Reducing network configuration complexity with transparent virtual private networks

US 7,305,705 B2
Filed: 06/30/2003
Issued: 12/04/2007
Est. Priority Date: 06/30/2003
Status: Expired due to Fees

First Claim

Patent Images

1. In a private network comprising a resource and a firewall, which acts as a gateway by controlling client desired access to the private network resource, a method of establishing a connection to the private network resource while balancing authentication processing requirements between a client and the firewall to mutually guard against denial of service attacks, the method comprising steps for:

receiving an assertion from the client that the client has credentials appropriate for accessing the private network resource;

initiating a plurality of authentication transactions between the client and the firewall, the plurality of authentication transactions designed to impose commensurable processing burdens on the client requesting access to the private network resource and the firewall operating as a gateway for the private network to mitigate the potential of a client performing a denial of service attack against the private network, wherein the client initially is unaware that the firewall operates as a gateway for the private network, and wherein successful completion of each authentication transaction incrementally increases a level of trust between the client and the firewall;

for each of the series plurality of authentication transactions between the client and the firewall, using a zero-knowledge proof to challenge the client for credentials, the zero-knowledge proof including;

sending a challenge to the client, the correct answer to the challenge obtainable from the asserted credentials without having to arrange the credentials according to a specified layout and without even having to divulge the asserted credentials such that if the client actually possesses the asserted credentials the client can generate the correct answer;

receiving a response from the client including an answer to the challenge, the answer including at least some measure of proof that the client has credentials and that the client'"'"'s credentials are correct; and

verifying whether or not the answer included in the response the correct answer to the challenge; and

when an acceptable level of probability that the client actually possesses the asserted credentials is reached based on a plurality of correct answers, the firewall granting the client access to the private network resource through the firewall for processing of the asserted credentials.

View all claims

2 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

A firewall acts as a transparent gateway to a server within a private network by initiating an unsolicited challenge to a client to provide authentication credentials. After receiving the client'"'"'s credentials, the firewall verifies the authentication credentials and establishes a secure channel for accessing the server. Data destined for the server from the client may be forwarded through the firewall using the secure channel. The firewall may sign, or otherwise indicate that data forwarded to the server is from a client that the firewall has authenticated. The firewall also may provide some level of authentication to the client. While connected to the server, the client may access other servers external to the private network without having the data associated with the other servers pass through the private network. The firewall reduces configuration information that a client otherwise must maintain to access various private network servers.

49 Citations

View as Search Results

36 Claims

1. In a private network comprising a resource and a firewall, which acts as a gateway by controlling client desired access to the private network resource, a method of establishing a connection to the private network resource while balancing authentication processing requirements between a client and the firewall to mutually guard against denial of service attacks, the method comprising steps for:
- receiving an assertion from the client that the client has credentials appropriate for accessing the private network resource;
  
  initiating a plurality of authentication transactions between the client and the firewall, the plurality of authentication transactions designed to impose commensurable processing burdens on the client requesting access to the private network resource and the firewall operating as a gateway for the private network to mitigate the potential of a client performing a denial of service attack against the private network, wherein the client initially is unaware that the firewall operates as a gateway for the private network, and wherein successful completion of each authentication transaction incrementally increases a level of trust between the client and the firewall;
  
  for each of the series plurality of authentication transactions between the client and the firewall, using a zero-knowledge proof to challenge the client for credentials, the zero-knowledge proof including;
  
  sending a challenge to the client, the correct answer to the challenge obtainable from the asserted credentials without having to arrange the credentials according to a specified layout and without even having to divulge the asserted credentials such that if the client actually possesses the asserted credentials the client can generate the correct answer;
  
  receiving a response from the client including an answer to the challenge, the answer including at least some measure of proof that the client has credentials and that the client'"'"'s credentials are correct; and
  
  verifying whether or not the answer included in the response the correct answer to the challenge; and
  
