WO2004107646A1 - System and method for application-level virtual private network - Google Patents

System and method for application-level virtual private network Download PDF

Info

Publication number
WO2004107646A1
WO2004107646A1 PCT/US2003/015383 US0315383W WO2004107646A1 WO 2004107646 A1 WO2004107646 A1 WO 2004107646A1 US 0315383 W US0315383 W US 0315383W WO 2004107646 A1 WO2004107646 A1 WO 2004107646A1
Authority
WO
WIPO (PCT)
Prior art keywords
requestor
application
messages
hash value
forwarding
Prior art date
Application number
PCT/US2003/015383
Other languages
French (fr)
Inventor
Robert L. Hollis
J. Marc Enger
R. Gunnar Engelbach
Original Assignee
Threatguard, Inc.
Priority date (The priority date is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the date listed.)
Filing date
Publication date
Priority to US10/249,877 priority Critical patent/US6804777B2/en
Priority to US10/249,877 priority
Application filed by Threatguard, Inc. filed Critical Threatguard, Inc.
Publication of WO2004107646A1 publication Critical patent/WO2004107646A1/en

Links

Classifications

    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00Network architectures or network communication protocols for network security
    • H04L63/02Network architectures or network communication protocols for network security for separating internal from external traffic, e.g. firewalls
    • H04L63/0272Virtual private networks
    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00Network architectures or network communication protocols for network security
    • H04L63/04Network architectures or network communication protocols for network security for providing a confidential data exchange among entities communicating through data packet networks
    • H04L63/0428Network architectures or network communication protocols for network security for providing a confidential data exchange among entities communicating through data packet networks wherein the data content is protected, e.g. by encrypting or encapsulating the payload
    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00Network architectures or network communication protocols for network security
    • H04L63/08Network architectures or network communication protocols for network security for supporting authentication of entities communicating through a packet data network
    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00Network architectures or network communication protocols for network security
    • H04L63/12Applying verification of the received information

Abstract

A method for enabling users to securely share application information and resources (122) by granting resource owners access to user-application combinations (110). It provides a means for ensuring that only approved and unaltered applications (110) may access available resources (122). A connection negotiation scheme allows both ends of a communication channel to agree on a specific version of a specific application (110) to be used to access a target resource (122). Once agreement is reached, a virtual private network channel may be established between approved applications (110) and designated resources (122) that enables channel encryption using an encryption key and a verified signature using a calculated hash value of the negotiated application (110).

Description

SYSTEM AND METHOD FOR APPLICATION-LEVEL VIRTUAL PRIVATE NETWORK by J. Marc Enger, Robert L. Hollis, and R. Gunnar Engelbach, all of San Antonio, Texas

This application claims benefit of TJ. S. Provisional Application No. 60/380,727, filed on May 15, 2002.

BACKGROUND The invention relates generally to network security, and more specifically to secure message and file transfers across public or private networks using an application-level virtual private network. It provides a means for specifying and validating the application being used to access a remote resource over a dynamic dedicated secure conduit or tunnel that is established over existing network pathways.

The need for providing and accessing information throughout small and large enterprise organizations spawned rapid a growth in intranets and extranets to satisfy these organizational communications requirements. With the rapid growth of the Internet as a public network communication medium, organizations found substantial cost savings by using the Internet as an worldwide vehicle for providing and accessing organizational information. The result was a shift from closed and protected to open and less secure, open information infrastructure. Gateways were provided to connect existing private networks to the Internet to replace many private dedicated networks providing access to disparate parts of the world. It is not unusual in today's business environment to have multiple computer workstations and servers interconnected by complex and widely dispersed communications networks. These communications networks are critical to many businesses that rely on these information networks to provide services for the day-to-day operation of their enterprises.

800693.010 With the growth of these communications networks came an increase in incidences of unauthorized access to these networks by individuals and software programs for accessing confidential information and causing disruptions or irreparable harm to these informational networks. These intrusions, oftentimes resulting in economic losses, have created a demand for means for detecting and preventing malicious and unauthorized access to these networks by users and organizations that seek to find and exploit the smallest security hole. In addition to enterprises instituting safeguards to prevent harm caused to business enterprises and individuals, the government has instituted regulations to protect the privacy of information on individuals that may be available on these information networks. The Gramm-Leach-Bliley Act requires financial institutions and financial services companies to comply with stringent privacy and security standards. The health care market has similar legislation called the Health Insurance Portability and Accountability Act (HIPAA). While the details of HIPAA are still being completed, it will clearly establish uniform information security standards for health care organizations. Since the late 1980s, the government agencies have been under legislative pressure to secure networked systems.

Emerging homeland defense initiatives will add additional and enforceable network security requirements to the government agencies.

In response to unauthorized intrusions into informational networks, various protective measures have been implemented to eliminate or reduce intrusion incidences. Some of these measures include Public Key Infrastructure (PKI) encryption, S/MME Email security,

Secure Sockets Layer (SSL) 128 bit encryption, Virtual Private Network (VPN), firewalls, and vulnerability scanners. Some of these network protection schemes may work at cross- purposes to one another by inhibiting other protection schemes from operating effectively. For example, a firewall may inhibit a vulnerability scanner form assessing the intrusion vulnerability of a system protected by the firewall.

800693.010 Traditional VPN solutions have typically provided network-to-network secure communications, and machine-to-machine secure communications. In the former case, one network gateway can establish a secure channel to another network's gateway by employing encryption technologies and using the public Internet as a medium. This approach has the benefit of using public resources in a secure manner, but has several notable disadvantages as well. The disadvantages include: (1) all resources on one side of the connection can access all resources on the other side of the connection, unless additional (often overlooked or too restrictive) measures are taken; and (2) if one side of the connection has multiple VPN channels to other locations, all locations can potentially access each other. Although machine-to-machine VPN solutions seem to address these problems, they s still have issues of their own that are often ignored due to the inability of current technologies to address them. The issues include: (1) if an intruder gains access to the one machine in the connection, she can use whatever application is available on the compromised machine to attack resources on the other side of the connection; and if the user of one machine contracts a virus or worm that corrupts his applications, that virus can spread across the VPN to attack resources on the other side of the connection.

SUMMARY The present invention provides a solution that overcomes many of the disadvantages and issues encountered in the use of network-to-network VPN secure communications and machine-to-machine VPN secure communications. It enables users to securely share application information and resources by granting resource owners access to user-application combinations, and ensuring that only approved and unaltered applications can access the resources being made available. A process of negotiation is a necessary preamble to any secure connection attempt from an application to a resource. This negotiation allows both ends of a communication channel to agree upon an application and version of an application

800693.010 to be used to access a target resource. Upon agreement by both ends of the communication channel, channel encryption may be established using an encryption key and a signature verified using the hash of the negotiated application.

