Secure proxy

US 9,660,998 B1
Filed: 10/02/2015
Issued: 05/23/2017
Est. Priority Date: 09/14/2012
Status: Active Grant

First Claim

Patent Images

1. A computer-implemented method, comprising:

maintaining, at a secure proxy server within a trusted environment, a set of policies including requirements for providing communication with computing resources outside the trusted environment;

maintaining a set of network addresses associated with a plurality of computing resources, the set of network addresses continuously updated to include network addresses currently associated with the plurality of computing resources;

receiving, from an application, a request to access a computing resource at an endpoint outside of the trusted environment;

identifying a subset of the set of policies relevant to the application based at least in part on a network protocol layer to which the computing resource belongs, the subset of policies including;

a set of criteria including an indication of data fields specific to the network protocol layer; and

a set of actions to be performed when conditions related to the indicated data fields of the set of criteria are satisfied;

identifying, from the set of network addresses, a subset of network addresses currently associated with the computing resource that excludes the endpoint, the subset of network addresses identified in accordance with the subset of policies;

determining an authorized network address of the subset of network addresses to be used in communicating with the computing resource, the authorized network address being one that has been validated using the set of policies;

establishing a network connection with the computing resource at the authorized network address;

routing information between the computing resource and the application via the established network connection, the information being subjected to the set of policies; and

performing at least one action of the set of actions based at least in part on a condition related to the data fields of the set of criteria being met by the information.

View all claims

1 Assignment

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

Methods and systems are provided herein to enable secure proxying of network traffic between trusted and untrusted environments. In particular, a secure proxy may be provided that includes a set of policies. The policies may be applicable to various network protocol layers (e.g., an application layer), network traffic types, and/or endpoint resolution. The set of policies may be used to inspect, restrict and/or modify traffic between the trusted and untrusted environment to ensure data and network security. A proxy device may use the set of policies, for example, to obtain current service-related information (such as the list of IP addresses) currently associated with a computing resource requested by an application. Such endpoint information may be used, in turn, to update a white list.

Citations

20 Claims

1. A computer-implemented method, comprising:
- maintaining, at a secure proxy server within a trusted environment, a set of policies including requirements for providing communication with computing resources outside the trusted environment;
  
  maintaining a set of network addresses associated with a plurality of computing resources, the set of network addresses continuously updated to include network addresses currently associated with the plurality of computing resources;
  
  receiving, from an application, a request to access a computing resource at an endpoint outside of the trusted environment;
  
  identifying a subset of the set of policies relevant to the application based at least in part on a network protocol layer to which the computing resource belongs, the subset of policies including;
  
  a set of criteria including an indication of data fields specific to the network protocol layer; and
  
  a set of actions to be performed when conditions related to the indicated data fields of the set of criteria are satisfied;
  
  identifying, from the set of network addresses, a subset of network addresses currently associated with the computing resource that excludes the endpoint, the subset of network addresses identified in accordance with the subset of policies;
  
  determining an authorized network address of the subset of network addresses to be used in communicating with the computing resource, the authorized network address being one that has been validated using the set of policies;
  
  establishing a network connection with the computing resource at the authorized network address;
  
  routing information between the computing resource and the application via the established network connection, the information being subjected to the set of policies; and
  
  performing at least one action of the set of actions based at least in part on a condition related to the data fields of the set of criteria being met by the information.
- View Dependent Claims (2, 3, 4, 5, 6)
- - 2. The computer-implemented method of claim 1, wherein the set of network addresses associated with the plurality of computing resources comprises a whitelist of network addresses.
  - 3. The computer-implemented method of claim 2, further comprising:
    - querying one or more domain name system servers to identify a current list of network addresses;
      
      validating the list of current network addresses according to the set of policies; and
      
      updating the whitelist of network addresses to include validated network addresses of the list of current network addresses.
  - 4. The computer-implemented method of claim 3, wherein the one or more domain name system servers is at least two different domain name system servers;
    - validating the list of current network addresses according to the set of policies comprises comparing a first list of network addresses received from a first domain name system server to a second list of network addresses received from a second domain name system server; and
      
      updating the whitelist of network addresses to include validated network addresses of the list of network addresses comprises adding network addresses that appear in both the first list of network addresses and the second list of network addresses to the whitelist.
  - 5. The computer-implemented method of claim 1, wherein determining the authorized network address of the subset of network addresses comprises selecting a network address based on one or more attributes of a server located at the network address.
  - 6. The computer-implemented method of claim 5, wherein the one or more attributes is one of bandwidth, capacity, geographic region, security, or availability.