  when an acceptable level of probability that the client actually possesses the asserted credentials is reached based on a plurality of correct answers, the firewall granting the client access to the private network resource through the firewall for processing of the asserted credentials.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12)
- - 2. The method of claim 1, wherein the answers are related to at least one of a user'"'"'s name, client'"'"'s IP address, password, passport, smart-card or credit card number.
  - 3. The method of claim 1, wherein a challenge is a question, and wherein one or more client credentials received is an answer to the question.
  - 4. The method of claim 1, wherein once the client is granted access to the private network resource the only data passed through the firewall from the client are those packets of data destined to the private network resource.
  - 5. The method of claim 1, wherein the step for granting includes the act of:
    - establishing an authenticated channel between the firewall and the private network resource, wherein the authenticated channel is established through signing the data from the firewall.
  - 6. The method of claim 5, further comprising the act of:
    - discarding any unsigned packets of data received by the private network resource.
  - 7. The method of claim 1, wherein the private network resource is one of a host, gateway or server.
  - 8. The method of claim 1, wherein the client is a second firewall.
  - 9. The method of claim 1, further comprising the act of:
    - establishing a connection with another resource of a separate private network while simultaneously maintaining a secured channel between the firewall and the client.
  - 10. The method of claim 1, further comprising the act of:
    - establishing a connection with another private network resource while simultaneously maintaining a secured channel between the firewall and the client.
  - 11. The method as recited in claim 1, wherein the step for initiating a plurality of authentication transactions between the client and the firewall comprises an act of initiating a sequence of exchanges of an interactive proof protocol.
  - 12. The method as recited in claim 1, wherein for each of the plurality of authentication transactions sending a challenge to the client comprises sending a challenge that includes:
    - a portion of a prior response received from the client; and
      
      a plurality of random questions, correct answers to the random questions obtainable by the client if the client actually possesses the asserted credentials.

13. In a private network comprising a resource and a firewall, which acts as a gateway by controlling client desired access to the private network resource, a physical recordable-type computer readable media carrying computer executable instructions that implement a method of establishing a connection to the private network resource while balancing authentication processing requirements between a client and the firewall to mutually guard against denial of service attacks, the method comprising steps for:
- receiving an assertion from the client that the client has credentials appropriate for accessing the private network resource;
  
  initiating a plurality of authentication transactions between the client and the firewall, the plurality of authentication transactions designed to impose commensurable processing burdens on the client requesting access to the private network resource and the firewall operating as a gateway for the private network to mitigate the potential of a client performing a denial of service attack against the private network, wherein the client initially is unaware that the firewall operates as a gateway for the private network, and wherein successful completion of each authentication transaction incrementally increases a level of trust between the client and the firewall;
  
  for each of the plurality of authentication transactions between the client and the firewall, using a zero-knowledge proof to challenge the client for credentials, the zero-knowledge proof including;
  
  sending a challenge to the client, the correct answer to the challenge obtainable from the asserted credentials without having to arrange the credentials according to a specified layout and without even having to divulge the asserted credentials such that if the client actually possesses the asserted credentials the client can generate the correct answer;
  
  receiving a response from the client including an answer to the challenge, the answer including at least some measure of proof that the client has credentials and that the client'"'"'s credentials are correct; and
  
  verifying whether or not the answer included in the response the correct answer to the challenge; and
  
  when an acceptable level of probability that the client actually possess the asserted credentials is reached based on a plurality of correct answers, the firewall granting the client access to the private network resource through the firewall for processing of the credentials.
- View Dependent Claims (14, 15, 16, 17, 18, 19, 20, 21, 22, 23, 24)
- - 14. The method of claim 13, wherein the credentials are related to at least one of a user'"'"'s name, client'"'"'s IP address, password, passport, smart-card or credit card number.
  - 15. The method of claim 13, wherein a challenge is a question, and wherein one or more client credentials received is an answer to the question.
  - 16. The method of claim 13, wherein once the client is granted access to the private network resource the only data passed through the firewall from the client are those packets of data destined to the private network resource.
  - 17. The method of claim 13, wherein the step for granting includes the act of:
    - establishing an authenticated channel between the firewall and the private network resource, wherein the authenticated channel is established through signing the data from the firewall.
  - 18. The method of claim 17, further comprising the act of:
    - discarding any unsigned packets of data received by the private network resource.
  - 19. The method of claim 13, wherein the private network resource is one of a host, gateway or server.
  - 20. The method of claim 13, wherein the client is a second firewall.
  - 21. The method of claim 13, further comprising the act of:
    - establishing a connection with another resource of a separate private network while simultaneously maintaining a secured channel between the firewall and the client.
  - 22. The method of claim 13, further comprising the act of:
    - establishing a connection with another private network resource while simultaneously maintaining a secured channel between the firewall and the client.
  - 23. The method as recited in claim 13, wherein the step for initiating a plurality of authentication transactions between the client and the firewall comprises an act of initiating a sequence of exchanges of an interactive proof protocol.
  - 24. The method as recited in claim 13, wherein for each of the plurality of authentication transactions sending a challenge to the client comprises sending a challenge that includes:
    - a portion of a prior response received from the client; and
      
