02   for separating internal fro...

H04L 63/0428   wherein the data content is...

H04L 63/166   at the transport layer

H04L 63/205   involving negotiation or de...

H04L 69/16   Implementation or adaptatio...

H04L 69/161   Implementation details of T...

H04L 69/321   Interlayer communication pr...

H04L 9/3242   involving keyed hash functi...

Y10T 70/5827   Axially movable clutch

Layer-4 transparent secure transport protocol for end-to-end application protection

First Claim

3 Assignments

0 Petitions

Accused Products

Abstract

Citations

22 Claims

Specification

Solutions

Use Cases

Quick Links

Layer-4 transparent secure transport protocol for end-to-end application protection

First Claim

3 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

Citations

22 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links