Selectively performing man in the middle decryption

US 9,294,450 B2
Filed: 09/03/2015
Issued: 03/22/2016
Est. Priority Date: 05/08/2013
Status: Active Grant

First Claim

Patent Images

1. A device comprising:

memory for storing machine instructions, an agent, and an operating system;

a transceiver configured to enable the device to communicate with a policy manager on a first network, and one or more resources; and

a processor for executing machine instructions stored in the memory, wherein execution of the machine instructions causes the device to perform operations including the following;

alternately performing either (a) or (b) depending on whether the device is hosted on the first network or on a second network other than the first network;

(a) if a device is hosted on a first network;

(i) receiving, by an agent on the device, a first request to access a resource outside the first network, wherein the first request is transmitted from an operating system of the device to the agent without being transmitted outside of the device;

(ii) transmitting, by the agent on the device, a first policy request to a policy manager hosted on the first network in response to the agent'"'"'s receiving the first request, wherein the first policy request is routed from the agent on the device to the policy manager hosted on the first network without leaving the first network;

(iii) receiving, by the agent on the device, a first policy response from the policy manager, the first policy response instructing the agent to monitor communication between the device and the resource;

(iv) establishing, by the agent on the device, a first encrypted connection between the device'"'"'s operating system and the agent such that communication traffic of the first encrypted connection is not transmitted outside the device;

(v) establishing, by the agent on the device, a second encrypted connection between the agent on the device and the resource such that communication traffic of the second encrypted connection enters and exits the first network at a gateway of the first network; and

(vi) monitoring, by the agent on the device, communication between the device'"'"'s operating system and the resource;

wherein monitoring, by the agent, communication between the device'"'"'s operating system and the resource comprises;

receiving, from the device'"'"'s operating system, first encrypted communication traffic from the first encrypted connection;

decrypting the first encrypted communication traffic into first decrypted communication traffic;

inspecting the first decrypted communication traffic;

encrypting the first decrypted communication traffic into second encrypted communication traffic; and

transmitting, to the resource, the second encrypted communication traffic on the second encrypted connection and(b) alternatively, if the device is hosted on a second network other than the first network;

(i) receiving, by the agent on the device, a second request to access the resource, wherein the request is transmitted from the operating system of the device to the agent without being transmitted outside of the device;

(ii) transmitting, by the agent on the device, a second policy request to the policy manager hosted on the first network in response to the agent'"'"'s receiving the second request, wherein the second policy request is routed from the second network to the first network in order to reach the policy manager on the first network;

(iii) receiving, by the agent on the device, a second policy response from the policy manager, the policy response instructing the agent to monitor communication between the device and the resource;

(iv) establishing, by the agent on the device, a third encrypted connection between the device'"'"'s operating system and the agent such that communication traffic of the third encrypted connection is not transmitted outside the device;

(v) establishing, by the agent on the device, a fourth encrypted connection between the agent and the resource such that communication traffic of the fourth encrypted connection is routed between the agent on the device and the resource without being routed to the first network; and

(vi) monitoring, by the agent, communication between the device'"'"'s operating system and the resourcewherein monitoring, by the agent, communication between the device'"'"'s operating system and the resource comprises;

receiving, from the device'"'"'s operating system, third encrypted communication traffic from the third encrypted connection;

decrypting the third encrypted communication traffic into second decrypted communication traffic;

inspecting the second decrypted communication traffic;

encrypting the second decrypted communication traffic into fourth encrypted communication traffic; and

transmitting, to the resource, the fourth encrypted communication traffic on the fourth encrypted connection.

View all claims

7 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

An agent on a device within a network receives a request to access a resource outside the network. A first encrypted connection is established between the device and the agent, and a second encrypted connection is established between the agent and the resource, to facilitate encrypted communication traffic between the device and the resource. The agent sends a policy request to a network appliance within the network, the request specifying the resource. The agent receives a policy response indicating that the resource is associated with one or more security policies of the network. Traffic passing between the device and the resource is selectively decrypted and inspected depending on the security policies.

