Selectively performing man in the middle decryption

US 9,021,575 B2
Filed: 05/08/2013
Issued: 04/28/2015
Est. Priority Date: 05/08/2013
Status: Active Grant

First Claim

Patent Images

1. A method performed by data processing apparatus, the method comprising:

receiving, by an agent on a device within a network, a request to access a resource outside the network;

determining that the resource is not on a whitelist that lists resources for which man-in-the-middle analysis should not amply;

establishing a first encrypted connection having endpoints at the device and the agent;

establishing, after the first encrypted connection is established, a second encrypted connection having endpoints at the agent and the resource, wherein the first encrypted connection and the second encrypted connection facilitate encrypted communication traffic between the device and the resource and wherein the first encrypted connection and the second encrypted connection are in different formats;

sending, by the agent in response to receiving the request to access the resource, a policy request to a network appliance within the network, the request specifying the resource, wherein the network appliance is different than the device;

receiving, by the agent and from the network appliance, a policy response indicating that the resource is associated with one or more security policies of the network, wherein the security policies of the network include instructions for actions for the agent to apply to the encrypted communication traffic passing between the device and the resource, wherein the security policies of the network are policies designed to apply to traffic associated with a class of resources outside of the network; and

decrypting and inspecting at least some of the encrypted communication traffic passing between the device and the resource.

View all claims

7 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

An agent on a device within a network receives a request to access a resource outside the network. A first encrypted connection is established between the device and the agent, and a second encrypted connection is established between the agent and the resource, to facilitate encrypted communication traffic between the device and the resource. The agent sends a policy request to a network appliance within the network, the request specifying the resource. The agent receives a policy response indicating that the resource is associated with one or more security policies of the network. Traffic passing between the device and the resource is selectively decrypted and inspected depending on the security policies.

269 Citations

28 Claims

1. A method performed by data processing apparatus, the method comprising:
- receiving, by an agent on a device within a network, a request to access a resource outside the network;
  
  determining that the resource is not on a whitelist that lists resources for which man-in-the-middle analysis should not amply;
  
  establishing a first encrypted connection having endpoints at the device and the agent;
  
  establishing, after the first encrypted connection is established, a second encrypted connection having endpoints at the agent and the resource, wherein the first encrypted connection and the second encrypted connection facilitate encrypted communication traffic between the device and the resource and wherein the first encrypted connection and the second encrypted connection are in different formats;
  
  sending, by the agent in response to receiving the request to access the resource, a policy request to a network appliance within the network, the request specifying the resource, wherein the network appliance is different than the device;
  
  receiving, by the agent and from the network appliance, a policy response indicating that the resource is associated with one or more security policies of the network, wherein the security policies of the network include instructions for actions for the agent to apply to the encrypted communication traffic passing between the device and the resource, wherein the security policies of the network are policies designed to apply to traffic associated with a class of resources outside of the network; and
  
  decrypting and inspecting at least some of the encrypted communication traffic passing between the device and the resource.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12)
- - 2. The method of claim 1, wherein the device and the network appliance are subject to the same administrative control.
  - 3. The method of claim 1, wherein decrypting and inspecting the encrypted communication traffic includes blocking the encrypted communication traffic.
  - 4. The method of claim 1, wherein the request to access the resource is a Hypertext Transfer Protocol (HTTP) or Hypertext Transfer Protocol Secure (HTTPS) GET or POST request.
  - 5. The method of claim 1, the method further comprising:
    - receiving, by the agent, a second request to access a second resource outside the network;
      
      determining that the second resource is on the whitelist; and
      
      causing the establishment, responsive to determining that the second resource is on the whitelist, a third encrypted connection between the device and the second resource to facilitate encrypted communication traffic between the device and the second resource.
  - 6. The method of claim 1, the method further comprising:
    - removing the device from the network;
      
      receiving, by the agent, a third request to access a third resource outside the network;
      
      establishing a fourth encrypted connection between the device and the agent, and a fifth encrypted connection between the agent and the third resource, to facilitate encrypted communication traffic between the device and the third resource;
      
      sending, by the agent in response to receiving the third request to access the resource, a third policy request to the network appliance, the request specifying the third resource;
      
      receiving, by the agent and from the network appliance, a third policy response indicating that the third resource is associated with one or more security policies of the network;
      
