Reducing network configuration complexity with transparent virtual private networks
Abstract
A firewall acts as a transparent gateway to a server within a private network by initiating an unsolicited challenge to a client to provide authentication credentials. After receiving the client's credentials, the firewall verifies the authentication credentials and establishes a secure channel for accessing the server. Data destined for the server from the client may be forwarded through the firewall using the secure channel. The firewall may sign, or otherwise indicate that data forwarded to the server is from a client that the firewall has authenticated. The firewall also may provide some level of authentication to the client. While connected to the server, the client may access other servers external to the private network without having the data associated with the other servers pass through the private network. The firewall reduces configuration information that a client otherwise must maintain to access various private network servers.
36 Claims
1. In a private network comprising a resource and a firewall, which acts as a gateway by controlling client desired access to the private network resource, a method of establishing a connection to the private network resource while balancing authentication processing requirements between a client and the firewall to mutually guard against denial of service attacks, the method comprising steps for:
- receiving an assertion from the client that the client has credentials appropriate for accessing the private network resource;
- initiating a plurality of authentication transactions between the client and the firewall, the plurality of authentication transactions designed to impose commensurable processing burdens on the client requesting access to the private network resource and the firewall operating as a gateway for the private network to mitigate the potential of a client performing a denial of service attack against the private network, wherein the client initially is unaware that the firewall operates as a gateway for the private network, and wherein successful completion of each authentication transaction incrementally increases a level of trust between the client and the firewall;
- for each of the plurality of authentication transactions between the client and the firewall, using a zero-knowledge proof to challenge the client for credentials, the zero-knowledge proof including:
  - sending a challenge to the client, the correct answer to the challenge obtainable from the asserted credentials without having to arrange the credentials according to a specified layout and without even having to divulge the asserted credentials such that if the client actually possesses the asserted credentials the client can generate the correct answer;
  - receiving a response from the client including an answer to the challenge, the answer including at least some measure of proof that the client has credentials and that the client's credentials are correct; and
  - verifying whether or not the answer included in the response is the correct answer to the challenge; and
- when an acceptable level of probability that the client actually possesses the asserted credentials is reached based on a plurality of correct answers, the firewall granting the client access to the private network resource through the firewall for processing of the asserted credentials.

Dependent claims: 2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12.
13. In a private network comprising a resource and a firewall, which acts as a gateway by controlling client desired access to the private network resource, a physical recordable-type computer readable media carrying computer executable instructions that implement a method of establishing a connection to the private network resource while balancing authentication processing requirements between a client and the firewall to mutually guard against denial of service attacks, the method comprising steps for:
- receiving an assertion from the client that the client has credentials appropriate for accessing the private network resource;
- initiating a plurality of authentication transactions between the client and the firewall, the plurality of authentication transactions designed to impose commensurable processing burdens on the client requesting access to the private network resource and the firewall operating as a gateway for the private network to mitigate the potential of a client performing a denial of service attack against the private network, wherein the client initially is unaware that the firewall operates as a gateway for the private network, and wherein successful completion of each authentication transaction incrementally increases a level of trust between the client and the firewall;
- for each of the plurality of authentication transactions between the client and the firewall, using a zero-knowledge proof to challenge the client for credentials, the zero-knowledge proof including:
  - sending a challenge to the client, the correct answer to the challenge obtainable from the asserted credentials without having to arrange the credentials according to a specified layout and without even having to divulge the asserted credentials such that if the client actually possesses the asserted credentials the client can generate the correct answer;
  - receiving a response from the client including an answer to the challenge, the answer including at least some measure of proof that the client has credentials and that the client's credentials are correct; and
  - verifying whether or not the answer included in the response is the correct answer to the challenge; and
- when an acceptable level of probability that the client actually possesses the asserted credentials is reached based on a plurality of correct answers, the firewall granting the client access to the private network resource through the firewall for processing of the credentials.

Dependent claims: 14, 15, 16, 17, 18, 19, 20, 21, 22, 23, 24.
25. In a private network comprising a server and a firewall, which acts as a gateway by controlling access to the server, a method of providing access to the server through the firewall without a client knowing about the firewall, the method comprising the acts of:
- receiving at the firewall, an access request from the client that is directed to the server because the client does not know that the firewall operates as a gateway for the server;
- generating one or more authentication credentials at the firewall that demonstrate a level of trust between the server and the firewall;
- initiating a plurality of authentication transactions between the client and the firewall, the plurality of authentication transactions designed to impose commensurable processing burdens on the client requesting access to the private network resource and the firewall operating as a gateway for the private network to mitigate the potential of a client performing a denial of service attack against the private network, wherein the client initially is unaware that the firewall operates as a gateway for the private network, and wherein successful completion of each authentication transaction incrementally increases a level of trust between the client and the firewall;
- for each of the plurality of authentication transactions between the client and the firewall, the firewall using a zero-knowledge proof to challenge the client for credentials, the zero-knowledge proof including:
  - the firewall sending a request for the client to authenticate to the firewall, the request including the one or more firewall authentication credentials so that the client knows of the level of trust between the server and the firewall without having to make a separate request and further including a challenge, the correct answer to the challenge obtainable from the asserted credentials without having to arrange the credentials according to a specified layout and without even having to divulge the asserted credentials such that if the client actually possesses the asserted credentials the client can generate the correct answer;
  - receiving at the firewall, one or more authentication credentials from the client and a response from the client including an answer to the challenge, the answer including at least some measure of proof that the client has credentials and that the client's credentials are correct; and
  - the firewall verifying the one or more client authentication credentials and whether or not the answer included in the response is the correct answer to the challenge; and
- thereafter, allowing the client to access the server through the firewall for processing of the authentication credentials.

Dependent claims: 26, 27, 28, 29, 30, 31, 32, 33.
34. In a private network comprising a server and a firewall, which acts as a gateway by controlling access to the server, a physical recordable-type computer readable media carrying computer executable instructions that implement a method of providing access to the server through the firewall without a client knowing about the firewall, the method comprising the acts of:
- receiving at the firewall, an access request from the client that is directed to the server because the client does not know that the firewall operates as a gateway for the server;
- generating one or more authentication credentials at the firewall that demonstrate a level of trust between the server and the firewall;
- initiating a plurality of authentication transactions between the client and the firewall, the plurality of authentication transactions designed to impose commensurable processing burdens on the client requesting access to the private network resource and the firewall operating as a gateway for the private network to mitigate the potential of a client performing a denial of service attack against the private network, wherein the client initially is unaware that the firewall operates as a gateway for the private network, and wherein successful completion of each authentication transaction incrementally increases a level of trust between the client and the firewall;
- for each of the plurality of authentication transactions between the client and the firewall, the firewall using a zero-knowledge proof to challenge the client for credentials, the zero-knowledge proof including:
  - the firewall sending a request for the client to authenticate to the firewall, the request including the one or more firewall authentication credentials so that the client knows of the level of trust between the server and the firewall without having to make a separate request and further including a challenge, the correct answer to the challenge obtainable from the asserted credentials without having to arrange the credentials according to a specified layout and without even having to divulge the asserted credentials such that if the client actually possesses the asserted credentials the client can generate the correct answer;
  - receiving at the firewall, one or more authentication credentials from the client and a response from the client including an answer to the challenge, the answer including at least some measure of proof that the client has credentials and that the client's credentials are correct; and
  - the firewall verifying the one or more client authentication credentials and whether or not the answer included in the response is the correct answer to the challenge; and
- thereafter, allowing the client to access the server through the firewall for processing of the authentication credentials.

Dependent claims: 35, 36.
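The exchange the abstract and claims 1 and 25 describe (the firewall intercepting a request aimed at the server, an unsolicited challenge answered from the credential without revealing it, one unit of work per side per round, trust rising one step per correct answer, and the firewall proving its own standing to the client) as an added Python simulation; it is not code from the patent, and the client ids, credentials and the HMAC proof of possession standing in for a zero-knowledge proof are assumptions.

```python
import hashlib
import hmac
import secrets

# Constructed sample credentials (not from the patent); the firewall's lets a client check who fronts the server.
CLIENT_CREDENTIALS = {"alice": b"constructed-client-secret"}
FIREWALL_CREDENTIAL = b"constructed-firewall-secret"

def answer(credential: bytes, challenge: bytes) -> bytes:
    """Derive the answer from the credential without transmitting the credential.
    HMAC proof of possession stands in for the claims' zero-knowledge proof (a simplification)."""
    return hmac.new(credential, challenge, hashlib.sha256).digest()

class TransparentFirewall:
    """Fronts the server: a request aimed at the server is met with an unsolicited challenge."""
    def __init__(self, rounds_required: int = 3):
        self.rounds_required = rounds_required
        self.sessions = {}  # client id -> {"trust": rounds passed, "pending": outstanding nonce}

    def intercept(self, client_id: str) -> tuple[bytes, bytes]:
        """Reply with a fresh challenge plus the firewall's own proof over it (claim 25)."""
        session = self.sessions.setdefault(client_id, {"trust": 0, "pending": None})
        nonce = secrets.token_bytes(16)
        session["pending"] = nonce
        # One HMAC on each side per round keeps the processing burden commensurable.
        return nonce, answer(FIREWALL_CREDENTIAL, nonce)

    def verify(self, client_id: str, response: bytes) -> str:
        """Returns "continue", "granted" or "rejected"; a wrong or replayed answer ends the session."""
        session = self.sessions.get(client_id)
        if session is None or session["pending"] is None:
            return "rejected"
        nonce, session["pending"] = session["pending"], None  # each nonce is usable once
        credential = CLIENT_CREDENTIALS.get(client_id)
        if credential is None or not hmac.compare_digest(response, answer(credential, nonce)):
            del self.sessions[client_id]
            return "rejected"
        session["trust"] += 1  # each correct answer raises trust by one step
        return "granted" if session["trust"] >= self.rounds_required else "continue"

def client_connect(firewall: TransparentFirewall, client_id: str, credential: bytes) -> str:
    """Client side: checks the gateway's proof, then answers challenges until granted or rejected."""
    while True:
        nonce, gateway_proof = firewall.intercept(client_id)
        if not hmac.compare_digest(gateway_proof, answer(FIREWALL_CREDENTIAL, nonce)):
            return "untrusted gateway"
        outcome = firewall.verify(client_id, answer(credential, nonce))
        if outcome != "continue":
            return outcome
```

A wrong or replayed answer ends the session in the round it occurs, so a client without the credential cannot drive the gateway through repeated verification work.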
Specification