Each application that runs on a client workstation is subject to a check upon all attempts to use an established application-level VPN channel. This check involves a query to the host operating system to determine which application has requested access and then a calculation of that application's hash. As traffic passes into the VPN channel, the discovered hash and encryption process with a provided session key is used to establish secure communication. As packets emerge on the other side of the channel, the hash of the pre- coordinated application is used as a signature to validate the connection. Therefore, if a rogue or tainted application attempts to use the channel once it has been established, the hash- encryption step will not match the hash-signature step, and communications will not be successful. An embodiment of a network that satisfies these requirements is disclosed in U. S. Patent Application No. 10/249668 filed on April 29, 2003, and incorporated herein by reference.

An embodiment of the present invention is a method for application-level virtual private networking, comprising the steps of requesting access for sending requestor messages to an external resource by a requestor application within a user workstation, identifying the requestor application and calculating a hash value of the requestor application by a connection manager within the user workstation, forwarding the requestor messages and the calculated application hash value by the connection manager over a network to a channel gateway, receiving the requestor messages and the calculated application hash value by a channel receiver within the channel gateway, authenticating the received requestor messages using the calculated application hash value and forwarding the requestor messages to the external resource, and receiving the requestor messages by the external resource. The step of

800693 010 requesting access for sending requestor messages to an external resource by a requestor application within a user workstation may comprise the step of requesting access for sending requestor messages to an external server application program within the channel gateway by a requestor application within a user workstation, the step of forwarding the requestor messages to the external resource may comprise the step of forwarding the requestor messages to an external server application program within the channel gateway, and the step of receiving the requestor messages by the external resource may comprise receiving the requestor messages by the external server application program within the channel gateway. The step of identifying the requestor application and calculating a hash value of the requestor application by a connection manager within the user workstation may further comprise calculating a hash value of only one specific version of one specific requestor application by a connection manager within the user workstation, and the step of authenticating the received requestor messages using the calculated application hash value may comprise authenticating the received requestor messages using the calculated hash value of only the one specific version of the one specific requestor application. The step of identifying the user application may comprise querying a workstation operating system for identifying the user application. The method may further comprise preparing and forwarding response messages by the external resource to the channel receiver within the channel gateway, receiving the response messages by the channel receiver and forwarding the response messages and the calculated application hash value over the network to the connection manager within the user workstation, receiving the response messages by the connection manager, authenticating the received messages using the received calculated application hash value, and forwarding the response messages to the requestor application within the user workstation, and receiving the response messages by the requestor application within the user workstation. The step of authenticating the received response messages using the received calculated application hash

800693.010 value may comprise authenticating the received response messages by comparing the received calculated application hash value with an application hash value calculated by the connection manager. The step of forwarding the requestor messages and the calculated application hash value may comprise the steps of obtaining public and private keys from a PKI authority, encrypting the requestor messages using the external resource public PKI key, encrypting the application hash value and a digital signature, a user ID and a password using the requestor application PKI private key, forwarding the encrypted requestor messages, the application hash value, the digital signature, the user ID and the password by the connection manager over the network to the channel gateway, the step of receiving the requestor messages and the calculated application hash value may comprise receiving the encrypted requestor messages, application hash value, digital signature, user ID and password by the channel receiver of the channel gateway, and the step of authenticating the received requestor messages using the calculated application hash value and forwarding the requestor messages to the external resource may comprise decrypting the application hash value, digital signature, user ID and password using the application requestor PKI public key, decrypting the encrypted requestor messages using the external resource PKI private key, authenticating the received requestor messages using the decrypted calculated application hash value, digital signature, user ID and password, and forwarding the decrypted requestor messages to the external resource. The step of receiving the response messages by the channel receiver and forwarding the response messages may comprise receiving the response messages by the channel receiver, encrypting the response messages using the requestor application PKI public key, encrypting the hash and remote source digital signature using the remote source PKI private key, and forwarding the encrypted response messages, the encrypted calculated application hash value and remote resource digital signature, and the requestor application user ID and password over the network to the connection manager within the user

800693.010 workstation, and the step of receiving the response messages by the connection manager may comprise receiving the response messages by the connection manager, decrypting the response messages using the requestor application PKI private key, decrypting the hash and remote source digital signature using the remote source PKI public key, authenticating the decrypted received response messages using the decrypted received calculated application hash value and digital signature, and forwarding the response messages to the requestor application within the user workstation. The method may further comprise the step of forwarding the calculated application hash value, a digital signature, a user ID and a password by the connection manager over the network to an access authority for connection negotiation to obtain a session key, the step of encrypting the requestor messages by the connection manager using the session key, and the step of decrypting the requestor messages by the channel receiver using the session key. The method may further comprise the step of negotiating a connection and obtaining a session key from an access authority, the step of encrypting the response messages by the channel receiver using a session key, and the step of decrypting the response messages by the connection manager using the session key. A computer-readable medium may contain instructions for controlling a computer system to implement the method above.

Another embodiment of the present invention is a system for application-level virtual private networking, comprising means for requesting access for sending requestor messages to an external resource by a requestor application within a user workstation, means for identifying the requestor application and calculating a hash value of the requestor application by a connection manager within the user workstation, means for forwarding the requestor messages and the calculated application hash value by the connection manager over a network to a channel gateway, means for receiving the requestor messages and the calculated application hash value by a channel receiver within the channel gateway, means for

800693.010 authenticating the received requestor messages using the calculated application hash value and forwarding the requestor messages to the external resource, and means for receiving the requestor messages by the external resource. The external resource may be a server application program. The requestor application may be one specific version of one specific application. The system may further comprise means for preparing and forwarding response messages by the external resource to the channel receiver within the channel gateway, means for receiving the response messages by the channel receiver and forwarding the response messages and the calculated application hash value over the network to the connection manager within the user workstation, means for receiving the response messages by the connection manager, authenticating the received messages using the received calculated application hash value, and forwarding the response messages to the requestor application within the user workstation, and means for receiving1 the response messages by the requestor application within the user workstation. The means for forwarding the requestor messages and the calculated application hash value may comprise the steps of obtaining public and private keys from a PKI authority, encrypting the requestor messages using the external resource public PKI key, encrypting the application hash value and a digital signature, a user ID and a password using the requestor application PKI private key, forwarding the encrypted requestor messages, the application hash value, the digital signature, the user ID and the password by the connection manager over the network to the channel gateway, the means for receiving the requestor messages and the calculated application hash value may comprise receiving the encrypted requestor messages, application hash value, digital signature, user ID and password by the channel receiver of the channel gateway, and the means for authenticating the received requestor messages using the calculated application hash value and forwarding the requestor messages to the external resource may comprise decrypting the application hash value, digital signature, user ID and password using the application

800693.010 requestor PKI public key, decrypting the encrypted requestor messages using the external resource PKI private key, authenticating the received requestor messages using the decrypted calculated application hash value, digital signature, user ID and password, and forwarding the decrypted requestor messages to the external resource. The means for receiving the response messages by the channel receiver and forwarding the response messages may comprise receiving the response messages by the channel receiver, encrypting the response messages using the requestor application PKI public key, encrypting the hash and remote source digital signature using the remote source PKI private key, and forwarding the encrypted response messages, the encrypted calculated application hash value and remote resource digital signature, and the requestor application user ID and password over the network to the connection manager within the user workstation, and the means for receiving the response messages by the connection manager comprises receiving the response messages by the connection manager, decrypting the response messages using the requestor application PKI private key, decrypting the hash and remote source digital signature using the remote source PKI public key, authenticating the decrypted received response messages using the decrypted received calculated application hash value and digital signature, and forwarding the response messages to the requestor application within the user workstation. The system may further comprise means for forwarding the calculated application hash value, a digital signature, a user LD and a password by the connection manager over the network to an access authority for connection negotiation to obtain a session key, means for encrypting the requestor messages by the connection manager using the session key, and means for decrypting the requestor messages by the channel receiver using the session key. The method may further comprising means for negotiating a connection and obtaining a session key from an access authority, means for encrypting the response messages by the channel receiver

800693.010 using a session key, and means for decrypting the response messages by the connection manager using the session key.