      a plurality of random questions, correct answers to the random questions obtainable by the client if the client actually possesses the asserted credentials.

25. In a private network comprising a server and a firewall, which acts as a gateway by controlling access to the server, a method of providing access to the server through the firewall without a client knowing about the firewall, the method comprising the acts of:
- receiving at the firewall, an access request from the client that is directed to the server because the client does not know that the firewall operates as a gateway for the server;
  
  generating one or more authentication credentials at the firewall that demonstrate a level of trust between the server and the firewall;
  
  initiating a plurality of authentication transactions between the client and the firewall, the plurality of authentication transactions designed to impose commensurable processing burdens on the client requesting access to the private network resource and the firewall operating as a gateway for the private network to mitigate the potential of a client performing a denial of service attack against the private network, wherein the client initially is unaware that the firewall operates as a gateway for the private network, and wherein successful completion of each authentication transaction incrementally increases a level of trust between the client and the firewall;
  
  for each of the plurality of authentication transactions between the client and the firewall, the firewall using a zero-knowledge proof to challenge the client for credentials, the zero-knowledge proof including;
  
  the firewall sending a request for the client to authenticate to the firewall, the request including the one or more firewall authentication credentials so that the client knows of the level of trust between the server and the firewall without having to make a separate request and further including a challenge, the correct answer to the challenge obtainable from the asserted credentials without having to arrange the credentials according to a specified layout and without even having to divulge the asserted credentials such that if the client actually possesses the asserted credentials the client can generate the correct answer;
  
  receiving at the firewall, one or more authentication credentials from the client and a response from the client including an answer to the challenge, the answer including at least some measure of proof that the client has credentials and that the client'"'"'s credentials are correct; and
  
  the firewall verifying the one or more client authentication credentials and whether or not the answer included in the response the correct answer to the challenge; and
  
  thereafter, allowing the client to access the server through the firewall for processing of the authentication credentials.
- View Dependent Claims (26, 27, 28, 29, 30, 31, 32, 33)
- - 26. A method as recited in claim 25, further comprising the acts of:
    - establishing a secure connection between the firewall and the server; and
      
      forwarding data received from the client to the server over the secure connection.
  - 27. A method as recited in claim 25, further comprising an acts of:
    - receiving at the firewall data from the client;
      
      the firewall signing the received data; and
      
      the firewall forwarding the signed data to the server.
  - 28. A method as recited in claim 25, wherein the server comprises a host or a gateway.
  - 29. A method as recited in claim 25, wherein the client comprises another firewall.
  - 30. A method as recited in claim 25, wherein the client maintains a separate connection with another server, and wherein only data intended for the private network passes through the firewall.
  - 31. A method as recited in claim 30, wherein the other server is part of a separate and distinct virtual private network.
  - 32. A method as recited in claim 25, wherein the act of generating one or more authentication credentials at the firewall that demonstrate a level of trust between the server and the firewall comprises an act of the firewall accessing a private key for the server and using private key to encrypt a portion of data, and further comprising:
    - an act of including the encrypted portion of data in the request, the encrypted portion of data for use by the client to authenticate the firewall such that the client can use the corresponding public key to decrypt the portion of data and thereby infer that the server trusts the firewall.
  - 33. The method as recited in claim 25, wherein the act of generating one or more authentication credentials at the firewall that demonstrate a level of trust between the server and the firewall comprises an act of generating one or more credentials that permit the firewall to unilaterally authenticate with the client such that the client does not need to have further communications with the firewall to authenticate the firewall.

