Systems and methods for application-specific access to virtual private networks

US 9,143,481 B2
Filed: 06/06/2013
Issued: 09/22/2015
Est. Priority Date: 06/06/2013
Status: Active Grant

First Claim

Patent Images

1. A method, comprising:

generating, by an application executing on a device, a request for a network data flow to a private network;

comparing identification information associated with the application against a set of rules stored on the memory, wherein the set of rules identifies conditions for the application to be authorized to access the private network;

diverting the network data flow to a virtual private network (VPN) tunnel as opposed to entering a Transport Connection Protocol (TCP)/Internet Protocol (IP) stack;

determining if the application specifies a destination by hostname;

resolving the hostname for the destination at VPN plugin in response to the application specified hostname;

opening a flow divert socket for application data to flow between the application and a data transportation component of the device in response to the application not specifying the destination by hostname or after successfully resolving the hostname for the destination host;

establishing a connection for the network data flow upon the identification information satisfying the identified conditions for the application to access the private network; and

directing, by the data transportation component, the network data flow directly to the private network.

View all claims

1 Assignment

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

Described herein are systems and methods utilizing application-specific access to a virtual private network (“VPN”). A method may comprise receiving, from an application executing on a device, a request for a network data flow to a private network, comparing identification information associated with the application against a set of rules stored on a memory of the device, wherein the set of rules identifies conditions for the application to be authorized to access the private network, and establishing a connection for the network data flow upon the identification information satisfying the conditions for the application to access the private network.

27 Citations

View as Search Results

18 Claims

1. A method, comprising:
- generating, by an application executing on a device, a request for a network data flow to a private network;
  
  comparing identification information associated with the application against a set of rules stored on the memory, wherein the set of rules identifies conditions for the application to be authorized to access the private network;
  
  diverting the network data flow to a virtual private network (VPN) tunnel as opposed to entering a Transport Connection Protocol (TCP)/Internet Protocol (IP) stack;
  
  determining if the application specifies a destination by hostname;
  
  resolving the hostname for the destination at VPN plugin in response to the application specified hostname;
  
  opening a flow divert socket for application data to flow between the application and a data transportation component of the device in response to the application not specifying the destination by hostname or after successfully resolving the hostname for the destination host;
  
  establishing a connection for the network data flow upon the identification information satisfying the identified conditions for the application to access the private network; and
  
  directing, by the data transportation component, the network data flow directly to the private network.
- View Dependent Claims (2, 3, 4, 5, 6, 7)
- - 2. The method of claim 1, further comprising:
    - communicating application data between the private network and the application over the connection.
  - 3. The method of claim 1, further comprising:
    - receiving a destination host name from the application;
      
      providing the destination host name to a data transportation component; and
      
      resolving the destination host name at the data transportation component based on the set of rules.
  - 4. The method of claim 1, wherein the set of rules includes one of a signing identifier identifying the application allowed to access the private network and a designated requirements identifying the application allowed to access the private network.
  - 5. The method of claim 1, wherein the flow divert socket involves a socket filter that places the network flow data in a receive buffer accessible to the application.
  - 6. The method of claim 1, wherein the connection involves a TCP connection object that sets a socket option indicating that the network flow data will be tunneled over the connection.
  - 7. The method of claim 2, wherein each packet of the application data traverses a network stack only a single time before being communicated to the private network.