Yet another embodiment of the present invention is a user interface method for application-level virtual private networking, comprising defining a remote resource to be accessed without connection negotiation, including selecting a remote resource to be accessed, designating a local port for accessing a virtual private network, providing an IP address of the remote resource, assigning a port number where the remote resource is available, defining a connection for the requestor application, including using an executable application program for connecting to the remote resource, selecting a remote resource designation, supplying a user ID, entering a password, and clicking an enable button for accessing the remote resource. The user interface method may further comprise defining a remote resource to be accessed with connection negotiation, including checking a box for designating negotiation required, and assigning an access authority to be used and for determining an IP address and remote resource port. BRIEF DESCRIPTION OF THE DRAWINGS

These and other features, aspects and advantages of the present invention will become better understood with regard to the following description, appended claims, and accompanying drawings wherein:

Figure 1 shows a graphical user interface of a Connection Manager for configuring an embodiment of the present invention;

Figure 2 shows a diagram of a local User Application and a Connection Manager with a Channel Listener for accessing a requested resource according to the present invention;

Figure 3 A shows a Channel Gateway on a remote server for processing incoming messages to a server application;

800693010 1 Λ Figure 3B shows a Channel Gateway on a remote server for processing incoming messages to a resource external to the server;

Figure 4 shows a typical network application of users accessing a target resource; Figure 5 shows a flow diagram of connecting to a resource that does not require negotiation; and

Figure 6 shows a flow diagram of connecting to a resource that requires negotiation.

DETAILED DESCRPTION Turning now to Figure 1, Figure 1 shows a graphical user interface 100 of a Connection Manager for configuring an embodiment of the present invention. Figure 1A shows a connection window and Figure IB shows a resource window of the user interface 100. When an end-user wants to use a network-aware application 110 to access a protected resource 112, the application 110 must be configured to use resources on a local host rather than a network. For example, if access is desired to a resource oracle database 124 with a resource name Research DB 122, an application configuration must be changed from "my- oracle_server:1521" to "localhost:1521" 150. This configuration can be done manually, or an agent or local library that hijacks specified connections and reroutes them to localhost can handle it. A VPN channel is then configured to accept connections on "localhost: 1521" 150 using a graphical user interface such as the one illustrated in Figure 1. Once the ENABLE button 140 is pressed, the Connection Manager initiates a connection negotiation if it is required by the selected resource. The connection negotiation requires determining the selected application's hash from the operating system, packaging it with the User ID and Password entered for the connection, adding the digital signature from an attached strong authentication device of choice (such as SmartCard, iButton, etc.), and sending the combined message to a specified Access Authority 160. The status 114 of the connection shows a state of "Negotiating" until a response is received from the Access Authority 160. This response

800693.010 1 < includes an approval notice, a session key, and a rendezvous point (IP address :port of an RVP) where the requested resource can be accessed. Once a connection has been approved, the Connection Manager opens a Listener on the local port 150 specified for the connection, and the system is ready to transfer messages. As shown in Figure 1, the graphical user interface 100 of the Connection Manager enables a user to define a connection to a remote resource. The remote resource definition includes (1) a resource name 122 as a reference to the remote resource, (2) a local port 150 where local applications connect for access the remote resource, (3) whether negotiation is required 160 to initiate a negotiation sequence with the specified Access Authority 160 when

1 a connection is "Enabled" 114 for this resource, (4) an Access Authority 160 that specifies a Key Authority for access to the remote resource if negotiation is required, (5) an IP address 170 where the remote resource is available (provided by a negotiation process if negotiation is required), and (6) a port number 172 where the remote resource is available (provided by a negotiation process if negotiation is required). A list of resources and resource definitions is stored on a local user file system to enable a user to recall previously defined entries. The graphical user interface 100 enables a user to define a reusable connection. This definition includes (1) a fully qualified executable for connecting to a specified resource 120, (2) a defined resource that is added to a drop-down resource list 122, (3) a user ID 130 to be used in a negotiation process, and (4) a password 132 for use in a negotiation process. The list of connections 122 and each connection definition is stored on a local user file system to enable a user to recall previously defined entries. Once a negotiation process is completed, signified either by approval from an Access Authority 160 or assumed in the case of no required negotiation, the Connection Manager instantiates the Channel Listener on the specified local port 150 and provides a session key from the from the Access Authority 160.

800693.010 1 r. Turning to Figure 2, Figure 2 shows a diagram 200 of a local User Application 210 and a Connection Manager 220 with a Channel Listener 230 for accessing a requested resource according to the present invention. The purpose of the Channel Listener 230 is to calculate the hash as a signature of any application that attempts to use its resource, to encrypt all traffic and forward the traffic to the specified resource, and to verify signatures using the application hash and decrypt return traffic. Figure 2 illustrates how local applications can use the Channel Listener 230 to access a requested resource once the Channel Listener 230 has been started. When a User Application 210 connects to the local resource 240 provided by the Connection Manager 220 and Channel Listener 230, the Channel Listener 230 performs a hash check of that application 250. This involves some native functions that allow the connection routines to match file descriptors to requesting programs. Once the hash of the User Application program 210 is determined, the Channel Listener 230 uses the program's hash for use as a signature for validating a connection and uses a session key provided by an Access Authority to encrypt all messages 260. The Channel Listener 230 then forwards the encrypted traffic to a specified resource 270.

As shown in Figure 2, the Channel Listener 230 accepts traffic from the workstation via a loopback address (127.0.0.1) 240. Upon receiving a connection, the Channel Listener 230 interrogates the operating system to identify the requestor of the resource. Once the requestor is known, the Channel Listener 230 calculates a hash of the requestor 250. This hash is used as a signature and a session key is used to encrypt all traffic from the connecting application 260 as the Channel Listener 230 forwards it to the remote resource 270. The Channel Listener 230 opens ports on a local host such that they are not accessible from external sources. Upon accepting a connection, the Channel Listener 230 must determine the requestor of the connection by any accurate means. This can include native languages and operating system dependent methods. Native methods used to fulfill this requirement are

800693.010 < -, modularized such that they can be easily integrated into the Connection Manager 220. Upon identifying a requestor, the Channel Listener 230 calculates its hash as it resides on the file system. As traffic passes through the Channel Listener 230, the Channel Listener 230 uses the session key provided by the Connection Manager 220 to encrypt the traffic. The Channel Listener 230 forwards the encrypted traffic to the external resource 270 specified in the Connection Manager 220. The return traffic is decrypted with the same session key and verified with a signature.

