NAT access control with IPSec

US 7,925,693 B2
Filed: 01/26/2007
Issued: 04/12/2011
Est. Priority Date: 01/24/2000
Status: Expired due to Fees

First Claim

Patent Images

1. A system that provides access to remote resources that utilize Internet Protocol Security (IPSec) protocol comprising:

a processing unit programmed to execute;

a gateway component acting as a network address translator for a connection between a client and an intended destination hosting a desired remote resource, wherein acting as a network address translator comprises receiving from the client a connection request and packets to be transmitted to the intended destination; and

a security component that receives information regarding the connection request from the gateway component and determines whether packets from the client to the intended destination should be secured, the security component providing a response to the gateway component indicating whether the intended destination requires security,wherein the gateway component, upon receiving data, determines whether the data comprises a connection request and,when the data comprises a connection request, transmits at least information regarding the connection request to the security component and, when the response from the security component indicates that the intended destination requires security, establishes a secure connection to the intended destination and stores a record corresponding to the secure connection, andwhen the data comprises a packet to be transmitted to the intended destination that is not a connection request, determines whether the packet corresponds to a previously-established secure connection for which the gateway component has a record and, when the packet corresponds to a previously-established secure connection, without transmitting the packet to the security component, secures the packet received from the client in accordance with a security policy for the intended destination for the previously-established secure connection and transmits a secured packet to the intended destination.

View all claims

3 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

An architecture that can provide for improved network content filtering is described herein. In particular, access to remote resources can be controlled by a remote mechanism. In accordance therewith, a gateway can seamlessly and/or transparently redirect packets from a client that are meant for an intended destination to an access control component. The access control component can determine whether the client has access to the resources requested. In addition, the gateway can provide IPSec features on behalf to the client.

86 Citations

View as Search Results

20 Claims

1. A system that provides access to remote resources that utilize Internet Protocol Security (IPSec) protocol comprising:
- a processing unit programmed to execute;
  
  a gateway component acting as a network address translator for a connection between a client and an intended destination hosting a desired remote resource, wherein acting as a network address translator comprises receiving from the client a connection request and packets to be transmitted to the intended destination; and
  
  a security component that receives information regarding the connection request from the gateway component and determines whether packets from the client to the intended destination should be secured, the security component providing a response to the gateway component indicating whether the intended destination requires security,wherein the gateway component, upon receiving data, determines whether the data comprises a connection request and,when the data comprises a connection request, transmits at least information regarding the connection request to the security component and, when the response from the security component indicates that the intended destination requires security, establishes a secure connection to the intended destination and stores a record corresponding to the secure connection, andwhen the data comprises a packet to be transmitted to the intended destination that is not a connection request, determines whether the packet corresponds to a previously-established secure connection for which the gateway component has a record and, when the packet corresponds to a previously-established secure connection, without transmitting the packet to the security component, secures the packet received from the client in accordance with a security policy for the intended destination for the previously-established secure connection and transmits a secured packet to the intended destination.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13, 14, 15, 16, 17)
- - 2. The system of claim 1, wherein the secured packet is a packet secured and/or authenticated by way of an IPSec policy that is the security policy for the intended destination.
  - 3. The system of claim 1, wherein the gateway component receives IPSec information from the security component regarding at least one of the client or the intended destination.
  - 4. The system of claim 1, wherein the gateway component establishes the secure connection by establishing an IPSec connection session with the intended destination on behalf of the client.
  - 5. The system of claim 4, wherein the gateway component employs a credential associated with at least one of the client or a user of the client to establish the IPSec connection session.
  - 6. The system of claim 4, wherein the gateway component secures subsequent packets from the client for the duration of the IPSec connection session as the subsequent packets are received, the subsequent packets being received after the second time.
  - 7. The system of claim 6, wherein the gateway component secures the packets by way of IPSec transport mode.
  - 8. The system of claim 6, wherein the gateway component secures the packets by way of IPSec tunnel mode.
  - 9. The system of claim 1, wherein:
    - the connection request received from the client comprises at least one data packet comprising connection setup information and a destination address, andthe destination address is an Internet Protocol (IP) address corresponding to an intended destination server.
  - 10. The system of claim 9, wherein the gateway component receives the at least one data packet, rewrites the destination address, and redirects the data packet to the security component.
  - 11. The system of claim 10, wherein the gateway component redirects the entirety of the at least one data packet.
  - 12. The system of claim 9, wherein the at least one data packet comprising connection setup information is at least one handshaking packet for establishing a connection according to the Transmission Control Protocol (TCP).
  - 13. The system of claim 1, wherein the security component reviews at least a portion of the connection request received by the gateway component from the client to determine whether the intended destination requires security.
  - 14. The system of claim 13, wherein the security component reviews the at least a portion of the connection request by redirecting the connection request to a security server and receives the response indicating whether the intended destination requires security from the server.
  - 15. The system of claim 14, wherein the gateway component redirects the connection request to the security component to determine whether the intended destination requires the packet to be secured and does not redirect the packet to the security component.
  - 16. The system of claim 1, wherein the response indicating whether the intended destination requires security indicates the security policy for the intended destination.
  - 17. The system of claim 1, wherein the gateway component receives the connection request from the client at a first time and receives the packets at a second time, later than the first time, andthe gateway component, when the packets are received at the second time, secures the packet and transmits the secured packet to the intended destination using the secure connection without communicating to the security component regarding the packet.

