WO2008017011A3 - Systems and methods for application-based interception and authorization of SSL/VPN traffic


Info

Publication number: WO2008017011A3
Authority: WO (WIPO, PCT)
Prior art keywords: application, client, communication, agent, virtual private
Application number: PCT/US2007/075035
Other languages: French (fr)
Other versions: WO2008017011A2 (en)
Inventors: Amarnath Mullick, Charu Venkatraman, Junxiao He, Shashi Nanjundaswami, James Harris, Ajay Soni
Original Assignee: Citrix Systems Inc, Amarnath Mullick, Charu Venkatraman, Junxiao He, Shashi Nanjundaswami, James Harris, Ajay Soni
Application filed by: Citrix Systems Inc, Amarnath Mullick, Charu Venkatraman, Junxiao He, Shashi Nanjundaswami, James Harris, Ajay Soni
Priority claimed from: US11/462,321 (US8495181B2), US11/462,329 (US8869262B2)
Priority to: CN200780037175.8A (CN101636998B), AU2007281166A (AU2007281166B2), HK10107195.6A (HK1140883A1)
Publications: WO2008017011A2, WO2008017011A3

Classifications

All classifications fall under H ELECTRICITY > H04 ELECTRIC COMMUNICATION TECHNIQUE > H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION > H04L63/00 Network architectures or network communication protocols for network security:

    • H04L63/02 Network architectures or network communication protocols for network security for separating internal from external traffic, e.g. firewalls
        • H04L63/0227 Filtering policies
            • H04L63/0236 Filtering by address, protocol, port number or service, e.g. IP-address or URL
            • H04L63/0245 Filtering by information in the payload
            • H04L63/0263 Rule management
        • H04L63/0272 Virtual private networks
    • H04L63/30 Network architectures or network communication protocols for network security for supporting lawful interception, monitoring or retaining of communications or communication related information
        • H04L63/306 Intercepting packet switched data communications, e.g. Web, Internet or IMS communications
    • H04L63/10 Network architectures or network communication protocols for network security for controlling access to devices or network resources
        • H04L63/101 Access control lists [ACL]
        • H04L63/104 Grouping of entities

Abstract

A method for intercepting, by an agent on a client, communications that the client is to transmit via a virtual private network connection includes the step of intercepting communications based on identification of the application from which each communication originates. The agent receives information identifying a first application. The agent determines that a network communication transmitted by the client originates from the first application and intercepts that communication. The agent then transmits the intercepted communication via the virtual private network connection. A second method, for allowing or denying, by an appliance, access to a resource by an application on a client via a virtual private network connection, bases the decision to allow or deny access on identification of the application. The appliance associates an authorization policy with the intercepted request based on the identity of the application. Using the authorization policy and the identity of the application, the appliance determines whether to allow or deny the application access to the resource.
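The abstract describes two cooperating decisions: the client-side agent intercepts only traffic that originates from a configured application and sends it into the tunnel, and the appliance then allows or denies each intercepted request by matching an authorization policy keyed on the application's identity. The following Python model, added here as an illustration and not code from the patent or from Citrix, shows both halves working together. The application names, networks, ports and rule format are constructed for the example; the page does not specify how application identity is represented or how rules are encoded.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import FrozenSet, Iterable, List


@dataclass(frozen=True)
class Connection:
    """An outbound request seen on the client, tagged by the agent with the
    identity of the application that opened it (executable name here; an
    assumption for this example)."""
    app: str
    dst_ip: str
    dst_port: int


@dataclass(frozen=True)
class AuthzRule:
    """Appliance-side authorization rule keyed on application identity."""
    app: str                # executable name, or "*" for any application
    network: str            # destination network in CIDR notation
    ports: FrozenSet[int]   # permitted destination ports; empty = any port
    action: str             # "allow" or "deny"

    def matches(self, conn: Connection) -> bool:
        app_ok = self.app == "*" or self.app.lower() == conn.app.lower()
        net_ok = ip_address(conn.dst_ip) in ip_network(self.network)
        port_ok = not self.ports or conn.dst_port in self.ports
        return app_ok and net_ok and port_ok


class ClientAgent:
    """Client agent: intercepts traffic only from the applications it has been
    told about; everything else bypasses the VPN tunnel."""

    def __init__(self, intercepted_apps: Iterable[str]):
        self.intercepted_apps = {a.lower() for a in intercepted_apps}

    def should_intercept(self, conn: Connection) -> bool:
        return conn.app.lower() in self.intercepted_apps


class Appliance:
    """VPN appliance: first matching rule wins; unmatched requests fall back to
    the default action, which a practitioner would keep at 'deny'."""

    def __init__(self, rules: List[AuthzRule], default_action: str = "deny"):
        self.rules = list(rules)
        self.default_action = default_action

    def authorize(self, conn: Connection) -> str:
        for rule in self.rules:
            if rule.matches(conn):
                return rule.action
        return self.default_action


def process_connection(agent: ClientAgent, appliance: Appliance, conn: Connection) -> str:
    """Full path for one request: 'bypass' if the agent does not intercept it,
    otherwise the appliance's 'allow' or 'deny' verdict."""
    if not agent.should_intercept(conn):
        return "bypass"
    return appliance.authorize(conn)


# Constructed sample configuration for the example.
AGENT = ClientAgent(["outlook.exe", "sapgui.exe"])
APPLIANCE = Appliance([
    AuthzRule("outlook.exe", "10.0.1.0/24", frozenset({443, 993}), "allow"),
    AuthzRule("sapgui.exe", "10.0.2.0/24", frozenset({3200}), "allow"),
    AuthzRule("*", "10.0.0.0/8", frozenset(), "deny"),   # catch-all for the internal range
])

# Constructed sample requests as the agent would tag them.
SAMPLE = [
    Connection("outlook.exe", "10.0.1.5", 993),       # allowed by rule 1
    Connection("outlook.exe", "10.0.2.7", 3200),      # wrong app for that network: denied
    Connection("sapgui.exe", "10.0.2.7", 3200),       # allowed by rule 2
    Connection("chrome.exe", "10.0.1.5", 443),        # not intercepted: bypasses the tunnel
    Connection("outlook.exe", "93.184.216.34", 443),  # no rule matches: default deny
]


def run_samples() -> List[str]:
    return [process_connection(AGENT, APPLIANCE, c) for c in SAMPLE]


if __name__ == "__main__":
    for conn, verdict in zip(SAMPLE, run_samples()):
        print(f"{conn.app:12} -> {conn.dst_ip}:{conn.dst_port:<5} {verdict}")
```

Two design points carry over from the abstract. The agent's intercept list and the appliance's rules are keyed on the same application identity, so a request from an application the agent was never told about never reaches the appliance, and a request from a known application still gets an explicit verdict there. The appliance acts on the identity the agent reports, so in a deployment that identity should only be accepted over the authenticated VPN session of an agent the appliance trusts; the catch-all deny rule plus a deny default ensures an unexpected application never gains access by omission.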

Priority Applications (3)

| Application Number | Publication | Priority Date | Filing Date | Title |
|---|---|---|---|---|
| CN200780037175.8A | CN101636998B (en) | 2006-08-03 | 2007-08-02 | Systems and methods for application based interception SSL/VPN traffic |
| AU2007281166A | AU2007281166B2 (en) | 2006-08-03 | 2007-08-02 | Systems and methods for application-based interception and authorization of SSL/VPN traffic |
| HK10107195.6A | HK1140883A1 (en) | 2006-08-03 | 2010-07-27 | Systems and methods for application-based interception and authorization of SSL/VPN traffic |

Applications Claiming Priority (4)

| Application Number | Publication | Priority Date | Filing Date | Title |
|---|---|---|---|---|
| US11/462,321 | US8495181B2 (en) | 2006-08-03 | 2006-08-03 | Systems and methods for application based interception SSL/VPN traffic |
| US11/462,329 | | 2006-08-03 | | |
| US11/462,321 | | 2006-08-03 | | |
| US11/462,329 | US8869262B2 (en) | 2006-08-03 | 2006-08-03 | Systems and methods for application based interception of SSL/VPN traffic |

Publications (2)

| Publication Number | Publication Date |
|---|---|
| WO2008017011A2 (en) | 2008-02-07 |
| WO2008017011A3 (en) | 2008-07-03 |

Family

ID=38904791

Family Applications (1)

| Application Number | Publication | Priority Date | Filing Date | Title |
|---|---|---|---|---|
| PCT/US2007/075035 | WO2008017011A2 (en) | 2006-08-03 | 2007-08-02 | Systems and methods for application-based interception and authorization of SSL/VPN traffic |

Country Status (4)

| Country | Link |
|---|---|
| CN (1) | CN103384250B (en) |
| AU (1) | AU2007281166B2 (en) |
| HK (1) | HK1140883A1 (en) |
| WO (1) | WO2008017011A2 (en) |

Cited By (1)

* Cited by examiner, † Cited by third party

| Publication number | Priority date | Publication date | Assignee | Title |
|---|---|---|---|---|
| CN101729543B (en) * | 2009-12-04 | 2012-10-03 | 同济大学 | Method for improving performance of mobile SSL VPN by utilizing remote Socks5 technology |

Families Citing this family (9)

* Cited by examiner, † Cited by third party

| Publication number | Priority date | Publication date | Assignee | Title |
|---|---|---|---|---|
| US9237168B2 (en) * | 2012-05-17 | 2016-01-12 | Cisco Technology, Inc. | Transport layer security traffic control using service name identification |
| CN104092691A (en) * | 2014-07-15 | 2014-10-08 | 北京奇虎科技有限公司 | Implementation method for implementing root-authority-free networking firewall and client-side |
| CN104144126B (en) * | 2014-08-19 | 2018-01-23 | 北京奇虎科技有限公司 | Method and system, the client of flow optimization are realized by image procossing |
| US9560078B2 (en) * | 2015-02-04 | 2017-01-31 | Intel Corporation | Technologies for scalable security architecture of virtualized networks |
| CN105049431B (en) * | 2015-06-30 | 2019-02-15 | 深信服科技股份有限公司 | Data access control method and device |
| CN109150751B (en) * | 2017-06-16 | 2022-05-27 | 阿里巴巴集团控股有限公司 | Network control method and device |
| CN109951575B (en) * | 2017-12-20 | 2022-06-10 | 新智数字科技有限公司 | Method and system for intercepting specified domain name |
| CN109543470A (en) * | 2018-11-01 | 2019-03-29 | 郑州云海信息技术有限公司 | A kind of storage equipment security access method and system |
| JP2022086597A (en) * | 2020-11-30 | 2022-06-09 | シャープ株式会社 | Information processing device, control method, and program |

Citations (7)

* Cited by examiner, † Cited by third party

| Publication number | Priority date | Publication date | Assignee | Title |
|---|---|---|---|---|
| US5987611A (en) * | 1996-12-31 | 1999-11-16 | Zone Labs, Inc. | System and methodology for managing internet access on a per application basis for client computers connected to the internet |
| WO2002079949A2 (en) * | 2001-03-30 | 2002-10-10 | Netscreen Technologies, Inc. | Internet security system |
| EP1418730A2 (en) * | 2002-11-06 | 2004-05-12 | AT&T Corp. | Virtual private network crossovers based on certificates |
| US20050265351A1 (en) * | 2004-05-27 | 2005-12-01 | Hewlett-Packard Development Company, L.P. | Network administration |
| US20060005240A1 (en) * | 2004-06-30 | 2006-01-05 | Prabakar Sundarrajan | System and method for establishing a virtual private network |
| EP1641215A2 (en) * | 2004-09-28 | 2006-03-29 | Layer 7 Technologies, Inc. | System and method for bridging identities in a service oriented architecture |
| US7096495B1 (en) * | 2000-03-31 | 2006-08-22 | Intel Corporation | Network session management |

Family Cites Families (4)

* Cited by examiner, † Cited by third party

| Publication number | Priority date | Publication date | Assignee | Title |
|---|---|---|---|---|
| US7260599B2 (en) * | 2003-03-07 | 2007-08-21 | Hyperspace Communications, Inc. | Supporting the exchange of data by distributed applications |
| US8572249B2 (en) * | 2003-12-10 | 2013-10-29 | Aventail Llc | Network appliance for balancing load and platform services |
| US7818781B2 (en) * | 2004-10-01 | 2010-10-19 | Microsoft Corporation | Behavior blocking access control |
| US20060130135A1 (en) * | 2004-12-10 | 2006-06-15 | Alcatel | Virtual private network connection methods and systems |

Also Published As

| Publication number | Publication date |
|---|---|
| CN103384250A (en) | 2013-11-06 |
| CN103384250B (en) | 2017-04-26 |
| AU2007281166B2 (en) | 2011-12-15 |
| WO2008017011A2 (en) | 2008-02-07 |
| HK1140883A1 (en) | 2010-10-22 |
| AU2007281166A1 (en) | 2008-02-07 |

Similar Documents

| Publication | Title |
|---|---|
| WO2008017011A3 (en) | Systems and methods for application-based interception and authorization of SSL/VPN traffic |
| CN111490993B (en) | Application access control security system and method |
| US10630725B2 (en) | Identity-based internet protocol networking |
| US10154067B2 (en) | Network application security policy enforcement |
| US11190489B2 (en) | Methods and systems for establishing a connection between a first device and a second device across a software-defined perimeter |
| US11070591B2 (en) | Distributed network application security policy enforcement |
| EP2850770B1 (en) | Transport layer security traffic control using service name identification |
| JP2022084588A (en) | Platform for computing at mobile edge |
| WO2006004725A3 (en) | System and method for establishing a virtual private network |
| CN105100095A (en) | Secure interaction method and apparatus for mobile terminal application program |
| US20090113517A1 (en) | Security state aware firewall |
| WO2007042826A3 (en) | Remote access to resources |
| US20220103515A1 (en) | Split tunneling based on content type to exclude certain network traffic from a tunnel |
| CN104539598A (en) | Tor-improved safety anonymous network communication system and method |
| WO2013018028A3 (en) | Authentication policy enforcement |
| WO2010021954A3 (en) | System and method for a WPAN firewall |
| EP2706717A1 (en) | Method and devices for registering a client to a server |
| WO2017208079A3 (en) | Method and system for improving network security |
| EP2974355A2 (en) | A device, a system and a related method for dynamic traffic mirroring and policy, and the determination of applications running on a network |
| KR101214613B1 (en) | Security method and security system based on proxy for identifying connector credibly |
| YAN et al. | Study on security of 5G and satellite converged communication network |
| RU2008109223A (en) | Ensuring an agreed access to the firewall with information on the application |
| Alenezi et al. | On Virtualization and Security-Awareness Performance Analysis in 5G Cellular Networks |
| CN106686583A (en) | Method and device for safe communication in WiFi environment |
| JP4950705B2 (en) | Communication control system and communication control method |

Legal Events

    • WWE Wipo information: entry into national phase. Ref document number: 200780037175.8; Country of ref document: CN
    • 121 Ep: the EPO has been informed by WIPO that EP was designated in this application. Ref document number: 07813683; Country of ref document: EP; Kind code of ref document: A2
    • WWE Wipo information: entry into national phase. Ref document number: 2007281166; Country of ref document: AU
    • NENP Non-entry into the national phase. Ref country code: DE
    • ENP Entry into the national phase. Ref document number: 2007281166; Country of ref document: AU; Date of ref document: 20070802; Kind code of ref document: A
    • NENP Non-entry into the national phase. Ref country code: RU
    • 122 Ep: PCT application non-entry in European phase. Ref document number: 07813683; Country of ref document: EP; Kind code of ref document: A2