Turning now to Figure 3, Figure 3 A shows a Channel Gateway 300 on a remote server for processing incoming messages to a server application and Figure 3B shows a Channel Gateway 350 on a remote server for processing incoming messages to a resource external to the server. Figure 3A and Figure 3B show how the Channel Gateway 300, 350 on a remote server processes incoming message traffic 330. In both cases, the connection negotiation has already occurred, as discussed above, for providing a Channel Receiver 310 with the proper application hash and session key. Similar to the Channel Listener discussed above, which encrypted the traffic with a session key and used the hash as a signature, the Channel Receiver 310 decrypts the incoming message traffic 330 in a comparable manner. The message traffic flows both ways for the users' applications to communicate effectively with the target resources. Therefore, return traffic is encrypted and decrypted such that the Channel Listener and Channel Receiver 310 switch encryption/decryption roles. When communicating 360 with a Channel Receiver 310, an External Resource 370 performs the same message communications functions as a Server Application 320 and a Server Listener 34 communicating 334 with a Channel Receiver 310, similar to the Communication Manager discussed above. Incoming message traffic 330 enters a Channel Gateway 300, 350 via a Channel receiver 310. The Channel Receiver 310 decrypts the message traffic using a session key and verifies a signature using an application hash 332. The Channel Receiver 310 then

800693.010 14 forwards the decrypted message traffic 334, 360 to a Server listener 340 connected to a Server Application 320, or an external resource 370.

As shown in Figure 3A and Figure 3B, the purpose of a Channel Gateway 300, 350 is to provide an environment where a Channel Receiver 310 can operate. The Channel Gateway 300, 350 is a network appliance that serves as the server-side tunnel to the secured resource. It is the platform on which the Channel Receiver 310 runs, and may or may not be the host of the target resource, as shown in Figure 3A and Figure 3B. The Channel Gateway 300, 350 is capable of providing a Java Runtime Environment (JRE) in which the Channel Receiver 310 can execute. The Channel Gateway 300, 350 has sufficient processor speed and memory specification to appropriately minimize the latency caused by encryption and decryption. The purpose of the Channel Receiver 310 is to accept network traffic 330, decrypt it using a session key and verify signature authorization using the application hash, and forward it on to the designated resource 334, 360. The Channel Receiver 310 is a network-aware process that opens a service listening for traffic sent from a Connection Manager Channel Listener described above. When initiated, the Channel Receiver 310 is instantiated with a session key and application hash specifying who and what is permitted to connect. This information is used to verify authorized signatures and to decrypt the incoming message stream 330 prior to forwarding it to its ultimate destination 334, 360. The Channel Receiver 310 accepts a session key, application hash, and target resource as part of its instantiation parameters. The key and hash are used to decrypt and verify signatures of all message traffic received from the sending Connection Manager Channel Listener. Decrypted traffic is forwarded to the specified target resource 334, 360. Return message traffic 334, 360 from the target resource 320, 370 is encrypted with the same session key and verified with the application hash. Encrypted return message traffic 330 is forwarded back to the originating Connection Manager Channel Listener described above.

800693.010 -j j- Turning to Figure 4, Figure 4 shows a typical network application 400 of users 410- 416 accessing a target resource 460. It shows multiple researchers 410, 412, 414, 416 connecting to a centralized research database 460. Some researchers 410, 412 are connected from a secure network behind a firewall 420, 422. Other researchers 414, 416 are connected from unsecured points on the Internet. Since the target database 460 is protected by its own firewall 424, a connection to it has been forwarded to a public connection point on the Internet. Typically, such a service would pose a high security risk because a user on the Internet would be able to connect to the database 460 through the firewall 424. Using the present invention, traffic does not advance beyond the Channel Gateway 450 to touch the database 460, unless an authorized user-application pair is accessing the resource 460. As discussed above, using a Secure Message-Oriented-Middleware to send and receive the appropriate messages, user can use the Access Authority 440 for Connection Negotiation. The Channel Receiver 470 is the process or library on the Channel Gateway 450 that decrypts incoming traffic and encrypts the return traffic. A user having a qualified application, Connection Manager and Channel Listener shown in Figure 1 , such a researcher anywhere 416, must first obtain a session key for encryption purposes from the Access Authority 440 via the rendezvous peer (RVP) 430. Using the session key to encrypt message traffic and application hash for signature verification, the user 416 connects to the RVP 430 to the Channel Gateway 450 and Channel Receiver 470, as shown in Figure 3. The Channel Gateway 450 containing the Channel Receiver 470 verifies an authorized signature using the forwarded application hash and decrypts the message traffic using the session key, forwarding the message traffic to the target resource 460. When sending message traffic from the target resource 460 to the researcher 416, the process of signature verification and encryption is reversed, as explained above.

800693.010 16 Turning to Figure 5, Figure 5 shows a flow diagram 500 of connecting to a resource that does not require negotiation. The predetermined application hash has previously been provided to the Channel Listener 510. This scenario only permits one version of one application to be used to access the protected resource. Furthermore, it does not facilitate the exchange of session keys and is thus not recommended for solutions that need more appropriate security. The end-user defines a resource using the Connection Manager 520 with information similar to this example data:

Resource Name: Research Database

Local port: 1521 Negotiation Required: No

Access Authority: N/A

IP Address: 192.168.10.100

Port: 1521 The end-user defines a connection using the Connection Manager 530 with information similar to this example data:

Connect Using: C: Program Files\MyApp.exe

Connect To: Research Database

User ID: <userid>

Password: <password> The end-user clicks the ENABLE button on the Connection Manager, and the Connection Manager immediately reports the selected connection as AVAILABLE 540. The end-user, having configured his application to connect to localhost: 1521 to match the information provided above, launches his application and the application makes a connection to the local host 550 provided by the Channel Listener. The Channel Listener interrogates the local operating system to determine the executable that has connected to the resource, and

800693.010 7 calculates a hash of that file for use as signature authentication 560. As message traffic passes through the Channel Listener, the hash value calculated from the requestor application is used to authenticate the signature, and the Channel Listener forwards all message traffic to the specified resource 570. The Channel Receiver accepts the connection and authenticates the traffic using the pre-coordinated application hash 580.