18. A method for facilitating IPSec support in a controlled access environment, comprising:
- receiving at a network address translator at a first time a connection request and at a second time, later than the first time, an unsecured packet from a client, the connection request and the unsecured packet being intended for an intended destination hosting a desired remote resource, wherein the receiving comprises, upon receiving data, determining whether the data comprises a connection request;
  
  when data is determined to comprise a connection request, redirecting the connection request to a security server for determining whether the intended destination for the packet utilizes an IPSec policy;
  
  receiving a response from the security server indicating whether the intended destination utilizes an IPSec policy and, when the intended destination utilizes an IPSec policy, indicating a particular IPSec policy used by the intended destination;
  
  when the response from the security server indicates that the intended destination utilizes an IPSec policy;
  
  establishing a secure connection between the intended destination and the network address translator according to the particular IPSec policy and storing on the network address translator a record corresponding to the secure connection;
  
  when the unsecured packet that is not a connection request is received at the second time, on the network address translator determining whether the unsecured packet corresponds to a previously-established secure connection for which a record is stored on the network address translator and, when the unsecured packet corresponds to a previously-established secure connection, on the network address translator securing the unsecured packet in accordance with the particular IPSec policy to create a secured packet; and
  
  transmitting the secured packet to the intended destination over the secure connection; and
  
  when the response indicates that the intended destination does not utilize an IPSec policy and when the unsecured packet is received at the second time, transmitting the unsecured packet to the intended destination.

19. An apparatus to operate a network address translator to facilitate IPSec support in a controlled access environment comprising:
- at least one processor programmed to act as;
  
  a first component to operate network address translator to receive at a first time a connection request and at a second time, later than the first time, an unsecured packet from a client that is not a connection request, wherein the the first component, upon receiving data, determines whether the data comprises a connection request;
  
  a second component to ascertain whether an intended destination for the connection request and the unsecured packet employs an IPSec protocol, wherein the second component receives a connection request from the first component when the data is determined by the first component to comprise a connection request;
  
  a third component to determine whether the unsecured packet that is not a connection request corresponds to a previously-established secure connection for which a record is stored and, when the unsecured packet corresponds to a previously-established secure connection, to encrypt the unsecured packet that is not a connection request in accordance with the IPSec protocol to create a secured packet, when it is ascertained that the intended destination employs an IPSec protocol; and
  
  a fourth component to operate the network address translator to establish an IPSec connection session to the intended destination and, when the unsecured packet is received at the second time, to transmit the secured packet on behalf of the client, when it is ascertained that the intended destination employs an IPSec protocol.
- View Dependent Claims (20)
- - 20. The computer-implemented system of claim 19, wherein the second component comprises a fifth component to transmit the connection request to a security server and a sixth component to receive a response from the security server indicating whether the intended destination employs an IPSec protocol and, if the intended destination employs an IPSec policy, to indicate a particular IPSec policy used by the intended destination.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Zhigu Holdings Limited
Original Assignee
Microsoft Corporation
Inventors
Lamb, Richard, Guzovsky, Eduard, Swander, Brian
Primary Examiner(s)
Moore; Ian N
Assistant Examiner(s)
Cheney; Bobae K

Application Number

US11/627,510
Publication Number

US 20070124489A1
Time in Patent Office

1,537 Days
Field of Search

726 2- 25, 709201-203, 709217-219
US Class Current

709/203
CPC Class Codes

H04L 61/2557   Translation policies or rules

H04L 63/0245   Filtering by information in...

H04L 63/0254   Stateful filtering

H04L 63/0478   applying multiple layers of...

H04L 63/168   above the transport layer

NAT access control with IPSec

First Claim

3 Assignments

0 Petitions

Accused Products

Abstract

86 Citations

20 Claims

Specification

Use Cases

Quick Links

Others

NAT access control with IPSec

First Claim

3 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

86 Citations

20 Claims

Specification

Subscription Required

Use Cases

Quick Links

Others