Citations

12 Claims

1. A device comprising:
- memory for storing machine instructions, an agent, and an operating system;
  
  a transceiver configured to enable the device to communicate with a policy manager on a first network, and one or more resources; and
  
  a processor for executing machine instructions stored in the memory, wherein execution of the machine instructions causes the device to perform operations including the following;
  
  alternately performing either (a) or (b) depending on whether the device is hosted on the first network or on a second network other than the first network;
  
  (a) if a device is hosted on a first network;
  
  (i) receiving, by an agent on the device, a first request to access a resource outside the first network, wherein the first request is transmitted from an operating system of the device to the agent without being transmitted outside of the device;
  
  (ii) transmitting, by the agent on the device, a first policy request to a policy manager hosted on the first network in response to the agent'"'"'s receiving the first request, wherein the first policy request is routed from the agent on the device to the policy manager hosted on the first network without leaving the first network;
  
  (iii) receiving, by the agent on the device, a first policy response from the policy manager, the first policy response instructing the agent to monitor communication between the device and the resource;
  
  (iv) establishing, by the agent on the device, a first encrypted connection between the device'"'"'s operating system and the agent such that communication traffic of the first encrypted connection is not transmitted outside the device;
  
  (v) establishing, by the agent on the device, a second encrypted connection between the agent on the device and the resource such that communication traffic of the second encrypted connection enters and exits the first network at a gateway of the first network; and
  
  (vi) monitoring, by the agent on the device, communication between the device'"'"'s operating system and the resource;
  
  wherein monitoring, by the agent, communication between the device'"'"'s operating system and the resource comprises;
  
  receiving, from the device'"'"'s operating system, first encrypted communication traffic from the first encrypted connection;
  
  decrypting the first encrypted communication traffic into first decrypted communication traffic;
  
  inspecting the first decrypted communication traffic;
  
  encrypting the first decrypted communication traffic into second encrypted communication traffic; and
  
  transmitting, to the resource, the second encrypted communication traffic on the second encrypted connection and(b) alternatively, if the device is hosted on a second network other than the first network;
  
  (i) receiving, by the agent on the device, a second request to access the resource, wherein the request is transmitted from the operating system of the device to the agent without being transmitted outside of the device;
  
  (ii) transmitting, by the agent on the device, a second policy request to the policy manager hosted on the first network in response to the agent'"'"'s receiving the second request, wherein the second policy request is routed from the second network to the first network in order to reach the policy manager on the first network;
  
  (iii) receiving, by the agent on the device, a second policy response from the policy manager, the policy response instructing the agent to monitor communication between the device and the resource;
  
  (iv) establishing, by the agent on the device, a third encrypted connection between the device'"'"'s operating system and the agent such that communication traffic of the third encrypted connection is not transmitted outside the device;
  
  (v) establishing, by the agent on the device, a fourth encrypted connection between the agent and the resource such that communication traffic of the fourth encrypted connection is routed between the agent on the device and the resource without being routed to the first network; and
  
  (vi) monitoring, by the agent, communication between the device'"'"'s operating system and the resourcewherein monitoring, by the agent, communication between the device'"'"'s operating system and the resource comprises;
  
  receiving, from the device'"'"'s operating system, third encrypted communication traffic from the third encrypted connection;
  
  decrypting the third encrypted communication traffic into second decrypted communication traffic;
  
  inspecting the second decrypted communication traffic;
  
  encrypting the second decrypted communication traffic into fourth encrypted communication traffic; and
  
  transmitting, to the resource, the fourth encrypted communication traffic on the fourth encrypted connection.
- View Dependent Claims (2, 3, 4, 5, 6)
- - 2. The device of claim 1, the operations further comprising:
    - (a) if the device is hosted on the first network;
      
      (vii) receiving, by the agent on the device, a third request to access a second resource outside the first network, wherein the third request is transmitted from the device'"'"'s operating system to the agent without being transmitted outside of the device;
      
      (viii) transmitting, by the agent on the device, a third policy request to the policy manager hosted on the first network in response to the agent'"'"'s receiving the third request, wherein the third policy request is routed from the agent on the device to the policy manager hosted on the first network without leaving the first network;
      
      (ix) receiving, by the agent on the device, a third policy response from the policy manager, the third policy response instructing the agent not to monitor communication between the device and the second resource; and
      
      (x) allowing, by the agent, the device'"'"'s operating system to establish a fifth encrypted connection between the device'"'"'s operating system and the second resource.
  - 3. The device of claim 1, the operations further comprising:
    - (b) alternatively, if the device is hosted on a second network other than the first network;
      