Turning to Figure 6, Figure 6 shows a flow diagram 600 of connecting to a resource that requires negotiation. The predetermined application hash has previously been provided to the Access Authority 610. The end-user defines a resource using the Connection Manager 620 with information similar to this example data: Resource Name: Research Database

Local port: 1521

Negotiation Required: Yes

Access Authority: world.usa.ThreatGuard.axess.keymaster

IP Address: N/A Port: N/A

The end-user defines a connection using the Connection Manager 622 with information similar to this example data:

Connect Using: C: Program Files\MyApp.exe

Connect To: Research Database User ID: <userid>

Password: <password> The end-user clicks the ENABLE button on the Connection Manager and the Connection Manager reports the status of the selected connection as NEGOTIATING 624. The Connection Manager then calculates the hash of the specified application, pulls the user's digital signature from a local strong authentication device, packages that information with the

800693.010 User ID and password, and sends the message to the specified Access Authority via a Message-Oriented Middleware API 630. The Access Authority validates the request and arranges the rendezvous 640 by generating a session key for the Listener and Receiver to share, instructing the Channel Gateway to open a forwarded tunnel from the RVP to the specified resource, instructing the Channel Receiver of the application hash and session key to use for decryption, and instructing the user's Connection Manager Channel Listener of the session key, as well as the IP address and port on the RVP has been opened by the Channel Gateway to offer the service. Upon receiving approval of the request, the Connection Manager updates the connection status from NEGOTIATING to ENABLED 650. The end- user, having configured his application to connect to localhost: 1521 to match the information provided above, launches his application and the application makes a connection to the localhost resource provided by the Channel Listener 660. The Channel Listener interrogates the local operating system to determine the executable that has connected to the resource and calculates a hash of that file for use as signature authentication 670. As traffic passes through the Channel Listener, it is encrypted by the Listener using the provided session key as the encryption key, and the Listener forwards all traffic to the IP address and port provided by the Access Authority 672. The Channel Receiver accepts the connection and decrypts the traffic using the pre-coordinated application hash and session key as the decryption key 680. Although the present invention has been described in detail with reference to certain preferred embodiments, it should be apparent that modifications and adaptations to those embodiments might occur to persons skilled in the art without departing from the spirit and scope of the present invention.

800693.010 1 Q

Claims

CLAIMS What is claimed is:
1. A method for application-level virtual private networking, comprising the steps of: requesting access for sending requestor messages to an external resource by a requestor application within a user workstation; identifying the requestor application and calculating a hash value of the requestor application by a connection manager within the user workstation; forwarding the requestor messages and the calculated application hash value by the connection manager over a network to a channel gateway; receiving the requestor messages and the calculated application hash value by a channel receiver within the channel gateway; authenticating the received requestor messages using the calculated application hash value and forwarding the requestor messages to the external resource; and receiving the requestor messages by the external resource.
2. The method of claim 1 , wherein the step of requesting access for sending requestor messages to an external resource by a requestor application within a user workstation comprises the step of requesting access for sending requestor messages to an external server application program within the channel gateway by a requestor application within a user workstation; the step of forwarding the requestor messages to the external resource comprises the step of forwarding the requestor messages to an external server application program within the channel gateway; and
800693.010 the step of receiving the requestor messages by the external resource comprises receiving the requestor messages by the external server application program within the channel gateway.
3. The method of claim 1, wherein: the step of identifying the requestor application and calculating a hash value of the requestor application by a connection manager within the user workstation further comprises calculating a hash value of only one specific version of one specific requestor application by a connection manager within the user workstation; and the step of authenticating the received requestor messages using the calculated application hash value comprises authenticating the received requestor messages using the calculated hash value of only the one specific version of the one specific requestor application.
4. The method of claim 1, wherein the step of identifying the user application comprises querying a workstation operating system for identifying the user application.
5. The method of claim 1, further comprising: preparing and forwarding response messages by the external resource to the channel receiver within the channel gateway; receiving the response messages by the channel receiver and forwarding the response messages and the calculated application hash value over the network to the connection manager within the user workstation; receiving the response messages by the connection manager, authenticating the received messages using the received calculated application hash value, and forwarding the response messages to the requestor application within the user workstation; and
800693.010 t -I receiving the response messages by the requestor application within the user workstation.
6. The method of claim 5, wherein the step of authenticating the received response messages using the received calculated application hash value comprises authenticating the received response messages by comparing the received calculated application hash value with an application hash value calculated by the connection manager.
7. The method of claim 1, wherein: the step of forwarding the requestor messages and the calculated application hash value comprises the steps of obtaining public and private keys from a PKI authority, encrypting the requestor messages using the external resource public
PKI key, encrypting the application hash value and a digital signature, a user ID and a password using the requestor application PKI private key, forwarding the encrypted requestor messages, the application hash value, the digital signature, the user ID and the password by the connection manager over the network to the channel gateway; the step of receiving the requestor messages and the calculated application hash value comprises receiving the encrypted requestor messages, application hash value, digital signature, user LD and password by the channel receiver of the channel gateway; and the step of authenticating the received requestor messages using the calculated application hash value and forwarding the requestor messages to the external resource comprises decrypting the application hash value, digital signature, user ID and password using the application requestor PKI public key, decrypting the encrypted requestor messages using the external resource PKI private key, authenticating the received requestor messages using the
800693.010 22 decrypted calculated application hash value, digital signature, user ID and password, and forwarding the decrypted requestor messages to the external resource.
8. The method of claim 5, wherein: the step of receiving the response messages by the channel receiver and forwarding the response messages comprises receiving the response messages by the channel receiver, encrypting the response messages using the requestor application PKI public key, encrypting the hash and remote source digital signature using the remote source PKI private key, and forwarding the encrypted response messages, the encrypted calculated application hash value and remote resource digital signature, and the requestor application user ID and password over the network to the connection manager within the user workstation; and the step of receiving the response messages by the connection manager comprises receiving the response messages by the connection manager, decrypting the response messages using the requestor application PKI private key, decrypting the hash and remote source digital signature using the remote source PKI public key, authenticating the decrypted received response messages using the decrypted received calculated application hash value and digital signature, and forwarding the response messages to the requestor application within the user workstation.
9. The method of claim 1, further comprising: the step of forwarding the calculated application hash value, a digital signature, a user ID and a password by the connection manager over the network to an access authority for connection negotiation to obtain a session key;
800693.010 the step of encrypting the requestor messages by the connection manager using the session key; and the step of decrypting the requestor messages by the channel receiver using the session key.
10. The method of claim 5, further comprising: the step of negotiating a connection and obtaining a session key from an access authority; the step of encrypting the response messages by the channel receiver using a session key; and the step of decrypting the response messages by the connection manager using the session key.
11. A computer-readable medium containing instructions for controlling a computer system to implement the method of claim 1.
12. A computer-readable medium containing instructions for controlling a computer system to implement the method of claim 5.
13. A system for application-level virtual private networking, comprising: means for requesting access for sending requestor messages to an external resource by a requestor application within a user workstation; means for identifying the requestor application and calculating a hash value of the requestor application by a connection manager within the user workstation; means for forwarding the requestor messages and the calculated application hash value by the connection manager over a network to a channel gateway; means for receiving the requestor messages and the calculated application hash value by a channel receiver within the channel gateway;
800693.010 means for authenticating the received requestor messages using the calculated application hash value and forwarding the requestor messages to the external resource; and means for receiving the requestor messages by the external resource.
14. The system of claim 13, wherein the external resource is a server application program.
15. The system of claim 13, wherein the requestor application is one specific version of one specific application.
16. The system of claim 13, further comprising: means for preparing and forwarding response messages by the external resource to the channel receiver within the channel gateway; means for receiving the response messages by the channel receiver and forwarding the response messages and the calculated application hash value over the network to the connection manager within the user workstation; means for receiving the response messages by the connection manager, authenticating the received messages using the received calculated application hash value, and forwarding the response messages to the requestor application within the user workstation; and means for receiving the response messages by the requestor application within the user workstation.
17. The system of claim 13, wherein: means for forwarding the requestor messages and the calculated application hash value comprises the steps of obtaining public and private keys from a PKI authority, encrypting the requestor messages using the external resource public PKI key, encrypting the application hash value and a digital signature, a user ID and a password using the requestor application PKI private key, forwarding
800693.010 25 the encrypted requestor messages, the application hash value, the digital signature, the user ID and the password by the connection manager over the network to the channel gateway; means for receiving the requestor messages and the calculated application hash value comprises receiving the encrypted requestor messages, application hash value, digital signature, user ID and password by the channel receiver of the channel gateway; and means for authenticating the received requestor messages using the calculated application hash value and forwarding the requestor messages to the external resource comprises decrypting the application hash value, digital signature, user ID and password using the application requestor PKI public key, decrypting the encrypted requestor messages using the external resource PKI private key, authenticating the received requestor messages using the decrypted calculated application hash value, digital signature, user ID and password, and forwarding the decrypted requestor messages to the external resource.
18. The system of claim 16, wherein: means for receiving the response messages by the channel receiver and forwarding the response messages comprises receiving the response messages by the channel receiver, encrypting the response messages using the requestor application
PKI public key, encrypting the hash and remote source digital signature using the remote source PKI private key, and forwarding the encrypted response messages, the encrypted calculated application hash value and remote resource digital signature, and the requestor application user ID and password over the network to the connection manager within the user workstation; and
800693.010 means for receiving the response messages by the connection manager comprises receiving the response messages by the connection manager, decrypting the response messages using the requestor application PKI private key, decrypting the hash and remote source digital signature using the remote source PKI public key, authenticating the decrypted received response messages using the decrypted received calculated application hash value and digital signature, and forwarding the response messages to the requestor application within the user workstation.
19. The system of claim 13, further comprising: means for forwarding the calculated application hash value, a digital signature, a user
ID and a password by the connection manager over the network to an access authority for connection negotiation to obtain a session key; means for encrypting the requestor messages by the connection manager using the session key; and means for decrypting the requestor messages by the channel receiver using the session key.
20. The method of claim 16, further comprising: means for negotiating a connection and obtaining a session key from an access authority; means for encrypting the response messages by the channel receiver using a session key; and means for decrypting the response messages by the connection manager using the session key.
21. A user interface method for application-level virtual private networking, comprising: defining a remote resource to be accessed without connection negotiation, including :
800693.010 27 selecting a remote resource to be accessed; designating a local port for accessing a virtual private network; providing an IP address of the remote resource; assigning a port number where the remote resource is available; defining a connection for the requestor application, including: using an executable application program for connecting to the remote resource; selecting a remote resource designation; supplying a user ID; entering a password; and clicking an enable button for accessing the remote resource.
22. The user interface method of claim 21, further comprising defining a remote resource to be accessed with connection negotiation, including: checking a box for designating negotiation required; and assigning an access authority to be used and for determining an IP address and remote resource port.
800693 010 28
PCT/US2003/015383 2002-05-15 2003-05-15 System and method for application-level virtual private network WO2004107646A1 (en)

