
HK1140883B - Systems and methods for application-based interception and authorization of ssl/vpn traffic - Google Patents


Info

Publication number
HK1140883B
Authority
HK
Hong Kong
Prior art keywords
application
network
client
appliance
agent
Application number
HK10107195.6A
Other languages
Chinese (zh)
Other versions
HK1140883A1 (en)
Inventor
A‧穆立克
C‧温卡塔拉曼
何军晓
S‧南琼达斯瓦米
J‧哈里斯
A‧索尼
Original Assignee
思杰系统有限公司 (Citrix Systems, Inc.)
Priority claimed from US11/462,321 (US8495181B2)
Priority claimed from US11/462,329 (US8869262B2)
Priority claimed from PCT/US2007/075035 (WO2008017011A2)
Application filed by 思杰系统有限公司 (Citrix Systems, Inc.)
Publication of HK1140883A1
Publication of HK1140883B

Description

System and method for application-based interception and authorization of SSL/VPN traffic
Technical Field
The present invention relates generally to secure data communications networks and, more particularly, to a system and method for increasing the security of a data communications network by intercepting and authorizing SSL/VPN data communications on a finer-grained basis.
Background
Virtual private networks provide users of client computers with secure access to remote resources while on a public network. Many virtual private networks use network devices to provide secure connections to clients. For example, a user may access resources including applications, web sites, and files by connecting to a network device that manages multiple virtual private network connections. In many examples, an agent associated with the client identifies network communications intended for the virtual private network based on an address used to send the communications.
However, this technique has several drawbacks. Since all traffic addressed to the configured address range is sent to the virtual private network, a robust authorization policy must be established to separate legitimate virtual private network traffic from traffic that should not be sent over the virtual private network, regardless of whether that traffic is correctly addressed. Such a policy is difficult to establish and difficult to maintain. Also, because a malicious user can craft data traffic within the correct address range to endanger the data center that the virtual private network is intended to protect, any generic route between the data center and the virtual private network (whether appropriate or not) can pose a security risk.
It is therefore desirable to provide systems and methods for routing data in a virtual private network environment with finer granularity than subnet identification.
Disclosure of Invention
In one aspect, the present invention relates to a method for intercepting client-to-destination communications on a virtual private network. The decision to intercept is based on a network destination description of the application that is authorized to be accessed via the virtual private network. An agent executing on a client intercepts a network communication of the client. The agent provides a virtual private network connection from the first network to the second network. The agent determines that the destination specified by the intercepted communication corresponds to the network identifier and port in the network destination description of an application on the second network that is authorized to be accessed via the virtual private network. In response to this determination, the agent sends the intercepted communication over the virtual private network connection.
In some embodiments, the agent determines that the network communication does not correspond to the network destination description of the application and sends the intercepted network communication via the first network. In other embodiments, the agent determines that the network communication does not correspond to the network destination description of the application and discards the intercepted network communication. In still other embodiments, the agent determines that the client's network identifier and port correspond to the source internet protocol address and source port of the application's network destination description. In still other embodiments, the agent determines that the protocol in which the network communication is formatted corresponds to the protocol specified by the network destination description of the application. In still other embodiments, the agent determines not to intercept a second network communication on the client destined to a second application that is not authorized to be accessed on the second network via the virtual private network connection. In some such embodiments, the agent intercepts network communications transparently to the application or to the user of the client.
In another aspect, the invention relates to a method by which an appliance provides a level of access to a resource, via a virtual private network connection, to an application on a client. The decision to allow or deny that level of access is based on the identity of the application. The appliance intercepts a request by an application of a client on a first network to access a resource on a second network via a virtual private network connection. The appliance identifies the application and, based on that identification, associates the intercepted request with an authorization policy. The appliance then uses the authorization policy and the identification of the application to determine whether to allow or deny the application access to the resource.
In some embodiments, the agent sends the name of the application to the appliance. In one such embodiment, the name of the application is used as the identifier of the application. In other embodiments, the agent establishes a virtual private network connection to the second network via the appliance. In still other embodiments, the authorization policy specifies the name of the application and whether to allow or deny a level of access. In some such embodiments, the appliance associates the authorization policy for the application with the user of the client. In other such embodiments, the appliance identifies the authorization policy for the application based on the user of the client.
In yet another aspect, the present invention relates to a method of intercepting, by a client agent, communications from a client sent via a virtual private network connection. The interception is based on an identification of an application from which the communication originated. The agent receives information identifying a first application. The agent determines that the network communication sent by the client originates from the first application and intercepts the communication. The agent sends the intercepted communication via the virtual private network connection.
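The three aspects above share one decision model: a client agent decides whether an intercepted communication goes over the virtual private network, over the first network, or is discarded, and the appliance then decides, per application and per user, whether the request is allowed. The following Python is an added example written for this page; it is not code from the patent or from Citrix. It models the agent's classification by network destination description (network identifier, port, protocol and optional source constraint), the alternative interception criterion based on the originating application, and the appliance's authorization policy keyed on the reported application name and the user. All addresses, application names, the `origin_app` field and the policy entries are constructed for the example.

```python
"""Added example (not the patent's or Citrix's code): the client-agent
classification and the appliance authorization described above, with
constructed sample data."""
from dataclasses import dataclass
from enum import Enum
import ipaddress


class Action(Enum):
    VPN = "send via the virtual private network connection"
    FIRST_NETWORK = "send via the first (local) network"
    DROP = "discard"


@dataclass(frozen=True)
class Connection:
    """One intercepted communication; origin_app is the client-side process
    that created it (hypothetical field, assumed visible to the agent)."""
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int
    protocol: str
    origin_app: str


@dataclass(frozen=True)
class DestinationDescription:
    """Network destination description of an application on the second
    network that is authorized to be reached over the VPN."""
    app_name: str
    dest_net: str                              # CIDR of the destination
    dest_ports: frozenset = frozenset()        # empty means any port
    protocols: frozenset = frozenset({"tcp"})  # empty means any protocol
    src_net: str = "0.0.0.0/0"                 # optional source constraint

    def matches(self, c: Connection) -> bool:
        dst_ok = ipaddress.ip_address(c.dst_ip) in ipaddress.ip_network(self.dest_net)
        src_ok = ipaddress.ip_address(c.src_ip) in ipaddress.ip_network(self.src_net)
        port_ok = not self.dest_ports or c.dst_port in self.dest_ports
        proto_ok = not self.protocols or c.protocol.lower() in self.protocols
        return dst_ok and src_ok and port_ok and proto_ok


def agent_classify(c, descriptions, fallback=Action.FIRST_NETWORK):
    """Agent decision by destination. Returns (action, matched app name).
    `fallback` selects between the two embodiments for non-matching traffic:
    forward it on the first network, or discard it."""
    for d in descriptions:
        if d.matches(c):
            return Action.VPN, d.app_name
    return fallback, None


def agent_intercept_by_origin(c, authorized_origins):
    """Agent decision by originating application: send over the VPN only when
    the process that created the traffic is on the authorized list."""
    return Action.VPN if c.origin_app in authorized_origins else Action.FIRST_NETWORK


def appliance_authorize(app_name, user, policy):
    """Appliance decision. `policy` maps (app_name, user) -> allow flag; user
    "*" is the per-application default. The name is reported by the agent and
    so is client-asserted; the policy is therefore also keyed on the
    authenticated user, and anything without a matching entry is denied."""
    for key in ((app_name, user), (app_name, "*")):
        if key in policy:
            return policy[key]
    return False


# Constructed configuration: two authorized applications on the second network.
DESCRIPTIONS = (
    DestinationDescription("mail-server", "10.20.1.0/24", frozenset({143, 993})),
    DestinationDescription("intranet-web", "10.20.2.0/24", frozenset({443})),
)
POLICY = {
    ("mail-server", "*"): True,        # any authenticated user may reach mail
    ("intranet-web", "alice"): True,   # intranet web only for alice
    ("intranet-web", "*"): False,
}


def demo(user="bob"):
    """Run constructed connections through both stages. Returns a list of
    (agent action, matched application, appliance decision or None)."""
    samples = [
        Connection("192.168.1.5", 50000, "10.20.1.10", 993, "tcp", "mail-client"),
        Connection("192.168.1.5", 50001, "10.20.2.10", 443, "tcp", "browser"),
        Connection("192.168.1.5", 50002, "10.20.1.10", 3389, "tcp", "rdp-client"),
        Connection("192.168.1.5", 50003, "203.0.113.7", 443, "tcp", "browser"),
    ]
    results = []
    for c in samples:
        action, app = agent_classify(c, DESCRIPTIONS)
        allowed = appliance_authorize(app, user, POLICY) if action is Action.VPN else None
        results.append((action, app, allowed))
    return results
```

Running `demo("bob")` shows the intended separation: mail traffic to the described host and port is sent over the VPN and allowed; intranet web traffic is sent over the VPN but denied for bob by the per-user policy; an RDP connection to the mail host on an undescribed port never enters the VPN, which is the finer-than-subnet distinction the background section asks for; and public traffic stays on the first network.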
The details of various embodiments of the invention are set forth in the accompanying drawings and the description below.
Drawings
These and other objects, aspects, features and advantages of the present invention will become more apparent and better understood with reference to the following detailed description when taken in conjunction with the accompanying drawings, wherein:
FIG. 1A is a block diagram of an embodiment of a network environment for a client to access a server through an appliance;
FIG. 1B is a block diagram of an embodiment of an environment for delivering a computing environment from a server to a client through an appliance;
FIGS. 1C and 1D are block diagrams of embodiments of computing devices;
FIG. 2A is a block diagram of an embodiment of an appliance for handling communications between a client and a server;
FIG. 2B is a block diagram of another embodiment of an appliance for optimizing, accelerating, load balancing, and routing communications between a client and a server;
FIG. 3 is a block diagram of an embodiment in which a client communicates with a server through an appliance;
FIG. 4 is a block diagram of an embodiment of a client-side fine-grained interception mechanism;
FIG. 5 is a block diagram depicting the steps of an embodiment of a method of implementing a client-side fine-grained interception technique; and
FIG. 6 is a flow diagram of the steps of an embodiment of a method for an appliance to provide a level of access to an application based on an identification of the application.
The features and advantages of the present invention will become more apparent from the detailed description set forth below when taken in conjunction with the drawings in which like reference characters identify corresponding elements throughout. In the drawings, like reference numbers generally indicate identical, functionally similar, and/or structurally similar elements.
Detailed Description
A. Network and computing environment
Before discussing specific embodiments of systems and methods for devices and/or clients, it may be helpful to discuss the network and computing environment configured in such embodiments. Referring now to FIG. 1A, an embodiment of a network environment is described. In general, a network environment includes one or more clients 102a-102n (also generally referred to as local machines 102, or clients 102) in communication with one or more servers 106a-106n (also generally referred to as servers 106, or remote machines 106) over one or more networks 104, 104' (generally referred to as networks 104). In some embodiments, the client 102 communicates with the server 106 through the appliance 200.
Although FIG. 1A shows the network 104 and the network 104' between the client 102 and the server 106, the client 102 and the server 106 may be on the same network 104. The networks 104 and 104' may be the same type of network or different types of networks. Network 104 and/or network 104' may be a Local Area Network (LAN) (e.g., a company's intranet), a Metropolitan Area Network (MAN), or a Wide Area Network (WAN) (e.g., the Internet or World Wide Web). In one embodiment, the network 104' may be a private network and the network 104 may be a public network. In some embodiments, the network 104 may be a private network and the network 104' may be a public network. In another embodiment, both networks 104 and 104' may be private networks. In some embodiments, the client 102 may be located in a corporate branch office, communicating over a network 104 through a WAN connection with a server 106 located at a corporate data center.
The networks 104 and/or 104' may be any type and/or form of network and may include any of the following: point-to-point networks, broadcast networks, wide area networks, local area networks, telecommunications networks, data communication networks, computer networks, ATM (asynchronous transfer mode) networks, SONET (synchronous optical network) networks, SDH (synchronous digital hierarchy) networks, wireless networks and wired networks. In some embodiments, the network 104 may include a wireless link, such as an infrared channel or satellite band. The topology of the networks 104 and/or 104' may be a bus, star, or ring network topology. The networks 104 and/or 104' and the network topology may be any such networks or network topologies known to those of ordinary skill in the art that may support the operations described herein.
As shown in fig. 1A, a device 200 (also referred to herein as an interface unit 200 or gateway 200) is shown between networks 104 and 104'. In some embodiments, the appliance 200 may be located on the network 104. For example, a branch office of a company may deploy the appliance 200 in the branch office. In other embodiments, the appliance 200 may be located on the network 104'. For example, the appliance 200 may be located in a company's data center. In yet another embodiment, multiple appliances 200 may be deployed on the network 104. In some embodiments, multiple appliances 200 may be deployed on the network 104'. In one embodiment, a first appliance 200 communicates with a second appliance 200'. In other embodiments, the appliance 200, as a client 102, may be part of any client 102 or server 106 located on the same or different networks 104, 104'. One or more appliances 200 may be located at any point in a network or network communication path between a client 102 and a server 106.
In one embodiment, the system may include a plurality of servers 106 that are logically grouped. In these embodiments, the logical grouping of servers may be referred to as a server farm 38. In some of these embodiments, the servers 106 may be geographically dispersed. In some cases, the farm 38 may be managed as a single entity. In other embodiments, the server farm 38 includes a plurality of server farms 38. In one embodiment, a server farm executes one or more applications on behalf of one or more clients 102.
The servers 106 in each farm 38 may be heterogeneous. That is, one or more servers 106 may operate according to one type of operating system platform (e.g., WINDOWS NT, manufactured by Microsoft Corporation of Redmond, Washington), while one or more other servers 106 may operate according to another type of operating system platform (e.g., Unix or Linux). The servers 106 of each farm 38 need not be physically proximate to another server 106 within the same farm 38. Thus, the group of servers 106 logically grouped as a farm 38 may be interconnected using a Wide Area Network (WAN) connection or a Metropolitan Area Network (MAN) connection. For example, a farm 38 may include servers 106 physically located on different continents or in different regions of a continent, country, state, city, campus, or room. Data transfer speeds between the servers 106 in the farm 38 can be increased if the servers 106 are connected using a Local Area Network (LAN) connection or some form of direct connection.
Server 106 may refer to a file server, an application server, a web server, a proxy server, or a gateway server. In some embodiments, the server 106 may have the capability to operate as an application server or a master application server. In one embodiment, the server 106 may include an active directory. The clients 102 may also be referred to as client nodes or endpoints. In some embodiments, the client 102 has the ability to operate as a client node that seeks access to applications on a server and also as an application server that provides access to hosted applications for other clients 102a-102 n.
In some embodiments, the client 102 communicates with the server 106. In one embodiment, the client 102 may communicate directly with one of the servers 106 in the farm 38. In another embodiment, the client 102 executes a program neighborhood application to communicate with the servers 106 within the farm 38. In yet another embodiment, the server 106 provides the functionality of a master node. In some embodiments, clients 102 communicate with servers 106 in farm 38 over network 104. Through the network 104, the client 102 may, for example, request execution of various applications hosted by the servers 106a-106n in the farm 38 and receive output of application execution results for display. In some embodiments, only the master node provides the functionality required to identify and provide address information associated with the server 106' hosting the requested application.
In one embodiment, the server 106 provides the functionality of a network (Web) server. In another embodiment, the server 106a receives a request from the client 102, forwards the request to a second server 106b and responds to the request by the client 102 with a response to the request from the server 106 b. In yet another embodiment, the server 106 obtains an enumeration of applications available to the client 102 and address information associated with the server 106 ', the server 106' hosting the application identified by the enumeration of applications. In yet another embodiment, the server 106 presents a response to the request of the client 102 using a web interface. In one embodiment, the client 102 communicates directly with the server 106 to access the identified application. In another embodiment, the client 102 receives application output data, such as display data, that is generated by execution of an application identified on the server 106.
Turning now to FIG. 1B, a network environment for delivering and/or operating a computing environment on a client 102 is illustrated. In some embodiments, the server 106 includes an application delivery system 190 for delivering a computing environment or an application and/or data files to one or more clients 102. In general, a client 102 communicates with a server 106 through a network 104, 104' and the appliance 200. For example, the client 102 may reside in a remote office of a company, such as a branch office, and the server 106 may reside in a corporate data center. The client 102 includes a client agent 120 and a computing environment 15. The computing environment 15 may execute or operate an application for accessing, processing, or using data files. The computing environment 15, applications, and/or data files may be delivered through the appliance 200 and/or the server 106.
In some embodiments, the appliance 200 accelerates the transfer of the computing environment 15, or any portion thereof, to the client 102. In one embodiment, the appliance 200 accelerates the transfer of the computing environment 15 through the application transfer system 190. For example, embodiments described herein may be used to accelerate the transfer of streaming applications and data files that an application may process from a central corporate data center to a remote user location (e.g., a corporate branch office). In another embodiment, the appliance 200 accelerates transport layer traffic between the client 102 and the server 106. The appliance 200 may provide acceleration techniques for accelerating any transport layer payload from the server 106 to the client 102, such as: 1) transport layer connection pooling, 2) transport layer connection multiplexing, 3) transmission control protocol buffering, 4) compression, and 5) caching. In some embodiments, the appliance 200 provides load balancing of the servers 106 in response to requests from the clients 102. In other embodiments, the appliance 200 acts as a proxy or access server to provide access to one or more servers 106. In another embodiment, the appliance 200 provides a secure virtual private network connection, such as an SSL VPN connection, from the first network 104 of the client 102 to the second network 104' of the server 106. In still other embodiments, the appliance 200 provides application firewall security, control, and management of connections and communications between the client 102 and the server 106.
In some embodiments, the application delivery management system 190 provides an application delivery technique to deliver the computing environment to the user's desktop (remote or otherwise) based on multiple execution methods and based on any authentication and authorization policies applied through the policy engine 195. Using these techniques, a remote user may obtain a computing environment from any network connected device 100 and access applications and data files stored by a server. In one embodiment, the application delivery system 190 may reside on or execute on the server 106. In another embodiment, the application delivery system 190 may reside on or execute on multiple servers 106a-106 n. In some embodiments, the application delivery system 190 may execute within the server farm 38. In one embodiment, the server 106 executing the application delivery system 190 may also store or provide applications and data files. In another embodiment, a first set of one or more servers 106 may execute the application delivery system 190, and a different server 106n may store or provide application and data files. In some embodiments, each application delivery system 190, application, and data file may reside or be located on different servers. In yet another embodiment, any portion of the application delivery system 190 may reside, execute, or be stored or distributed to the appliance 200 or multiple appliances.
The client 102 may include a computing environment 15 for executing applications that use or process data files. The client 102 may request applications and data files from the server 106 via the networks 104, 104' and the appliance 200. In one embodiment, the appliance 200 may forward a request from the client 102 to the server 106. For example, the client 102 may not have locally stored or locally accessible applications and data files. In response to the request, the application delivery system 190 and/or the server 106 may deliver the application and the data file to the client 102. For example, in one embodiment, the server 106 may send applications in an application stream to operate in the computing environment 15 on the client 102.
In some embodiments, the application delivery system 190 includes any portion of the Citrix Access Suite™ from Citrix Systems, Inc., such as MetaFrame or Citrix Presentation Server™, and/or any of the Windows Terminal Services manufactured by Microsoft Corporation. In one embodiment, the application delivery system 190 may deliver one or more applications to the client 102 or user via a remote display protocol or via other remote-based or server-based computing means. In another embodiment, the application delivery system 190 may deliver one or more applications to a client or user through streaming of the applications.
In one embodiment, the application delivery system 190 includes a policy engine 195 for controlling and managing access to applications, the selection of application execution methods, and the delivery of applications. In some embodiments, the policy engine 195 determines one or more applications that a user or client 102 may access. In another embodiment, the policy engine 195 determines how the application should be delivered to the user or client 102, e.g., the method of execution. In some embodiments, the application delivery system 190 provides a plurality of delivery techniques from which to select a method of application execution, such as server-based computing, streaming, or delivering the application locally to the client 102 for local execution.
In one embodiment, the client 102 requests execution of an application and the application delivery system 190, including the server 106, selects a method of executing the application. In some embodiments, the server 106 receives credentials from the client 102. In another embodiment, the server 106 receives a request for an enumeration of available applications from the client 102. In one embodiment, in response to the request or the receipt of credentials, the application delivery system 190 enumerates a plurality of application programs available to the client 102. The application delivery system 190 receives a request to execute an enumerated application. The application delivery system 190 selects one of a predetermined number of methods for executing the enumerated application, for example in response to a policy of the policy engine. The application delivery system 190 may select a method of executing the application such that the client 102 receives application output data generated by executing the application program on the server 106. The application delivery system 190 may select a method of executing the application such that the local machine 102 executes the application program locally after retrieving the plurality of application files comprising the application. In yet another embodiment, the application delivery system 190 may select a method of executing the application that streams the application to the client 102 over the network 104.
The client 102 may execute, operate, or otherwise provide an application, which may be any type and/or form of software, program, or executable instructions such as any type and/or form of web browser, web-based client, client-server application, thin-client computing client, ActiveX control, or Java applet, or any other type and/or form of executable instructions that may execute on the client 102. In some embodiments, the application may be a server-based or remote-based application executing on the server 106 on behalf of the client 102. In one embodiment, the server 106 may display output to the client 102 using any thin-client or remote display protocol, such as the Independent Computing Architecture (ICA) protocol developed by Citrix Systems, Inc. of Fort Lauderdale, Florida, or the Remote Desktop Protocol (RDP) developed by Microsoft Corporation of Redmond, Washington. The application may use any type of protocol, and it may be, for example, an HTTP client, an FTP client, an Oscar client, or a Telnet client. In other embodiments, the application includes any type of software involving VoIP communications, such as a soft IP telephone. In a further embodiment, the application comprises any application involving real-time data communication, such as an application for streaming video and/or audio.
In some embodiments, the server 106 or server farm 38 may be running one or more applications, such as an application providing thin-client computing or a remote display presentation application. In one embodiment, the server 106 or server farm 38 executes as an application any portion of the Citrix Access Suite™ from Citrix Systems, Inc. (such as MetaFrame or Citrix Presentation Server™) and/or any of the Windows Terminal Services developed by Microsoft Corporation. In one embodiment, the application is an ICA client developed by Citrix Systems, Inc. of Fort Lauderdale, Florida. In other embodiments, the application comprises a Remote Desktop (RDP) client developed by Microsoft Corporation of Redmond, Washington. In addition, the server 106 may run an application, which may be an application server providing email services, such as Microsoft Exchange manufactured by Microsoft Corporation of Redmond, Washington, a web or Internet server, a desktop sharing server, or a collaboration server. In some embodiments, any application may include any type of hosted service or product, such as GoToMeeting™ offered by Citrix Online Division of Santa Barbara, California, WebEx™ available from WebEx, Inc. of Santa Clara, California, or Microsoft Office Live Meeting available from Microsoft Corporation of Redmond, Washington.
The client 102, server 106, and appliance 200 may be deployed and/or executed on any type and form of computing device, such as a computer, network device, or appliance capable of communicating over any type and form of network and performing the operations described herein. FIGS. 1C and 1D depict block diagrams of a computing device 100 for implementing embodiments of a client 102, server 106, or appliance 200. As shown in FIGS. 1C and 1D, each computing device 100 includes a central processing unit 101 and a main memory unit 122. As shown in FIG. 1C, the computing device 100 may include a visual display device 124, a keyboard 126, and/or a pointing device 127, such as a mouse. Each computing device 100 may also include other optional components, such as one or more input/output devices 130a-130b (generally referred to using reference numeral 130), and a cache memory 140 in communication with the central processing unit 101.
The central processing unit 101 is any logic circuitry that responds to and processes instructions fetched from the main memory unit 122. In many embodiments, the central processing unit is provided by a microprocessor unit, such as: those manufactured by Intel Corporation of Mountain View, California; those manufactured by Motorola Corporation of Schaumburg, Illinois; those manufactured by Transmeta Corporation of Santa Clara, California; the RS/6000 processors manufactured by International Business Machines Corporation of White Plains, New York; or those manufactured by Advanced Micro Devices, Inc. of Sunnyvale, California. The computing device 100 may be based on any of these processors or any other processor capable of operating as described herein.
The main memory unit 122 may be one or more memory chips capable of storing data and allowing any storage location to be directly accessed by the microprocessor 101, such as Static Random Access Memory (SRAM), Burst SRAM or SynchBurst SRAM (BSRAM), Dynamic Random Access Memory (DRAM), Fast Page Mode DRAM (FPM DRAM), Enhanced DRAM (EDRAM), Extended Data Output RAM (EDO RAM), Extended Data Output DRAM (EDO DRAM), Burst Extended Data Output DRAM (BEDO DRAM), Enhanced DRAM (EDRAM), synchronous DRAM (SDRAM), JEDEC SRAM, PC100 SDRAM, Double Data Rate SDRAM (DDR SDRAM), Enhanced SDRAM (ESDRAM), SyncLink DRAM (SLDRAM), Direct Rambus DRAM (DRDRAM), or Ferroelectric RAM (FRAM). The main memory 122 may be based on any of the above-described memory chips or any other available memory chip capable of operating as described herein. In the embodiment shown in FIG. 1C, the processor 101 communicates with main memory 122 via a system bus 150 (described in more detail below). FIG. 1D depicts an embodiment of the computing device 100 in which the processor communicates directly with main memory 122 through a memory port 103. For example, in FIG. 1D, the main memory 122 may be DRDRAM.
FIG. 1D depicts an embodiment in which the main processor 101 communicates directly with the cache memory 140 via a secondary bus, sometimes referred to as a "backside" bus. In other embodiments, the main processor 101 communicates with the cache memory 140 using the system bus 150. Cache memory 140 typically has a faster response time than main memory 122 and is typically provided by SRAM, BSRAM, or EDRAM. In the embodiment shown in FIG. 1C, the processor 101 communicates with various I/O devices 130 over a local system bus 150. Various buses may be used to connect the central processing unit 101 to any of the I/O devices 130, including a VESA VL bus, an ISA bus, an EISA bus, a Micro Channel Architecture (MCA) bus, a PCI bus, a PCI-X bus, a PCI-Express bus, or a NuBus. For embodiments in which the I/O device is a video display 124, the processor 101 may use an Advanced Graphics Port (AGP) to communicate with the display 124. FIG. 1D depicts an embodiment of the computer 100 in which the main processor 101 communicates directly with the I/O device 130b via HyperTransport, RapidIO, or InfiniBand. FIG. 1D also depicts an embodiment in which local buses and direct communication are mixed: the processor 101 communicates with the I/O device 130a using a local interconnect bus and communicates directly with the I/O device 130b.
The computer device 100 may support any suitable installation device 116, such as a floppy disk drive for receiving information such as a 3.5 inch, 5.25 inch floppy or ZIP disk, a CD-ROM drive, a CD-R/RW drive, a DVD-ROM drive, tape drives of various formats, USB devices, hard drives, or any other device suitable for installing software, programs (e.g., any of the client agents 120 or portions thereof). The computing device 100 may also include a storage device 128, such as one or more hard disk drives or a random array of independent disks, for storing an operating system and other related software, and for storing application software programs, such as any program related to the client agent 120. Alternatively, any mounting device 116 may be used as the storage device 128. In addition, operating systems and software may run from a bootable medium, such asA bootable CD for GNU/LinuxThe boot CD is available as a GNU/Linux distribution from konppix.
Further, computing device 100 may include a network interface 118 to interface to a Local Area Network (LAN), Wide Area Network (WAN) or the Internet through a number of connections, including, but not limited to, standard telephone lines, LAN or WAN links (e.g., 802.11, T1, T3, 56kb, X.25), broadband connections (e.g., ISDN, Frame Relay, ATM), wireless connections, or some combination of any or all of them. The network interface 118 may comprise a built-in network adapter, network interface card, PCMCIA network card, card bus network adapter, wireless network adapter, USB network adapter, modem, or any other device suitable for interfacing the computing device 100 to any type of network capable of communication and performing the operations described herein. Multiple categories of I/O devices 130a-130n may be present in the computing device 100. Input devices include keyboards, mice, track pads, track balls, microphones, and drawing tablets. Output devices include video displays, speakers, ink jet printers, laser printers, and dye-sublimation printers. As shown in FIG. 1C, the I/O devices may be controlled by an I/O controller 123. The I/O controller may control one or more I/O devices such as a keyboard 126 and a pointing device 127 (e.g., a mouse or optical pen). Further, the I/O devices may also provide storage 128 and/or installation media 116 for the computing device 100. In still other embodiments, the computing device 100 may provide a USB connection for receiving a handheld USB memory device, such as the USB Flash Drive line of devices manufactured by Twintech Industry, Inc. of Los Alamitos, California.
In some embodiments, the computing device 100 may include or be coupled to multiple display devices 124a-124n, which may be of the same or different types and/or forms. For example, any of the I/O devices 130a-130n and/or the I/O controller 123 may include any type and/or form of appropriate hardware, software, or combination of hardware and software to support, enable, or provide for connection and use of the computing device 100 with a plurality of display devices 124a-124n. For example, the computing device 100 may include any type and/or form of video adapter, video card, driver, and/or library that interfaces, communicates, connects, or uses display devices 124a-124n. In one embodiment, the video adapter may include multiple connectors to interface with multiple display devices 124a-124n. In other embodiments, computing device 100 may include multiple video adapters, each connected to one or more of display devices 124a-124n. In some embodiments, any portion of the operating system of the computing device 100 may be configured to use multiple displays 124a-124n. In other embodiments, one or more of the display devices 124a-124n may be provided by one or more other computing devices, such as computing devices 100a and 100b connected to computing device 100 over a network. These embodiments may include any type of software designed and constructed to use another computer's display device as the second display device 124a of the computing device 100. Those skilled in the art will recognize and appreciate various different ways and embodiments in which the computing device 100 may be configured to have multiple display devices 124a-124n.
In further embodiments, the I/O device 130 may be a bridge 170 between the system bus 150 and an external communication bus, such as a USB bus, Apple Desktop bus, RS-232 serial connection, SCSI bus, FireWire 800 bus, Ethernet bus, AppleTalk bus, Gigabit Ethernet bus, Asynchronous Transfer Mode bus, HIPPI bus, Super HIPPI bus, SerialPlus bus, SCI/LAMP bus, Fibre Channel bus, or Serial Attached Small Computer System Interface bus.
The general purpose computing device 100 depicted in FIG. 1C and 1D typically operates under the control of an operating system that controls the scheduling of tasks and access to system resources. Computing device 100 may be running any operating system, for example any version of the Microsoft Windows operating systems, the different releases of the Unix and Linux operating systems, any version of the Mac OS for Macintosh computers, any embedded operating system, any real-time operating system, any open source operating system, any proprietary operating system, any operating system for a mobile computing device, or any other operating system that can run on a computing device and perform the operations described herein. Typical operating systems include: WINDOWS 3.x, WINDOWS 95, WINDOWS 98, WINDOWS 2000, WINDOWS NT 3.51, WINDOWS NT 4.0, WINDOWS CE, and WINDOWS XP, all manufactured by Microsoft Corporation of Redmond, Washington; MacOS, manufactured by Apple Computer Inc. of Cupertino, California; OS/2, manufactured by International Business Machines of Armonk, New York; and the freely available Linux operating system distributed by Caldera Corporation of Salt Lake City, Utah, as well as any type and form of Unix operating system.
In other embodiments, the computing device 100 may have different processors, operating systems, and input devices consistent with the device. For example, in one embodiment, computer 100 is a Treo 180, 270, 1060, 600, or 650 smart phone manufactured by Palm. In this embodiment, the Treo smart phone operates under the control of the PalmOS operating system and includes a stylus input device and a five-way navigator. Further, the computing device 100 may be any workstation, desktop computer, laptop or notebook computer, server, handheld computer, mobile phone, or any other computer, or other form of computing or telecommunication device capable of communication and having sufficient processor power and memory space to perform the operations described herein.
B. Device architecture
FIG. 2A illustrates one example embodiment of a device 200. The structure of the device 200 in FIG. 2A is provided by way of illustration only and is not intended to limit the invention. As shown in FIG. 2A, the appliance 200 includes a hardware layer 206 and a software layer divided into a user space 202 and a kernel space 204.
The hardware layer 206 provides the hardware elements on which programs and services within the kernel space 204 and the user space 202 are executed. The hardware layer 206 also provides the structure and elements through which programs and services within the kernel space 204 and the user space 202 transfer data both internally and externally with respect to the appliance 200. As shown in FIG. 2A, the hardware layer 206 includes a processing unit 262 for executing software programs and services, a memory 264 for storing software and data, a network port 266 for transmitting and receiving data over the network, and a cryptographic processor 260 for performing Secure Sockets Layer processing functions relating to data being transmitted and received over the network. In some embodiments, the central processing unit 262 may perform the functions of the encryption processor 260 in a single processor. Additionally, hardware layer 206 may include multiple processors for each of the processing unit 262 and the encryption processor 260. Processor 262 may include any of the processors 101 described above in connection with FIG. 1C and 1D. For example, in one embodiment, the device 200 includes a first processor 262 and a second processor 262'. In other embodiments, processor 262 or 262' includes a multicore processor.
Although the hardware layer 206 of the appliance 200 is shown with a cryptographic processor 260, the processor 260 may be a processor that performs functions involving any cryptographic protocol, such as the Secure Sockets Layer (SSL) or Transport Layer Security (TLS) protocols. In some embodiments, processor 260 may be a General Purpose Processor (GPP), and in further embodiments may comprise executable instructions for performing the processing of any security-related protocol.
Although the hardware layer 206 of the apparatus 200 is shown with some elements in fig. 2, the hardware portions or components of the apparatus 200 may include any type and form of elements, hardware, or software of a computing device, such as the computing device 100 discussed and illustrated herein in connection with fig. 1C and 1D. In some embodiments, the appliance 200 may comprise a server, gateway, router, switch, bridge, or other type of computing or networking device, and possess any hardware and/or software elements associated therewith.
The operating system of device 200 allocates, manages, or otherwise separates available system memory into kernel space 204 and user space 202. In the example software architecture 200, the operating system may be any type and/or form of Unix operating system, although the invention is not so limited. Likewise, the appliance 200 may be running any operating system, for example any version of the Microsoft Windows operating systems, the different releases of the Unix and Linux operating systems, any version of the Mac OS for Macintosh computers, any embedded operating system, any network operating system, any real-time operating system, any open source operating system, any proprietary operating system, any operating system for mobile computing devices or network devices, or any other operating system that can run on the apparatus 200 and perform the operations described herein.
Kernel space 204 is reserved for running kernel 230, including any device drivers, kernel extensions, or other kernel-related software. As known to those skilled in the art, the kernel 230 is the core of the operating system and provides access, control, and management of resources and associated hardware elements of the device 104. According to an embodiment of the appliance 200, the kernel space 204 also includes a plurality of network services or processes, sometimes referred to as an integrated cache, working in conjunction with a cache manager 232, the benefits of which are described in further detail herein. Additionally, embodiments of the kernel 230 will depend on the embodiment of the operating system installed, configured, or otherwise used by the appliance 200.
In one embodiment, the appliance 200 includes a network stack 267, such as a TCP/IP based stack, for communicating with the client 102 and/or server 106. In one embodiment, the network stack 267 is used to communicate with a first network, such as network 108, and a second network 110. In some embodiments, the appliance 200 terminates a first transport layer connection, e.g., a TCP connection of the client 102, and establishes a second transport layer connection to the server 106 for use by the client 102, e.g., the second transport layer connection is terminated at the appliance 200 and the server 106. The first and second transport layer connections may be established through a single network stack 267. In other embodiments, the appliance 200 may include multiple network stacks, such as 267 and 267', and the first transport layer connection may be established or terminated on one network stack 267 and the second transport layer connection may be established or terminated on a second network stack 267'. For example, one network stack may be used to receive and transmit network packets over a first network and another network stack may be used to receive and transmit network packets over a second network. In one embodiment, the network stack 267 includes a buffer 243 for queuing one or more network packets for transmission by the appliance 200.
As shown in FIG. 2A, the kernel space 204 includes a cache manager 232, a high-speed layer 2-7 integrated packet engine 240, an encryption engine 234, a policy engine 236, and multi-protocol compression logic 238. Running these components or processes 232, 240, 234, 236, and 238 in kernel space 204 or kernel mode instead of user space 202 improves the performance of each of these components individually and in combination. Kernel operation means that these components or processes 232, 240, 234, 236 and 238 run in the kernel address space of the operating system of the appliance 200. For example, running the encryption engine 234 in kernel mode improves encryption performance by moving encryption and decryption operations into the kernel, thereby reducing the number of transitions between the memory space or a kernel thread in kernel mode and the memory space or a thread in user mode. For example, data obtained in kernel mode need not be transferred or copied to a process or thread running in user mode, e.g., from a kernel-level data structure to a user-level data structure. In another aspect, the number of context switches between kernel mode and user mode is also reduced. Additionally, synchronization among and communication between any of the components or processes 232, 240, 234, 236, and 238 may be performed more efficiently in kernel space 204.
In some embodiments, any portion of the components 232, 240, 234, 236, and 238 may be run or operated in the kernel space 204, while other portions of these components 232, 240, 234, 236, and 238 may be run or operated in the user space 202. In one embodiment, the appliance 200 uses a kernel-level data structure to provide access to any portion of one or more network packets, e.g., a network packet comprising a request from a client 102 or a response from a server 106. In some embodiments, the kernel-level data structure is obtained by the packet engine 240 through a transport layer driver interface or filter to the network stack 267. The kernel-level data structure may include any interface and/or data accessible through the kernel space 204 associated with the network stack 267, or network traffic or packets received or transmitted by the network stack 267. In other embodiments, any of the components or processes 232, 240, 234, 236, and 238 may use the kernel-level data structure to perform the operations desired by the component or process. In one embodiment, the components 232, 240, 234, 236, and 238 run in kernel mode 204 when a kernel-level data structure is used, while in another embodiment, the components 232, 240, 234, 236, and 238 run in user mode when a kernel-level data structure is used. In some embodiments, the kernel-level data structure may be copied or transferred to a second kernel-level data structure, or any desired user-level data structure.
The cache manager 232 may include software, hardware, or any combination of software and hardware to provide cache access, control, and management of any type and form of content, such as objects or dynamically generated objects served by the origin server 106. The data, objects, or content processed and stored by the cache manager 232 may include data in any format, such as a markup language, or communicated via any protocol. In some embodiments, the cache manager 232 replicates original data stored elsewhere or data previously computed, generated, or transmitted, where the original data may require a longer access time to fetch, compute, or otherwise obtain relative to reading a cache element. Once the data is stored in the cache storage element, future use may be served by accessing the cached copy rather than re-fetching or recomputing the original data, thus reducing access time. In some embodiments, the cache storage element may comprise a data object in the memory 264 of the appliance 200. In other embodiments, the cache storage element may comprise memory having a faster access time than memory 264. In another embodiment, the cache storage element may comprise any type and form of storage element of device 200, such as a portion of a hard disk. In some embodiments, the processing unit 262 may provide cache memory for use by the cache manager 232. In yet another embodiment, the cache manager 232 may cache data, objects, or other content using any portion and combination of memory, storage, or processing units.
Additionally, the cache manager 232 includes any logic, functions, rules, or operations for performing any embodiments of the techniques of the appliance 200 described herein. For example, the cache manager 232 includes logic or functionality to invalidate objects based on the expiration of an invalidation time period, or receiving an invalidation command from the client 102 or server 106. In some embodiments, the cache manager 232 may operate as a program, service, process, or task executing in the kernel space 204, and in other embodiments in the user space 202. In one embodiment, a first portion of the cache manager 232 executes within the user space 202 and a second portion executes within the kernel space 204. In some embodiments, the cache manager 232 may include any type of General Purpose Processor (GPP), or any other form of integrated circuit, such as a Field Programmable Gate Array (FPGA), Programmable Logic Device (PLD), or Application Specific Integrated Circuit (ASIC).
The policy engine 236 may include, for example, a smart statistics engine or other programmable application. In one embodiment, the policy engine 236 provides a configuration mechanism to allow a user to identify, specify, define, or configure a caching policy. In some embodiments, the policy engine 236 also accesses memory to support data structures, such as lookup tables or hash tables, to enable user-selected cache policy decisions. In other embodiments, policy engine 236 may include any logic, rules, functions, or operations to determine and provide access, control, and management of objects, data, or content cached by appliance 200, in addition to access, control, and management of security, network traffic, network access, compression, or any other function or operation performed by appliance 200. Other embodiments of particular cache policies are described further herein.
The encryption engine 234 comprises any logic, business rules, functions, or operations for controlling any security-related protocol processes, such as SSL or TLS, or any functions related thereto. For example, the encryption engine 234 encrypts and decrypts network packets, or any portion thereof, communicated through the appliance 200. The encryption engine 234 may also install or establish SSL or TLS connections on behalf of the clients 102a-102n, servers 106a-106n, or the appliance 200. Likewise, the encryption engine 234 provides offloading and acceleration of SSL processing. In one embodiment, the encryption engine 234 uses a tunneling protocol to provide a virtual private network between the clients 102a-102n and the servers 106a-106 n. In some embodiments, the encryption engine 234 is in communication with an encryption processor 260. In other embodiments, the encryption engine 234 comprises executable instructions running on the encryption processor 260.
The multi-protocol compression engine 238 comprises any logic, business rules, functions, or operations for compressing one or more network packet protocols (e.g., any protocols used by the network stack 267 of the appliance 200). In one embodiment, multi-protocol compression engine 238 bi-directionally compresses any TCP/IP based protocol between clients 102a-102n and servers 106a-106n, including Messaging Application Programming Interface (MAPI) (electronic mail), File Transfer Protocol (FTP), HyperText Transfer Protocol (HTTP), Common Internet File System (CIFS) protocol (file transfer), Independent Computing Architecture (ICA) protocol, Remote Desktop Protocol (RDP), Wireless Application Protocol (WAP), Mobile IP protocol, and Voice over IP (VoIP) protocol. In other embodiments, the multi-protocol compression engine 238 provides compression of HyperText Markup Language (HTML) based protocols, and in some embodiments, compression of any markup language, such as the Extensible Markup Language (XML). In one embodiment, the multi-protocol compression engine 238 provides compression of any high performance protocol, such as any protocol designed for appliance-to-appliance communications. In another embodiment, the multi-protocol compression engine 238 compresses any communication or any payload thereof using a modified transmission control protocol (e.g., Transactional TCP (T/TCP), TCP with selective acknowledgement (TCP-SACK), TCP with large windows (TCP-LW), a congestion prediction protocol such as the TCP-Vegas protocol, or a TCP spoofing protocol).
Likewise, the multi-protocol compression engine 238 accelerates the performance of applications accessed by users through desktop clients, e.g., Microsoft Outlook and non-web thin clients, such as any client launched by general purpose enterprise applications like Oracle, SAP, and Siebel, and even mobile clients (e.g., portable personal computers). In some embodiments, the multi-protocol compression engine 238, by executing within the kernel mode 204 and integrating with the packet processing engine 240 accessing the network stack 267, may compress any protocol carried by the TCP/IP protocol, such as any application layer protocol.
The high speed layer 2-7 integrated packet engine 240, also commonly referred to as a packet processing engine, or packet engine, is responsible for managing the kernel-level processing of packets received and transmitted by the appliance 200 through the network port 266. The high speed layer 2-7 integrated packet engine 240 may include a buffer for queuing one or more network packets during processing, e.g., for receipt of a network packet or transmission of a network packet. In addition, the high speed layer 2-7 integrated packet engine 240 communicates with one or more network stacks 267 through network ports 266 to send and receive network packets. The high-speed layer 2-7 integrated packet engine 240 works in conjunction with the encryption engine 234, cache manager 232, policy engine 236, and multi-protocol compression logic 238. More specifically, encryption engine 234 is configured to perform SSL processing of packets, policy engine 236 is configured to perform functions related to traffic management, such as request-level content switching and request-level cache redirection, and multi-protocol compression logic 238 is configured to perform functions related to data compression and decompression.
The high speed layer 2-7 integrated packet engine 240 includes a packet processing timer 242. In one embodiment, the packet processing timer 242 provides one or more time intervals to trigger the processing of incoming (i.e., received) or outgoing (i.e., transmitted) network packets. In some embodiments, the high speed layer 2-7 integrated packet engine 240 processes network packets in response to the timer 242. The packet processing timer 242 provides any type and form of signal to the packet engine 240 to notify, trigger, or communicate a time-related event, interval, or occurrence. In many embodiments, the packet processing timer 242 operates in the order of milliseconds, such as 100ms, 50ms, or 25ms. For example, in some embodiments, the packet processing timer 242 provides a time interval or otherwise causes the high speed layer 2-7 integrated packet engine 240 to process network packets at 10ms intervals, while in other embodiments at 5ms intervals, and in further embodiments at intervals as short as 3, 2, or 1ms. The high-speed layer 2-7 integrated packet engine 240 may be interfaced, integrated, or in communication with the encryption engine 234, the cache manager 232, the policy engine 236, and the multi-protocol compression engine 238 during operation. Likewise, any logic, functions, or operations of the encryption engine 234, cache manager 232, policy engine 236, and multi-protocol compression engine 238 may be performed in response to the packet processing timer 242 and/or the packet engine 240. Thus, any logic, functions, or operations of the encryption engine 234, cache manager 232, policy engine 236, and multi-protocol compression engine 238 may be performed at the granularity of a time interval provided by the packet processing timer 242 (e.g., a time interval less than or equal to 10ms).
For example, in one embodiment, the cache manager 232 may perform invalidation of any cached objects in response to the high speed layer 2-7 integrated packet engine 240 and/or the packet processing timer 242. In another embodiment, the expiration or invalidation time of the cached objects is set to the same level of granularity as the time interval of the packet processing timer 242, e.g., every 10 ms.
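The timer-driven invalidation just described, as an added example that is not part of the patent: a small Python cache manager whose expirations are purged only when a simulated packet processing timer fires, so an object's effective lifetime is rounded up to the timer interval (10ms here, one of the intervals the text mentions). The class and method names are assumptions.

```python
"""Added example, not from the patent: a cache manager serviced by a simulated
packet processing timer, so invalidation happens only at timer ticks and an
object's effective lifetime rounds up to the timer interval. Names are assumed."""
from dataclasses import dataclass, field
from typing import Dict, Optional


@dataclass
class CachedObject:
    value: bytes
    expires_at_ms: int  # absolute simulated time, aligned to a timer tick


@dataclass
class PacketTimerCache:
    interval_ms: int = 10      # one of the intervals the text mentions
    now_ms: int = 0            # simulated clock, advanced only by tick()
    objects: Dict[str, CachedObject] = field(default_factory=dict)
    invalidated: int = 0       # objects removed by expiry or by command

    def store(self, key: str, value: bytes, ttl_ms: int) -> int:
        """Store value; the expiry is rounded up to the next timer tick because
        invalidation only runs when the timer fires. Returns the expiry time."""
        raw_expiry = self.now_ms + ttl_ms
        ticks = -(-raw_expiry // self.interval_ms)   # ceiling division
        expires_at = ticks * self.interval_ms
        self.objects[key] = CachedObject(value, expires_at)
        return expires_at

    def get(self, key: str) -> Optional[bytes]:
        """Serve the cached copy; the expiry check guards against serving an
        object whose expiry has passed but whose tick has not yet run."""
        obj = self.objects.get(key)
        if obj is None or obj.expires_at_ms <= self.now_ms:
            return None
        return obj.value

    def invalidate(self, key: str) -> bool:
        """Explicit invalidation command, e.g. from a client or origin server."""
        if key in self.objects:
            del self.objects[key]
            self.invalidated += 1
            return True
        return False

    def tick(self) -> int:
        """Packet processing timer callback: advance the clock by one interval
        and purge every object whose expiry has arrived. Returns the count."""
        self.now_ms += self.interval_ms
        expired = [k for k, o in self.objects.items()
                   if o.expires_at_ms <= self.now_ms]
        for key in expired:
            del self.objects[key]
        self.invalidated += len(expired)
        return len(expired)
```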
Unlike kernel space 204, user space 202 is the memory area or portion of the operating system that is used by user mode applications or programs that otherwise run in user mode. User mode applications cannot directly access kernel space 204 and use service calls in order to access kernel services. As shown in FIG. 2A, the user space 202 of the appliance 200 includes a Graphical User Interface (GUI) 210, a Command Line Interface (CLI) 212, a shell service 214, a health monitor 216, and a daemon service 218. GUI 210 and CLI 212 provide a means by which a system administrator or other user can interact with and control the operation of appliance 200, such as through the operating system of appliance 200, in either user space 202 or kernel space 204. The GUI 210 may be any type and form of graphical user interface and may be presented through text, graphics, or any other type of program or application, such as a browser. CLI 212 may be any type and form of command line or text-based interface, such as a command line provided by an operating system. For example, the CLI 212 may include a shell, which is a tool that enables a user to interact with an operating system. In some embodiments, the CLI 212 may be provided by a bash, csh, tcsh, or ksh type of shell. Shell services 214 include programs, services, tasks, processes, or executable instructions to support interaction with the operating system or device 200 by a user through GUI 210 and/or CLI 212.
Health monitoring program 216 is used to monitor, check, report and ensure that the network system is functioning properly and that the user is receiving requested content over the network. The health monitoring program 216 includes one or more programs, services, tasks, processes, or executable instructions that provide logic, rules, functions, or operations for monitoring any behavior of the device 200. In some embodiments, the health monitor 216 intercepts and inspects any network traffic passing through the appliance 200. In other embodiments, the health monitor 216 interfaces with one or more of the following devices by any suitable method and/or mechanism: encryption engine 234, cache manager 232, policy engine 236, multi-protocol compression logic 238, packet engine 240, daemon services 218, and shell services 214. Likewise, health monitor 216 may invoke any Application Programming Interface (API) to determine the status, condition, or health of any portion of device 200. For example, the health monitor 216 may periodically ping or send status queries to check whether a program, process, service, or task is activated and currently running. In another example, the health monitoring program 216 may examine any status, error, or history log provided by any program, process, service, or task to determine any condition, status, or error of any portion of the appliance 200.
The daemon services 218 are programs that run continuously or in the background and process periodic service requests received by the appliance 200. In some embodiments, the daemon service forwards the request to another program or process, such as to another daemon service 218 as appropriate. As is well known to those skilled in the art, the daemon service 218 may operate unattended to perform continuous or periodic system wide functions, such as network control, or to perform any desired task. In some embodiments, one or more daemon services 218 run in the user space 202, while in other embodiments, one or more daemon services 218 run in the kernel space.
Referring now to FIG. 2B, a block diagram depicts another embodiment of the device 200. In general, the device 200 provides one or more of the following services, functionalities or operations: SSL VPN connectivity 280 for communication between one or more clients 102 and one or more servers 106, translation/load balancing 284, domain name service resolution 286, acceleration 288, and application firewall 290. In one embodiment, the appliance 200 includes any of the network devices manufactured by Citrix Systems, Inc. of Ft. Lauderdale, Florida, referred to as Citrix NetScaler devices. Each of the servers 106 may provide one or more network-related services 270a-270n (referred to as services 270). For example, the server 106 may provide an http service 270. The appliance 200 includes one or more virtual servers or virtual internet protocol servers, referred to as vServers, VIP servers, or just VIPs 275a-275n (also referred to herein as vServers 275). The vServer 275 receives, intercepts, or otherwise processes communications between the client 102 and the server 106 in accordance with the configuration and operation of the appliance 200.
The vServer 275 may comprise software, hardware, or any combination of software and hardware. The vServer 275 comprises any type and form of program, service, task, process, or executable instructions that operate in any combination of user mode 202, kernel mode 204, or the appliance 200. The vServer 275 includes any logic, function, rule, or operation to perform any embodiment of the techniques described herein, such as SSL VPN 280, translation/load balancing 284, domain name service resolution 286, acceleration 288, and application firewall 290. In some embodiments, the vServer 275 establishes a connection to the service 270 of the server 106. The service 270 may comprise any program, application, process, task, or set of executable instructions capable of connecting to and communicating with the appliance 200, client 102, or vServer 275. For example, the service 270 may include a web server, an HTTP server, an FTP server, an email server, or a database server. In some embodiments, the service 270 is a daemon process or network driver that listens for, receives, and/or sends communications for an application, such as an email, a database, or an enterprise application. In some embodiments, the service 270 may communicate on a particular IP address, or IP address and port.
In some embodiments, the vServer 275 applies one or more policies of the policy engine 236 to network communications between the client 102 and the server 106. In one embodiment, the policy is associated with the vServer 275. In another embodiment, the policy is based on a user or group of users. In yet another embodiment, policies are generic and apply to one or more vServers 275a-275n and any users or groups of users communicating through the appliance 200. In some embodiments, a policy of the policy engine has conditions for applying the policy based on any content of the communication, such as an internet protocol address, a port, a protocol type, a header or field in a packet, or on a context of the communication, such as a user, a group of users, a vServer 275, a transport layer connection, and/or an identification or attribute of the client 102 or server 106.
In other embodiments, the appliance 200 communicates or interfaces with the policy engine 236 to determine the authentication and/or authorization of a remote user or remote client 102 to access the computing environment 15, applications, and/or data files from the server 106. In another embodiment, the appliance 200 communicates or interfaces with the policy engine 236 to determine the authentication and/or authorization of a remote user or remote client 102 to cause the application delivery system 190 to deliver one or more computing environments 15, applications, and/or data files. In yet another embodiment, the appliance 200 establishes a VPN or SSL VPN connection based on the policy engine 236 verifying and/or authorizing the remote user or remote client 102. In one embodiment, the appliance 200 controls the flow of network traffic and communication sessions based on policies of the policy engine 236. For example, the appliance 200 may control access to the computing environment 15, applications, or data files based on the policy engine 236.
In some embodiments, the vServer 275 establishes a transport layer connection, such as a TCP or UDP connection, with the client 102 via the client agent 120. In one embodiment, the vServer 275 listens for and receives communications from the client 102. In other embodiments, the vServer 275 establishes a transport layer connection, such as a TCP or UDP connection, with the server 106. In one embodiment, the vServer 275 establishes a transport layer connection to the internet protocol address and port of a service 270 running on the server 106. In another embodiment, the vServer 275 associates a first transport layer connection to the client 102 with a second transport layer connection to the server 106. In some embodiments, the vServer 275 establishes a pool of transport layer connections to the servers 106 and multiplexes client requests via the pooled transport layer connections.
In some embodiments, the appliance 200 provides an SSL VPN connection 280 between the client 102 and the server 106. For example, a client 102 on a first network 104 requests to establish a connection to a server 106 on a second network 104'. In some embodiments, the second network 104' is not routable from the first network 104. In other embodiments, the client 102 is on a public network 104 and the server 106 is on a private network 104', such as an enterprise network. In one embodiment, the client agent 120 intercepts communications of the client 102 on the first network 104, encrypts the communications, and transmits them to the appliance 200 via a first transport layer connection. The appliance 200 associates the first transport layer connection on the first network 104 with a second transport layer connection to the server 106 on the second network 104'. The appliance 200 receives the intercepted communication from the client agent 120, decrypts the communication, and transmits it to the server 106 on the second network 104' via the second transport layer connection. The second transport layer connection may be a pooled transport layer connection. As such, the appliance 200 provides an end-to-end secure transport layer connection for the client 102 between the two networks 104, 104'.
In one embodiment, the appliance 200 hosts an intranet internet protocol address, or intranet IP 282, of the client 102 on the virtual private network 104'. The client 102 has a local network identifier, such as an Internet Protocol (IP) address and/or host name, on the first network 104. When connected to the second network 104' via the appliance 200, the appliance 200 establishes, assigns, or otherwise provides an intranet IP 282, which is a network identifier, such as an IP address and/or host name, for the client 102 on the second network 104'. The appliance 200 listens on the second or private network 104' for, and receives, any communications directed to the client 102 using the client's established intranet IP 282. In one embodiment, the appliance 200 acts as, or on behalf of, the client 102 on the second private network 104'. For example, in another embodiment, the vServer 275 listens for and responds to communications to the intranet IP 282 of the client 102. In some embodiments, if a computing device 100 on the second network 104' transmits a request, the appliance 200 processes the request as if it were the client 102. For example, the appliance 200 may respond to a ping to the client's intranet IP 282. In another embodiment, the appliance 200 may establish a connection, such as a TCP or UDP connection, with a computing device 100 on the second network 104' requesting a connection with the client's intranet IP 282.
In some embodiments, the appliance 200 provides one or more of the following acceleration techniques 288 to communications between the client 102 and the server 106: 1) compression; 2) decompression; 3) transmission control protocol pooling; 4) transmission control protocol multiplexing; 5) transmission control protocol buffering; and 6) caching. In one embodiment, the appliance 200 relieves the servers 106 of much of the processing load caused by repeatedly opening and closing transport layer connections to clients 102 by opening one or more transport layer connections with each server 106 and maintaining these connections to allow repeated data accesses by clients via the Internet. This technique is referred to herein as "connection pooling".
In some embodiments, to seamlessly splice communications from the client 102 to the server 106 via a pooled transport layer connection, the appliance 200 translates or multiplexes the communications by modifying the sequence numbers and acknowledgement numbers at the transport layer protocol level. This is referred to as "connection multiplexing". In some embodiments, no application layer protocol interaction is required. For example, in the case of an inbound packet (i.e., a packet received from the client 102), the source network address of the packet is changed to that of an output port of the appliance 200, and the destination network address is changed to that of the intended server. In the case of an outbound packet (i.e., a packet received from the server 106), the source network address is changed from that of the server 106 to that of an output port of the appliance 200, and the destination address is changed from that of the appliance 200 to that of the requesting client 102. The sequence numbers and acknowledgement numbers of the packet are also translated to the sequence numbers and acknowledgements expected by the client 102 on the transport layer connection between the appliance 200 and the client 102. Because the transport layer checksum covers the addresses, ports, sequence numbers, and acknowledgement numbers, in some embodiments the checksum of the transport layer protocol is recalculated to account for these translations.
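The address, sequence-number and checksum rewriting just described can be shown on a packet. The following Python is an added example written for this page, not code from the patent or from Citrix: it builds a constructed IPv4/TCP packet, splices it from a client-side connection onto a pooled server-side connection by rewriting addresses, ports, sequence and acknowledgement numbers, and recomputes both the IPv4 header checksum and the TCP checksum (whose pseudo-header includes the rewritten addresses). The addresses, ports, the `seq_delta`/`ack_delta` offsets and the `Splice` class are assumptions for the example; a real appliance would also have to handle TCP options, fragmentation, and the other client connections sharing the same pooled server connection.

```python
"""Connection multiplexing: splice a client TCP connection onto a pooled server
connection by rewriting addresses, ports, seq/ack numbers and checksums.
Added example (not Citrix code). Packets are hand-built IPv4 + TCP with no options."""
import socket
import struct

MASK32 = 0xFFFFFFFF


def _fold(total: int) -> int:
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return total


def inet_checksum(data: bytes) -> int:
    """RFC 1071 one's-complement checksum over 16-bit words (0 if data already carries a valid checksum)."""
    if len(data) % 2:
        data += b"\x00"
    words = struct.unpack("!%dH" % (len(data) // 2), data)
    return (~_fold(sum(words))) & 0xFFFF


def _pseudo_header(src_ip: bytes, dst_ip: bytes, tcp_len: int) -> bytes:
    # TCP pseudo-header: addresses, zero, protocol 6, TCP length
    return src_ip + dst_ip + struct.pack("!BBH", 0, 6, tcp_len)


def build_packet(src, dst, seq, ack, payload=b"", flags=0x18):
    """Constructed sample IPv4 + TCP packet (20-byte headers) with valid checksums."""
    (src_ip, sport), (dst_ip, dport) = src, dst
    sip, dip = socket.inet_aton(src_ip), socket.inet_aton(dst_ip)
    tcp_len = 20 + len(payload)
    ip = bytearray(struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + tcp_len, 0x1234, 0x4000, 64, 6, 0, sip, dip))
    struct.pack_into("!H", ip, 10, inet_checksum(bytes(ip)))
    tcp = bytearray(struct.pack("!HHIIBBHHH", sport, dport, seq, ack, 5 << 4, flags, 65535, 0, 0))
    struct.pack_into("!H", tcp, 16, inet_checksum(_pseudo_header(sip, dip, tcp_len) + bytes(tcp) + payload))
    return bytes(ip) + bytes(tcp) + payload


def checksums_valid(pkt: bytes) -> bool:
    """Both header checksums verify: summing a header together with its own checksum folds to zero."""
    ip, tcp_seg = pkt[:20], pkt[20:]
    return inet_checksum(ip) == 0 and inet_checksum(_pseudo_header(ip[12:16], ip[16:20], len(tcp_seg)) + tcp_seg) == 0


def parse(pkt: bytes) -> dict:
    sport, dport, seq, ack = struct.unpack_from("!HHII", pkt, 20)
    return {"src": (socket.inet_ntoa(pkt[12:16]), sport), "dst": (socket.inet_ntoa(pkt[16:20]), dport),
            "seq": seq, "ack": ack}


class Splice:
    """One client connection mapped onto one pooled server connection (example assumption).

    seq_delta: added to client sequence numbers to land in the appliance's sequence space on the
    pooled connection. ack_delta: added to client acknowledgement numbers to land in the server's
    sequence space. Outbound packets apply the inverse mapping. Arithmetic is modulo 2^32."""

    def __init__(self, client, appliance_vip, appliance_out, server, seq_delta, ack_delta):
        self.client, self.vip, self.out, self.server = client, appliance_vip, appliance_out, server
        self.seq_delta, self.ack_delta = seq_delta & MASK32, ack_delta & MASK32

    def translate(self, pkt: bytes, inbound: bool) -> bytes:
        ip, tcp, payload = bytearray(pkt[:20]), bytearray(pkt[20:40]), pkt[40:]
        seq, ack = struct.unpack_from("!II", tcp, 4)
        if inbound:   # client -> server: rewrite onto the pooled connection
            (src_ip, sport), (dst_ip, dport) = self.out, self.server
            seq, ack = (seq + self.seq_delta) & MASK32, (ack + self.ack_delta) & MASK32
        else:         # server -> client: undo the mapping so the client sees its own numbering
            (src_ip, sport), (dst_ip, dport) = self.vip, self.client
            seq, ack = (seq - self.ack_delta) & MASK32, (ack - self.seq_delta) & MASK32
        sip, dip = socket.inet_aton(src_ip), socket.inet_aton(dst_ip)
        ip[12:16], ip[16:20] = sip, dip
        struct.pack_into("!H", ip, 10, 0)                       # zero, then recompute IPv4 checksum
        struct.pack_into("!H", ip, 10, inet_checksum(bytes(ip)))
        struct.pack_into("!HHII", tcp, 0, sport, dport, seq, ack)
        struct.pack_into("!H", tcp, 16, 0)                      # zero, then recompute TCP checksum
        struct.pack_into("!H", tcp, 16, inet_checksum(_pseudo_header(sip, dip, 20 + len(payload)) + bytes(tcp) + payload))
        return bytes(ip) + bytes(tcp) + payload


if __name__ == "__main__":
    # Constructed addresses: client on a public network, appliance VIP, appliance output port, pooled server.
    splice = Splice(("203.0.113.10", 51000), ("198.51.100.1", 443), ("10.0.0.1", 40000), ("10.0.0.20", 80),
                    seq_delta=900000, ack_delta=100)
    req = build_packet(("203.0.113.10", 51000), ("198.51.100.1", 443), 1000, 5000, b"GET / HTTP/1.1\r\n\r\n")
    print(parse(splice.translate(req, inbound=True)))
```

Run as a script to see the inbound rewrite; the verifier's checks compare both directions against the expected addresses, numbers and checksum validity.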
In another embodiment, the appliance 200 provides switching or load balancing functionality 284 for communications between the client 102 and the server 106. In some embodiments, the appliance 200 distributes traffic and directs client requests to a server 106 based on layer 4 or application layer request data. In one embodiment, although the network layer or layer 2 of the network packet identifies a destination server 106, the appliance 200 determines the server 106 to which to distribute the network packet using application information and data carried in the payload of the transport layer packet. In one embodiment, the health monitoring programs 216 of the appliance 200 monitor the health of the servers to determine the server 106 to which a client request should be distributed. In some embodiments, if the appliance 200 detects that a server 106 is unavailable or has a load exceeding a predetermined threshold, the appliance 200 may direct or distribute the client request to another server 106.
In some embodiments, the appliance 200 acts as a Domain Name Service (DNS) resolver or otherwise provides resolution of DNS requests from the client 102. In some embodiments, the appliance 200 intercepts a DNS request transmitted by the client 102. In one embodiment, the appliance 200 responds to the client's DNS request with an IP address hosted by or for the appliance 200. In this embodiment, the client 102 transmits network communications for the domain name to the appliance 200. In another embodiment, the appliance 200 responds to the client's DNS request with an IP address hosted by or for a second appliance 200'. In some embodiments, the appliance 200 responds to the client's DNS request with the IP address of a server 106 determined by the appliance 200.
In yet another embodiment, the appliance 200 provides application firewall functionality 290 for communications between the client 102 and the server 106. In one embodiment, the policy engine 236 provides rules for detecting and blocking illegitimate requests. In some embodiments, the application firewall 290 protects against denial of service (DoS) attacks. In other embodiments, the appliance 200 inspects the content of intercepted requests to identify and block application-based attacks. In some embodiments, the rules/policy engine 236 comprises one or more application firewall or security control policies for providing protection against different classes or types of web or Internet based vulnerabilities, such as one or more of the following: 1) buffer overflow, 2) CGI-BIN parameter manipulation, 3) form/hidden field manipulation, 4) forceful browsing, 5) cookie or session poisoning, 6) broken access control list (ACL) or weak passwords, 7) cross-site scripting (XSS), 8) command injection, 9) SQL injection, 10) error triggering sensitive information leak, 11) insecure use of cryptography, 12) server misconfiguration, 13) back doors and debug options, 14) web site defacement, 15) platform or operating system vulnerabilities, and 16) zero-day exploits. In one embodiment, the application firewall 290 provides HTML form field protection by inspecting or analyzing network traffic for one or more of the following: 1) required fields are returned, 2) no added fields are allowed, 3) read-only and hidden field enforcement, 4) drop-down list and radio button field conformance, and 5) form-field maximum-length enforcement. In some embodiments, the application firewall 290 ensures that cookies are not modified. In other embodiments, the application firewall 290 protects against forceful browsing by enforcing legal URLs.
In still other embodiments, the application firewall 290 protects any confidential information contained in the network communication. The application firewall 290 may inspect or analyze any network communication in accordance with the rules or policies of the engine 236 to identify any confidential information in any field of the network packet. In some embodiments, the application firewall 290 identifies in the network communication one or more occurrences of a credit card number, password, social security number, name, patient code, contact information, or age. These or other confidential information may also be present in an encoded portion of the network communication. Based on these occurrences, in one embodiment, the application firewall 290 may take a policy action on the network communication, such as preventing transmission of the network communication. In another embodiment, the application firewall 290 may rewrite, remove, or otherwise mask the identified occurrence or confidential information.
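Two of the checks above can be made concrete: cookie integrity (the appliance signs cookies it forwards and refuses any that come back modified) and masking of confidential information such as credit card numbers in a response body. The Python below is an added example for this page, not code from the patent or from Citrix. HMAC-SHA256 for cookie signing, and a regular expression plus Luhn check for card numbers, are this example's choices of technique, which the patent does not specify; the key and the sample strings are constructed.

```python
"""Application-firewall checks: cookie tamper detection and confidential-data masking.
Added example (not Citrix code); techniques chosen for the example, not prescribed by the patent."""
import hashlib
import hmac
import re


def sign_cookie(value: str, key: bytes) -> str:
    """Appliance side: append an HMAC so any later modification by the client is detectable."""
    mac = hmac.new(key, value.encode(), hashlib.sha256).hexdigest()
    return f"{value}.{mac}"


def verify_cookie(signed: str, key: bytes):
    """Return the original cookie value if the MAC verifies, else None (policy: drop the request)."""
    value, sep, mac = signed.rpartition(".")
    if not sep:
        return None
    expected = hmac.new(key, value.encode(), hashlib.sha256).hexdigest()
    return value if hmac.compare_digest(mac, expected) else None


# 13-19 digits, optionally separated by single spaces or hyphens, not embedded in a longer digit run.
_PAN_RE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")


def luhn_ok(digits: str) -> bool:
    """Luhn check digit test; filters out most digit runs that merely look like card numbers."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def mask_pans(body: str):
    """Mask every Luhn-valid card number in body, keeping the last four digits. Returns (text, hits)."""
    hits = 0

    def repl(m):
        nonlocal hits
        digits = re.sub(r"[ -]", "", m.group(0))
        if luhn_ok(digits):
            hits += 1
            return "*" * (len(digits) - 4) + digits[-4:]
        return m.group(0)

    return _PAN_RE.sub(repl, body), hits


def inspect_body(body: str, action: str = "mask"):
    """Apply the configured policy action: 'block' refuses the whole response, 'mask' rewrites it."""
    masked, hits = mask_pans(body)
    if hits and action == "block":
        return None, hits
    return masked, hits


if __name__ == "__main__":
    key = b"constructed-example-key"          # constructed; a real appliance uses a managed secret
    c = sign_cookie("sessid=abc", key)
    print(verify_cookie(c, key), verify_cookie(c[:-1] + "0", key))
    print(inspect_body("card 4111 1111 1111 1111 ref 1234567812345678"))
```

The reference number in the sample is 16 digits long but fails the Luhn test, so it is left untouched while the card number is masked; that is the kind of false positive a field-by-field policy has to avoid.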
C. Client agent
Turning now to FIG. 3, an embodiment of the client agent 120 is described. The client 102 includes a client agent 120 for establishing and exchanging communications with the appliance 200 and/or the server 106 via the network 104. In general, the client 102 operates on a computing device 100 having an operating system with a kernel mode 302 and a user mode 303, and a network stack 310 with one or more layers 310a-310b. The client 102 may have one or more applications installed and/or executing. In some embodiments, one or more applications communicate with the network 104 via the network stack 310. One of the applications, such as a web browser, may also include a first program 322. For example, the first program 322 may be used in some embodiments to install and/or execute the client agent 120, or any portion thereof. The client agent 120 includes an interception mechanism, or interceptor 350, for intercepting network communications from one or more applications via the network stack 310.
The network stack 310 of the client 102 may comprise any type and form of software, or hardware, or combination thereof, for providing connectivity to and communications with a network. In one embodiment, the network stack 310 comprises a software implementation of a network protocol suite. The network stack 310 may comprise one or more network layers, such as any network layer of the Open Systems Interconnection (OSI) communications model as recognized and understood by those skilled in the art. As such, the network stack 310 may comprise any type and form of protocol for any of the following layers of the OSI model: 1) physical layer, 2) data link layer, 3) network layer, 4) transport layer, 5) session layer, 6) presentation layer, and 7) application layer. In one embodiment, the network stack 310 may comprise the Transmission Control Protocol (TCP) over the network layer protocol of the Internet Protocol (IP), generally referred to as TCP/IP. In some embodiments, the TCP/IP protocol may be carried over an Ethernet protocol, which may comprise any of the family of IEEE wide area network (WAN) or local area network (LAN) protocols, such as those covered by IEEE 802.3. In some embodiments, the network stack 310 comprises any type and form of wireless protocol, such as IEEE 802.11 and/or mobile Internet protocol.
In view of a TCP/IP based network, any TCP/IP based protocol may be used, including Messaging Application Programming Interface (MAPI) (email), File Transfer Protocol (FTP), HyperText Transfer Protocol (HTTP), Common Internet File System (CIFS) protocol (file transfer), Independent Computing Architecture (ICA) protocol, Remote Desktop Protocol (RDP), Wireless Application Protocol (WAP), Mobile IP protocol, and Voice over IP (VoIP) protocol. In another embodiment, the network stack 310 comprises any type and form of transport control protocol, such as a modified transport control protocol, for example Transactional TCP (T/TCP), TCP with selective acknowledgements (TCP-SACK), TCP with large windows (TCP-LW), a congestion prediction protocol such as TCP-Vegas, or a TCP spoofing protocol. In other embodiments, any type and form of User Datagram Protocol (UDP), such as UDP over IP, may be used by the network stack 310, such as for voice communications or real-time data communications.
Furthermore, the network stack 310 may comprise one or more network drivers supporting one or more layers, such as a TCP driver or a network layer driver. The network drivers may be included as part of the operating system of the computing device 100 or as part of any network interface card or other network access component of the computing device 100. In some embodiments, any network driver of the network stack 310 may be customized, modified, or adapted to provide a custom or modified portion of the network stack 310 in support of any of the techniques described herein. In other embodiments, the client agent 120 is designed and constructed to operate with or work in conjunction with the network stack 310 installed or otherwise provided by the operating system of the client 102.
The network stack 310 comprises any type and form of interface for receiving, obtaining, providing, or otherwise accessing any information and data related to network communications of the client 102. In one embodiment, the interface to the network stack 310 comprises an Application Programming Interface (API). The interface may also comprise any function call, hooking or filtering mechanism, event or callback mechanism, or any type of interfacing technique. The network stack 310 via the interface may receive or provide any type and form of data structure, such as an object, related to the functionality or operation of the network stack 310. For example, the data structure may comprise information and data related to a network packet or one or more network packets. In some embodiments, the data structure comprises a portion of a network packet processed at a protocol layer of the network stack 310, such as a network packet of the transport layer. In some embodiments, the data structure 325 comprises a kernel-level data structure, while in other embodiments the data structure 325 comprises a user-mode data structure. A kernel-level data structure may comprise a data structure obtained or related to a portion of the network stack 310 operating in kernel mode 302, or a network driver or other software running in kernel mode 302, or any data structure obtained or received by a service, process, task, thread, or other executable instructions running or operating in kernel mode of the operating system.
Additionally, some portions of the network stack 310 may execute or operate in kernel mode 302, for example the data link or network layer, while other portions execute or operate in user mode 303, such as the application layer of the network stack 310. For example, a first portion 310a of the network stack may provide user-mode access to the network stack 310 to an application, while a second portion 310b of the network stack 310 provides access to the network. In some embodiments, the first portion 310a of the network stack comprises one or more upper layers of the network stack 310, such as any of layers 5-7. In other embodiments, the second portion 310b of the network stack 310 comprises one or more lower layers, such as any of layers 1-4. Each of the first portion 310a and second portion 310b of the network stack 310 may comprise any portion of the network stack 310, at any one or more network layers, in user mode 303, kernel mode 302, or combinations thereof, or at any portion of a network layer or interface point to a network layer, or any portion of or interface point to user mode 303 and kernel mode 302.
The interceptor 350 may comprise software, hardware, or any combination of software and hardware. In one embodiment, the interceptor 350 intercepts a network communication at any point in the network stack 310 and redirects or transmits the network communication to a destination desired, managed, or controlled by the interceptor 350 or client agent 120. For example, the interceptor 350 may intercept a network communication of a network stack 310 of a first network and transmit the network communication to the appliance 200 for transmission on a second network 104'. In some embodiments, the interceptor 350 comprises any type of driver, such as a network driver constructed and designed to interface and work with the network stack 310. In some embodiments, the client agent 120 and/or interceptor 350 operate at one or more layers of the network stack 310, such as at the transport layer. In one embodiment, the interceptor 350 comprises a filter driver, hooking mechanism, or any form and type of suitable network driver interface that interfaces to the transport layer of the network stack, such as via the Transport Driver Interface (TDI). In some embodiments, the interceptor 350 interfaces to a first protocol layer, such as the transport layer, and another protocol layer, such as any layer above the transport protocol layer, for example an application protocol layer. In one embodiment, the interceptor 350 may comprise a driver complying with the Network Driver Interface Specification (NDIS), or an NDIS driver. In another embodiment, the interceptor 350 may comprise a mini-filter or a miniport driver. In one embodiment, the interceptor 350, or a portion thereof, operates in kernel mode 302. In another embodiment, the interceptor 350, or a portion thereof, operates in user mode 303. In some embodiments, a portion of the interceptor 350 operates in kernel mode 302 while another portion of the interceptor 350 operates in user mode 303.
In other embodiments, the client agent 120 operates in user mode 303 but interfaces via the interceptor 350 to a kernel-mode driver, process, service, task, or portion of the operating system, such as to obtain a kernel-level data structure 325. In further embodiments, the interceptor 350 is a user-mode application or program.
In one embodiment, the interceptor 350 intercepts any transport layer connection request. In these embodiments, the interceptor 350 executes transport layer Application Programming Interface (API) calls to set the destination information, such as the destination IP address and/or port, to a desired location for interception. In this manner, the interceptor 350 intercepts and redirects the transport layer connection to an IP address and port controlled or managed by the interceptor 350 or client agent 120. In one embodiment, the interceptor 350 sets the destination information for the connection to a local IP address and port of the client 102 on which the client agent 120 is listening. For example, the client agent 120 may comprise a proxy service listening on a local IP address and port for redirected transport layer communications. In some embodiments, the client agent 120 then communicates the redirected transport layer communication to the appliance 200.
In some embodiments, the interceptor 350 intercepts Domain Name Service (DNS) requests. In one embodiment, the client agent 120 and/or interceptor 350 resolves the DNS request. In another embodiment, the interceptor sends the intercepted DNS request to the appliance 200 for DNS resolution. In one embodiment, the appliance 200 resolves the DNS request and transmits a DNS response to the client agent 120. In some embodiments, the appliance 200 resolves the DNS request via another appliance 200' or the DNS server 106.
In yet another embodiment, the client agent 120 may comprise two agents 120 and 120'. In one embodiment, a first agent 120 comprises an interceptor 350 operating at the network layer of the network stack 310. In some embodiments, the first agent 120 intercepts network layer requests such as Internet Control Message Protocol (ICMP) requests (e.g., ping and traceroute). In other embodiments, the second agent 120' may operate at the transport layer and intercept transport layer communications. In some embodiments, the first agent 120 intercepts communications at one layer of the network stack 310 and interfaces with the second agent 120' or communicates the intercepted communication to the second agent 120'.
The client agent 120 and/or interceptor 350 may operate at or interface with the protocol layers in a manner that is transparent to any other protocol layers of the network stack 310. For example, in one embodiment, the interceptor 350 may operate at or interface with the transport layer of the network stack 310 in a manner that is transparent to any protocol layer below the transport layer, such as the network layer, and any protocol layer above the transport layer, such as the session, presentation, or application layer protocols. This allows other protocol layers of the network stack 310 to operate as desired and need not be modified for the interceptor 350. As such, the client agent 120 and/or interceptor 350 may be connected with the transport layer to secure, optimize, accelerate, route, or load balance any communication provided via any protocol carried by the transport layer, such as any application layer protocol over TCP/IP.
Furthermore, the client agent 120 and/or interceptor 350 may operate at or interface with the network stack 310 in a manner transparent to any application, user of the client 102, and any other computing device, such as a server, in communication with the client 102. The client agent 120 and/or interceptor 350 may be installed and/or executed on the client 102 in a manner that does not require modification of an application. In some embodiments, the user of the client 102 or a computing device in communication with the client 102 is not aware of the existence, execution, or operation of the client agent 120 and/or interceptor 350. As such, in some embodiments, the client agent 120 and/or interceptor 350 is installed, executed, and/or operated transparently to an application, user of the client 102, another computing device such as a server, or any of the protocol layers above and/or below the protocol layer to which the interceptor 350 interfaces.
The client agent 120 includes an acceleration program 302, a streaming client 306, and/or a collection agent 304. In one embodiment, the client agent 120 comprises an Independent Computing Architecture (ICA) client, or any portion thereof, developed by Citrix Systems, Inc. of Fort Lauderdale, Florida, and is also referred to as an ICA client. In some embodiments, the client agent 120 comprises an application streaming client 306 for streaming an application from a server 106 to a client 102. In some embodiments, the client agent 120 comprises an acceleration program 302 for accelerating communications between the client 102 and the server 106. In another embodiment, the client agent 120 includes a collection agent 304 for performing endpoint detection/scanning and collecting endpoint information for the appliance 200 and/or server 106.
In some embodiments, the acceleration program 302 includes a client-side acceleration program to perform one or more acceleration techniques to accelerate, enhance, or otherwise improve client communication with the server 106 and/or access to the server 106, such as to access an application provided by the server 106. The logic, functionality, and/or operations of the executable instructions of the acceleration program 302 may perform one or more of the following acceleration techniques: 1) multiprotocol compression, 2) transport control protocol pooling, 3) transport control protocol multiplexing, 4) transport control protocol buffering, and 5) caching by a cache manager. Additionally, the acceleration program 302 may perform encryption and/or decryption of any communications received and/or transmitted by the client 102. In some embodiments, the acceleration program 302 performs one or more acceleration techniques in an integrated manner or format. Additionally, the acceleration program 302 may perform compression on any protocol or protocols carried by the payload of network packets of the transport layer protocol.
The streaming client 306 includes an application, program, process, service, task, or executable instruction for receiving and executing an application streamed from the server 106. The server 106 may stream one or more application data files to the streaming client 306 for playing, executing, or otherwise causing an application on the client 102 to be executed. In some embodiments, the server 106 sends a set of compressed or packaged application data files to the streaming client 306. In some embodiments, the plurality of application files are compressed and stored in an archive file on a file server, such as a CAB, ZIP, SIT, TAR, JAR, or other archive file. In one embodiment, the server 106 decompresses, unpacks, or un-archives the application file and sends the file to the client 102. In another embodiment, the client 102 decompresses, unpacks, or un-archives the application file. The streaming client 306 dynamically installs the application or portions thereof and executes the application. In one embodiment, the streaming client 306 may be an executable program. In some embodiments, the streaming client 306 may be capable of launching another executable program.
The collection agent 304 includes an application, program, process, service, task, or executable instruction for identifying, obtaining, and/or collecting information about the client 102. In some embodiments, the appliance 200 sends the collection agent 304 to the client 102 or client agent 120. The collection agent 304 may be configured according to one or more policies of the policy engine 236 of the appliance. In other embodiments, the collection agent 304 sends the information collected on the client 102 to the appliance 200. In one embodiment, policy engine 236 of appliance 200 uses the collected information to determine and provide access, authentication, and authorization control for the client's connection to network 104.
In one embodiment, the collection agent 304 comprises an endpoint detection and scanning mechanism that identifies and determines one or more attributes or characteristics of the client. For example, the collection agent 304 may identify and determine any one or more of the following client-side attributes: 1) the operating system and/or a version of the operating system, 2) a service pack of the operating system, 3) running services, 4) running processes, and 5) files. The collection agent 304 may also identify and determine the presence or version of any one or more of the following on the client: 1) antivirus software, 2) personal firewall software, 3) anti-worm software, and 4) internet security software. The policy engine 236 may have one or more policies based on any one or more of these attributes or characteristics of the client or client-side attributes.
In some embodiments, still referring to FIG. 3, the first program 322 may be used to install and/or execute the client agent 120, or a portion thereof such as the interceptor 350, automatically, silently, transparently, or otherwise. In one embodiment, the first program 322 comprises a plug-in component, such as an ActiveX control or Java control or script, that is loaded into and executed by an application. For example, the first program comprises an ActiveX control loaded and run by a web browser application, such as in the memory space or context of the web browser application. In another embodiment, the first program 322 comprises a set of executable instructions loaded into and run by an application, such as a browser. In one embodiment, the first program 322 comprises a program designed and constructed to install the client agent 120. In some embodiments, the first program 322 obtains, downloads, or receives the client agent 120 via the network from another computing device. In another embodiment, the first program 322 is an installer program or a plug-and-play manager for installing programs, such as network drivers, on the operating system of the client 102.
D. Granular and client-side interception
Referring now to FIG. 4, an embodiment of a system for providing granular client-side interception is described. In one embodiment, the system of FIG. 4 provides a finer-grained mechanism for intercepting communications of a client 102 having an SSL VPN connection via the appliance 200 to the network 104'. In brief overview, the appliance 200 includes an application routing table 400. The application routing table (ART) 400 provides network destination descriptions 410 and/or client application identifiers 450. In some embodiments, the application routing table 400 identifies, via the network destination descriptions, the applications or services 270 on servers 106 that the client 102 is authorized to access. In other embodiments, the application routing table 400 identifies, via the client application identifiers 450, the applications running on the client 102 that are authorized to access a server 106 or a service 270 of a server 106. The appliance 200 may transmit the application routing table 400 to the client 102 or client agent 120. The client agent 120 uses the application routing table 400 to decide whether to intercept a network communication of the client and transmit it to the appliance 200, such as via the SSL VPN tunnel to the appliance.
The application routing table 400 comprises any type and form of table, database, object, or data structure for arranging and storing the information described herein. In some embodiments, the application routing table 400 is populated, configured, created, edited, or modified via the command line interface 212 or graphical user interface 210 of the appliance 200. In other embodiments, the application routing table 400 is populated, configured, created, edited, or modified via the client 102, the server 106, or another computing device 100. In one embodiment, the client 102 receives the application routing table 400 from the appliance 200. For example, the client agent 120 receives the application routing table 400 upon establishing a connection with the appliance 200. In another embodiment, the client agent 120 downloads the application routing table 400 from a server, web site, or any other computing device 100 on the network 104. In yet another embodiment, a user creates or modifies the application routing table 400 on the client 102.
In some embodiments, the application routing table 400 includes one or more network destination descriptions 410. The network destination description 410 may include information identifying one or more of the following: destination network identifier 415, destination port 420, protocol 425, source network identifier 430, source port 435, and intranet application name 440. The destination network identifier 415 and the source network identifier 430 may include a host or domain name, and/or an internet protocol address. In some embodiments, the destination network identifier 415 and the source network identifier 430 include a range of internet protocol addresses, a list of internet protocol addresses, and/or a list of domain or host names. The destination port 420 and the source port 435 identify one or more port numbers of a network communication end node. For example, the destination port 420 may identify port 80 for http traffic and http or web servers. In another example, the destination port 420 may identify port 21 for the file transfer protocol (ftp). In some embodiments, the protocol identifier 425 identifies one or more types of protocols by name, number, version, or application. In other embodiments, the protocol identifier 425 identifies the protocol by a layer of the network stack, such as layers 1-7. In one embodiment, the intranet application name 440 identifies a name or identifier of an application associated with the destination network identifier 415 and/or the destination port 420. For example, the intranet application name 440 may identify the name of a corporate application, database, or email system accessed via the destination network identifier 415 and/or the destination port 420.
In one embodiment, the network destination description 410 identifies the location of the application or service 270 on the network 104 by internet protocol layer information or network layer information. For example, the destination network identifier 415 and the destination port 420 may identify a destination address of an application on the network 104. In some embodiments, the network destination description 410 identifies a destination authorized to be accessed via the appliance 200. In another embodiment, the network destination description 410 identifies, by internet protocol layer information or network layer information, the location of a client accessing an application or service 270 of the server 106 via the network 104. For example, the destination network identifier 415 and the destination port 420 may identify a destination location of an application on the network. In some embodiments, the network destination description 410 identifies a client authorized to access the network 104 or the server 106 via the appliance 200. In yet another embodiment, the network destination description identifies the source and destination of the traffic flow between the client 102 and the server 106 through internet protocol or network layer information. In one embodiment, the network destination description 410 identifies the traffic flow between the client 102 and the server 106 that is authorized to pass via the appliance 200.
In some embodiments, the application routing table 400 includes one or more client application identifiers 450. The client application identifier 450 identifies an application operating or installed on the client 102 that is authorized to access the network 104 or the server 106 via the appliance 200. In one embodiment, the client application identifier 450 includes the name of an executable file of the application, such as the name of the application's .exe file. For example, the client application identifier 450 may include the name "explorer.exe", "outlook.exe", or "world.exe". In other embodiments, the client application identifier 450 identifies the image name of a process or executable file. In other embodiments, the client application identifier 450 includes the name of a script. In yet another embodiment, the client application identifier 450 includes the name of a process, task, or service that may be or is operating on the client. In yet another embodiment, the client application identifier 450 includes a process identifier (PID), or a range of PIDs.
In one embodiment, policy engine 236 of appliance 200 includes one or more rules, or any portion thereof, associated with application routing table 400. In some embodiments, the policy engine 236 includes policies for access, authorization, and/or auditing based on the network destination description 410. In other embodiments, the policy engine 236 includes policies for access, authorization, and/or auditing based on the client application identifier 450. In other embodiments, the policy engine 236 includes a session policy and/or a traffic management policy based on the network destination description 410 and/or the client application identifier 450. In yet another embodiment, the client 102 includes a policy engine 236 for applying one or more policies or rules based on the network destination description 410 and/or the client application identifier 450.
In operation, the client agent 120 uses the application routing table 400 to determine which network communications on the network stack 310 to intercept. In one embodiment, the client agent 120 intercepts network communications having information identifying or corresponding to the network destination description 410. For example, the client agent 120 may intercept network packets on the network stack 310 whose destination matches the destination network identifier 415 and/or the destination port 420 of a network destination description 410 of the application routing table 400. In another embodiment, the client agent 120 intercepts network communications on the network stack 310 originating from an application on the client 102 corresponding to the client application identifier 450 of the application routing table 400. In other embodiments, the client agent 120 does not intercept network communications on the network stack 310 that do not correspond to the network destination description 410 or the client application identifier 450.
Referring to fig. 5, an embodiment of a method 500 for the client 102 to intercept network communications of the client 102 at the granularity specified by the application routing table 400 is described. In brief overview of the method 500, at step 505 the client 102 establishes a connection, such as an SSL VPN connection, with the appliance 200. At step 510, the client agent 120 receives the application routing table 400 from the appliance 200. At step 515, the client agent 120 intercepts a request of the client 102. In one embodiment, the client agent 120 identifies the application that originated or generated the request at step 520. At step 525, the client agent 120 determines, based on the application routing table 400, whether to send the intercepted request via the connection with the appliance 200. For example, if the request originates from an application identified by the client application identifier 450, the client agent 120 sends the intercepted request via the connection to the appliance 200. If the client agent 120 determines at step 530 to allow the intercepted request to access the network 104 via the appliance 200, the client agent 120 sends the intercepted request via the connection to the appliance 200. Otherwise the client agent 120 discards the request or allows it to be sent via the network stack 310 of the client 102.
In further detail, at step 505, the client agent 120 establishes a transport layer connection with the appliance 200, such as via the transmission control protocol or the user datagram protocol. In one embodiment, the client agent 120 establishes a tunneling connection with the appliance 200 using any type and form of tunneling protocol. In another embodiment, the client agent 120 establishes a virtual private network connection with the network 104 via the appliance 200. For example, the client agent 120 may establish a virtual private network connection with the appliance 200 to connect the client 102 on the first network 104 to the second network 104'. In some embodiments, the client agent 120 establishes an SSL VPN connection with the appliance 200. In yet another embodiment, the client agent 120 establishes a tunnel or virtual private network connection using the Transport Layer Security (TLS) protocol. In one embodiment, the client agent 120 establishes the tunnel connection using the Common Gateway Protocol (CGP) manufactured by Citrix Systems, Inc. of Ft. Lauderdale, Florida.
At step 510, the client agent 120 obtains or receives the application routing table 400 from the appliance 200, a user of the client 102, or a computing device 100. In one embodiment, the client agent 120 receives the application routing table 400 upon establishing a connection with the appliance 200. For example, the client agent 120 may request the application routing table 400 from the appliance 200. In another embodiment, the appliance 200 sends the application routing table 400 to the client agent 120. For example, if a change occurs to the application routing table 400, the appliance 200 may transmit or push the change to the client agent 120. In some embodiments, the client agent 120 loads or opens the application routing table 400 from memory on the client 102 or from a computing device 100 accessible via the network 104. In yet another embodiment, the client agent 120 downloads the application routing table 400 from a web site, such as via http. In a further embodiment, the client agent 120 transfers the file containing the application routing table 400 via the File Transfer Protocol (FTP). In one embodiment, a user creates or generates an application routing table on the client 102. In another embodiment, the user configures the client agent 120 with the application routing table 400.
At step 515, the client agent 120 intercepts the request of the client 102 on the network stack 310. In one embodiment, the client agent 120 intercepts a request from an application on the client 102 to open a transport layer connection. In another embodiment, the client agent 120 intercepts a request of an application for an established transport layer connection. In some embodiments, the client agent 120 intercepts network packets of the first network 104 destined for the client 102. In another embodiment, the client agent 120 intercepts network packets destined for the second network 104' provided by the VPN connection to the appliance 200. In one embodiment, the client agent 120 intercepts transport layer network packets at an interface of the transport layer of the network stack 310, such as via a Transport Driver Interface (TDI). In other embodiments, the client agent 120 intercepts network packets at layer 4 or the transport layer of the network stack 310 or any layer below, such as the network or IP layer. In still other embodiments, the client agent 120 intercepts network packets at or above layer 4, such as the application layer of the network stack 310.
In some embodiments, the client agent 120 identifies the application that originated or generated the intercepted request at step 520 through any suitable means and/or mechanism. In one embodiment, the client agent 120 determines the identifier of the application via a system level or kernel mode function call. In one embodiment, the client agent 120 determines, via an Application Programming Interface (API), the Process ID (PID) and/or name of the application associated with the connection or context of the intercepted request. In some embodiments, the client agent 120 determines the identifier of the application when the client agent 120 intercepts the connection request of the application via the network stack 310. In other embodiments, the client agent 120 determines the identifier of the application via inspection of the payload of the intercepted request. In one embodiment, the client agent 120 stores an application identifier in memory, such as in a data structure, object, table, file, or database. In another embodiment, the client agent 120 associates an identifier of the application with a transport layer connection of the application, such as a transport layer connection to the appliance 200 established via the client agent 120, and maintains that association.
At step 525, the client agent 120 uses the application routing table 400 to determine which network communications of the client 102 are intercepted and sent via the connection established with the appliance 200. In some embodiments, the client agent 120 intercepts network communications of the client 102 on the first network 104 and transmits them via the appliance 200 to the second network 104' through a transport layer connection or an application layer protocol. By intercepting only those network communications of the client corresponding to the network destination description 410 and/or the client application identifier 450 of the application routing table 400, the client agent 120 provides a more secure mechanism and finer grained control for sending network communications via a tunnel or connection to the second network 104'. In one embodiment, the client agent 120 examines or analyzes the intercepted request to determine one or more of the following: a destination IP address, a destination port, a source IP address, and a source port. In some embodiments, the client agent 120 obtains network layer or IP related information from the network packet of the request.
In one embodiment, the client agent 120 compares the information of the intercepted request to the network destination description 410 of the application routing table 400. If the intercepted request matches the network destination description 410, the client agent 120 sends the intercepted request via a connection to the appliance 200 at step 530. In other embodiments, if the intercepted request does not correspond to the network destination description 410, the client agent 120 does not send the intercepted request via a connection to the appliance 200 at step 535. In some embodiments, the client agent 120 discards the intercepted request. In another embodiment, the client agent 120 does not intercept the request, but rather allows it to pass through via the network stack 310 of the client 102. In some examples, the client 102 sends the request via the client's first network 104, rather than via a connection to the appliance 200.
In one example, the client agent 120 determines an identifier of the application from the intercepted request. In some embodiments, the client agent 120 queries for an application associated with the requested connection or context. In another embodiment, the client agent 120 determines the name and/or PID of the application via a system API call. In some embodiments, the client agent 120 determines the application from an inspection or analysis of the requested network packet. For example, in one embodiment, the client agent 120 uses information of the payload of the network packet to identify the application.
In one embodiment, the client agent 120 compares the information of the intercepted request to the client application identifier 450 of the application routing table 400 at step 525. If the application identified as initiating or transmitting the intercepted request matches the client application identifier 450, the client agent 120 transmits the intercepted request via the connection to the appliance 200 at step 530. In other embodiments, if the intercepted request does not correspond to the client application identifier 450, the client agent 120 does not send the intercepted request via the connection to the appliance 200. In some embodiments, the client agent 120 discards the intercepted request, and in another embodiment, the client agent 120 does not intercept the request, but rather allows it to be transmitted via the network stack 310 of the client 102. In some examples, the client 102 sends the request via the client's first network 104, rather than via the connection to the appliance 200.
In some embodiments, the application routing table 400 identifies network destination descriptions 410 and/or client application identifiers 450 that the client agent 120 should not intercept. Also, in one embodiment, the method 500 described above is used to determine, based on the information in the application routing table 400, which network packets or client requests are not sent via the appliance 200. In another embodiment, the client agent 120 sends any network communication of the client 102 or of an application via the appliance 200 if it does not correspond to a network destination description 410 or a client application identifier 450.
Using the method 500 described above, the client agent 120 intercepts and sends only those network packets of the client 102 that conform to the application specifications, giving fine-grained control. In this manner and in some embodiments, the client agent 120 and appliance 200 provide a more secure network tunneling mechanism for connecting the client 102 to the private network 104'. In one embodiment, the client agent 120 intercepts network packets having particular network layer and routing information and transmits those network packets via a transport layer connection to the appliance 200 based on layer 4 or application layer information.
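As an added example that is not code from the patent or from Citrix, the following Python models the application routing table 400 (network destination descriptions 410 with fields 415-440, client application identifiers 450 by executable name or PID range, and the "do not intercept" entries described above) and the client agent's step 525 decision in method 500. Field names, the verdict names, the use of CIDR blocks for address ranges, and every table entry and request are assumptions constructed for the example.

```python
"""Added example (not code from the patent or from Citrix): a model of the
application routing table (ART) 400 and of the client agent 120 decision in
method 500. Every entry, executable name and request below is constructed."""
from dataclasses import dataclass, field
from enum import Enum
from ipaddress import ip_address, ip_network
from typing import List, Optional, Tuple


class Verdict(Enum):
    TUNNEL = "send via the SSL VPN connection to the appliance"   # step 530
    PASS_THROUGH = "send via the client's own network stack"      # step 535
    DROP = "discard the request"                                  # step 535


@dataclass(frozen=True)
class InterceptedRequest:
    """What the agent learns at steps 515-520: originating process plus IP/transport info."""
    exe_name: str
    pid: int
    protocol: str
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int


@dataclass(frozen=True)
class NetworkDestinationDescription:
    """Fields 415-440 of description 410; None means 'any value'."""
    dst_net: Optional[str] = None      # 415, as a CIDR block (assumption)
    dst_port: Optional[int] = None     # 420
    protocol: Optional[str] = None     # 425, e.g. "tcp" or "udp"
    src_net: Optional[str] = None      # 430, as a CIDR block (assumption)
    src_port: Optional[int] = None     # 435
    app_name: str = ""                 # 440, intranet application name
    intercept: bool = True             # False marks a 'do not intercept' entry

    def matches(self, req: InterceptedRequest) -> bool:
        return all([
            self.dst_net is None or ip_address(req.dst_ip) in ip_network(self.dst_net),
            self.dst_port is None or req.dst_port == self.dst_port,
            self.protocol is None or req.protocol.lower() == self.protocol.lower(),
            self.src_net is None or ip_address(req.src_ip) in ip_network(self.src_net),
            self.src_port is None or req.src_port == self.src_port,
        ])


@dataclass(frozen=True)
class ClientApplicationIdentifier:
    """Identifier 450: an executable (image) name and/or a PID range."""
    exe_name: Optional[str] = None
    pid_range: Optional[Tuple[int, int]] = None
    intercept: bool = True

    def matches(self, req: InterceptedRequest) -> bool:
        if self.exe_name is not None and req.exe_name.lower() != self.exe_name.lower():
            return False
        if self.pid_range is not None and not (self.pid_range[0] <= req.pid <= self.pid_range[1]):
            return False
        return True


@dataclass
class ApplicationRoutingTable:
    destinations: List[NetworkDestinationDescription] = field(default_factory=list)
    applications: List[ClientApplicationIdentifier] = field(default_factory=list)
    tunnel_unmatched: bool = False   # embodiment: send everything else via the appliance
    drop_unmatched: bool = False     # embodiment: discard rather than pass through


def decide(art: ApplicationRoutingTable, req: InterceptedRequest) -> Verdict:
    """Step 525: match the request against the ART and pick the verdict."""
    entries = art.destinations + art.applications
    # An explicit 'do not intercept' entry takes precedence over any positive match,
    # so a carve-out inside a tunnelled range stays on the client's own stack.
    if any(not e.intercept and e.matches(req) for e in entries):
        return Verdict.PASS_THROUGH
    if any(e.intercept and e.matches(req) for e in entries):
        return Verdict.TUNNEL
    if art.tunnel_unmatched:
        return Verdict.TUNNEL
    return Verdict.DROP if art.drop_unmatched else Verdict.PASS_THROUGH


# Constructed sample table: tunnel intranet web and FTP, tunnel everything
# from outlook.exe and from one PID range, but never tunnel one host.
SAMPLE_ART = ApplicationRoutingTable(
    destinations=[
        NetworkDestinationDescription("10.20.0.0/16", 80, "tcp", app_name="intranet-web"),
        NetworkDestinationDescription("10.20.5.0/24", 21, "tcp", app_name="file-server"),
        NetworkDestinationDescription("10.20.5.9/32", protocol="tcp", intercept=False),
    ],
    applications=[
        ClientApplicationIdentifier(exe_name="outlook.exe"),
        ClientApplicationIdentifier(pid_range=(4000, 4099)),
    ],
)


def route_sample(exe_name: str, pid: int, protocol: str, dst_ip: str, dst_port: int) -> Verdict:
    """Convenience wrapper: a request from constructed client 192.0.2.10, ephemeral source port."""
    req = InterceptedRequest(exe_name, pid, protocol, "192.0.2.10", 51234, dst_ip, dst_port)
    return decide(SAMPLE_ART, req)
```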
Referring to FIG. 6, steps of an embodiment of a method for applying policies based on an identification of an application, to control access of the application via the appliance 200, are described. In general, the client agent 120 establishes a connection with the appliance 200 at step 605. At step 610, the client agent 120 intercepts a request of an application on the client 102, and at step 615, identifies the application on the client making the request. At step 620, the client agent 120 sends an identifier of the application to the appliance 200. At step 625, the client agent 120 sends the application's intercepted request to the appliance 200. Based on the identification of the application and the associated policy, the appliance 200 determines at step 630 a level of access to provide to the application for the client 102. In step 635, in one embodiment, the appliance 200 grants the application a level of access to one of the network 104 or the server 106 via the appliance. In another embodiment, at step 640, the appliance 200 denies the application the level of access to the network 104 or server 106 via the appliance.
In further detail, the client 102 establishes a connection with the appliance 200, such as via the client agent 120, at step 605. In some embodiments, the client agent 120 establishes a transport layer connection with the appliance 200, such as via the transmission control protocol or the user datagram protocol. In one embodiment, the client agent 120 establishes a tunneling connection with the appliance 200 using any type and form of tunneling protocol. In another embodiment, the client agent 120 establishes a virtual private network connection, such as an SSL VPN or TLS VPN connection, with the network 104 via the appliance 200. In yet another embodiment, the client agent 120 establishes the tunnel connection using the Common Gateway Protocol (CGP) manufactured by Citrix Systems, Inc. of Ft. Lauderdale, Florida.
At step 610, the client agent 120 intercepts the request of the application on the network stack 310. In one embodiment, the client agent 120 intercepts a request to open a transport layer connection to the server 106 via the appliance 200. In another embodiment, the client agent 120 intercepts a request of an application to a server via an established transport layer connection with the appliance 200. In some embodiments, the client agent 120 intercepts network packets of the first network 104 destined for the client 102. In another embodiment, the client agent 120 intercepts network packets destined for the second network 104' provided through the VPN connection to the appliance 200. In one embodiment, the client agent 120 intercepts transport layer network packets at an interface at the transport layer of the network stack 310, such as via a Transport Driver Interface (TDI). In other embodiments, the client agent 120 intercepts network packets at any layer below layer 4 or the transport layer of the network stack 310, such as the network or IP layer. In yet another embodiment, the client agent 120 intercepts network packets at or above layer 4 of the network stack 310, such as at the application layer of the network stack 310.
At step 615, the client agent 120 identifies the application that generated or initiated the intercepted request. In one embodiment, the client agent 120 determines the identifier of the application via a system level or kernel mode function call. In one embodiment, the client agent 120 determines, via an Application Programming Interface (API), the Process ID (PID) and/or name of the application associated with the connection or context of the intercepted request. In some embodiments, the client agent 120 determines the identifier of the application when the client agent 120 intercepts a connection request of the application via the network stack 310. In other embodiments, the client agent 120 determines the identifier of the application via inspection of the payload of the intercepted request. In one embodiment, the client agent 120 queries or looks up the application's identifier in a data structure, object, table, file, or database. In another embodiment, the client agent 120 associates an identifier of the application with the application's transport layer connection to the appliance 200 established via the agent 120, and maintains that association.
At step 620, the client agent 120 sends an identifier of the application, such as a name or PID, to the appliance 200. In one embodiment, the client agent 120 sends the identifier of the application to the appliance 200 via the connection established at step 605, e.g., the application's transport layer connection. In some embodiments, the client agent 120 sends the identifier of the application to the appliance 200 via a header or field of a network packet. In yet another embodiment, the client agent 120 sends the identifier of the application as part of the payload of a network packet sent to the appliance 200. In other embodiments, the client agent 120 sends the identifier of the application via a control or communication channel between the client agent 120 and the appliance 200. For example, the client agent 120 and the appliance 200 may communicate information over a transport layer connection, such as TCP or UDP, established for exchanging such information. In some embodiments, the client agent 120 may make remote procedure or function calls to the appliance 200 to identify the application to the appliance 200. In one embodiment, the appliance 200 associates the identifier of an application with the connection of that application established through the appliance 200. In yet another embodiment, the appliance 200 determines the identity of the application from the application's connection request via the appliance 200, or by examining or analyzing the content of the application's network traffic passing through the appliance 200.
At step 625, the client agent 120 sends the application's intercepted request to the appliance 200. The request may be any type and form of network communication from the application. In one embodiment, the client agent 120 sends a connection request of an application on the client 102 to the appliance 200. For example, the application may request to open a transport layer, SSL, or TLS connection with the appliance 200 or to the server 106 via the appliance 200. In other embodiments, the client agent 120 may intercept network communications of an application to be sent via the connection to the appliance 200 and send the intercepted network communications to the appliance 200. In one embodiment, the client agent 120 sends the identification of the application as the intercepted request is sent. In other embodiments, the appliance 200 has already received from the client agent 120 the identification of the application for the connection to the appliance 200.
Based on the identification of the application and the associated policy, the appliance 200 determines at step 630 a level of access to provide to the application for the client 102. For the intercepted request sent at step 625, the appliance 200 determines the level of access to provide to the application from a policy associated with the application. In one embodiment, the appliance 200 receives the intercepted request from the client agent 120 and queries the policy for the application associated with the request or with the connection used to send the request. In some embodiments, the policy for the application provided by the policy engine 236 identifies the type of authorization, access, and/or audit to apply to the intercepted request. In some other embodiments, the appliance 200 may determine the content of the audit, the location of the audit log, and the type and level of audit to perform based on the identification of the application.
A policy may be associated with a list of one or more applications by the name of the application, the type of the application, or by a pattern matching the name of the application, such as any application whose name starts with "ms". In some embodiments, for an application, a policy identifies the type of authorization to perform. For example, the policy may indicate that a credential is requested from the application before the intercepted request is sent over the network 104' or to the server 106. In another embodiment, the policy may indicate that the application requires two-factor or secondary authentication to be granted access via the appliance 200. In some embodiments, the policy may indicate the type of authentication based on the type of request of the application. For example, a first authentication type, such as two-factor authentication, may be required for a request to open a connection to a server 106, while a second authentication type is used for a request to query a protected directory on the server 106.
In another embodiment, the policy identifies a level of access to the network 104' or the server 106 via the appliance 200. In one embodiment, the policy identifies whether access is granted or denied based on the identifier of the application. For example, the appliance 200 may deny or grant access to an application having a particular name, such as "outlook". In another embodiment, the appliance 200 may grant access to all applications unless the identifier of the application matches a list of one or more applications that the policy does not grant the given access. In some embodiments, the appliance 200 may deny access to all applications unless the identifier of the application matches a list of one or more applications that the policy grants the given access. In yet another embodiment, the appliance 200 may provide or assign one of a plurality of levels of access to the intercepted request or application based on the identifier of the application. For example, a first application may be assigned a level of isolated or limited access to the network 104 or server 106 via the appliance. In another embodiment, a second application may be assigned to a group of users based on the name of the application, such as assigning an application named "performance".
Based on the policy determination of step 630, in step 635, the appliance 200, in one embodiment, grants the application a level of access to one of the network 104 or the server 106 via the appliance. In some embodiments, the appliance 200 may assign a level of access to the application, such as a downgraded or upgraded level of access, based on the authentication provided by the application, such as whether or not credentials were received, together with the identification of the application. In one embodiment, the appliance 200 grants access to the application and sends the intercepted request to its destination. In another embodiment, the appliance 200 grants access to the application upon receiving a first request, and after applying the policy to that first request, the appliance 200 allows continued access by the application. In some embodiments, the appliance 200 applies an application-based policy to each intercepted request sent via the appliance 200. In still other embodiments, the appliance 200 applies an application-based policy according to the type of request of the application.
In another embodiment, at step 640, the appliance 200 denies the application the level of access to the network 104 or server 106 via the appliance. In some embodiments, the appliance 200 denies any access by the application according to the application-based policy and discards the intercepted request. In other embodiments, the appliance 200 reduces the level of access of the application and sends the intercepted request according to the assigned level of access. In one embodiment, the appliance 200 denies access to the application on a per request basis: for some requests by the application the appliance 200 denies access, while for other requests the appliance 200 grants access. For example, the appliance may apply a per-request policy based on the type of request.
In some embodiments, at steps 630, 635, and/or 640, the appliance 200 may make an authentication, authorization, or audit policy decision based on the identification of the application and on any temporal information, such as the time of the request, the time at which the application established a connection via the appliance, and/or any time-based policy rules. For example, an application may be authorized for access only during a particular period of time. If the appliance receives an intercepted request outside of the authorized time period, the appliance 200 may have a policy to deny access for the intercepted request. Further, the application-based policy may be combined with user or group policies to make additional access, authorization, and authentication policy decisions on whether to provide a level of access through the appliance.
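As an added example that is not code from the patent or from Citrix, the following Python models the appliance-side policy engine 236 decision of steps 630-640 described above: policies keyed by application name or name pattern, an authentication type required per request type, deny-all-unless-listed versus grant-all-unless-listed defaults, multiple access levels, and a time window. The policy fields, the request type and authentication type names, the access levels, and every policy entry are assumptions constructed for the example.

```python
"""Added example (not code from the patent or from Citrix): a model of the
appliance 200 policy engine 236 deciding, at steps 630-640, the access level
of an application identified by the client agent at step 620. Policies,
application names, request types and authentication types are constructed."""
from dataclasses import dataclass, field
from datetime import datetime, time
from enum import Enum
from fnmatch import fnmatch
from typing import Dict, List, Optional, Tuple


class Access(Enum):
    DENIED = 0
    LIMITED = 1   # isolated or limited access to the network 104' or server 106
    FULL = 2


# Authentication types ordered by strength; a stronger type satisfies a weaker requirement.
AUTH_STRENGTH = {None: 0, "credential": 1, "two_factor": 2}


@dataclass(frozen=True)
class AppPolicy:
    app_pattern: str                        # exact name or glob pattern, e.g. "ms*"
    access: Access
    auth_by_request_type: Dict[str, str] = field(default_factory=dict)
    allowed_hours: Optional[Tuple[time, time]] = None   # temporal rule, [start, end)


@dataclass(frozen=True)
class Decision:
    access: Access
    reason: str
    auth_required: Optional[str] = None     # set when the appliance must request credentials


@dataclass
class PolicyEngine:
    policies: List[AppPolicy]
    default_access: Access    # FULL = grant all unless listed; DENIED = deny all unless listed

    def lookup(self, app_name: str) -> Optional[AppPolicy]:
        """First policy whose name or pattern matches the application identifier."""
        for policy in self.policies:
            if fnmatch(app_name.lower(), policy.app_pattern.lower()):
                return policy
        return None

    def evaluate(self, app_name: str, request_type: str,
                 presented_auth: Optional[str], now: datetime) -> Decision:
        """Step 630: per-request decision derived from the application's policy."""
        policy = self.lookup(app_name)
        if policy is None:
            return Decision(self.default_access, "no application-specific policy; default applies")
        if policy.access is Access.DENIED:
            return Decision(Access.DENIED, "application denied by policy")          # step 640
        if policy.allowed_hours is not None:
            start, end = policy.allowed_hours
            if not (start <= now.time() < end):
                return Decision(Access.DENIED, "request outside the authorized time window")
        needed = policy.auth_by_request_type.get(request_type)
        if AUTH_STRENGTH.get(presented_auth, 0) < AUTH_STRENGTH.get(needed, 0):
            # The appliance asks the application for the stronger authentication type.
            return Decision(Access.DENIED, f"{needed} authentication required for {request_type}",
                            auth_required=needed)
        return Decision(policy.access, "granted by application policy")              # step 635


# Constructed sample policy set: deny everything that is not listed.
SAMPLE_ENGINE = PolicyEngine(
    policies=[
        AppPolicy("outlook.exe", Access.FULL,
                  {"open_connection": "two_factor", "query_directory": "credential"},
                  allowed_hours=(time(7, 0), time(19, 0))),
        AppPolicy("ms*", Access.LIMITED),
        AppPolicy("explorer.exe", Access.DENIED),
    ],
    default_access=Access.DENIED,
)
```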
In view of the structure, functionality, and operation of the client agent and appliance described above, the client agent provides fine-grained control of the network communications sent by the client via the appliance, such as via an SSL VPN connection. The client agent 120 may intercept communications by application name or by any part or combination of network or IP layer information, such as destination and source IP addresses and destination and source ports. In this manner, the client agent 120 can be configured to intercept particular network traffic patterns, such as traffic from a particular application to a particular application, and/or traffic between a particular source endpoint and a particular destination endpoint. By intercepting and filtering network traffic at or near the client, the appliance is spared both handling unnecessary network traffic and applying its protective policies to it. This provides additional security to the network protected by the appliance, since the client agent does not send unwanted network traffic to the appliance. Furthermore, the appliance provides finer grained control of authentication, authorization, and audit policies on a per application basis, and even on a per request basis for each application.

Claims (18)

1. A method for a client agent to intercept communications sent from a client via a virtual private network connection based on an identification of an application, wherein the client agent is executable on the client, the method comprising the steps of:
(a) receiving, by the client agent on a client of a first network, an application routing table identifying a first application authorized to access a second network, for intercepting network communications transmitted from the first application to the second network via a virtual private network connection established by an appliance, the first application being identified by an executable file name of the first application;
(b) determining, by the agent, based on the application routing table, that a network communication among a plurality of network communications established by the client originates from the first application;
(c) intercepting, by the agent, the network communication of the first application based on the application routing table;
(d) sending, by the agent, the network communication of the first application to the second network via the virtual private network connection based on the application routing table;
(e) determining, by the agent, that at least one of the plurality of network communications established by the client originates from an application not identified in the application routing table; and
(f) allowing, by the agent, the at least one network communication to be sent via the client's network stack instead of the virtual private network connection.
2. The method of claim 1, comprising determining, by the agent, from the plurality of network communications, a second network communication originating from a second application on the client, and not intercepting the second network communication.
3. The method of claim 2, comprising sending, by the client, the second network communication via the first network.
4. The method of claim 1, comprising sending, by the appliance, the application routing table to the agent.
5. The method of claim 1, comprising sending, by the appliance, the name of the first application to the agent.
6. The method of claim 1, comprising intercepting, by the agent, network communications of a first set of applications on the client identified for transmission via the virtual private network connection, and not intercepting, by the agent, network communications of a second set of one or more applications on the client.
7. The method of claim 1, comprising establishing, by the agent, the virtual private network connection to the second network via the appliance.
8. The method of claim 7, comprising granting or denying, by the appliance, a level of access to the first application based on the identification of the first application.
9. The method of claim 8, comprising sending, by the agent, the identification of the first application to the appliance.
10. A system for a client agent to intercept communications sent from an application of a client via a virtual private network connection based on an identification of the application, wherein the client agent is executable on the client, the system comprising:
means for receiving, by the client agent on a client of a first network, an application routing table identifying a first application authorized to access a second network, for intercepting network communications transmitted from the first application to the second network via the virtual private network connection established by an appliance, the first application being identified by an executable file name of the first application;
means for determining, by the agent, based on the application routing table, that a network communication among a plurality of network communications sent by the client originates from the first application;
means for intercepting, by the agent, the network communication of the first application based on the application routing table;
means for sending, by the agent, the network communication of the first application to the second network via the virtual private network connection based on the application routing table;
means for determining, by the agent, that at least one of the plurality of network communications established by the client originates from a second application not identified in the application routing table; and
means for allowing, by the agent, the at least one network communication to be sent via a network stack of the client instead of the virtual private network connection.
11. The system of claim 10, comprising means for determining, by the agent, from the plurality of network communications, a second network communication originating from a second application on the client, and for not intercepting the second network communication.
12. The system of claim 11, comprising means for sending, by the client, the second network communication via the first network.
13. The system of claim 10, comprising means for transmitting, by the appliance, the application routing table to the agent.
14. The system of claim 10, comprising means for sending, by the appliance, the name of the first application to the agent.
15. The system of claim 10, comprising means for intercepting, by the agent, network communications of a first set of applications on the client identified for transmission via the virtual private network connection, and for not intercepting network communications of a second set of one or more applications on the client.
16. The system of claim 10, comprising means for establishing, by the agent, the virtual private network connection to the second network via the appliance.
17. The system of claim 16, comprising means for granting or denying, by the appliance, a level of access to the first application based on the identification of the first application.
18. The system of claim 17, comprising means for sending, by the agent, the identification of the first application to the appliance.

Priority Applications (1)

Application Number Priority Date Filing Date Title
HK10107195.6A 2006-08-03 2007-08-02 Systems and methods for application-based interception and authorization of ssl/vpn traffic HK1140883B (en)

Applications Claiming Priority (5)

Application Number Priority Date Filing Date Title
US11/462329 2006-08-03
US11/462,321 US8495181B2 (en) 2006-08-03 2006-08-03 Systems and methods for application based interception SSI/VPN traffic
US11/462321 2006-08-03
US11/462,329 US8869262B2 (en) 2006-08-03 2006-08-03 Systems and methods for application based interception of SSL/VPN traffic
PCT/US2007/075035 WO2008017011A2 (en) 2006-08-03 2007-08-02 Systems and methods for application-based interception and authorization of ssl/vpn traffic

Publications (2)

Publication Number Publication Date
HK1140883A1 HK1140883A1 (en) 2010-10-22
HK1140883B true HK1140883B (en) 2014-02-14


Similar Documents

Publication Publication Date Title
US9497198B2 (en) Systems and methods for application based interception of SSL/VPN traffic
US9294439B2 (en) Systems and methods for application-based interception of SSL/VPN traffic
US7843912B2 (en) Systems and methods of fine grained interception of network communications on a virtual private network
US9253193B2 (en) Systems and methods for policy based triggering of client-authentication at directory level granularity
US8356101B2 (en) Systems and methods for managing a plurality of user sessions in a virtual private network environment
US9246878B2 (en) Methods and systems for routing packets in a VPN-client-to-VPN-client connection via an SSL/VPN network appliance
US8413229B2 (en) Method and appliance for authenticating, by an appliance, a client to access a virtual private network connection, based on an attribute of a client-side certificate
CN101523865B (en) System and method for using HTTP-aware client proxy
US8904475B2 (en) Method and system for authorizing a level of access of a client to a virtual private network connection, based on a client-side attribute
US7953889B2 (en) Systems and methods for routing VPN traffic around network disruption
CN101523866B (en) Systems and methods for hierarchical global load balancing
AU2007281166B2 (en) Systems and methods for application-based interception and authorization of SSL/VPN traffic
US7907621B2 (en) Systems and methods for using a client agent to manage ICMP traffic in a virtual private network environment
HK1140883B (en) Systems and methods for application-based interception and authorization of ssl/vpn traffic
HK1191153A (en) Systems and methods for application-based interception and authorization of ssl/vpn traffic