34. In a private network comprising a server and a firewall, which acts as a gateway by controlling access to the server, a physical recordable-type computer readable media carrying computer executable instructions that implement a method of providing access to the server through the firewall without a client knowing about the firewall, the method comprising the acts of:
- receiving at the firewall, an access request from the client that is directed to the server because the client does not know that the firewall operates as a gateway for the server;
  
  generating one or more authentication credentials at the firewall that demonstrate a level of trust between the server and the firewall;
  
  initiating a plurality of authentication transactions between the client and the firewall, the plurality of authentication transactions designed to impose commensurable processing burdens on the client requesting access to the private network resource and the firewall operating as a gateway for the private network to mitigate the potential of a client performing a denial of service attack against the private network, wherein the client initially is unaware that the firewall operates as a gateway for the private network, and wherein successful completion of each authentication transaction incrementally increases a level of trust between the client and the firewall;
  
  for each of the plurality of authentication transactions between the client and the firewall, the firewall using a zero-knowledge proof to challenge the client for credentials, the zero-knowledge proof including;
  
  the firewall sending a request for the client to authenticate to the firewall, the request including the one or more firewall authentication credentials so that the client knows of the level of trust between the server and the firewall without having to make a separate request and further including a challenge, the correct answer to the challenge obtainable from the asserted credentials without having to arrange the credentials according to a specified layout and without even having to divulge the asserted credentials such that if the client actually possesses the asserted credentials the client can generate the correct answer;
  
  receiving at the firewall, one or more authentication credentials from the client and a response from the client including an answer to the challenge, the answer including at least some measure of proof that the client has credentials and that the client'"'"'s credentials are correct; and
  
  the firewall verifying the one or more client authentication credentials and whether or not the answer included in the response the correct answer to the challenge; and
  
  thereafter, allowing the client to access the server through the firewall for processing of the authentication credentials.
- View Dependent Claims (35, 36)
- - 35. A method as recited in claim 34, wherein the act of generating one or more authentication credentials at the firewall that demonstrate a level of trust between the server and the firewall comprises an act of the firewall accessing a private key for the server and using private key to encrypt a portion of data, and further comprising:
    - an act of including the encrypted portion of data in the request, the encrypted portion of data for use by the client to authenticate the firewall such that the client can use the corresponding public key to decrypt the portion of data and thereby infer that the server trusts the firewall.
  - 36. The method as recited in claim 34, wherein the act of generating one or more authentication credentials at the firewall that demonstrate a level of trust between the server and the firewall comprises an act of generating one or more credentials that permit the firewall to unilaterally authenticate with the client such that the client does not need to have further communications with the firewall to authenticate the firewall.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Microsoft Technology Licensing LLC (Microsoft Corporation)
Original Assignee
Microsoft Corporation
Inventors
Huitema, Christian, Shelest, Art
Primary Examiner(s)
Moazzami; Nasser
Assistant Examiner(s)
Cervetti; David Garcia

Application Number

US10/611,832
Publication Number

US 20040268121A1
Time in Patent Office

1,618 Days
Field of Search

713/156, 726/15, 726/11
US Class Current

726/15
CPC Class Codes

H04L 2209/56   Financial cryptography, e.g...

H04L 2209/76   Proxy, i.e. using intermedi...

H04L 2209/80   Wireless network architectu...

H04L 63/0272   Virtual private networks

H04L 63/029   Firewall traversal, e.g. tu...

H04L 63/0442   wherein the sending and rec...

H04L 63/08   for authentication of entit...

H04L 63/083   using passwords cryptograph...

H04L 63/0853   using an additional device,...

H04L 63/1458   Denial of Service

H04L 63/166   at the transport layer

H04L 9/3218   using proof of knowledge, e...

Reducing network configuration complexity with transparent virtual private networks

First Claim

2 Assignments

0 Petitions

Accused Products

Abstract

49 Citations

36 Claims

Specification

Solutions

Use Cases

Quick Links

Reducing network configuration complexity with transparent virtual private networks

First Claim

2 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

49 Citations

36 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links