Transparent secure socket layer

US 8,549,157 B2
Filed: 04/23/2007
Issued: 10/01/2013
Est. Priority Date: 04/23/2007
Status: Active Grant

First Claim

Patent Images

1. An apparatus, comprising:

a first network interface operable to connect to at least one non-configured client;

a second network interface operable to connect to at least one network resource; and

a transparent proxy module executing on one or more hardware processors, the one or more hardware processors comprising a part of a computerized system and operable to intercept a request for a secured connection from a first non-configured client of the at least one non-configured clients to a first network resource of the at least one network resources, and to provide a proxy connection between the first non-configured client and the first network resource by establishing a secure encrypted connection to the first non-configured client and establishing a secure encrypted connection to the first network resource such that data may be securely passed between the first non-configured client and the first network resource;

the transparent proxy module further operable to provide a proper secure connection certificate to the first non-configured client by determining a common name of the first network resource and providing the common name of the first network resource in a certificate used to establish a secure encrypted connection to the first non-configured client such that the first non-configured client recognizes the common name in the certificate as associated with the first network resource;

a policy module operable to determine whether a connection from the first non-configured client to the first network resource violates a security and usage policy;

the transparent proxy module further operable to provide a proper certificate even when the intercepted request violates the security and usage policy; and

the transparent proxy module further operable to selectively provide a proxy connection between only those non-configured clients and network resources that do not violate a security and usage policy.

View all claims

12 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

Various systems, apparatus, and methods include an apparatus comprising a transparent proxy coupled to a plurality of non-configured clients and coupled to one or more servers, the transparent proxy operable to intercept a request for a secured connection to a first server of the one or more servers, the request from a first non-configured client of the plurality of non-configured clients and including a server name indication extension, and to supply a proper certificate to the first non-configured client including the server name indication extension as a common name in the proper certificate.

Citations

14 Claims

1. An apparatus, comprising:
- a first network interface operable to connect to at least one non-configured client;
  
  a second network interface operable to connect to at least one network resource; and
  
  a transparent proxy module executing on one or more hardware processors, the one or more hardware processors comprising a part of a computerized system and operable to intercept a request for a secured connection from a first non-configured client of the at least one non-configured clients to a first network resource of the at least one network resources, and to provide a proxy connection between the first non-configured client and the first network resource by establishing a secure encrypted connection to the first non-configured client and establishing a secure encrypted connection to the first network resource such that data may be securely passed between the first non-configured client and the first network resource;
  
  the transparent proxy module further operable to provide a proper secure connection certificate to the first non-configured client by determining a common name of the first network resource and providing the common name of the first network resource in a certificate used to establish a secure encrypted connection to the first non-configured client such that the first non-configured client recognizes the common name in the certificate as associated with the first network resource;
  
  a policy module operable to determine whether a connection from the first non-configured client to the first network resource violates a security and usage policy;
  
  the transparent proxy module further operable to provide a proper certificate even when the intercepted request violates the security and usage policy; and
  
  the transparent proxy module further operable to selectively provide a proxy connection between only those non-configured clients and network resources that do not violate a security and usage policy.
- View Dependent Claims (2, 3, 4, 5)
- - 2. The apparatus of claim 1, wherein the transparent proxy module is further operable to extract the common name of the first network resource from a server name indication extension in a message from the first non-configured client, and to include the extracted common name in the certificate returned to the first non-configured client.
  - 3. The apparatus of claim 2, wherein the transparent proxy module is further operable to determine that the common name of the first network resource is not provided in a server name indication extension, and use an IP address of the first network resource to determine the common name for the resource.
  - 4. The apparatus of claim 3, wherein using an IP address of the first network resource to determine the common name for the resource comprises performing a reverse domain name system lookup of the IP address of the first network resource to obtain the common name for the first network resource.
  - 5. The apparatus of claim 1, wherein the first network resource comprises a server.

