Virtual private network access control

US 9,584,523 B2
Filed: 10/30/2012
Issued: 02/28/2017
Est. Priority Date: 10/30/2012
Status: Active Grant

First Claim

Patent Images

1. A method for virtual private network (VPN) access control, the method comprising:

receiving a request from an application on a user device to access a remote computer network asset;

determining, by a processor on the user device, an authorization of the application to access the remote computer network asset based on a policy;

in response to a determination, on the user device, that the application is authorized to access the remote computer network asset;

setting a VPN connection between the user device and a remote computer network including the remote computer network asset, and routing traffic from the application to the remote computer network asset via the VPN; and

in response to a determination, on the user device, that the application is not authorized to access the remote computer network asset, routing traffic from the requesting application directly to a destination server different than the remote computer network asset via a network different than the remote computer network for execution of the application by the destination server, allowing the requesting application to perform functions without breaching the remote computer network.

View all claims

2 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

According to an example, a method for virtual private network (VPN) access control includes receiving a request from an application on a user device to access a remote computer network asset, and determining, by a processor, an authorization of the application to access the remote computer network asset based on a policy. In response to a determination that the application is authorized to access the remote computer network asset, the method includes setting a VPN connection between the user device and a remote computer network including the remote computer network asset, and routing traffic from the application to the remote computer network asset via the VPN. In response to a determination that the application is not authorized to access the remote computer network asset, the method includes routing traffic from the application to a network different than the remote computer network.

Citations

19 Claims

1. A method for virtual private network (VPN) access control, the method comprising:
- receiving a request from an application on a user device to access a remote computer network asset;
  
  determining, by a processor on the user device, an authorization of the application to access the remote computer network asset based on a policy;
  
  in response to a determination, on the user device, that the application is authorized to access the remote computer network asset;
  
  setting a VPN connection between the user device and a remote computer network including the remote computer network asset, and routing traffic from the application to the remote computer network asset via the VPN; and
  
  in response to a determination, on the user device, that the application is not authorized to access the remote computer network asset, routing traffic from the requesting application directly to a destination server different than the remote computer network asset via a network different than the remote computer network for execution of the application by the destination server, allowing the requesting application to perform functions without breaching the remote computer network.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13, 14)
- - 2. The method of claim 1, wherein the application is one of a legacy application executed natively on the user device, a web application executed on a browser, and a virtual machine (VM) application executed on a VM on the user device.
  - 3. The method of claim 1, wherein the remote computer network asset is an enterprise network asset.
  - 4. The method of claim 1, further comprising:
    - receiving a provisioned list of remote computer network assets that are authorized to be accessed by applications on the user device; and
      
      storing the provisioned list of authorized remote computer network assets in the policy on the user device.
  - 5. The method of claim 1, wherein determining the authorization of the application to access the remote computer network asset further comprises:
    - determining an authorization of the user device to access the remote computer network asset.
  - 6. The method of claim 1, wherein determining the authorization of the application to access the remote computer network asset further comprises:
    - comparing an application identification (ID) for the application to authorized application IDs for applications authorized to access the remote computer network asset;
      
      in response to the application ID matching one of the authorized application IDs, indicating the application as being authentic; and
      
      in response to the application ID not matching one of the authorized application IDs, indicating the application as being unauthentic.
  - 7. The method of claim 6, wherein the application ID is hashed.
  - 8. The method of claim 6, wherein the application ID is non-hashed and includes authentication credentials that include a hashed password.
  - 9. The method of claim 1, wherein the policy is stored in a policy repository on the user device.
  - 10. The method of claim 1, wherein routing traffic from the application to the destination server different than the remote computer network asset via the network different than the remote computer network further comprises:
    - routing traffic from the application to the destination server that includes an internet server via Internet.
  - 11. The method of claim 1, further comprising:
    - selecting the policy based on a capability of the application.
  - 12. The method of claim 1, further comprising:
    - selecting the policy based on a capability of the user device.
  - 13. The method of claim 1, further comprising:
    - selecting the policy based on an organizational position of a user of the user device in an enterprise including the remote computer network asset.
  - 14. The method of claim 1, further comprising:
    - updating an initial version of the policy based on an authenticity of credentials of a user of the user device in an enterprise including the remote computer network asset; and
      
      using the updated version of the policy to determine the authorization of the application to access the remote computer network asset.

