Systems and methods for application based interception of SSL/VPN traffic
First Claim
1. A method for an appliance to allow or deny a level of access by an application on a client to a resource via a virtual private network connection based on identification of the application, the method comprising the steps of:
(a) establishing, by an appliance providing access to a second network, a virtual private network connection between a client on a first network and the appliance, the client having a routing table;
(b) receiving, by the appliance from an agent of the client, via the virtual private network connection, an identifier of an application on the client responsive to a determination that the routing table includes the identifier of the application, the agent intercepting messages from the application to transmit via the virtual private network connection responsive to the determination;
(c) associating, by the appliance, with the virtual private network connection an authorization policy of a plurality of policies based on the identifier of the application;
(d) receiving, by an appliance from the agent, a request from the application on the client to access a resource on the second network; and
(e) determining, by the appliance, from the authorization policy associated with the virtual private network connection to one of allow or deny access to the second network over the virtual private network connection by the application to the resource based on the identifier of the application.
Abstract
A method for allowing or denying, by an appliance, access to a resource by an application on a client via a virtual private network connection includes basing the decision to allow or deny access on identification of the application. The appliance intercepts a request from an application on a client on a first network to access via a virtual private network connection a resource on a second network. The appliance identifies the application and associates with the intercepted request an authorization policy based on the identity of the application. The appliance determines, using the authorization policy and the identity of the application, to either allow or deny access by the application to the resource.
26 Claims
1. A method for an appliance to allow or deny a level of access by an application on a client to a resource via a virtual private network connection based on identification of the application, the method comprising the steps of:
(a) establishing, by an appliance providing access to a second network, a virtual private network connection between a client on a first network and the appliance, the client having a routing table;
(b) receiving, by the appliance from an agent of the client, via the virtual private network connection, an identifier of an application on the client responsive to a determination that the routing table includes the identifier of the application, the agent intercepting messages from the application to transmit via the virtual private network connection responsive to the determination;
(c) associating, by the appliance, with the virtual private network connection an authorization policy of a plurality of policies based on the identifier of the application;
(d) receiving, by an appliance from the agent, a request from the application on the client to access a resource on the second network; and
(e) determining, by the appliance, from the authorization policy associated with the virtual private network connection to one of allow or deny access to the second network over the virtual private network connection by the application to the resource based on the identifier of the application.
Dependent claims: 2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13.

14. A system for allowing or denying a level of access by an application on a client to a resource via a virtual private network connection based on identification of the application, the system comprising:
a means for establishing, by an appliance providing access to a second network, a virtual private network connection between a client on a first network and the appliance, the client having a routing table;
a means for receiving, by the appliance from an agent of the client, via the virtual private network connection, an identifier of an application on the client responsive to a determination that the routing table includes the identifier of the application, the agent intercepting messages from the application to transmit via the virtual private network connection responsive to the determination;
a means for associating, by the appliance, with the virtual private network connection an authorization policy of a plurality of policies based on the identifier of the application;
a means for receiving, by an appliance from the agent, a request from the application on the client to access a resource on the second network; and
a means for determining, by the appliance, from the authorization policy associated with the virtual private network connection to one of allow or deny access to the second network over the virtual private network connection by the application to the resource based on the identifier of the application.
Dependent claims: 15, 16, 17, 18, 19, 20, 21, 22, 23, 24, 25, 26.
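The method of claims 1 and 14 walked through as an added Python example that is not from the patent: a client-side agent that intercepts only applications listed in the routing table, and an appliance that binds an authorization policy to the VPN connection from the reported application identifier and then allows or denies each resource request against it. The policy store, application identifiers and resource names are constructed for illustration; a request whose identifier disagrees with the one the connection's policy was bound to is denied, which is the check a practitioner would want around step (e).

```python
from dataclasses import dataclass, field

# Constructed sample policy store (hypothetical): allowed resources per application id.
POLICIES = {
    "mail-client": {"mail.internal:993"},
    "browser": {"intranet.internal:443", "wiki.internal:443"},
}
DENY_ALL = frozenset()  # unknown application identifier: no resource allowed

@dataclass
class ClientAgent:
    """Client-side agent: intercepts an application's messages for the VPN only
    when the routing table lists that application's identifier (step (b))."""
    routing_table: set
    def intercept(self, app_id, resource):
        if app_id not in self.routing_table:
            return None  # stays on the local network; nothing reaches the appliance
        return {"app_id": app_id, "resource": resource}

@dataclass
class Appliance:
    connections: dict = field(default_factory=dict)  # conn_id -> (app_id, allowed) or None
    def establish(self, conn_id):  # step (a)
        self.connections[conn_id] = None
    def associate_policy(self, conn_id, app_id):  # steps (b), (c)
        if conn_id not in self.connections:
            raise KeyError("no such VPN connection")
        self.connections[conn_id] = (app_id, POLICIES.get(app_id, DENY_ALL))
    def authorize(self, conn_id, msg):  # steps (d), (e)
        bound = self.connections.get(conn_id)
        if bound is None:
            return "deny"  # connection unknown or no policy associated yet
        bound_app, allowed = bound
        if msg["app_id"] != bound_app:
            return "deny"  # identifier differs from the one the policy was bound to
        return "allow" if msg["resource"] in allowed else "deny"

def run_scenario():
    """End-to-end walk-through; returns the appliance's decision per request."""
    agent = ClientAgent(routing_table={"mail-client", "browser"})
    appliance = Appliance()
    appliance.establish("vpn-1")
    decisions = {}
    for resource in ("mail.internal:993", "wiki.internal:443"):
        msg = agent.intercept("mail-client", resource)
        if appliance.connections["vpn-1"] is None:  # first message carries the identifier
            appliance.associate_policy("vpn-1", msg["app_id"])
        decisions[resource] = appliance.authorize("vpn-1", msg)
    decisions["games"] = agent.intercept("games", "wiki.internal:443")  # not in routing table
    return decisions
```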
Specification