7. A secure proxy device comprising:
- one or more processors;
  
  one or more security layers configured to enforce a set of policies on network traffic passing through the one or more security layers, the set of policies including;
  
  a set of criteria including an indication of data fields specific to the one or more security layers; and
  
  a set of actions to be performed when conditions related to the indicated data fields of the set of criteria are met; and
  
  memory, including instructions executable by the one or more processors to cause the secure proxy device to at least;
  
  receive a set of network addresses associated with a plurality of computing resources, the network addresses periodically updated;
  
  generate a subset of the set of network addresses to include network addresses of the set of network addresses validated in accordance with the set of policies;
  
  receive, from an application, a request to access a computing resource of the plurality of computing resources;
  
  determine, based at least in part on the set of policies, a valid network address from the subset of the set of network addresses;
  
  establish a communication session with the computing resource at the valid network address; and
  
  relay network traffic between the application and the computing resource through the one or more security layers; and
  
  perform at least one action of the set of actions on the network traffic upon determining that conditions related to the indicated data fields of the set of criteria are met.
- View Dependent Claims (8, 9, 10, 11, 12, 13, 14)
- - 8. The system of claim 7, wherein the computing resource is a computing platform providing at least one of an operating system, a web server, a database management service, or a programming language execution environment.
  - 9. The system of claim 7, wherein at least one action of the set of actions included in the set of policies is an action to conform data in network traffic to schema definitions or protocols.
  - 10. The system of claim 7, wherein the one or more security layers are configured to encrypt, decrypt, or authenticate network traffic according to the set of policies.
  - 11. The system of claim 10, wherein at least one piece of information necessary to encrypt, decrypt, or authenticate network traffic is provided by the application.
  - 12. The system of claim 11, wherein the at least one piece of information is one of an encryption key, a decryption key, or credentials.
  - 13. The system of claim 7, wherein at least a subset of the set of policies are specific to the application.
  - 14. The system of claim 7, wherein at least a subset of the set of policies are specific to a client from which the request was received.

15. A non-transitory computer readable medium storing specific computer-executable instructions that, when executed with a processor, cause a computer system to at least:
- receive, with respect to a number of computing resources located in an untrusted computing environment, a set of current network addresses, the set of current network addresses being periodically updated;
  
  receive, from an application, a request to interact with a computing resource of the number of computing resources;
  
  determine a set of policies relevant to the computing resource based at least in part on a network protocol layer to which the computing resource belongs, the set of policies including;
  
  a set of criteria including an indication of data fields specific to the network protocol layer; and
  
  a set of actions to be performed when conditions related to the indicated data fields of the set of criteria are met;
  
  verify a subset of the set of current network addresses are in compliance with the set of policies;
  
  identify a network address in the subset of the set of current network addresses associated with the computing resource that is different from the endpoint;
  
  establish a connection with the computing resource at the network address;
  
  relay information between the application and the computing resource via the established connection; and
  
  perform, according to the set of policies, at least one action of the set of actions on the information relayed between the application and the computing resource.
- View Dependent Claims (16, 17, 18, 19, 20)
- - 16. The non-transitory computer readable medium of claim 15, wherein the computing resource is a computing infrastructure providing at least one of data storage, load balancing, virtual local area network, or a data center.
  - 17. The non-transitory computer readable medium of claim 15, wherein the at least one action comprises formatting the information to conform to a schema associated with the computing resource.
  - 18. The non-transitory computer readable medium of claim 15, wherein the at least one action comprises validating the network address of information relayed from the application to the computing resource.
  - 19. The non-transitory computer readable medium of claim 15, wherein the at least one action comprises validating a type of at least one data field of the data fields specific to the network protocol layer of information relayed from the application to computing resource.
  - 20. The non-transitory computer readable medium of claim 15, wherein the set of policies include configuration files stored as one or more formats.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Amazon Technologies, Inc. (Amazon.com, Inc.)
Original Assignee
Amazon Technologies, Inc. (Amazon.com, Inc.)
Inventors
Sethi, Tushaar
Primary Examiner(s)
Moorthy, Aravind

Application Number

US14/874,022
Time in Patent Office

599 Days
Field of Search

726 1, 726 4, 726 12, 713161, 713162, 713168
US Class Current
CPC Class Codes

H04L 61/4511   using domain name system [DNS]

H04L 61/5007   Internet protocol [IP] addr...

H04L 63/0227   Filtering policies mail mes...

H04L 63/0281   Proxies

H04L 63/08   for authentication of entit...

H04L 63/101   Access control lists [ACL]

H04L 63/20   for managing network securi...

H04L 67/141   Setup of application sessio...

Secure proxy

First Claim

1 Assignment

0 Petitions

Accused Products

Abstract

Citations

20 Claims

Specification

Solutions

Use Cases

Quick Links

Secure proxy

First Claim

1 Assignment

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

Citations

20 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links