Tunneling using encryption
Abstract
A scalable access filter that is used together with others like it in a virtual private network to control access by users at clients in the network to information resources provided by servers in the network. Each access filter uses a local copy of an access control database to determine whether an access request is made by a user. Each user belongs to one or more user groups and each information resource belongs to one or more information sets. Access is permitted or denied according to access policies which define access in terms of the user groups and information sets. The first access filter in the path performs the access check, encrypts and authenticates the request; the other access filters in the path do not repeat the access check. The interface used by applications to determine whether a user has access to an entity is now an SQL entity. The policy server assembles the information needed for the response to the query from various information sources, including sources external to the policy server.
19 Claims
1. A method for tunneling using encryption, the method comprising:
- receiving a data packet at a first access filter in a first internal network, the data packet sent from a client device in the first internal network, wherein the received data packet has an original header specifying an internet protocol (IP) address of the client device as a source address and an IP address of a client device in a second internal network as a destination address;
- executing instructions stored in memory of the first access filter, wherein execution of the instructions by a processor:
  - encrypts the data packet using a certificate shared between the first access filter and a second access filter associated with the destination address of the data packet, wherein the original header of the data packet is also encrypted, and
  - adds a new header specifying that an IP address of the first access filter is a source address and that an IP address of the second access filter is a destination address of the encrypted data packet; and
- sending the data packet with the new header to the second access filter, wherein the original header remains encrypted during transmission through the Internet, and wherein the second access filter:
  - verifies that the data packet is from the first access filter as indicated by the new header, and
  - removes the new header and decrypts the data packet to obtain the original header based on the verification.

Dependent claims: 2, 3, 4.
5. A method for tunneling using encryption, the method comprising:
- receiving an encrypted data packet at a first access filter in a first internal network, the data packet sent from a second access filter in a second internal network, wherein the encrypted data packet includes a new header indicating that the second access filter is a source address and the first access filter is a destination address, wherein an original header of the encrypted data packet remains encrypted during transmission through the Internet; and
- executing instructions stored in memory of the first access filter, wherein execution of the instructions by a processor:
  - analyzes identification information associated with the data packet to verify that the data packet is from the second access filter,
  - removes the new header of the data packet and decrypts the data packet based on verification that the data packet is from the second access filter as indicated by the new header, wherein the decrypted data packet includes the original header of the data packet, wherein the original header specifies an internet protocol (IP) address in the second internal network as a destination address of the decrypted data packet; and
  - processes the data packet based on the original header.

Dependent claims: 6, 7, 8.
9. A system for tunneling using encryption, the system comprising:
- a client device in a first internal network; and
- a first access filter in the first internal network, the first access filter comprising:
  - a communication interface that receives a data packet sent from the client device, wherein the received data packet has an original header specifying an internet protocol (IP) address of the client device as a source address and an IP address of a client device in a second internal network as a destination address;
  - a processor that executes instructions stored in memory, wherein execution of the instructions by the processor:
    - encrypts the data packet using a certificate shared between the first access filter and a second access filter associated with the destination address of the data packet, wherein the original header of the data packet is also encrypted, and
    - adds a new header specifying that an IP address of the first access filter is a source address and that an IP address of the second access filter is a destination address of the encrypted data packet;
  - wherein the communication interface sends the data packet with the new header to the second access filter, wherein the original header remains encrypted during transmission through the Internet, and wherein the second access filter:
    - verifies that the data packet is from the first access filter as indicated by the new header, and
    - removes the new header and decrypts the data packet to obtain the original header based on the verification.

Dependent claims: 10, 11, 12, 13.
14. A system for tunneling using encryption, the system comprising:
- a first access filter in a first internal network, the first access filter comprising:
  - a communication interface that receives an encrypted data packet sent from a second access filter in a second internal network, wherein the encrypted data packet includes a header indicating that the second access filter is a source address and the first access filter is a destination address, wherein an original header of the encrypted data packet remains encrypted during transmission through the Internet; and
  - a processor that executes instructions stored in memory, wherein execution of the instructions by the processor:
    - analyzes identification information associated with the data packet to verify that the data packet is from the second access filter,
    - removes the header of the data packet and decrypts the data packet based on verification that the data packet is from the second access filter as indicated by the header, wherein the decrypted data packet includes the original header of the data packet, wherein the original header specifies an internet protocol (IP) address in the second internal network as a destination address of the decrypted data packet; and
    - processes the data packet based on the original header.

Dependent claims: 15, 16, 17.
18. A non-transitory computer-readable storage medium, having embodied thereon a program executable by a processor to perform a method for tunneling using encryption, the method comprising:
- receiving a data packet at a first access filter in a first internal network, the data packet sent from a client device in the first internal network, wherein the received data packet has an original header specifying an internet protocol (IP) address of the client device as a source address and an IP address of a client device in a second internal network as a destination address;
- encrypting the data packet using a certificate shared between the first access filter and a second access filter associated with the destination address of the data packet, wherein the original header of the data packet is also encrypted;
- adding a new header specifying that an IP address of the first access filter is a source address and that an IP address of the second access filter is a destination address of the encrypted data packet; and
- sending the data packet with the new header to the second access filter, wherein the original header remains encrypted during transmission through the Internet, and wherein the second access filter:
  - verifies that the data packet is from the first access filter as indicated by the new header, and
  - removes the new header and decrypts the data packet to obtain the original header based on the verification.
19. A non-transitory computer-readable storage medium, having embodied thereon a program executable by a processor to perform a method for tunneling using encryption, the method comprising:
- receiving an encrypted data packet at a first access filter in a first internal network, the data packet sent from a second access filter in a second internal network, wherein the encrypted data packet includes a header indicating that the second access filter is a source address and the first access filter is a destination address, wherein an original header of the encrypted data packet remains encrypted during transmission through the Internet;
- analyzing identification information associated with the data packet to verify that the data packet is from the second access filter;
- removing the header of the data packet and decrypting the data packet based on verification that the data packet is from the second access filter as indicated by the header, wherein the decrypted data packet includes the original header of the data packet, wherein the original header specifies an internet protocol (IP) address in the second internal network as a destination address of the decrypted data packet; and
- processing the data packet based on the original header.
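The claims above describe both directions of the tunnel: the sending filter encrypts the whole inner packet (original header included) and prepends a new header addressed filter-to-filter (claims 1, 9, 18), and the receiving filter verifies the sender, strips the new header, decrypts, and only then processes the packet by its original header (claims 5, 14, 19). The following is an added example written for this page, not code from the patent or its assignee, that models both filters end to end. Everything in it is constructed: the "certificate shared between the first access filter and the second access filter" is replaced by a pre-shared 32-byte secret per peer, the packet header is reduced to a source and a destination IPv4 address, and the cipher is an encrypt-then-MAC construction from HMAC-SHA256 (HMAC as a PRF in counter mode for confidentiality, a second HMAC as the tag) so that it runs on the standard library alone; a real deployment would use an AEAD such as AES-GCM under keys negotiated from the certificates.

```python
import hashlib
import hmac
import ipaddress
import secrets
import struct

HDR = struct.Struct("!4s4s")   # constructed minimal header: source IP, destination IP
NONCE_LEN = 16
TAG_LEN = 32                   # HMAC-SHA256 digest length
# Constructed pre-shared secret standing in for the certificate shared by the two filters.
SHARED_SECRET = bytes.fromhex("00" * 16 + "ff" * 16)


def make_packet(src: str, dst: str, payload: bytes) -> bytes:
    """Build an inner packet: original header followed by the payload."""
    return HDR.pack(ipaddress.IPv4Address(src).packed,
                    ipaddress.IPv4Address(dst).packed) + payload


def parse_header(packet: bytes):
    """Split a packet into (source IP, destination IP, remainder)."""
    src, dst = HDR.unpack_from(packet)
    return str(ipaddress.IPv4Address(src)), str(ipaddress.IPv4Address(dst)), packet[HDR.size:]


def keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    """HMAC-SHA256 in counter mode, used as a PRF-based stream cipher (toy stand-in for AES-CTR)."""
    out, counter = b"", 0
    while len(out) < length:
        out += hmac.new(key, nonce + struct.pack("!Q", counter), hashlib.sha256).digest()
        counter += 1
    return out[:length]


def xor_bytes(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


class AccessFilter:
    """One access filter at the edge of an internal network."""

    def __init__(self, ip: str, internal_net: str, peers: dict):
        # peers maps a peer filter's IP -> (that peer's internal network, shared secret)
        self.ip = ip
        self.net = ipaddress.IPv4Network(internal_net)
        self.peers = {p: (ipaddress.IPv4Network(n), s) for p, (n, s) in peers.items()}

    @staticmethod
    def derive_keys(secret: bytes):
        # Separate encryption and MAC keys derived from the shared secret.
        return (hmac.new(secret, b"enc", hashlib.sha256).digest(),
                hmac.new(secret, b"mac", hashlib.sha256).digest())

    def peer_for(self, dst: str):
        # The second access filter is the one "associated with the destination address".
        for peer_ip, (net, secret) in self.peers.items():
            if ipaddress.IPv4Address(dst) in net:
                return peer_ip, secret
        raise LookupError(f"no access filter known for destination {dst}")

    def encapsulate(self, packet: bytes) -> bytes:
        """Sending side: encrypt the whole packet, header included, then add the new header."""
        src, dst, _ = parse_header(packet)
        if ipaddress.IPv4Address(src) not in self.net:
            raise ValueError(f"source {src} is not in this filter's internal network")
        peer_ip, secret = self.peer_for(dst)
        enc_key, mac_key = self.derive_keys(secret)
        nonce = secrets.token_bytes(NONCE_LEN)
        ciphertext = xor_bytes(packet, keystream(enc_key, nonce, len(packet)))
        new_hdr = HDR.pack(ipaddress.IPv4Address(self.ip).packed,
                           ipaddress.IPv4Address(peer_ip).packed)
        # The tag also covers the new header, so the claimed sending filter cannot be altered in transit.
        tag = hmac.new(mac_key, new_hdr + nonce + ciphertext, hashlib.sha256).digest()
        return new_hdr + nonce + ciphertext + tag

    def decapsulate(self, tunnel_packet: bytes) -> bytes:
        """Receiving side: verify the sender, strip the new header, decrypt, check the original header."""
        if len(tunnel_packet) < HDR.size + NONCE_LEN + TAG_LEN:
            raise ValueError("truncated tunnel packet")
        src_filter, dst_filter, body = parse_header(tunnel_packet)
        if dst_filter != self.ip:
            raise ValueError("tunnel packet is not addressed to this filter")
        if src_filter not in self.peers:
            raise ValueError(f"unknown access filter {src_filter}")
        peer_net, secret = self.peers[src_filter]
        enc_key, mac_key = self.derive_keys(secret)
        nonce, ciphertext, tag = body[:NONCE_LEN], body[NONCE_LEN:-TAG_LEN], body[-TAG_LEN:]
        expected = hmac.new(mac_key, tunnel_packet[:HDR.size] + nonce + ciphertext,
                            hashlib.sha256).digest()
        # Verification precedes any decryption; the comparison is constant-time.
        if not hmac.compare_digest(expected, tag):
            raise ValueError(f"authentication failed for packet claiming to be from {src_filter}")
        packet = xor_bytes(ciphertext, keystream(enc_key, nonce, len(ciphertext)))
        src, dst, _ = parse_header(packet)
        # "Processes the data packet based on the original header": the inner destination must be
        # in our network and the inner source in the peer's, otherwise the tunnel is being misused.
        if ipaddress.IPv4Address(dst) not in self.net:
            raise ValueError(f"inner destination {dst} is not in this internal network")
        if ipaddress.IPv4Address(src) not in peer_net:
            raise ValueError(f"inner source {src} is not in the network behind {src_filter}")
        return packet


def demo():
    """Round-trip one constructed packet between two filters and report what transits the Internet."""
    a = AccessFilter("203.0.113.1", "10.1.0.0/16", {"203.0.113.2": ("10.2.0.0/16", SHARED_SECRET)})
    b = AccessFilter("203.0.113.2", "10.2.0.0/16", {"203.0.113.1": ("10.1.0.0/16", SHARED_SECRET)})
    inner = make_packet("10.1.0.5", "10.2.0.7", b"constructed payload")
    tunnel = a.encapsulate(inner)
    outer_src, outer_dst, _ = parse_header(tunnel)
    return {"outer_header": (outer_src, outer_dst),
            "inner_header_visible": inner[:HDR.size] in tunnel,
            "recovered": b.decapsulate(tunnel),
            "tunnel": tunnel, "receiver": b}
```

Running `demo()` shows the two properties the claims hinge on: the only addresses visible on the Internet path are those of the two access filters (the inner 10.x addresses never appear in the clear), and the receiving filter rejects a packet whose new header names an unknown filter, or whose contents were altered, before it decrypts anything. The order of checks in `decapsulate` is the point to notice: authenticate the outer packet first, decrypt second, and only then trust the original header enough to route on it.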
Specification