8. A device, comprising:
- a memory storing a plurality of rules; and
  
  a processor coupled to the memory and configured to;
  
  receive a request for a network data flow to a private network from an application executing on the device;
  
  compare identification information associated with the application against a set of rules of the plurality of rules stored on the device, wherein the set of rules identifies conditions for the application to be authorized to access the private network;
  
  divert the network data flow to a virtual private network (VPN) tunnel as opposed to enter a Transport Connection Protocol (TCP)/Internet Protocol (IP) stack;
  
  determine if the application specifies a destination by hostname;
  
  resolve the hostname for the destination at VPN plugin in response to the application specified hostname;
  
  open a flow divert socket for application data to flow between the application and a data transportation component of the device in response to the application not specifying the destination by hostname or after successfully resolving the hostname for the destination host;
  
  establish a connection for the network data flow upon the identification information satisfying the identified conditions for the application to access the private network; and
  
  direct, by the data transportation component, the network data flow directly to the private network.
- View Dependent Claims (9, 10, 11, 12, 13, 14)
- - 9. The device of claim 8, wherein the processor is further configured to perform:
    - communicating application data between the private network and the application over the connection.
  - 10. The device of claim 8, wherein the processor is further configured to perform:
    - receiving a destination host name from the application;
      
      providing the destination host name to a data transportation component; and
      
      resolving the destination host name at the data transportation component based on the set of rules.
  - 11. The device of claim 8, wherein the set of rules includes one of a signing identifier identifying the application allowed to access the private network and a designated requirements identifying the application allowed to access the private network.
  - 12. The device of claim 8, wherein the flow divert socket includes a socket filter placing the network flow data in a receive buffer accessible to the application.
  - 13. The device of claim 8, wherein the connection is a TCP connection object that sets a socket option indicating that the network flow data will be tunneled over the connection.
  - 14. The device of claim 9, wherein each packet of the application data traverses a network stack only a single time before being communicated to the private network.

15. A non-transitory computer readable storage medium with an executable program stored thereon and executed by a processor to cause the processor to perform a set of actions, the actions comprising:
- receiving, from an application executing on a device, a request for a network data flow to a private network;
  
  comparing identification information associated with the application against a set of rules stored on the memory, wherein the set of rules identifies conditions for the application to be authorized to access the private network;
  
  diverting the network data flow to a virtual private network (VPN) tunnel as opposed to entering a Transport Connection Protocol (TCP)/Internet Protocol (IP) stack;
  
  determining if the application specifies a destination by hostname;
  
  resolving the hostname for the destination at VPN plugin in response to the application specified hostname;
  
  opening a flow divert socket for application data to flow between the application and a data transportation component of the device in response to the application not specifying the destination by hostname or after successfully resolving the hostname for the destination host;
  
  establishing a connection for the network data flow upon the identification information satisfying the identified conditions for the application to access the private network; and
  
  directing, by the data transportation component, the network data flow directly to the private network.
- View Dependent Claims (16, 17, 18)
- - 16. The non-transitory computer readable storage medium of claim 15, wherein the actions further include:
    - communicating application data between the private network and the application over the connection.
  - 17. The non-transitory computer readable storage medium of claim 15, wherein the actions further include:
    - receiving a destination host name from the application;
      
      providing the destination host name to a data transportation component; and
      
      resolving the destination host name at the data transportation component based on the set of rules.
  - 18. The non-transitory computer readable storage medium of claim 16, wherein each packet of the application data traverses a network stack only a single time before being communicated to the private network.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Apple Inc.
Original Assignee
Apple Inc.
Inventors
Wood, James P.
Primary Examiner(s)
Pham, Luu
Assistant Examiner(s)
Kabir, Jahangir

Application Number

US13/911,789
Publication Number

US 20140366081A1
Time in Patent Office

838 Days
Field of Search

726/3, 726 13- 15
US Class Current

1/1
CPC Class Codes

H04L 12/4641   Virtual LANs, VLANs, e.g. v...

H04L 63/0272   Virtual private networks

H04L 63/10   for controlling access to d...

H04L 63/164   at the network layer

Systems and methods for application-specific access to virtual private networks

First Claim

1 Assignment

0 Petitions

Accused Products

Abstract

27 Citations

18 Claims

Specification

Solutions

Use Cases

Quick Links

Systems and methods for application-specific access to virtual private networks

First Claim

1 Assignment

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

27 Citations

18 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links