Selectively performing man in the middle decryption
First Claim
1. A system comprising:
a network hosting a policy manager and a first plurality of clients, each of the first plurality of clients comprising an agent; and
a second plurality of clients, each of the second plurality of clients external to the network and communicably coupled with the policy manager, wherein each of the second plurality of clients comprises an agent;
the policy manager configured to:
receive, from each of the agents of the first plurality of clients and from each of the agents of the second plurality of clients, policy requests; and
return, responsive to receiving the policy requests, a corresponding policy response indicating a policy;
wherein the agents are configured to:
receive, from the agent's client, a resource request;
responsive to receiving the resource request, send to the policy manager the policy requests;
receive, from the policy manager, the corresponding policy responses; and
apply, to the agent's client, the policy indicated by the corresponding policy response to the resource request;
wherein to apply the policy indicated by the corresponding policy response to the resource request, the agent is further configured to:
receive first encrypted communication traffic from a first encrypted connection;
decrypt the first encrypted communication traffic into first decrypted communication traffic;
inspect the first decrypted communication traffic;
encrypt the first decrypted communication traffic into second encrypted communication traffic;
transmit, to the agent's client, the second encrypted communication traffic on a second encrypted connection;
receive third encrypted communication traffic from the agent's client on the second encrypted connection;
decrypt the third encrypted communication traffic into second decrypted communication traffic;
inspect the second decrypted communication traffic;
encrypt the second decrypted communication traffic into fourth encrypted communication traffic; and
send the fourth encrypted communication traffic on the first encrypted connection.
Abstract
An agent on a device within a network receives a request to access a resource outside the network. A first encrypted connection is established between the device and the agent, and a second encrypted connection is established between the agent and the resource, to facilitate encrypted communication traffic between the device and the resource. The agent sends a policy request to a network appliance within the network, the request specifying the resource. The agent receives a policy response indicating that the resource is associated with one or more security policies of the network. Traffic passing between the device and the resource is selectively decrypted and inspected depending on the security policies.
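The agent behaviour that claim 1 and the abstract describe, as an added working example in Go; this is not code from the patent or its assignee. A constructed policy table stands in for the policy manager, two in-process CAs play the public root that the resource's certificate chains to and the interception CA provisioned on managed clients, and for each resource request the agent either splices the TLS session through untouched (bypass) or terminates both legs, inspects the plaintext in each direction and re-encrypts it onto the other leg (inspect); resourceSide is the claim's first encrypted connection and clientSide its second. The hostnames, policy values, certificate names and canned HTTP exchange are assumptions for the demonstration, and the resource request reaches the agent as a function argument rather than being recovered from the wire.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/tls"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"io"
	"math/big"
	"net"
	"time"
)

// Constructed stand-in for the policy manager's answer for each requested resource.
var policy = map[string]string{"mail.example": "inspect", "bank.example": "bypass"}

func must[T any](v T, err error) T {
	if err != nil { panic(err) }
	return v
}

// newCert mints an ECDSA cert for name: a self-signed CA when parent is nil, else a
// server leaf issued by parent (what the agent does for every intercepted hostname).
func newCert(name string, parent *tls.Certificate) tls.Certificate {
	key := must(ecdsa.GenerateKey(elliptic.P256(), rand.Reader))
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(time.Now().UnixNano()), Subject: pkix.Name{CommonName: name},
		NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(time.Hour),
		KeyUsage: x509.KeyUsageDigitalSignature, BasicConstraintsValid: true,
	}
	signer, signKey := tmpl, any(key)
	if parent == nil {
		tmpl.IsCA, tmpl.KeyUsage = true, tmpl.KeyUsage|x509.KeyUsageCertSign
	} else {
		tmpl.DNSNames, signer, signKey = []string{name}, parent.Leaf, parent.PrivateKey
	}
	der := must(x509.CreateCertificate(rand.Reader, tmpl, signer, &key.PublicKey, signKey))
	return tls.Certificate{Certificate: [][]byte{der}, PrivateKey: key, Leaf: must(x509.ParseCertificate(der))}
}

// tap is the inspection point: io.TeeReader feeds it each plaintext chunk read from a terminated TLS leg before the other leg re-encrypts it.
type tap struct{ dir string; log chan string }

func (t tap) Write(p []byte) (int, error) { t.log <- t.dir + ": " + string(p); return len(p), nil }

// serveAgent applies the policy for host to one client connection: bypass splices the
// ciphertext untouched; inspect terminates both TLS legs and relays plaintext via tap.
func serveAgent(conn net.Conn, host, resourceAddr string, interceptCA tls.Certificate, roots *x509.CertPool, log chan string) {
	defer conn.Close() // both legs are torn down as soon as either direction ends
	upstream := must(net.Dial("tcp", resourceAddr))
	defer upstream.Close()
	clientSide, resourceSide := conn, upstream          // bypass: the agent never holds the session
	var toResource, toClient io.Reader = conn, upstream // keys, so there is no plaintext to inspect
	if policy[host] == "inspect" {
		resourceSide = tls.Client(upstream, &tls.Config{ServerName: host, RootCAs: roots}) // verify the real cert
		clientSide = tls.Server(conn, &tls.Config{Certificates: []tls.Certificate{newCert(host, &interceptCA)}})
		toResource = io.TeeReader(clientSide, tap{"client->resource", log})
		toClient = io.TeeReader(resourceSide, tap{"resource->client", log})
	}
	errc := make(chan error, 2)
	go func() { _, err := io.Copy(resourceSide, toResource); errc <- err }()
	go func() { _, err := io.Copy(clientSide, toClient); errc <- err }()
	<-errc
}

// runScenario stands up a TLS resource, the agent and a client on loopback for one
// resource request; it returns the reply the client got and what the agent inspected.
func runScenario(host string) (string, []string) {
	publicCA := newCert("Public Root CA", nil)           // what the resource's cert chains to
	interceptCA := newCert("Agent Interception CA", nil) // provisioned on managed clients only
	resourceLn := must(tls.Listen("tcp", "127.0.0.1:0", &tls.Config{Certificates: []tls.Certificate{newCert(host, &publicCA)}}))
	go func() { // the resource: read the request, answer, close (which sends close_notify)
		c := must(resourceLn.Accept())
		c.Read(make([]byte, 4096))
		io.WriteString(c, "HTTP/1.1 200 OK\r\n\r\nhello from resource")
		c.Close()
	}()
	roots := x509.NewCertPool(); roots.AddCert(publicCA.Leaf)
	log := make(chan string, 16)
	agentLn := must(net.Listen("tcp", "127.0.0.1:0"))
	go func() { serveAgent(must(agentLn.Accept()), host, resourceLn.Addr().String(), interceptCA, roots, log) }()
	clientRoots := roots.Clone(); clientRoots.AddCert(interceptCA.Leaf) // managed clients also trust the interception CA
	raw := must(net.Dial("tcp", agentLn.Addr().String()))
	defer raw.Close()
	c := tls.Client(raw, &tls.Config{ServerName: host, RootCAs: clientRoots})
	must(io.WriteString(c, "GET / HTTP/1.1\r\nHost: "+host+"\r\n\r\n"))
	reply := must(io.ReadAll(c))
	var inspected []string
	for len(log) > 0 { inspected = append(inspected, <-log) }
	return string(reply), inspected
}

func main() {
	fmt.Println(runScenario("mail.example")) // inspect: both plaintext chunks are logged
	fmt.Println(runScenario("bank.example")) // bypass: nothing logged, ciphertext spliced
}
```

Two checks worth keeping when adapting this: the agent verifies the resource's certificate against real roots on its own leg (tls.Client with RootCAs, never InsecureSkipVerify), so interception does not weaken what the client would have verified itself; and the interception CA is added only to managed clients' trust stores, so a bypass session is validated end to end against public roots exactly as it would be without the agent. A host with no policy entry falls through to bypass here; a production agent would more likely fail closed, and it should key the policy lookup on the name the client actually uses for TLS.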
10 Claims
1. Text as given under First Claim above. Dependent claims 2, 3, 4 and 5 are not reproduced on this page.
6. A method performed by data processing apparatus, the method comprising:
receiving, by a policy manager, policy requests from a first plurality of clients wherein each of the clients comprises an agent, at least a first plurality of the clients being hosted on a network that hosts the policy manager, at least a second plurality of clients being external to the network and communicably coupled with the policy manager, wherein the policy manager is configured to receive, from each of the agents of the first plurality of clients and from each of the agents of the second plurality of clients, other policy requests, and each of the agents is configured to:
receive, from the agent's client, a resource request;
responsive to receiving the resource request, send to the policy manager the policy request;
receive, from the policy manager, a corresponding policy response; and
apply, to the agent's client, a policy indicated by the corresponding policy response to the resource request; and
returning, by the policy manager, the corresponding policy response indicating the policy;
wherein to apply the policy indicated by the corresponding policy response to the resource request, each of the agents is configured to:
receive first encrypted communication traffic from a first encrypted connection;
decrypt the first encrypted communication traffic into first decrypted communication traffic;
inspect the first decrypted communication traffic;
encrypt the first decrypted communication traffic into second encrypted communication traffic;
transmit, to the agent's client, the second encrypted communication traffic on a second encrypted connection;
receive third encrypted communication traffic from the agent's client on the second encrypted connection;
decrypt the third encrypted communication traffic into second decrypted communication traffic;
inspect the second decrypted communication traffic;
encrypt the second decrypted communication traffic into fourth encrypted communication traffic; and
send the fourth encrypted communication traffic on the first encrypted connection.
Dependent claims 7, 8, 9 and 10 are not reproduced on this page.