Priority Applications (2)

Application Number Priority Date Filing Date Title
US10/249,877 US6804777B2 (en) 2002-05-15 2003-05-14 System and method for application-level virtual private network
US10/249,877 2003-05-14

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
AU2003229299A AU2003229299A1 (en) 2003-05-14 2003-05-15 System and method for application-level virtual private network

Publications (1)

Publication Number Publication Date
WO2004107646A1 true WO2004107646A1 (en) 2004-12-09

Family

ID=33489111

Family Applications (1)

Application Number Title Priority Date Filing Date
PCT/US2003/015383 WO2004107646A1 (en) 2002-05-15 2003-05-15 System and method for application-level virtual private network

Country Status (2)

Country Link
AU (1) AU2003229299A1 (en)
WO (1) WO2004107646A1 (en)

Cited By (30)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
WO2014062337A1 (en) * 2012-10-15 2014-04-24 Citrix Systems, Inc. Providing virtualized private network tunnels
US8799994B2 (en) 2011-10-11 2014-08-05 Citrix Systems, Inc. Policy-based application management
US8806570B2 (en) 2011-10-11 2014-08-12 Citrix Systems, Inc. Policy-based application management
US8813179B1 (en) 2013-03-29 2014-08-19 Citrix Systems, Inc. Providing mobile device management functionalities
US8850049B1 (en) 2013-03-29 2014-09-30 Citrix Systems, Inc. Providing mobile device management functionalities for a managed browser
US8850010B1 (en) 2013-03-29 2014-09-30 Citrix Systems, Inc. Providing a managed browser
US8849978B1 (en) 2013-03-29 2014-09-30 Citrix Systems, Inc. Providing an enterprise application store
US8869235B2 (en) 2011-10-11 2014-10-21 Citrix Systems, Inc. Secure mobile browser for protecting enterprise data
US8887230B2 (en) 2012-10-15 2014-11-11 Citrix Systems, Inc. Configuring and providing profiles that manage execution of mobile applications
US8910239B2 (en) 2012-10-15 2014-12-09 Citrix Systems, Inc. Providing virtualized private network tunnels
US8910264B2 (en) 2013-03-29 2014-12-09 Citrix Systems, Inc. Providing mobile device management functionalities
US8914845B2 (en) 2012-10-15 2014-12-16 Citrix Systems, Inc. Providing virtualized private network tunnels
US8959579B2 (en) 2012-10-16 2015-02-17 Citrix Systems, Inc. Controlling mobile device access to secure data
US9053340B2 (en) 2012-10-12 2015-06-09 Citrix Systems, Inc. Enterprise application store for an orchestration framework for connected devices
US9111105B2 (en) 2011-10-11 2015-08-18 Citrix Systems, Inc. Policy-based application management
US9215225B2 (en) 2013-03-29 2015-12-15 Citrix Systems, Inc. Mobile device locking with context
US9280377B2 (en) 2013-03-29 2016-03-08 Citrix Systems, Inc. Application with multiple operation modes
US9430664B2 (en) 2013-05-20 2016-08-30 Microsoft Technology Licensing, Llc Data protection for organizations on computing devices
US9477614B2 (en) 2011-08-30 2016-10-25 Microsoft Technology Licensing, Llc Sector map-based rapid data encryption policy compliance
US9516022B2 (en) 2012-10-14 2016-12-06 Getgo, Inc. Automated meeting room
EP3119056A1 (en) * 2015-07-13 2017-01-18 Vodafone IP Licensing Limited Machine to machine virtual private network
US9606774B2 (en) 2012-10-16 2017-03-28 Citrix Systems, Inc. Wrapping an application with field-programmable business logic
US9825945B2 (en) 2014-09-09 2017-11-21 Microsoft Technology Licensing, Llc Preserving data protection with policy
US9853812B2 (en) 2014-09-17 2017-12-26 Microsoft Technology Licensing, Llc Secure key management for roaming protected content
US9853820B2 (en) 2015-06-30 2017-12-26 Microsoft Technology Licensing, Llc Intelligent deletion of revoked data
US9900325B2 (en) 2015-10-09 2018-02-20 Microsoft Technology Licensing, Llc Passive encryption of organization data
US9900295B2 (en) 2014-11-05 2018-02-20 Microsoft Technology Licensing, Llc Roaming content wipe actions across devices
US9971585B2 (en) 2012-10-16 2018-05-15 Citrix Systems, Inc. Wrapping unmanaged applications on a mobile device
US9985850B2 (en) 2013-03-29 2018-05-29 Citrix Systems, Inc. Providing mobile device management functionalities
US10284627B2 (en) 2013-03-29 2019-05-07 Citrix Systems, Inc. Data management for an application with multiple operation modes