6. A method, comprising:
- intercepting a request for a secured connection from a first non-configured client of at least one non-configured clients to a first network resource of at least one network resources;
  
  determining whether a connection from the first non-configured client to the first network resource violates a security and usage policy;
  
  providing a proper secure connection certificate to the first client by determining a common name of the first network resource and providing the common name of the first network resource in a certificate used to establish a secure encrypted connection to the first non-configured client such that the first non-configured client recognizes the common name in the certificate as associated with the first network resource; and
  
  providing a proxy connection between the first non-configured client and the first network resource by establishing a secure encrypted connection to the first non-configured client and establishing a secure encrypted connection to the first network resource such that data may be securely passed between the first non-configured client and the first network resource;
  
  wherein a proper certificate is provided even when the intercepted request violates the security and usage policy and the proxy connection is established only for requests that do not violate;
  
  wherein at least one of the intercepting a request, providing a proper secure connection certificate, and providing a proxy connection is performed via one or more processes executing on one or more hardware processors, the one or more hardware processors comprising part of one or more computerized systems communicatively coupled via a communication network, andextracting the common name of the first network resource from a security certificate obtained from the first network resource.
- View Dependent Claims (7, 8, 9, 10)
- - 7. The method of claim 6, further comprising:
    - extracting the common name of the first network resource from a server name indication extension in a message from the first non-configured client; and
      
      including the extracted common name in the certificate returned to the first non-configured client.
  - 8. The method of claim 7, further comprising:
    - determining that the common name of the first network resource is not provided in a server name indication extension; and
      
      determining the common name for the first network resource using an IP address of the first network resource.
  - 9. The method of claim 8, wherein using an IP address of the first network resource to determine the common name for the first network resource comprises performing a reverse domain name system lookup of the IP address of the first network resource to obtain the common name for the first network resource.
  - 10. The method of claim 6, wherein the first network resource comprises a server.

11. A non-transitory machine-readable medium with instructions stored thereon, the instructions when executed operable to cause one or more processors of a computerized system to:
- intercept a request for a secured connection from a first non-configured client of at least one non-configured clients to a first network resource of at least one network resources;
  
  determine whether a connection from the first non-configured client to the first network resource violates a security and usage policy;
  
  provide a proper secure connection certificate to the first non-configured client by determining a common name of the first network resource and providing the common name of the first network resource in a certificate used to establish a secure encrypted connection to the first non-configured client such that the first non-configured client recognizes the common name in the certificate as associated with the first network resource; and
  
  provide a proxy connection between the first non-configured client and the first network resource by establishing a secure encrypted connection to the first non-configured client and establishing a secure encrypted connection to the first network resource such that data may be securely passed between the first non-configured client and the first network resource;
  
  wherein a proper certificate is provided even when the intercepted request violates the security and usage policy and the proxy connection is established only for requests that do not violate, and to extract the common name of the first network resource from a security certificate obtained from the first network resource.
- View Dependent Claims (12, 13, 14)
- - 12. The machine-readable medium of claim 11, further comprising instructions to cause the one or more processors to:
    - extract the common name of the first network resource from a server name indication extension in a message from the first non-configured client; and
      
      include the extracted common name in the certificate returned to the first non-configured client.
  - 13. The machine-readable medium of claim 11, further comprising instructions to cause the one or more processors to:
    - determine that the common name of the first network resource is not provided in a server name indication extension; and
      
      determine the common name for the first network resource using an IP address of the first network resource.
  - 14. The machine-readable medium of claim 11, wherein using an IP address of the first network resource to determine the common name for the resource comprises performing a reverse domain name system lookup of the IP address of the first network resource to obtain the common name for the first network resource.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
McAfee, LLC
Original Assignee
McAfee, Inc. (McAfee, LLC)
Inventors
Schnellbaecher, Jan F.
Primary Examiner(s)
ALGIBHAH, HAMZA N

Application Number

US11/738,834
Publication Number

US 20080263215A1
Time in Patent Office

2,353 Days
Field of Search

709/229
US Class Current

709/229
CPC Class Codes

H04L 63/0281   Proxies

H04L 63/0823   using certificates cryptogr...

H04L 63/0884   by delegation of authentica...

H04L 63/10   for controlling access to d...

H04L 63/1408   by monitoring network traff...

H04L 63/166   at the transport layer

Transparent secure socket layer

First Claim

12 Assignments

0 Petitions

Accused Products

Abstract

Citations

14 Claims

Specification

Solutions

Use Cases

Quick Links

Transparent secure socket layer

First Claim

12 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

Citations

14 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links