15. A user device comprising:
- a memory storing machine readable instructions to;
  
  receive a request from an application on the user device to access a remote computer network asset;
  
  determine, on the user device, an authorization of the application to access the remote computer network asset based on a policy on the user device;
  
  in response to a determination, on the user device, that the application is authorized to access the remote computer network asset, route traffic from the application to the remote computer network asset via a virtual private network (VPN); and
  
  in response to a determination, on the user device, that the application is not authorized to access the remote computer network asset, route traffic from the requesting application directly to a destination server different than the remote computer network asset via Internet for execution of the application by the destination server, allowing the requesting application to perform functions without breaching the remote computer network; and
  
  a processor to implement the machine readable instructions.
- View Dependent Claims (16, 17)
- - 16. The user device of claim 15, further comprising machine readable instructions to:
    - receive a provisioned list of remote computer network assets that are authorized to be accessed by applications on the user device; and
      
      store the provisioned list of authorized remote computer network assets in the policy on the user device.
  - 17. The user device of claim 15, further comprising machine readable instructions to:
    - compare an application identification (ID) for the application to authorized application IDs for applications authorized to access the remote computer network asset;
      
      in response to the application ID matching one of the authorized application IDs, indicate the application as being authentic; and
      
      in response to the application ID not matching one of the authorized application IDs, indicate the application as being unauthentic.

18. A non-transitory computer readable medium having stored thereon machine readable instructions for virtual private network (VPN) access control, the machine readable instructions when executed cause a computer system to:
- receive a request from an application on a user device to access a remote computer network asset;
  
  determine, by a processor on the user device, an authorization of the user device to access the remote computer network asset based on a policy;
  
  in response to a determination, on the user device, that the user device is authorized to access the remote computer network asset, route traffic from the application to the remote computer network asset via a VPN; and
  
  in response to a determination, on the user device, that the user device is not authorized to access the remote computer network asset, route traffic from the requesting application directly to a destination server different than the remote computer network asset via Internet for execution of the application by the destination server, allowing the requesting application to perform functions without breaching the remote computer network.
- View Dependent Claims (19)
- - 19. The non-transitory computer readable medium of claim 18, the machine readable instructions that when executed further cause the computer system to:
    - compare an application identification (ID) for the application to authorized application IDs for applications authorized to access the remote computer network asset;
      
      in response to the application ID matching one of the authorized application IDs, indicate the application as being authentic; and
      
      in response to the application ID not matching one of the authorized application IDs, indicate the application as being unauthentic.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Hewlett Packard Enterprise Development LP (Hewlett-Packard Enterprise Company)
Original Assignee
Hewlett Packard Enterprise Development LP (Hewlett-Packard Enterprise Company)
Inventors
Marchezi, Humberto Cardoso, Schulze, Paul Gerhard, Santhiveeran, Soma Sundaram, Pires, Jose Paulo Xavier, Moreira, Ricardo Bueno
Primary Examiner(s)
Lazaro, David
Assistant Examiner(s)
Ye, Zi

Application Number

US13/664,211
Publication Number

US 20140122716A1
Time in Patent Office

1,582 Days
Field of Search

709/225, 709/229, 709/223, 726/15, 726/4, 713/153, 713/168, 713/183
US Class Current

1/1
CPC Class Codes

H04L 63/02   for separating internal fro...

H04L 63/0272   Virtual private networks

H04L 63/102   Entity profiles

Virtual private network access control

First Claim

2 Assignments

0 Petitions

Accused Products

Abstract

Citations

19 Claims

Specification

Solutions

Use Cases

Quick Links

Virtual private network access control

First Claim

2 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

Citations

19 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links