      (vii) receiving, by the agent on the device, a fourth request to access a second resource outside the first network, wherein the fourth request is transmitted from the device'"'"'s operating system to the agent without being transmitted outside of the device;
      
      (viii) transmitting, by the agent on the device, a fourth policy request to the policy manager hosted on the first network in response to the agent'"'"'s receiving the fourth request, wherein the fourth policy request is routed from the second network to the first network in order to reach the policy manager on the first network;
      
      (ix) receiving, by the agent on the device, a fourth policy response from the policy manager, the fourth policy response instructing the agent not to monitor communication between the device and the second resource; and
      
      (x) allowing, by the agent, the device'"'"'s operating system to establish a sixth encrypted connection between the device'"'"'s operating system and the second resource.
  - 4. The device of claim 1, the operations further comprising:
    - (a) if the device is hosted on the first network;
      
      wherein monitoring, by the agent, communication between the device'"'"'s operating system and the resource comprises blocking at least some of the communication between the device'"'"'s operating system and the resource; and
      
      (b) alternatively, if the device is hosted on a second network other than the first network;
      
      wherein monitoring, by the agent, communication between the device'"'"'s operating system and the resource comprises blocking at least some of the communication between the device'"'"'s operating system and the resource.
  - 5. The device of claim 1, wherein the agent is configured to receive requests from a plurality of applications running on the device'"'"'s operating system.
  - 6. The device of claim 1, wherein the agent is a driver installed in a protocol stack of the device'"'"'s operating system.

7. A device comprising:
- memory for storing machine instructions, an agent, and an operating system;
  
  means for communicating with a policy manager on a first network, and one or more resources; and
  
  a processor for executing machine instructions stored in the memory, wherein execution of the machine instructions causes the device to perform operations including the following;
  
  alternately performing either (a) or (b) depending on whether the device is hosted on the first network or on a second network other than the first network;
  
  (a) if a device is hosted on a first network;
  
  (i) receiving, by an agent on the device, a first request to access a resource outside the first network, wherein the first request is transmitted from an operating system of the device to the agent without being transmitted outside of the device;
  
  (ii) transmitting, by the agent on the device, a first policy request to a policy manager hosted on the first network in response to the agent'"'"'s receiving the first request, wherein the first policy request is routed from the agent on the device to the policy manager hosted on the first network without leaving the first network;
  
  (iii) receiving, by the agent on the device, a first policy response from the policy manager, the first policy response instructing the agent to monitor communication between the device and the resource;
  
  (iv) establishing, by the agent on the device, a first encrypted connection between the device'"'"'s operating system and the agent such that communication traffic of the first encrypted connection is not transmitted outside the device;
  
  (v) establishing, by the agent on the device, a second encrypted connection between the agent on the device and the resource such that communication traffic of the second encrypted connection enters and exits the first network at a gateway of the first network; and
  
  (vi) monitoring, by the agent on the device, communication between the device'"'"'s operating system and the resourcewherein monitoring, by the agent, communication between the device'"'"'s operating system and the resource comprises;
  
  receiving, from the device'"'"'s operating system, first encrypted communication traffic from the first encrypted connection;
  
  decrypting the first encrypted communication traffic into first decrypted communication traffic;
  
  inspecting the first decrypted communication traffic;
  
  encrypting the first decrypted communication traffic into second encrypted communication traffic; and
  
  transmitting, to the resource, the second encrypted communication traffic on the second encrypted connection; and
  
  (b) alternatively, if the device is hosted on a second network other than the first network;
  
  (i) receiving, by the agent on the device, a second request to access the resource, wherein the request is transmitted from the operating system of the device to the agent without being transmitted outside of the device;
  
  (ii) transmitting, by the agent on the device, a second policy request to the policy manager hosted on the first network in response to the agent'"'"'s receiving the second request, wherein the second policy request is routed from the second network to the first network in order to reach the policy manager on the first network;
  
  (iii) receiving, by the agent on the device, a second policy response from the policy manager, the policy response instructing the agent to monitor communication between the device and the resource;
  
  (iv) establishing, by the agent on the device, a third encrypted connection between the device'"'"'s operating system and the agent such that communication traffic of the third encrypted connection is not transmitted outside the device;
  
  (v) establishing, by the agent on the device, a fourth encrypted connection between the agent and the resource such that communication traffic of the fourth encrypted connection is routed between the agent on the device and the resource without being routed to the first network; and
  
