Selectively performing man in the middle decryption
First Claim
1. A method performed by data processing apparatus, the method comprising:
receiving, by an agent on a device within a network, a request to access a resource outside the network;
determining that the resource is not on a whitelist that lists resources for which man-in-the-middle analysis should not apply;
establishing a first encrypted connection having endpoints at the device and the agent;
establishing, after the first encrypted connection is established, a second encrypted connection having endpoints at the agent and the resource, wherein the first encrypted connection and the second encrypted connection facilitate encrypted communication traffic between the device and the resource and wherein the first encrypted connection and the second encrypted connection are in different formats;
sending, by the agent in response to receiving the request to access the resource, a policy request to a network appliance within the network, the request specifying the resource, wherein the network appliance is different than the device;
receiving, by the agent and from the network appliance, a policy response indicating that the resource is associated with one or more security policies of the network, wherein the security policies of the network include instructions for actions for the agent to apply to the encrypted communication traffic passing between the device and the resource, wherein the security policies of the network are policies designed to apply to traffic associated with a class of resources outside of the network; and
decrypting and inspecting at least some of the encrypted communication traffic passing between the device and the resource.
Abstract
An agent on a device within a network receives a request to access a resource outside the network. A first encrypted connection is established between the device and the agent, and a second encrypted connection is established between the agent and the resource, to facilitate encrypted communication traffic between the device and the resource. The agent sends a policy request to a network appliance within the network, the request specifying the resource. The agent receives a policy response indicating that the resource is associated with one or more security policies of the network. Traffic passing between the device and the resource is selectively decrypted and inspected depending on the security policies.
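The decision flow the abstract describes, as an added Python example that is not from the patent or any product: the agent checks the whitelist first, then asks the appliance for the policy tied to the resource's class, and only then decides whether to decrypt and inspect. The whitelist, resource classes and policy table are constructed sample values, and the policy request to the appliance is simulated by a local lookup.

```python
from dataclasses import dataclass, field
from typing import Callable, Iterable, List, Optional

# Constructed sample data (not from the patent): resources the agent must never
# intercept, given as exact hosts or "*.suffix" wildcards.
WHITELIST = {"login.example-bank.test", "*.health.example.test"}
# Constructed stand-in for what the appliance knows: hostname -> resource class,
# and resource class -> actions the agent must apply to that class's traffic.
CLASSES = {"drive.example.test": "file-sharing", "mail.example.test": "webmail",
           "app.pinned.example.test": "pinned-client"}
POLICIES = {"file-sharing": ["decrypt", "scan-uploads"],
            "webmail": ["decrypt", "log-metadata"],
            "uncategorized": ["decrypt"],
            "pinned-client": ["pass-through"]}  # client breaks under MITM

def whitelisted(host: str, whitelist: Iterable[str]) -> bool:
    """Exact or label-boundary wildcard match: '*.health.example.test' covers
    'portal.health.example.test', not 'evilhealth.example.test' or the apex."""
    host = host.lower().rstrip(".")
    for entry in whitelist:
        entry = entry.lower()
        if entry.startswith("*."):
            if host.endswith(entry[1:]):  # keep the dot: forces a label boundary
                return True
        elif host == entry:
            return True
    return False

def policy_request(host: str) -> Optional[List[str]]:
    """Stand-in for the agent's policy request to the network appliance."""
    return POLICIES.get(CLASSES.get(host.lower().rstrip("."), "uncategorized"))

@dataclass
class Decision:
    decrypt: bool                      # build both TLS legs and inspect?
    actions: List[str] = field(default_factory=list)
    reason: str = ""

def decide(host: str, whitelist: Iterable[str] = WHITELIST,
           ask: Callable[[str], Optional[List[str]]] = policy_request) -> Decision:
    """Agent-side decision for one outbound request, in the claim's order."""
    if whitelisted(host, whitelist):   # checked before any interception
        return Decision(False, [], "whitelisted: pass through untouched")
    actions = ask(host) or []          # policy response from the appliance
    if "decrypt" not in actions:       # no policy, or class is pass-through
        return Decision(False, actions, "no decrypt policy for this class")
    return Decision(True, actions, "policy requires inspection")
```

The wildcard check keeps the leading dot so that a look-alike host such as `evilhealth.example.test` cannot ride a `*.health.example.test` bypass entry.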
269 Citations
28 Claims
1. A method performed by data processing apparatus, the method comprising: the steps set out in full under First Claim above.
View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12)
13. A non-transitory computer storage media encoded with computer program instructions that, when executed by one or more processors, cause a computer device to perform operations comprising:
receiving, by an agent on a device within a network, a request to access a resource outside the network;
determining that the resource is not on a whitelist that lists resources for which man-in-the-middle analysis should not apply;
establishing a first encrypted connection having endpoints at the device and the agent;
establishing, after the first encrypted connection is established, a second encrypted connection having endpoints at the agent and the resource, wherein the first encrypted connection and the second encrypted connection facilitate encrypted communication traffic between the device and the resource and wherein the first encrypted connection and the second encrypted connection are in different formats;
sending, by the agent in response to receiving the request to access the resource, a policy request to a network appliance within the network, the request specifying the resource, wherein the network appliance is different than the device;
receiving, by the agent and from the network appliance, a policy response indicating that the resource is associated with one or more security policies of the network, wherein the security policies of the network include instructions for actions for the agent to apply to the encrypted communication traffic passing between the device and the resource, wherein the security policies of the network are policies designed to apply to traffic associated with a class of resources outside of the network; and
decrypting and inspecting at least some of the encrypted communication traffic passing between the device and the resource.
View Dependent Claims (14, 15, 16, 17, 18, 19, 20, 27, 28)
21. A system comprising:
one or more processors configured to execute computer program instructions; and
non-transitory computer storage media encoded with computer program instructions that, when executed by one or more processors, cause a computer device to perform operations comprising:
receiving, by an agent on a device within a network, a request to access a resource outside the network;
determining that the resource is not on a whitelist that lists resources for which man-in-the-middle analysis should not apply;
establishing a first encrypted connection having endpoints at the device and the agent;
establishing, after the first encrypted connection is established, a second encrypted connection having endpoints at the agent and the resource, wherein the first encrypted connection and the second encrypted connection facilitate encrypted communication traffic between the device and the resource and wherein the first encrypted connection and the second encrypted connection are in different formats;
sending, by the agent in response to receiving the request to access the resource, a policy request to a network appliance within the network, the request specifying the resource, wherein the network appliance is different than the device;
receiving, by the agent and from the network appliance, a policy response indicating that the resource is associated with one or more security policies of the network, wherein the security policies of the network include instructions for actions for the agent to apply to the encrypted communication traffic passing between the device and the resource, wherein the security policies of the network are policies designed to apply to traffic associated with a class of resources outside of the network; and
decrypting and inspecting at least some of the encrypted communication traffic passing between the device and the resource.
View Dependent Claims (22, 23, 24, 25, 26)
Specification