Systems and methods for protecting network devices

US 9,853,947 B2
Filed: 08/17/2015
Issued: 12/26/2017
Est. Priority Date: 10/06/2014
Status: Active Grant

First Claim

Patent Images

1. A computer-implemented method comprising:

receiving, by a computer system implementing a gateway to a private network, a request from a client device for a network tunnel between the client device and a network device in the private network;

authenticating the client device by the computer system;

receiving, from an authentication server in communication with the computer system, a client access list that includes a list of network devices the client device is allowed to communicate with, wherein the authenticating the client device includes the computer system verifying a digital signature in the client access list via a signature key shared between the gateway and the authentication server;

in response to the digital signature being correct, verifying, by the computer system, that the network device in the private network is part of the list of network devices the client device is allowed to communicate with; and

establishing, by the computer system, the network tunnel between the client device and the network device in the private network through the gateway.

View all claims

6 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

Embodiments of the present disclosure help protect network devices from unauthorized access. Among other things, embodiments of the disclosure allow full access to application servers and other network devices that a client is allowed to access, while preventing all access (or even knowledge) of network devices the client is not allowed to access.

132 Citations

19 Claims

1. A computer-implemented method comprising:
- receiving, by a computer system implementing a gateway to a private network, a request from a client device for a network tunnel between the client device and a network device in the private network;
  
  authenticating the client device by the computer system;
  
  receiving, from an authentication server in communication with the computer system, a client access list that includes a list of network devices the client device is allowed to communicate with, wherein the authenticating the client device includes the computer system verifying a digital signature in the client access list via a signature key shared between the gateway and the authentication server;
  
  in response to the digital signature being correct, verifying, by the computer system, that the network device in the private network is part of the list of network devices the client device is allowed to communicate with; and
  
  establishing, by the computer system, the network tunnel between the client device and the network device in the private network through the gateway.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13, 14, 15, 16, 17)
- - 2. The method of claim 1, wherein the network device in the private network includes an application server providing a service.
  - 3. The method of claim 2, wherein application server includes one or more of:
    - a mail server providing a mail service;
      
      a file server providing networked data storage; and
      
      a web server providing hosting services.
  - 4. The method of claim 1, wherein the network device in the private network includes one or more of a router and a switch providing administrator access.
  - 5. The method of claim 1, wherein the computer system further implements a firewall for selectively blocking and allowing network traffic between the client device and the network device in the private network.
  - 6. The method of claim 5, wherein the firewall blocks all network traffic between the client device and the network device in the private network by default.
  - 7. The method of claim 5, further comprising:
    - obtaining, by the computer system, a firewall rule for allowing network access between the client device and the network device in the private network; and
      
      configuring the firewall based on the firewall rule.
  - 8. The method of claim 7, wherein the firewall rule is included in the client access list.
  - 9. The method of claim 1, wherein establishing the network tunnel between the client device and the network device in the private network includes establishing a virtual private network.
  - 10. The method of claim 1, wherein the client access list is readable, but not alterable, by the client.
  - 11. The method of claim 1, further comprising receiving, by the computer system from the authentication server, a client tunnel list that includes information for establishing the networking tunnel.
  - 12. The method of claim 11, wherein the client tunnel list is only received from the authentication server in response to a successful authentication of the client device, and is not received otherwise.
  - 13. The method of claim 11, wherein the client tunnel list includes a destination Internet protocol address and a destination port number of the gateway.
  - 14. The method of claim 1, wherein the client access list includes a first selection of network devices and a second selection of network devices, the second selection of network devices having enhanced authentication requirements relative to the first selection of network devices.
  - 15. The method of claim 14, wherein the enhanced authentication requirements include a requirement selected from the group consisting of:
    - a requirement that all patches need to be applied to an operating system on the client;
      
      a requirement that an up-to-date virus scanner must be running on the client; and
      
      a requirement that the client is not attempting to access the network device on the private network via a public wireless network.
  - 16. The method of claim 14, wherein the enhanced authentication requirements include a requirement that a user of the client device provide an authentication credential selected from the group consisting of:
    - a fingerprint scan;
      
      an iris scan; and
      
      a key generated by an external key generator.
  - 17. The method of claim 1, further comprising:
    - receiving, by the computer system, client status information from the client; and
      
      breaking the network tunnel in response to a failure to receive the client status information from the client at a regular time interval or in response to the client status information failing to correspond to predefined requirements for the client.

18. A non-transitory, computer-readable medium storing instructions that, when executed, cause a computer system implementing a gateway to a private network to:
- receive a request from a client device for a network tunnel between the client device and a network device in the private network;
  
  authenticate the client device;
  
  receive, from an authentication server in communication with the computer system, a client access list that includes a list of network devices the client device is allowed to communicate with, wherein the authenticating of the client device includes the computer system verifying a digital signature in the client access list via a signature key shared between the gateway and the authentication server;
  
  in response to the digital signature being correct, verify that the network device in the private network is part of the list of network devices the client device is allowed to communicate with; and
  
  establish the network tunnel between the client device and the network device in the private network through the gateway.

19. A computer system implementing a gateway, the computer system comprising:
- a processor; and
  
  a non-transitory memory in communication with the processor and storing instructions that, when executed by the processor, cause the computer system to;
  
  receive a request from a client device for a network tunnel between the client device and a network device in the private network;
  
  authenticate the client device;
  
  receive, from an authentication server in communication with the computer system, a client access list that includes a list of network devices the client device is allowed to communicate with, wherein the authenticating of the client device includes the computer system verifying a digital signature in the client access list via a signature key shared between the gateway and the authentication server;
  
  in response to the digital signature being correct, verify that the network device in the private network is part of the list of network devices the client device is allowed to communicate with; and
  
  establish the network tunnel between the client device and the network device in the private network through the gateway.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Cryptzone North America Inc. (Cryptzone Group AB)
Original Assignee
Cryptzone North America Inc. (Cryptzone Group AB)
Inventors
Glazemakers, Kurt, Hamilton, Malcolm, Berberoglu, Gokhan
Primary Examiner(s)
Schwartz, Darren B

Application Number

US14/828,357
Publication Number

US 20160099916A1
Time in Patent Office

862 Days
Field of Search
US Class Current
CPC Class Codes

H04L 63/0272   Virtual private networks

H04L 63/029   Firewall traversal, e.g. tu...

H04L 63/08   for authentication of entit...

H04L 63/101   Access control lists [ACL]

H04L 63/20   for managing network securi...

Systems and methods for protecting network devices

First Claim

6 Assignments

0 Petitions

Accused Products

Abstract

132 Citations

19 Claims

Specification

Solutions

Use Cases

Quick Links

Systems and methods for protecting network devices

First Claim

6 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

132 Citations

19 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links