Citations (3)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US5604807A (en) * 1993-10-06 1997-02-18 Nippon Telegraph And Telephone Corporation System and scheme of cipher communication
US6272631B1 (en) * 1997-06-30 2001-08-07 Microsoft Corporation Protected storage of core data secrets
US6470450B1 (en) * 1998-12-23 2002-10-22 Entrust Technologies Limited Method and apparatus for controlling application access to limited access based data

Patent Citations (3)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US5604807A (en) * 1993-10-06 1997-02-18 Nippon Telegraph And Telephone Corporation System and scheme of cipher communication
US6272631B1 (en) * 1997-06-30 2001-08-07 Microsoft Corporation Protected storage of core data secrets
US6470450B1 (en) * 1998-12-23 2002-10-22 Entrust Technologies Limited Method and apparatus for controlling application access to limited access based data

Cited By (70)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US9477614B2 (en) 2011-08-30 2016-10-25 Microsoft Technology Licensing, Llc Sector map-based rapid data encryption policy compliance
US9740639B2 (en) 2011-08-30 2017-08-22 Microsoft Technology Licensing, Llc Map-based rapid data encryption policy compliance
US9043480B2 (en) 2011-10-11 2015-05-26 Citrix Systems, Inc. Policy-based application management
US10063595B1 (en) 2011-10-11 2018-08-28 Citrix Systems, Inc. Secure execution of enterprise applications on mobile devices
US8806570B2 (en) 2011-10-11 2014-08-12 Citrix Systems, Inc. Policy-based application management
US10044757B2 (en) 2011-10-11 2018-08-07 Citrix Systems, Inc. Secure execution of enterprise applications on mobile devices
US9183380B2 (en) 2011-10-11 2015-11-10 Citrix Systems, Inc. Secure execution of enterprise applications on mobile devices
US8799994B2 (en) 2011-10-11 2014-08-05 Citrix Systems, Inc. Policy-based application management
US9286471B2 (en) 2011-10-11 2016-03-15 Citrix Systems, Inc. Rules based detection and correction of problems on mobile devices of enterprise users
US8869235B2 (en) 2011-10-11 2014-10-21 Citrix Systems, Inc. Secure mobile browser for protecting enterprise data
US9111105B2 (en) 2011-10-11 2015-08-18 Citrix Systems, Inc. Policy-based application management
US8881229B2 (en) 2011-10-11 2014-11-04 Citrix Systems, Inc. Policy-based application management
US9213850B2 (en) 2011-10-11 2015-12-15 Citrix Systems, Inc. Policy-based application management
US9143530B2 (en) 2011-10-11 2015-09-22 Citrix Systems, Inc. Secure container for protecting enterprise data on a mobile device
US9143529B2 (en) 2011-10-11 2015-09-22 Citrix Systems, Inc. Modifying pre-existing mobile applications to implement enterprise security policies
US9529996B2 (en) 2011-10-11 2016-12-27 Citrix Systems, Inc. Controlling mobile device access to enterprise resources
US9137262B2 (en) 2011-10-11 2015-09-15 Citrix Systems, Inc. Providing secure mobile device access to enterprise resources using application tunnels
US8886925B2 (en) 2011-10-11 2014-11-11 Citrix Systems, Inc. Protecting enterprise data through policy-based encryption of message attachments
US9521147B2 (en) 2011-10-11 2016-12-13 Citrix Systems, Inc. Policy based application management
US9854063B2 (en) 2012-10-12 2017-12-26 Citrix Systems, Inc. Enterprise application store for an orchestration framework for connected devices
US9386120B2 (en) 2012-10-12 2016-07-05 Citrix Systems, Inc. Single sign-on access in an orchestration framework for connected devices
US9189645B2 (en) 2012-10-12 2015-11-17 Citrix Systems, Inc. Sharing content across applications and devices having multiple operation modes in an orchestration framework for connected devices
US9053340B2 (en) 2012-10-12 2015-06-09 Citrix Systems, Inc. Enterprise application store for an orchestration framework for connected devices
US9516022B2 (en) 2012-10-14 2016-12-06 Getgo, Inc. Automated meeting room
US8910239B2 (en) 2012-10-15 2014-12-09 Citrix Systems, Inc. Providing virtualized private network tunnels
US8931078B2 (en) 2012-10-15 2015-01-06 Citrix Systems, Inc. Providing virtualized private network tunnels
US8914845B2 (en) 2012-10-15 2014-12-16 Citrix Systems, Inc. Providing virtualized private network tunnels
US9521117B2 (en) 2012-10-15 2016-12-13 Citrix Systems, Inc. Providing virtualized private network tunnels
US9654508B2 (en) 2012-10-15 2017-05-16 Citrix Systems, Inc. Configuring and providing profiles that manage execution of mobile applications
US8887230B2 (en) 2012-10-15 2014-11-11 Citrix Systems, Inc. Configuring and providing profiles that manage execution of mobile applications
WO2014062337A1 (en) * 2012-10-15 2014-04-24 Citrix Systems, Inc. Providing virtualized private network tunnels
US9973489B2 (en) 2012-10-15 2018-05-15 Citrix Systems, Inc. Providing virtualized private network tunnels
EP3364629A1 (en) * 2012-10-15 2018-08-22 Citrix Systems Inc. Providing virtualized private network tunnels
US9467474B2 (en) 2012-10-15 2016-10-11 Citrix Systems, Inc. Conjuring and providing profiles that manage execution of mobile applications
US8904477B2 (en) 2012-10-15 2014-12-02 Citrix Systems, Inc. Configuring and providing profiles that manage execution of mobile applications
US8959579B2 (en) 2012-10-16 2015-02-17 Citrix Systems, Inc. Controlling mobile device access to secure data
US9858428B2 (en) 2012-10-16 2018-01-02 Citrix Systems, Inc. Controlling mobile device access to secure data
US9606774B2 (en) 2012-10-16 2017-03-28 Citrix Systems, Inc. Wrapping an application with field-programmable business logic
US9602474B2 (en) 2012-10-16 2017-03-21 Citrix Systems, Inc. Controlling mobile device access to secure data
US9971585B2 (en) 2012-10-16 2018-05-15 Citrix Systems, Inc. Wrapping unmanaged applications on a mobile device
US8898732B2 (en) 2013-03-29 2014-11-25 Citrix Systems, Inc. Providing a managed browser
US10097584B2 (en) 2013-03-29 2018-10-09 Citrix Systems, Inc. Providing a managed browser
US9455886B2 (en) 2013-03-29 2016-09-27 Citrix Systems, Inc. Providing mobile device management functionalities
US9280377B2 (en) 2013-03-29 2016-03-08 Citrix Systems, Inc. Application with multiple operation modes
US8996709B2 (en) 2013-03-29 2015-03-31 Citrix Systems, Inc. Providing a managed browser
US9413736B2 (en) 2013-03-29 2016-08-09 Citrix Systems, Inc. Providing an enterprise application store
US8910264B2 (en) 2013-03-29 2014-12-09 Citrix Systems, Inc. Providing mobile device management functionalities
US8849978B1 (en) 2013-03-29 2014-09-30 Citrix Systems, Inc. Providing an enterprise application store
US9112853B2 (en) 2013-03-29 2015-08-18 Citrix Systems, Inc. Providing a managed browser
US8813179B1 (en) 2013-03-29 2014-08-19 Citrix Systems, Inc. Providing mobile device management functionalities
US9369449B2 (en) 2013-03-29 2016-06-14 Citrix Systems, Inc. Providing an enterprise application store
US9355223B2 (en) 2013-03-29 2016-05-31 Citrix Systems, Inc. Providing a managed browser
US8893221B2 (en) 2013-03-29 2014-11-18 Citrix Systems, Inc. Providing a managed browser
US10284627B2 (en) 2013-03-29 2019-05-07 Citrix Systems, Inc. Data management for an application with multiple operation modes
US8850049B1 (en) 2013-03-29 2014-09-30 Citrix Systems, Inc. Providing mobile device management functionalities for a managed browser
US8850010B1 (en) 2013-03-29 2014-09-30 Citrix Systems, Inc. Providing a managed browser
US8881228B2 (en) 2013-03-29 2014-11-04 Citrix Systems, Inc. Providing a managed browser
US9985850B2 (en) 2013-03-29 2018-05-29 Citrix Systems, Inc. Providing mobile device management functionalities
US9158895B2 (en) 2013-03-29 2015-10-13 Citrix Systems, Inc. Providing a managed browser
US8850050B1 (en) 2013-03-29 2014-09-30 Citrix Systems, Inc. Providing a managed browser
US8849979B1 (en) 2013-03-29 2014-09-30 Citrix Systems, Inc. Providing mobile device management functionalities
US9215225B2 (en) 2013-03-29 2015-12-15 Citrix Systems, Inc. Mobile device locking with context
US9948657B2 (en) 2013-03-29 2018-04-17 Citrix Systems, Inc. Providing an enterprise application store
US9430664B2 (en) 2013-05-20 2016-08-30 Microsoft Technology Licensing, Llc Data protection for organizations on computing devices
US9825945B2 (en) 2014-09-09 2017-11-21 Microsoft Technology Licensing, Llc Preserving data protection with policy
US9853812B2 (en) 2014-09-17 2017-12-26 Microsoft Technology Licensing, Llc Secure key management for roaming protected content
US9900295B2 (en) 2014-11-05 2018-02-20 Microsoft Technology Licensing, Llc Roaming content wipe actions across devices
US9853820B2 (en) 2015-06-30 2017-12-26 Microsoft Technology Licensing, Llc Intelligent deletion of revoked data
EP3119056A1 (en) * 2015-07-13 2017-01-18 Vodafone IP Licensing Limited Machine to machine virtual private network
US9900325B2 (en) 2015-10-09 2018-02-20 Microsoft Technology Licensing, Llc Passive encryption of organization data