      andselectively decrypting and inspecting the encrypted communication traffic passing between the device and the third resource depending on the security policies.
  - 7. The method of claim 1, wherein the agent is a driver installed in a protocol stack of the device.
  - 8. The method of claim 1, wherein the agent is configured to receive requests to access resources from a plurality of applications of the device.
  - 9. The method of claim 1, wherein actions for the agent to apply include dropping at least some of the encrypted communication traffic passing between the device and the resource.
  - 10. The method of claim 1, wherein the first encrypted connection and the second encrypted connection are of different types.
  - 11. The method of claim 1, wherein the session key for the first encrypted connection is different than the session key for the second encrypted connection.
  - 12. The method of claim 1, wherein decrypting and inspecting at least some of the encrypted communication traffic passing between the device and the resource comprises:
    - receiving, on the first encrypted connection, first traffic that is addressed to the resource and that is encrypted into a first encrypted form;
      
      decrypting the first traffic;
      
      encrypting the first traffic into a second encrypted form;
      
      transmitting, on the second encrypted connection, the first traffic in the second encrypted form;
      
      receiving, on the second encrypted connection, second traffic that is addressed to the device and that is encrypted into a third encrypted form;
      
      decrypting the second traffic;
      
      encrypting the second traffic into a fourth encrypted form; and
      
      transmitting, on the first encrypted connection, the first traffic in the fourth encrypted form.

13. A non-transitory computer storage media encoded with computer program instructions that, when executed by one or more processors, cause a computer device to perform operations comprising:
- receiving, by an agent on a device within a network, a request to access a resource outside the network;
  
  determining that the resource is not on a whitelist that lists resources for which man-in-the-middle analysis should not apply;
  
  establishing a first encrypted connection having endpoints at the device and the agent;
  
  establishing, after the first encrypted connection is established, a second encrypted connection having endpoints at the agent and the resource, wherein the first encrypted connection and the second encrypted connection facilitate encrypted communication traffic between the device and the resource and wherein the first encrypted connection and the second encrypted connection are in different formats;
  
  sending, by the agent in response to receiving the request to access the resource, a policy request to a network appliance within the network, the request specifying the resource, wherein the network appliance is different than the device;
  
  receiving, by the agent and from the network appliance, a policy response indicating that the resource is associated with one or more security policies of the network, wherein the security policies of the network include instructions for actions for the agent to apply to the encrypted communication traffic passing between the device and the resource, wherein the security policies of the network are policies designed to apply to traffic associated with a class of resources outside of the network; and
  
  decrypting and inspecting at least some of the encrypted communication traffic passing between the device and the resource.
- View Dependent Claims (14, 15, 16, 17, 18, 19, 20, 27, 28)
- - 14. The computer storage media of claim 13, wherein the device and the network appliance are subject to the same administrative control.
  - 15. The computer storage media of claim 13, wherein decrypting and inspecting the encrypted communication traffic includes blocking the encrypted communication traffic.
  - 16. The computer storage media of claim 13, wherein the request to access the resource is a Hypertext Transfer Protocol (HTTP) or Hypertext Transfer Protocol Secure (HTTPS) GET or POST request.
  - 17. The computer storage media of claim 13, the operations further comprising:
    - receiving, by the agent, a second request to access a second resource outside the network;
      
      determining that the second resource is on the whitelist; and
      
      causing the establishment, responsive to determining that the second resource is on the whitelist, a third encrypted connection between the device and the second resource to facilitate encrypted communication traffic between the device and the second resource.
  - 18. The computer storage media of claim 13, the operations further comprising:
    - removing the device from the network;
      
      receiving, by the agent, a third request to access a third resource outside the network;
      
      establishing a fourth encrypted connection between the device and the agent, and a fifth encrypted connection between the agent and the third resource, to facilitate encrypted communication traffic between the device and the third resource;
      
      sending, by the agent in response to receiving the third request to access the resource, a third policy request to the network appliance, the request specifying the third resource;
      
      receiving, by the agent and from the network appliance, a third policy response indicating that the third resource is associated with one or more security policies of the network;
      
      andselectively decrypting and inspecting the encrypted communication traffic passing between the device and the third resource depending on the security policies.
  - 19. The computer storage media of claim 13, wherein the agent is a driver installed in a protocol stack of the device.
  - 20. The computer storage media of claim 13, wherein the agent is configured to receive requests to access resources from a plurality of applications of the device.
  - 27. The system of claim 17, wherein the agent is a driver installed in a protocol stack of the device.
  - 28. The system of claim 17, wherein the agent is configured to receive requests to access resources from a plurality of applications of the device.

