Layer-4 transparent secure transport protocol for end-to-end application protection
First Claim
1. A method comprising:
at a service module of a network device, receiving a packet of a network transaction from a client device over a first network;
obtaining policy information from a gateway device via a secure control channel;
analyzing the policy information to determine a security zone classification associated with the packet;
when the security zone classification requires high security for the packet;
encrypting a portion of the packet with an encryption header that contains payload information while maintaining an unencrypted portion of the packet comprising destination address information of the packet such that layer 4 processing can be applied to the packet;
adding to the packet an integrity code that is associated with the payload information to authenticate the packet;
performing layer 2 to layer 4 (layer 2-4) processes on the unencrypted portion of the packet without having to decrypt the encrypted portion of the packet such that the packet maintains a transparent secure transport function; and
evaluating an authorization of the packet to determine whether the packet is eligible to access a server of a data center over a second network based on network characteristics of the packet obtained from the layer 2-4 processes.
Abstract
Techniques for providing layer 4 transparent secure transport for end-to-end application protection are described herein. According to one embodiment, a packet of a network transaction is received from a client over a first network, where the packet is destined to a server of a data center having a plurality of servers over a second network. The packet includes a payload that is encrypted without encrypting the information needed for layer 4 processing (of the OSI, open systems interconnection, layers). The layer 4 process is performed on the packet without having to decrypt the payload, to determine from the unencrypted layer 4 information whether the packet is eligible to access the destined server over the second network. Other methods and apparatuses are also described.
22 Claims
1. A method comprising: (independent claim; text as given under First Claim above). Dependent claims: 2-11.
12. A non-transitory machine-readable storage device storing instructions that, when executed by a machine, cause the machine to:
receive at a service module of a network device a packet of a network transaction from a client device over a first network;
obtain policy information from a gateway device via a secure control channel;
analyze the policy information to determine a security zone classification associated with the packet;
when the security zone classification requires high security for the packet;
encrypt a portion of the packet with an encryption header that contains payload information while maintaining an unencrypted portion of the packet comprising destination address information of the packet such that layer 4 processing can be applied to the packet;
add to the packet an integrity code associated with the payload information to authenticate the packet;
perform layer 2-4 processes on the unencrypted portion of the packet without having to decrypt the encrypted portion of the packet such that the packet maintains a transparent secure transport function; and
evaluate an authorization of the packet to determine whether the packet is eligible to access a server of a data center over a second network based on network characteristics of the packet obtained from the layer 2-4 processes.
Dependent claims: 13-22.
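The procedure the claims and the abstract describe (classify the packet by zone policy, encrypt only the payload, bind an integrity code to it, let a layer 2-4 device that holds no key authorize on the cleartext destination, decrypt at the endpoint) can be made concrete in a small simulation. The Go program below is an added illustration written for this page; it is not code from the patent or its assignee. It assumes a simplified 11-byte header in place of real IP/TCP headers, AES-GCM with the cleartext header as associated data so that the GCM tag serves as the integrity code over header and payload together, and a Go map standing in for the policy information a service module would obtain from its gateway.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"encoding/binary"
	"errors"
	"fmt"
)

// Header is the part of the packet that stays in the clear so that layer 2-4
// devices can forward and filter it without the payload key.
// Constructed, simplified stand-in for the real IPv4/TCP headers.
type Header struct {
	Src, Dst [4]byte
	DstPort  uint16
	Proto    uint8 // 6 = TCP, 17 = UDP
}

const headerLen = 4 + 4 + 2 + 1 // src, dst, port, proto

// Marshal serialises the header. These exact bytes are bound into the AEAD
// tag as associated data, so the receiver detects any in-transit change.
func (h Header) Marshal() []byte {
	b := make([]byte, headerLen)
	copy(b[0:4], h.Src[:])
	copy(b[4:8], h.Dst[:])
	binary.BigEndian.PutUint16(b[8:10], h.DstPort)
	b[10] = h.Proto
	return b
}

func ParseHeader(b []byte) (Header, error) {
	if len(b) < headerLen {
		return Header{}, errors.New("short header")
	}
	var h Header
	copy(h.Src[:], b[0:4])
	copy(h.Dst[:], b[4:8])
	h.DstPort = binary.BigEndian.Uint16(b[8:10])
	h.Proto = b[10]
	return h, nil
}

type Zone int

const (
	ZoneLow  Zone = iota // payload may travel in the clear
	ZoneHigh             // payload must be encrypted and integrity-protected
)

// Policy stands in for the policy information obtained from the gateway over
// the control channel; keyed by destination address (hypothetical format).
type Policy map[[4]byte]Zone

func (p Policy) Classify(h Header) Zone {
	if z, ok := p[h.Dst]; ok {
		return z
	}
	return ZoneLow
}

// Wire layout (constructed): header | flag | [nonce | ciphertext+tag]
const (
	flagClear     = 0
	flagEncrypted = 1
)

func NewAEAD(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// Protect is the service-module step: high-security destinations get the
// payload sealed with AES-GCM, using the cleartext header as associated data
// so the GCM tag doubles as the integrity code over header and payload.
func Protect(aead cipher.AEAD, pol Policy, h Header, payload []byte) ([]byte, error) {
	hb := h.Marshal()
	if pol.Classify(h) != ZoneHigh {
		return append(append(hb, flagClear), payload...), nil
	}
	nonce := make([]byte, aead.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	out := append(hb, flagEncrypted)
	out = append(out, nonce...)
	return aead.Seal(out, nonce, payload, hb), nil
}

// Authorize is the layer 2-4 step: a device holding no payload key parses the
// cleartext header and decides whether the packet may reach a server.
func Authorize(allowed map[[4]byte][]uint16, wire []byte) (Header, bool, error) {
	h, err := ParseHeader(wire)
	if err != nil {
		return Header{}, false, err
	}
	for _, p := range allowed[h.Dst] {
		if p == h.DstPort {
			return h, true, nil
		}
	}
	return h, false, nil
}

// Unprotect is the endpoint step: verify the tag over header and ciphertext,
// then recover the payload. A modified header or ciphertext makes Open fail.
func Unprotect(aead cipher.AEAD, wire []byte) (Header, []byte, error) {
	h, err := ParseHeader(wire)
	if err != nil {
		return Header{}, nil, err
	}
	if len(wire) < headerLen+1 {
		return Header{}, nil, errors.New("missing flag")
	}
	hb, flag, rest := wire[:headerLen], wire[headerLen], wire[headerLen+1:]
	if flag == flagClear {
		return h, rest, nil
	}
	ns := aead.NonceSize()
	if len(rest) < ns+aead.Overhead() {
		return Header{}, nil, errors.New("truncated encrypted packet")
	}
	pt, err := aead.Open(nil, rest[:ns], rest[ns:], hb)
	if err != nil {
		return Header{}, nil, fmt.Errorf("integrity check failed: %w", err)
	}
	return h, pt, nil
}

func main() {
	key := bytes.Repeat([]byte{0x42}, 32) // constructed demo key only
	aead, err := NewAEAD(key)
	if err != nil {
		panic(err)
	}
	dbServer := [4]byte{10, 0, 1, 20} // constructed addresses
	pol := Policy{dbServer: ZoneHigh}
	allowed := map[[4]byte][]uint16{dbServer: {5432}}
	h := Header{Src: [4]byte{192, 168, 1, 7}, Dst: dbServer, DstPort: 5432, Proto: 6}
	wire, _ := Protect(aead, pol, h, []byte("SELECT 1"))
	_, ok, _ := Authorize(allowed, wire)
	_, pt, err := Unprotect(aead, wire)
	fmt.Printf("authorized=%v payload=%q err=%v\n", ok, pt, err)
	tampered := append([]byte(nil), wire...)
	binary.BigEndian.PutUint16(tampered[8:10], 80) // rewrite port in transit
	_, _, err = Unprotect(aead, tampered)
	fmt.Println("after header tampering:", err)
}
```

The point the simulation makes is that the middlebox in Authorize reads only the cleartext header and never touches the key, while the endpoint still rejects any packet whose header was altered after sealing, because the header bytes are part of the authenticated data rather than merely left outside the ciphertext.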