Also Published As

Publication number Publication date
AU2003229299A1 (en) 2005-01-21

Similar Documents

Publication Publication Date Title
Oppliger Security technologies for the world wide web
US7536715B2 (en) Distributed firewall system and method
EP2561663B1 (en) Server and method for providing secured access to services
USRE47443E1 (en) Document security system that permits external users to gain access to secured files
US6751728B1 (en) System and method of transmitting encrypted packets through a network access point
Oppliger Internet security: firewalls and beyond
CN100591003C (en) Enabling stateless server-based pre-shared secrets
US6931529B2 (en) Establishing consistent, end-to-end protection for a user datagram
US6823462B1 (en) Virtual private network with multiple tunnels associated with one group name
CN101543005B (en) Secure network architecture
US7913084B2 (en) Policy driven, credential delegation for single sign on and secure access to network resources
US6640302B1 (en) Secure intranet access
US8910255B2 (en) Authentication for distributed secure content management system
US5983350A (en) Secure firewall supporting different levels of authentication based on address or encryption status
JP4746333B2 (en) Efficient and secure authentication of a computing system
US8200818B2 (en) System providing internet access management with router-based policy enforcement
CN1578218B (en) Reducing network configuration complexity with transparent virtual private networks
US9619632B2 (en) System for providing session-based network privacy, private, persistent storage, and discretionary access control for sharing private data
JP4520840B2 (en) Relay method encrypted communication, the gateway server, the encrypted communication programs and encrypted communication program storage medium
US7688975B2 (en) Method and apparatus for dynamic generation of symmetric encryption keys and exchange of dynamic symmetric key infrastructure
US8800024B2 (en) System and method for host-initiated firewall discovery in a network environment
US7543332B2 (en) Method and system for securely scanning network traffic
US7627896B2 (en) Security system providing methodology for cooperative enforcement of security policies during SSL sessions
US7395341B2 (en) System, method, apparatus and computer program product for facilitating digital communications
CN100380870C (en) System and method for managing a proxy request over a secure network using inherited security attributes

Legal Events

Date Code Title Description
AK Designated states

Kind code of ref document: A1

Designated state(s): AE AG AL AM AT AU AZ BA BB BG BR BY BZ CA CH CN CO CR CU CZ DE DK DM DZ EC EE ES FI GB GD GE GH GM HR HU ID IL IN IS JP KE KG KP KR KZ LC LK LR LS LT LU LV MA MD MG MK MN MW MX MZ NI NO NZ OM PH PL PT RO RU SC SD SE SG SK SL TJ TM TN TR TT TZ UA UG UZ VC VN YU ZA ZM ZW

AL Designated countries for regional patents

Kind code of ref document: A1

Designated state(s): GH GM KE LS MW MZ SD SL SZ TZ UG ZM ZW AM AZ BY KG KZ MD RU TJ TM AT BE BG CH CY CZ DE DK EE ES FI FR GB GR HU IE IT LU MC NL PT RO SE SI SK TR BF BJ CF CG CI CM GA GN GQ GW ML MR NE SN TD TG

DFPE Request for preliminary examination filed prior to expiration of 19th month from priority date (pct application filed before 20040101)
121 Ep: the epo has been informed by wipo that ep was designated in this application
122 Ep: pct application non-entry in european phase
NENP Non-entry into the national phase in:

Ref country code: JP