21. A system comprising:
- one or more processors configured to execute computer program instructions; and
  
  non-transitory computer storage media encoded with computer program instructions that, when executed by one or more processors, cause a computer device to perform operations comprising;
  
  receiving, by an agent on a device within a network, a request to access a resource outside the network;
  
  determining that the resource is not on a whitelist that lists resources for which man-in-the-middle analysis should not apply;
  
  establishing a first encrypted connection having endpoints at the device and the agent;
  
  establishing, after the first encrypted connection is established, a second encrypted connection having endpoints at the agent and the resource, wherein the first encrypted connection and the second encrypted connection facilitate encrypted communication traffic between the device and the resource and wherein the first encrypted connection and the second encrypted connection are in different formats;
  
  sending, by the agent in response to receiving the request to access the resource, a policy request to a network appliance within the network, the request specifying the resource, wherein the network appliance is different than the device;
  
  receiving, by the agent and from the network appliance, a policy response indicating that the resource is associated with one or more security policies of the network, wherein the security policies of the network include instructions for actions for the agent to apply to the encrypted communication traffic passing between the device and the resource, wherein the security policies of the network are policies designed to apply to traffic associated with a class of resources outside of the network; and
  
  decrypting and inspecting at least some of the encrypted communication traffic passing between the device and the resource.
- View Dependent Claims (22, 23, 24, 25, 26)
- - 22. The system of claim 21, wherein the device and the network appliance are subject to the same administrative control.
  - 23. The system of claim 21, wherein decrypting and inspecting the encrypted communication traffic includes blocking the encrypted communication traffic.
  - 24. The system of claim 21, wherein the request to access the resource is a Hypertext Transfer Protocol (HTTP) or Hypertext Transfer Protocol Secure (HTTPS) GET or POST request.
  - 25. The system of claim 21, the operations further comprising:
    - receiving, by the agent, a second request to access a second resource outside the network;
      
      determining that the second resource is on the whitelist; and
      
      causing the establishment, responsive to determining that the second resource is on the whitelist, a third encrypted connection between the device and the second resource to facilitate encrypted communication traffic between the device and the second resource.
  - 26. The system of claim 21, wherein the operations further comprising:
    - removing the device from the network;
      
      receiving, by the agent, a third request to access a third resource outside the network;
      
      establishing a fourth encrypted connection between the device and the agent, and a fifth encrypted connection between the agent and the third resource, to facilitate encrypted communication traffic between the device and the third resource;
      
      sending, by the agent in response to receiving the third request to access the resource, a third policy request to the network appliance, the request specifying the third resource;
      
      receiving, by the agent and from the network appliance, a third policy response indicating that the third resource is associated with one or more security policies of the network; and
      
      selectively decrypting and inspecting the encrypted communication traffic passing between the device and the third resource depending on the security policies.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
iBoss
Original Assignee
iBoss
Inventors
Martini, Paul Michael
Primary Examiner(s)
Najjar, Saleh
Assistant Examiner(s)
Pan, Peiliang

Application Number

US13/890,146
Publication Number

US 20140337613A1
Time in Patent Office

720 Days
Field of Search

380/28, 726/11, 726 22- 24, 726/12, 726/13, 713/153, 713/189
US Class Current

726/12
CPC Class Codes

H04L 63/0227   Filtering policies mail mes...

H04L 63/0281   Proxies

H04L 63/04   for providing a confidentia...

H04L 63/0428   wherein the data content is...

H04L 63/10   for controlling access to d...

H04L 63/1441   Countermeasures against mal...

H04L 63/166   at the transport layer

H04L 63/168   above the transport layer

H04L 63/20   for managing network securi...

H04L 63/30   for supporting lawful inter...

H04L 63/306   intercepting packet switche...

H04L 67/02   based on web technology, e....

H04L 9/321   involving a third party or ...

Selectively performing man in the middle decryption

First Claim

7 Assignments

0 Petitions

Accused Products

Abstract

269 Citations

28 Claims

Specification

Use Cases

Quick Links

Others

Selectively performing man in the middle decryption

First Claim

7 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

269 Citations

28 Claims

Specification

Subscription Required

Use Cases

Quick Links

Others