  (vi) monitoring, by the agent, communication between the device'"'"'s operating system and the resourcewherein monitoring, by the agent, communication between the device'"'"'s operating system and the resource comprises;
  
  receiving, from the device'"'"'s operating system, third encrypted communication traffic from the third encrypted connection;
  
  decrypting the third encrypted communication traffic into second decrypted communication traffic;
  
  inspecting the second decrypted communication traffic;
  
  encrypting the second decrypted communication traffic into fourth encrypted communication traffic; and
  
  transmitting, to the resource, the fourth encrypted communication traffic on the fourth encrypted connection.
- View Dependent Claims (8, 9, 10, 11, 12)
- - 8. The device of claim 7, the operations further comprising:
    - (a) if the device is hosted on the first network;
      
      (vii) receiving, by the agent on the device, a third request to access a second resource outside the first network, wherein the third request is transmitted from the device'"'"'s operating system to the agent without being transmitted outside of the device;
      
      (viii) transmitting, by the agent on the device, a third policy request to the policy manager hosted on the first network in response to the agent'"'"'s receiving the third request, wherein the third policy request is routed from the agent on the device to the policy manager hosted on the first network without leaving the first network;
      
      (ix) receiving, by the agent on the device, a third policy response from the policy manager, the third policy response instructing the agent not to monitor communication between the device and the second resource; and
      
      (x) allowing, by the agent, the device'"'"'s operating system to establish a fifth encrypted connection between the device'"'"'s operating system and the second resource.
  - 9. The device of claim 7, the operations further comprising:
    - (b) alternatively, if the device is hosted on a second network other than the first network;
      
      (vii) receiving, by the agent on the device, a fourth request to access a second resource outside the first network, wherein the fourth request is transmitted from the device'"'"'s operating system to the agent without being transmitted outside of the device;
      
      (viii) transmitting, by the agent on the device, a fourth policy request to the policy manager hosted on the first network in response to the agent'"'"'s receiving the fourth request, wherein the fourth policy request is routed from the second network to the first network in order to reach the policy manager on the first network;
      
      (ix) receiving, by the agent on the device, a fourth policy response from the policy manager, the fourth policy response instructing the agent not to monitor communication between the device and the second resource; and
      
      (x) allowing, by the agent, the device'"'"'s operating system to establish a sixth encrypted connection between the device'"'"'s operating system and the second resource.
  - 10. The device of claim 7, the operations further comprising:
    - (a) if the device is hosted on the first network;
      
      wherein monitoring, by the agent, communication between the device'"'"'s operating system and the resource comprises blocking at least some of the communication between the device'"'"'s operating system and the resource; and
      
      (b) alternatively, if the device is hosted on a second network other than the first network;
      
      wherein monitoring, by the agent, communication between the device'"'"'s operating system and the resource comprises blocking at least some of the communication between the device'"'"'s operating system and the resource.
  - 11. The device of claim 7, wherein the agent is configured to receive requests from a plurality of applications running on the device'"'"'s operating system.
  - 12. The device of claim 7, wherein the agent is a driver installed in a protocol stack of the device'"'"'s operating system.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
iBoss
Original Assignee
iBoss
Inventors
Martini, Paul Michael
Primary Examiner(s)
Mehrmanesh, Amir

Application Number

US14/845,209
Publication Number

US 20150381584A1
Time in Patent Office

201 Days
Field of Search
US Class Current

1/1
CPC Class Codes

H04L 63/0227   Filtering policies mail mes...

H04L 63/0281   Proxies

H04L 63/04   for providing a confidentia...

H04L 63/0428   wherein the data content is...

H04L 63/10   for controlling access to d...

H04L 63/1441   Countermeasures against mal...

H04L 63/166   at the transport layer

H04L 63/168   above the transport layer

H04L 63/20   for managing network securi...

H04L 63/30   for supporting lawful inter...

H04L 63/306   intercepting packet switche...

H04L 67/02   based on web technology, e....

H04L 9/321   involving a third party or ...

Selectively performing man in the middle decryption

First Claim

7 Assignments

0 Petitions

Accused Products

Abstract

Citations

12 Claims

Specification

Solutions

Use Cases

Quick Links

Selectively performing man in the middle decryption

First Claim

7 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

Citations

12 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links