Secure proxy
First Claim
1. A computer-implemented method, comprising:
- maintaining, at a secure proxy server within a trusted environment, a set of policies including requirements for providing communication with computing resources outside the trusted environment;
maintaining a set of network addresses associated with a plurality of computing resources, the set of network addresses continuously updated to include network addresses currently associated with the plurality of computing resources;
receiving, from an application, a request to access a computing resource at an endpoint outside of the trusted environment;
identifying a subset of the set of policies relevant to the application based at least in part on a network protocol layer to which the computing resource belongs, the subset of policies including;
a set of criteria including an indication of data fields specific to the network protocol layer; and
a set of actions to be performed when conditions related to the indicated data fields of the set of criteria are satisfied;
identifying, from the set of network addresses, a subset of network addresses currently associated with the computing resource that excludes the endpoint, the subset of network addresses identified in accordance with the subset of policies;
determining an authorized network address of the subset of network addresses to be used in communicating with the computing resource, the authorized network address being one that has been validated using the set of policies;
establishing a network connection with the computing resource at the authorized network address;
routing information between the computing resource and the application via the established network connection, the information being subjected to the set of policies; and
performing at least one action of the set of actions based at least in part on a condition related to the data fields of the set of criteria being met by the information.
1 Assignment
0 Petitions
Accused Products
Abstract
Methods and systems are provided herein to enable secure proxying of network traffic between trusted and untrusted environments. In particular, a secure proxy may be provided that includes a set of policies. The policies may be applicable to various network protocol layers (e.g., an application layer), network traffic types, and/or endpoint resolution. The set of policies may be used to inspect, restrict and/or modify traffic between the trusted and untrusted environment to ensure data and network security. A proxy device may use the set of policies, for example, to obtain current service-related information (such as the list of IP addresses) currently associated with a computing resource requested by an application. Such endpoint information may be used, in turn, to update a white list.
-
Citations
20 Claims
-
1. A computer-implemented method, comprising:
-
maintaining, at a secure proxy server within a trusted environment, a set of policies including requirements for providing communication with computing resources outside the trusted environment; maintaining a set of network addresses associated with a plurality of computing resources, the set of network addresses continuously updated to include network addresses currently associated with the plurality of computing resources; receiving, from an application, a request to access a computing resource at an endpoint outside of the trusted environment; identifying a subset of the set of policies relevant to the application based at least in part on a network protocol layer to which the computing resource belongs, the subset of policies including; a set of criteria including an indication of data fields specific to the network protocol layer; and a set of actions to be performed when conditions related to the indicated data fields of the set of criteria are satisfied; identifying, from the set of network addresses, a subset of network addresses currently associated with the computing resource that excludes the endpoint, the subset of network addresses identified in accordance with the subset of policies; determining an authorized network address of the subset of network addresses to be used in communicating with the computing resource, the authorized network address being one that has been validated using the set of policies; establishing a network connection with the computing resource at the authorized network address; routing information between the computing resource and the application via the established network connection, the information being subjected to the set of policies; and performing at least one action of the set of actions based at least in part on a condition related to the data fields of the set of criteria being met by the information. - View Dependent Claims (2, 3, 4, 5, 6)
-
-
7. A secure proxy device comprising:
-
one or more processors; one or more security layers configured to enforce a set of policies on network traffic passing through the one or more security layers, the set of policies including; a set of criteria including an indication of data fields specific to the one or more security layers; and a set of actions to be performed when conditions related to the indicated data fields of the set of criteria are met; and memory, including instructions executable by the one or more processors to cause the secure proxy device to at least; receive a set of network addresses associated with a plurality of computing resources, the network addresses periodically updated; generate a subset of the set of network addresses to include network addresses of the set of network addresses validated in accordance with the set of policies; receive, from an application, a request to access a computing resource of the plurality of computing resources; determine, based at least in part on the set of policies, a valid network address from the subset of the set of network addresses; establish a communication session with the computing resource at the valid network address; and relay network traffic between the application and the computing resource through the one or more security layers; and perform at least one action of the set of actions on the network traffic upon determining that conditions related to the indicated data fields of the set of criteria are met. - View Dependent Claims (8, 9, 10, 11, 12, 13, 14)
-
-
15. A non-transitory computer readable medium storing specific computer-executable instructions that, when executed with a processor, cause a computer system to at least:
-
receive, with respect to a number of computing resources located in an untrusted computing environment, a set of current network addresses, the set of current network addresses being periodically updated; receive, from an application, a request to interact with a computing resource of the number of computing resources; determine a set of policies relevant to the computing resource based at least in part on a network protocol layer to which the computing resource belongs, the set of policies including; a set of criteria including an indication of data fields specific to the network protocol layer; and a set of actions to be performed when conditions related to the indicated data fields of the set of criteria are met; verify a subset of the set of current network addresses are in compliance with the set of policies; identify a network address in the subset of the set of current network addresses associated with the computing resource that is different from the endpoint; establish a connection with the computing resource at the network address; relay information between the application and the computing resource via the established connection; and perform, according to the set of policies, at least one action of the set of actions on the information relayed between the application and the computing resource. - View Dependent Claims (16, 17, 18, 19, 20)
-
Specification