WO2013150543A2 - Precomputed high-performance rule engine for very fast processing from complex access rules - Google Patents


Info

Publication number
WO2013150543A2
Authority
WO
WIPO (PCT)
Prior art keywords
server
client
destination
communication network
access
Prior art date
Application number
PCT/IN2013/000170
Other languages
French (fr)
Other versions
WO2013150543A3 (en)
Inventor
Sharan JITENDER
Original Assignee
Ciphergraph Networks, Inc.
Filing date
Publication date
Application filed by Ciphergraph Networks, Inc.
Publication of WO2013150543A2
Publication of WO2013150543A3

Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00 Network architectures or network communication protocols for network security
    • H04L63/02 Network architectures or network communication protocols for network security for separating internal from external traffic, e.g. firewalls
    • H04L63/0227 Filtering policies
    • H04L63/0263 Rule management
    • H04L63/0272 Virtual private networks
    • H04L63/10 Network architectures or network communication protocols for network security for controlling access to devices or network resources
    • H04L61/00 Network arrangements, protocols or services for addressing or naming
    • H04L61/45 Network directories; Name-to-address mapping
    • H04L61/4505 Network directories; Name-to-address mapping using standardised directories; using standardised directory access protocols
    • H04L61/4511 Network directories; Name-to-address mapping using standardised directories; using standardised directory access protocols using domain name system [DNS]
    • H04L61/58 Caching of addresses or names
    • H04L67/00 Network arrangements or protocols for supporting network services or applications
    • H04L67/50 Network services
    • H04L67/56 Provisioning of proxy services
    • H04L67/568 Storing data temporarily at an intermediate stage, e.g. caching

Definitions

  • the present invention is generally related to a method and system for connecting a user with a network resource through a communication network and is more particularly related to the method and system for caching multiple DNS results for faster rule evaluation for faster connection to a network resource.
  • VPN virtual private networks
  • a company's resource or any network resource can be specified by various methods. Resolving most resources by the specification is typically a deterministic procedure (like IP, subnet, IP-range, set of IP addresses, port, protocol etc.) since they do not require any external input to resolve as they are already in directly usable form.
  • names like DNS names must first be resolved by using a nameserver (DNS server) to get into a directly usable format (usually a single or set of IP addresses).
  • DNS server nameserver
  • names map to multiple addresses then one needs to ensure that the complete set of resolved results is consistent across all involved participants to ensure error free and accurate policy enforcement.
  • the implementation of VPN channels for secure connection is done through various methods.
  • IPs there may be several IPs mapped to a single host/domain name to ensure transparent failover or to load balance the Internet traffic.
  • a user selects any one of the IPs to access a hostname over the Internet (The hostname has several IPs mapped onto it).
  • This request is sent to a DNS server which is used by the rule engine for name resolution of the requested hostname.
  • the rule engine has a set of rules present at the rule engine for authentication. For each access rule in the set of rules, the rule engine tries to map the hostname to an IP by using the same DNS server.
  • the present invention provides a method and system for connecting a remote user to a network resource or a website by using an intermediate DNS server that stores and forwards pre-computed results for fast processing of complex access rules.
  • One of the objectives of the present invention is to provide a method and system for enabling the remote user to access the network resource by enabling the usage of the complex access rules based on DNS / WINS directly with access rules based on rule qualifying criteria such as IP address, Subnet address, port address or any other directly usable address.
  • the remote user who wishes to connect to the network resource makes an access request from his personal computer (the client).
  • the access request is forwarded to the intermediate server which further uses the primary DNS servers to resolve the IP address of the destination. All the possible resolved IP addresses of the destination along with the complex access rules are then processed at a rule server that computes a set of results corresponding to the resolved addresses and the assigned virtual IP address of the client. These pre-computed results are stored at the intermediate server.
  • the remote user who wishes to subsequently connect to the network resource makes an access request from his personal computer (the client).
  • the user attempts to log in to the network resource servers using a communication and security protocol, wherein the user is required to authenticate himself by providing a password, pass-code or by using any other identification method.
  • the intermediate network or the first server may forcibly terminate and answer the access request or forward them to the first server (or the intermediate server). This enables the intermediate server to act as a proxy for communication, as expected for DNS requests, and enables a rule evaluator for fast processing of the complex rules.
  • Intermediate server can either forward any requests by routing or by proxying the requests received from the client.
  • the intermediate server would proxy the request when either the access request may need some changes or in case of termination of the access request.
  • access request needing changes may be that the http request may require adding or removing headers from the original requests.
  • the intermediate server may alternately route the network traffic to the destination.
  • the rule engine determines whether any request may be allowed or denied.
  • the rule server and the primary DNS server are cached while serving an access request through a tunnel or any other secure connection.
  • the method of caching the primary DNS using the intermediate server and the rule server prevents latency and is most suited for cloud or hybrid networks, unlike complex access rule evaluation by traditional methods, where the access request would easily time out because of the long processing time needed to evaluate complex rules for those network resources which have multiple IP addresses.
  • FIG. 1 is a diagram depicting an environment where the invention may be practiced, according to one embodiment of the invention.
  • FIG. 2A is a flow chart depicting the method steps of practicing the invention according to one embodiment of the invention.
  • FIG. 2B is a flow chart depicting the method steps of practicing the invention according to one embodiment of the invention.
  • FIG. 2C is a flow chart depicting the method steps of practicing the invention according to one embodiment of the invention.
  • Server- A server is a physical computer (a computer hardware system) or a virtual machine (software implementation of a machine that executes programs like a physical machine) dedicated to running one or more services (as a host) to serve the needs of users of the other computers on the network.
  • a virtual machine software implementation of a machine that executes programs like a physical machine
  • Depending on the computing service that it offers it could be a database server, file server, mail server, print server, web server, or any other computing server.
  • Domain Name - A domain name is a user-friendly name that represents a physical point on the Internet that is a network address (most often an IP address). It is an identification string that defines a realm of administrative autonomy, authority, or control in the Internet. Domain names are formed by the rules and procedures of the Domain Name System (DNS).
  • DNS Domain Name System
  • WINS - Windows Internet Naming Service is a system that determines the IP address associated with a particular network computer. It is Microsoft's implementation of NetBIOS Name Service (NBNS), a name server and service for NetBIOS computer names. WINS uses a distributed database that is automatically updated with the names of computers currently available and the IP address assigned to each one.
  • NBNS NetBIOS Name Service
  • DNS - Domain Name System or DNS is a standard technology for managing the names of Web sites and other Internet domains.
  • DNS is a hierarchical distributed naming system for computers, services, or any resource connected to the Internet or a private network. DNS associates information with domain names assigned to each of the participating entities.
  • DNS technology allows a user to type names into his Web browser google.com which enables his computer to automatically find that address on the Internet.
  • a key element of the DNS is a worldwide collection of DNS servers.
  • DNS server - A DNS server is computer server that is part of the Domain Name System (DNS) running a special-purpose networking software, and containing a database of network names and addresses for other Internet hosts.
  • DNS servers which are an example of a name server
  • the DNS servers map a human-recognizable identifier to a system-internal, often numeric, identification or addressing component.
  • Web browser A Web browser, like Netscape NavigatorTM or MicrosoftTM Internet ExplorerTM, is a computer program (also known as a software application, or simply an application) that is enabled to go to a Web server on the Internet and request a page, so that the browser can pull the Webpage through the network and into user's machine. Also, a Web browser can interpret the set of HTML tags within the Webpage in order to display the Webpage on a user screen as the page is intended to be displayed.
  • VPN - A virtual private network is a network that uses a public telecommunication infrastructure, such as the Internet, to provide remote offices or individual users with secure access to their organization's network. It is a network segregation technology that ensures prevention of disclosure of private information to unauthorized parties.
  • Cloud - Cloud is network enabling delivery of computing as a service rather than a product, whereby shared resources, software, and information are provided to computers and other devices as a utility (like the electricity grid) over a network (typically the Internet).
  • Cloud computing provides computation, software applications, data access, data management and storage resources without requiring cloud users to know the location and other details of the computing infrastructure.
  • IPsec Internet Protocol Security
  • IP Internet Protocol
  • IPsec also includes protocols for establishing mutual authentication between agents at the beginning of the session and negotiation of cryptographic keys to be used during the session.
  • Load balancing - is a computer networking methodology to distribute workload across multiple computers or a computer cluster, network links, central processing units, disk drives or other resources, to achieve optimal resource utilization and avoiding overload by redundancy.
  • FIG. 1 is a diagram depicting an environment where the invention may be practiced, according to one embodiment of the invention.
  • the environment comprises a client 102 existing in a first communication network 104 wishing to connect with a destination 106 existing in a second communication network 108 through a third communication network 110.
  • the client 102 further accesses the destination 106 through a communication device 112 that uses the third communication network 110.
  • the system elements referred to, viz. the client 102, the destination 106 and the communication device 112, in the description of the present invention may be defined as follows.
  • the client 102 is a device that enables a user to access a network resource of an organization or any database over a communication network.
  • Examples of the client 102 include but are not limited to laptops, personal desktop computers, mobile phones, Personal Digital Assistants (PDAs), iPadsTM, Tablets, internet kiosk devices or any other communication and processing device. Thus, the user can connect with the network resource remotely or while travelling.
  • the destination 106 as referred to herein in the specification refers to a server or cluster of servers hosting a website or a network resource of an organization that the client 102 wishes to access.
  • the destination 106 thus may have one or more networks like several branch offices or other deployments in the organization, including but not limited to a cloud hosted or a virtual deployment of the organization.
  • the destination 106 has a plurality of Internet protocol addresses or IP addresses mapped onto it for load balancing of Internet traffic and transparent failover for communication reliability and continuity.
  • the communication device 112 as referred to herein in the specification refers to a router, a firewall, a Gateway or any other device that is capable of carrying network traffic.
  • the communication device 1 12 is VPN.
  • the VPN authenticates the remote users of the network using mapping rules and plurality of IP addresses of the destination 106.
  • the first communication network 104, the second communication network 108 and the third communication network 110 in the description of the present invention may be defined as follows.
  • the first communication network 104 and the second communication network 108 may be the Internet, a local area network, a telecommunication network, a cloud or any other communication network, wherein the third communication network 110 is a cloud network.
  • the third communication network 110 may be the Internet, a local area network, a mobile communication network, a telecommunication network or any other communication network that can act as an intermediate between the first communication network 104 and the second communication network 108.
  • the third communication network 110 may be a combination of a plurality of networks that may be used individually or may be used as a communication between dynamic communication network hubs (such as different cellular towers in mobile communication) during the movement of the client 102.
  • the access request from the client 102 is forwarded over the third communication network 110.
  • the third communication network 110 comprises a first server 114 acting as an intermediate server that proxies and caches the results obtained from a second server 116.
  • a rule server 118 further exists in the third communication network 110 for processing the access request.
  • the intermediate server, hereinafter referred to as the first server 114 is a name resolution server for caching DNS or WINS results from the second server 116 as well as the computed rules from the rule server 118.
  • the first server 114 acts as a repository of pre-computed access rules corresponding to various network resources. The readymade rules drastically reduce the processing time to access a resource at the destination 106.
  • the first server 114 acts as an authoritative DNS server, wherein destination 106 may use the first server 114 for the authorization, even when any pre-computed results are not present in the first server 114.
  • the authoritative DNS records are always present with the first server 114, hence the role of the second server 116 is obviated.
  • the second server 116 is a Domain Name System (DNS) server that is registered to join the Domain Name System over the Internet and acts as a primary server to process the access requests of the client 102 by resolving the IP addresses corresponding to the destination 106.
  • DNS Domain Name System
  • second server 116 may be a cluster of DNS servers registered with the Domain Name System that may use other DNS servers for resolving the destination 106 and fetching corresponding IP address results.
  • the second server 116 may be a Windows Internet Naming Service (WINS) that determines the IP address associated with a network computer.
  • WINS Windows Internet Naming Service
  • the second server 116 may be any name resolution service that maps one format of naming servers/services to another. Further, the second server 116 may resolve domain names from both network 108 as well as the Internet or any other Naming server the destination 106 server chooses to use.
  • the rule server 118 is a server that processes a set of access rules that need to be executed and verified before providing access of the client 102 to the destination 106.
  • the access rules are the rules that allow/deny access to users to the services they requested.
  • the access rules determine the user's rights or the privileges of the client 102 based on the identity, group, organization structure, the current network and the device the user is on.
  • the administrator of the destination 106 may be an authorized person of the company who can access the rule server 118 and can configure conditions or the complex access rules granting privileges to different set of users who can access the destination 106.
  • Complex access rules for the destination 106 thus can be configured at the rule server 118. It may be apparent to a person skilled in the art that the rule server 118 may be programmed to automatically fetch the complex access rules from a network service that is independent of the destination 106. For every request that a user makes, a decision is taken based on the access rules whether to allow/deny that request to be processed.
  • the rule server 118 processes the complex access rules for the IP addresses associated with the destination 106.
  • a pre-computed ruleset is constituted comprising processed results of the complex access rules.
  • the pre-computed ruleset is communicated to the first server 114 automatically.
  • the pre-computed ruleset may be requested by the first server 114. Further, the first server 114 and the rule server 118 may be load balanced or may work in failover mode for providing a high performance and resilient service in case of a high volume of access requests, wherein the first server 114 and the rule server 118 may use each other's cache.
  • the rule server 118 is integrated with the first DNS server 114.
  • the rule server 118 may exist in the second communication network 108 and may be hosted on the destination server 106.
  • the rule server 118 may exist in the first communication network 108 and may be hosted on the client 102.
  • FIGs. 2A, 2B and 2C flowcharts.
  • FIGS. 2A, FIG. 2B and FIG. 2C are interlinked flow charts depicting the method steps of practicing the invention according to one embodiment of the invention.
  • a user makes an access request using the client 102 to access the destination 106.
  • the path to the destination 106 has a rule server 118 that acts as a network access control, which determines whether access should be allowed or not.
  • the path to the destination 106 may be either through a secure connection, a tunnelled communication or an insecure path at various stages in the network.
  • the user makes the access request by logging on to the third communication network 110.
  • the user may login using L2TP over IPSec. It will be apparent to a person skilled in the art that any tunneling or communication protocol may be used without altering the scope of the invention.
  • the user may be at any remote location wherein the user uses his personal computer (the client 102) to access the destination 106 that exists over a cloud network.
  • the destination 106 may be any website or a network resource in a corporation or an organization.
  • access control from the first communication network 104 to the second communication network 108 is based on a set of access rules being controlled by the rule server 118.
  • the access rules may be based on unique or non-unique properties of the client 102 and the destination 106 including but not limited to IP address, Port address, Protocol, Network header, Network header extension, QOS header or flags, the MAC address of the client 102 and the destination 106, Subnet address, an IP range, VLAN tag, Tunneling protocol, Tunneling protocol extension/header or stateful inspection of traffic.
  • the rule server 118 is thus enabled to operate with high speed for the access rules corresponding to the primary identification property corresponding to the client 102 and the destination 106, that are easy and fast to filter during access rule resolution.
  • access rules may be created from identification properties that need secondary identifying properties to create a deterministic rule.
  • the secondary identifying properties may be mapped to primary uniquely identifying properties to authenticate access to the destination 106.
  • Properties that can be used as secondary identifying properties of the client 102 and the destination 106 while processing an access rule may include but are not limited to hostname, operating system of the client 102 and the destination 106, application being used in the client 102 and the destination 106, MAC address of the client 102 and the destination 106, DNS/WINS name used to access the client 102 and the destination 106, machine or system or user identity, machine/system/user group, a first communication network 104 identifier, a third communication network 110 identifier, time when the access request is made, antivirus and key-logger status.
  • Internet network streams can be used for altering or marking either at the first communication network 104 or at the intermediate network (the third communication network 106), wherein the network streams allow easy and quick identification of an access request based on secondary identifying property.
  • Secondary identifying property information may also be embedded into the access request at any stage of the network access request, for example VLAN tags may be used to manage network traffic, wherein the VLAN tag may be added to any access request using appropriately enabled network software or hardware.
  • the rule server 118 may force the client 102 to use a separate VLAN, wherein the VLAN is enabled by the client 120 or by the first server 114 that can switch the access request of the client 102 to the VLAN.
  • marking the Internet network stream is to mark traffic by modifying a reserved/unused field in the relevant network header of the communication. It may be noted that the operations including marking the Internet network traffic and embedding secondary identifying information may further require removal of the tags or the unmarking information before the communication is sent to the destination 106.
  • the client 102 in the next step 204 forwards the access request to the first server 114, wherein the client 102 is forced to forward the access request to the first server 114 by customizing a port in the client 102. It may be noted that other methods of forcing the access request to terminate at the first server 114 may also be used. Also, the first server 114 assigns a virtual IP address (hereinafter referred to as 'UIP') to the client 102.
  • the UIP may be used to uniquely identify the client 102 from the network traffic. For example, in case the user logs in using L2TP over IPSec, a virtual IP address is assigned by the point-to-point protocol (PPP), which is stored along with the plurality of IP addresses resolved by the primary DNS server or the second server 116.
  • PPP point-to-point protocol
  • the pre-computed ruleset is accessed from the first server 114 corresponding to the destination 106.
  • the first server 114 checks if the pre-computed ruleset is cached in the first server 114 in step 208.
  • the pre-computed ruleset provides a condensed form of the complex access rules that can be processed quickly by a DNS server or a WINS server or any other intermediate machine.
  • the pre-computed ruleset is always fully generated or processed for any rule that depends directly on usable parameters like IP address, Subnet address, port address, protocol etc. For others like rules depending on domain names (user friendly names) the rule set is updated with the parameters resolved from the cache.
  • the pre-computed ruleset may be pre-generated for all resources referenced in the ruleset so there is no delay even for the first request.
  • the pre-computed ruleset enables the first server 114 in caching the primary DNS server (the second server 116) and the rule server 118.
  • the first server 114 acts as the proxy DNS server that evaluates the pre-computed ruleset.
  • the access status is then checked at the next step 224. If the pre-computed ruleset authenticates the access to the client 102, the permission is granted to access the destination 106 and the communication device 112 forwards the access request to the destination 106 in step 226. Thus, a forwarding path is established between the client 102 and the destination 106. Else, if the pre-computed ruleset does not permit the access, the access request is denied at step 228.
  • the access request is forwarded to the second server 116 for resolving the access request by fetching the IP address of the destination 106, in the step 210.
  • the second server 106 communicates with the Domain Name System servers and authoritative servers over the Internet to resolve the destination 106 at the step 212.
  • a plurality of IP addresses are fetched by the second server 116 corresponding to the destination 106 at step 214.
  • the plurality of IP addresses are cached at the first server 112.
  • the complex access rules that have been configured at the rule server 118 are processed and a pre-computed ruleset is constituted at step 218.
  • the pre-computed ruleset is communicated to the first server 114 at step 220. Thereafter, the access status is checked by the first server 114 in step 222. If the pre-computed ruleset authenticates the access to the client 102, the first server 114 directs the communication device 112 to grant access to the destination 106 in step 224. The communication device 112 forwards the access request to the destination 106 in step 226. Thus, a forward path is established between the client 102 and the destination 106. Else, if the pre-computed ruleset does not permit the access, the access request is denied at step 228.
  • FIG. 10 A typical example illustrating the method steps of the invention is illustrated below. However, it may be noted that the illustration and the formulae presented are only an embodiment of the invention and in no way limits the scope of the invention.
  • A user who is an employee of Google Inc. makes an access request for the first time to access the source code at sourcecode.google.com (the destination 106) existing in the Google cloud (the second communication network 108) from his personal laptop (the client 102).
  • Now 'sourcecode.google.com' has at least seven IP addresses associated with it so as to enable hundreds of Google programmers all around the world to effectively collaborate on the source code and to ensure transparent failover or to load balance the Internet traffic.
  • the user makes the access request by logging on to the Google cloud (the third communication network 110) using L2TP over IPSec.
  • the point-to-point protocol assigns a virtual IP address to the client 102, say UIP1.
  • the user access request is forwarded to the first server 114 in the next step, which acts as an intermediate server. If there is no pre-computed ruleset present at the first server 114, the first server 114 forwards the access request to the second server 116.
  • the second server 116 fetches all the IP addresses (say IP1, IP2, IP3, IP4, IP5, IP6 and IP7) from the Internet directory database that 'sourcecode.google.com' resolves to, and the fetched IP addresses are cached at the first server 114.
  • the IP addresses along with the virtual IP address are cached at the first server 114 and may be represented as:
  • UIP1 -> IP1 Allow
  • an administrator of 'sourcecode.google.com' configures complex access rules at the rule server 118 for accessing Google's organization directory server, wherein the rules for 'sourcecode.google.com' may be presented as:
  • the VPN (the communication device 112) forwards the access to 'sourcecode.google.com' with privileges as determined in the pre-computed ruleset.
  • the client 102 chooses say IP3 to resolve the name.
  • the pre-computed ruleset for UIP1 is fetched at the first server 114. Thus, the first server 114 acting as proxy server allows the user access to Set 2 and Set 3 in 'sourcecode.google.com' as per the pre-computed ruleset. It must be noted that the use of caching of results and rule set at the first server 114 allows even a non-exhaustive DNS result set to function accurately.

Landscapes

  • Engineering & Computer Science (AREA)
  • Computer Networks & Wireless Communication (AREA)
  • Signal Processing (AREA)
  • Computer Hardware Design (AREA)
  • Computer Security & Cryptography (AREA)
  • Computing Systems (AREA)
  • General Engineering & Computer Science (AREA)
  • Business, Economics & Management (AREA)
  • General Business, Economics & Management (AREA)
  • Data Exchanges In Wide-Area Networks (AREA)
  • Information Retrieval, Db Structures And Fs Structures Therefor (AREA)

Abstract

The invention discloses a method of setting up a forwarding path between a client existing in a first communication network and a destination existing in a second communication network through a third communication network, wherein after the step of requesting a connection to the destination, the request is forwarded to an intermediate DNS server. The intermediate DNS server, after accessing the access rules from the rule server, determines the access privileges of the client at the destination, and thereby sets up the forwarding path between the client and the destination via a secure channel.

Description

PRECOMPUTED HIGH-PERFORMANCE RULE ENGINE FOR VERY FAST PROCESSING FROM COMPLEX ACCESS RULES
FIELD OF INVENTION
[0001] The present invention is generally related to a method and system for connecting a user to a network resource through a communication network, and more particularly to a method and system for caching multiple DNS results so that access rules can be evaluated faster and the connection to the network resource is established faster.
BACKGROUND
[0002] In large organizations and corporations, users are enabled to connect to and access the company's resources remotely through virtual private networks (VPNs) over the Internet, a LAN or any other communication network. These VPNs typically require remote users of the network to be authenticated, and often secure data with encryption technologies to prevent disclosure of private information to unauthorized parties.
[0003] A company's resource, or any network resource, can be specified in various ways. Resolving most such specifications is a deterministic procedure (IP address, subnet, IP range, set of IP addresses, port, protocol, etc.), since they require no external input and are already in directly usable form. Names such as DNS names, however, must first be resolved through a name server (DNS server) into a directly usable form, usually a single IP address or a set of IP addresses. Further, if a name maps to multiple addresses, the complete set of resolved results must be consistent across all participants involved to ensure error-free and accurate policy enforcement. VPN channels for secure connections are implemented through various methods. Several IPs may be mapped to a single host or domain name to provide transparent failover or to load balance Internet traffic. In the traditional approach, a user selects any one of the IPs to access a hostname over the Internet (the hostname has several IPs mapped onto it). The request is sent to a DNS server, which is also used by the rule engine for name resolution of the requested hostname. The rule engine holds a set of rules for access control and, for each access rule in the set, tries to map the rule's hostname to an IP by using the same DNS server. Directly using the DNS results in this way can create performance bottlenecks and incorrect rule evaluation, specifically when the number of resolutions required to match a rule's hostname to the requested network address is too large (too many rules), or when a resolution request returns only partial results that may or may not be consistent across resolution requests. The rule engine's own resolution of the hostname may therefore yield a set of IPs that does not include the IP the client selected, and the request is erroneously declined.
Apart from this drawback, having multiple IP addresses for a single domain name makes access control difficult, because a definitive set of rules for granting access cannot be generated. Moreover, in a cloud network where the users are in a separate network from the VPN servers, verifying rules against multiple IPs adds latency to the processing of access requests. Thus, an inherent latency is present in communications over slow networks, and the number of rules in the set cannot be increased beyond a limit.
[0004] Hence, in light of these drawbacks, what is needed is a system and method for a very fast and highly scalable access control system that is suited to access control in the cloud or across a large WAN and performs well even on slow or high-latency networks.
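The erroneous-denial case described in the background above, as an added simulation that is not part of the patent or of any Ciphergraph code: a stub resolver hands out a different two-address slice of a seven-address name on every query, and a traditional engine that re-resolves each rule's hostname at decision time never sees the address the client was given a moment earlier. The hostnames follow the page's own illustration, the address ranges are documentation ranges, and the rotating two-address window and the rule order are constructed for this example.

```python
import itertools

# Constructed data (documentation address ranges): the destination name maps to
# seven addresses, but the stub resolver hands out a different two-address slice
# on every query, mimicking the partial, inconsistent answers the text describes.
# The hostnames are the page's illustration, not real records.
ZONE = {
    "sourcecode.google.com": [f"192.0.2.{i}" for i in range(1, 8)],
    "wiki.example.com": ["198.51.100.1", "198.51.100.2"],
}


class RotatingResolver:
    """DNS stub: each query returns the next `window` addresses of the name's cycle."""

    def __init__(self, zone, window=2):
        self._cycles = {name: itertools.cycle(addrs) for name, addrs in zone.items()}
        self.window = window
        self.queries = 0  # counted to show how resolution cost scales with rules

    def resolve(self, name):
        self.queries += 1
        cycle = self._cycles[name]
        return [next(cycle) for _ in range(self.window)]


# Hostname-based access rules as a traditional engine stores them:
# (source virtual IP, destination hostname, action). Nothing here denies UIP1.
RULES = [
    ("UIP1", "wiki.example.com", "Allow"),
    ("UIP1", "sourcecode.google.com", "Allow"),
]


def naive_decide(resolver, src, dst_ip, rules):
    """Traditional approach: for each candidate rule, re-resolve the rule's hostname
    right now and ask whether the client's chosen IP is in *that* answer. Every rule
    costs a DNS round trip, and the answer need not contain the IP the client got."""
    for rule_src, rule_name, action in rules:
        if rule_src != src:
            continue
        if dst_ip in resolver.resolve(rule_name):
            return action
    return "Deny"


def simulate_naive(trials=7):
    """The client resolves the name and picks the first address; the rule engine then
    independently resolves the same name to judge it. Returns the decisions and the
    total number of DNS queries spent."""
    resolver = RotatingResolver(ZONE)
    decisions = []
    for _ in range(trials):
        chosen = resolver.resolve("sourcecode.google.com")[0]
        decisions.append(naive_decide(resolver, "UIP1", chosen, RULES))
    return decisions, resolver.queries


if __name__ == "__main__":
    decisions, queries = simulate_naive()
    print(decisions, queries)
```

With this two-address window the engine's answer never overlaps the client's, so a policy that allows everything produces seven denials, and each decision spends one DNS query per hostname rule examined before the match (three queries per request here, growing with the rule count). Serving the client's answer and the rule evaluation from one shared cache, as the rest of the page proposes, removes both effects.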
SUMMARY
[0005] The present invention provides a method and system for connecting a remote user to a network resource or website by using an intermediate DNS server that stores and forwards pre-computed results for fast processing of complex access rules. One objective of the present invention is to enable the remote user to access the network resource by allowing complex access rules based on DNS or WINS names to be used directly alongside access rules based on rule-qualifying criteria such as IP address, subnet address, port or any other directly usable address.
[0006] In one embodiment of the invention, a remote user who wishes to connect to the network resource (the destination) makes an access request from his personal computer (the client). The access request is forwarded to the intermediate server, which uses the primary DNS servers to resolve the IP addresses of the destination. All the resolved IP addresses of the destination, together with the complex access rules, are then processed at a rule server that computes a set of results corresponding to the resolved addresses and the virtual IP address assigned to the client. These pre-computed results are stored at the intermediate server.
[0007] In another embodiment of the invention, a remote user who subsequently wishes to connect to the network resource makes an access request from his personal computer (the client). The user logs in to the network resource servers using a communication and security protocol, and is required to authenticate by providing a password, pass-code or any other identification method. The intermediate network may forcibly terminate and answer the access request itself, or forward it to the first server (the intermediate server). This lets the intermediate server act as a proxy for the communication, as is expected for DNS requests, and lets a rule evaluator process the complex rules quickly. The intermediate server may forward requests received from the client either by routing or by proxying them. It proxies a request when the request needs changes or must be terminated; a typical example of a request needing changes is an HTTP request that requires headers to be added or removed. Alternatively, the intermediate server may route the network traffic to the destination. In both cases the rule engine determines whether a request is allowed or denied. The results of the rule server and the primary DNS server are thus cached while an access request is served through a tunnel or any other secure connection. Caching the primary DNS results at the intermediate server together with the rule server's results avoids latency and is best suited to cloud or hybrid networks. Under traditional methods of complex access rule evaluation, an access request for a network resource with multiple IP addresses could easily time out because of the long processing time needed to evaluate the complex rules.
[0008] The summary is provided to give a brief idea of the invention and is not intended to be used as a means for limiting the scope of the invention.
BRIEF DESCRIPTION OF THE DRAWINGS
[0009] FIG. 1 is a diagram depicting an environment where the invention may be practiced, according to one embodiment of the invention.
[00010] FIG. 2A is a flow chart depicting the method steps of practicing the invention according to one embodiment of the invention.
[00011] FIG. 2B is a flow chart depicting the method steps of practicing the invention according to one embodiment of the invention.
[00012] FIG. 2C is a flow chart depicting the method steps of practicing the invention according to one embodiment of the invention.
DETAILED DESCRIPTION
[00013] The exemplary embodiments, described in this section with details, are provided merely to illustrate the principles of the invention. Various details are set forth for the purpose of explanation rather than limitation. However it will be apparent to a person skilled in the art that the invention can be practiced without these details and the given exemplary embodiments should not be construed as limiting the scope of the invention. Some of the terms as used in the patent application have been described below without limiting the scope of the invention.
[00014] Definitions:
[00015] Server- A server is a physical computer (a computer hardware system) or a virtual machine (software implementation of a machine that executes programs like a physical machine) dedicated to running one or more services (as a host) to serve the needs of users of the other computers on the network. Depending on the computing service that it offers it could be a database server, file server, mail server, print server, web server, or any other computing server.
[00016] Domain Name - A domain name is a user-friendly name that represents a physical point on the Internet, that is, a network address (most often an IP address). It is an identification string that defines a realm of administrative autonomy, authority or control in the Internet. Domain names are formed by the rules and procedures of the Domain Name System (DNS).
[00017] WINS - Windows Internet Naming Service (WINS) is a system that determines the IP address associated with a particular network computer. It is Microsoft's implementation of NetBIOS Name Service (NBNS), a name server and service for NetBIOS computer names. WINS uses a distributed database that is automatically updated with the names of computers currently available and the IP address assigned to each one.
[00018] DNS - The Domain Name System (DNS) is a standard technology for managing the names of Web sites and other Internet domains. DNS is a hierarchical distributed naming system for computers, services or any resource connected to the Internet or a private network. DNS associates information with the domain names assigned to each of the participating entities. Hence, DNS allows a user to type a name such as google.com into his Web browser and lets his computer automatically find that address on the Internet. A key element of the DNS is a worldwide collection of DNS servers.
[00019] DNS server - A DNS server is a computer server that is part of the Domain Name System (DNS), runs special-purpose networking software and contains a database of network names and addresses for other Internet hosts. DNS servers (an example of name servers) are computer servers that host a network service for answering queries against a directory service. They map a human-recognizable identifier to a system-internal, often numeric, identification or addressing component.
[00020] Web browser - A Web browser, like Netscape Navigator™ or Microsoft™ Internet Explorer™, is a computer program (also known as a software application, or simply an application) that can go to a Web server on the Internet and request a page, so that the browser can pull the Web page through the network onto the user's machine. A Web browser can also interpret the set of HTML tags within the Web page in order to display it on the user's screen as intended.
[00021] VPN - A virtual private network (VPN) is a network that uses a public telecommunication infrastructure, such as the Internet, to provide remote offices or individual users with secure access to their organization's network. It is a network segregation technology that ensures prevention of disclosure of private information to unauthorized parties.
[00022] Cloud - The cloud is a network enabling delivery of computing as a service rather than a product, whereby shared resources, software and information are provided to computers and other devices as a utility (like the electricity grid) over a network (typically the Internet). Cloud computing provides computation, software applications, data access, data management and storage resources without requiring cloud users to know the location and other details of the computing infrastructure.
[00023] Internet Protocol Security (IPsec) - IPsec is a protocol suite for securing Internet Protocol (IP) communications by authenticating and encrypting each IP packet of a communication session. IPsec also includes protocols for establishing mutual authentication between agents at the beginning of the session and for negotiating the cryptographic keys to be used during the session.
[00024] Load balancing - Load balancing is a computer networking methodology for distributing workload across multiple computers or a computer cluster, network links, central processing units, disk drives or other resources, to achieve optimal resource utilization and avoid overload through redundancy.
[00025] The embodiments are described below in order to explain the invention by referring to the figures.
[00026] FIG. 1 is a diagram depicting an environment where the invention may be practiced, according to one embodiment of the invention. Illustratively, the environment comprises a client 102 in a first communication network 104 wishing to connect with a destination 106 in a second communication network 108 through a third communication network 110. The client 102 accesses the destination 106 through a communication device 112 that uses the third communication network 110. The system elements referred to, viz. the client 102, the destination 106 and the communication device 112, may be defined as follows. The client 102 is a device that enables a user to access a network resource of an organization, or any database, over a communication network. Examples of the client 102 include but are not limited to laptops, personal desktop computers, mobile phones, Personal Digital Assistants (PDAs), iPads™, tablets, Internet kiosk devices or any other communication and processing device. Thus, the user can connect with the network resource remotely or while travelling. The destination 106 refers to a server or cluster of servers hosting a website or a network resource of an organization that the client 102 wishes to access. The destination 106 may thus span one or more networks, such as several branch offices or other deployments in the organization, including but not limited to a cloud-hosted or virtual deployment of the organization. The destination 106 has a plurality of Internet Protocol (IP) addresses mapped onto it for load balancing of Internet traffic and for transparent failover, providing communication reliability and continuity.
[00027] The communication device 112, as referred to herein, is a router, a firewall, a gateway or any other device capable of carrying network traffic. In an embodiment of the invention the communication device 112 is a VPN. In order to protect and segregate private information, the VPN authenticates the remote users of the network using mapping rules and the plurality of IP addresses of the destination 106.
[00028] Further, the network elements referred to, viz. the first communication network 104, the second communication network 108 and the third communication network 110, may be defined as follows. The first communication network 104 and the second communication network 108 may be the Internet, a local area network, a telecommunication network, a cloud or any other communication network, wherein the third communication network 110 is a cloud network. In an embodiment of the invention the third communication network 110 may be the Internet, a local area network, a mobile communication network, a telecommunication network or any other communication network that can act as an intermediary between the first communication network 104 and the second communication network 108. It may be noted that the third communication network 110 may be a combination of a plurality of networks that may be used individually or as links between dynamic communication network hubs (such as different cellular towers in mobile communication) during movement of the client 102.
[00029] The access request from the client 102 is forwarded over the third communication network 110. The third communication network 110 comprises a first server 114 acting as an intermediate server that proxies and caches the results obtained from a second server 116. A rule server 118 also exists in the third communication network 110 for processing the access request. The intermediate server, hereinafter referred to as the first server 114, is a name resolution server that caches DNS or WINS results from the second server 116 as well as the computed rules from the rule server 118. The first server 114 acts as a repository of pre-computed access rules corresponding to various network resources. These ready-made rules drastically reduce the processing time to access a resource at the destination 106. In an embodiment of the invention the first server 114 acts as an authoritative DNS server, so that the destination 106 may use the first server 114 for authorization even when no pre-computed results are present in the first server 114. Since the authoritative DNS records are then always present at the first server 114, the role of the second server 116 is obviated.
[00030] In an embodiment, the second server 116 is a Domain Name System (DNS) server registered with the Domain Name System over the Internet, which acts as the primary server to process the access requests of the client 102 by resolving the IP addresses corresponding to the destination 106. It will be apparent to a person skilled in the art that the second server 116 may be a cluster of DNS servers registered with the Domain Name System, which may use other DNS servers to resolve the destination 106 and fetch the corresponding IP address results. In yet another embodiment of the invention, the second server 116 may be a Windows Internet Naming Service (WINS) server that determines the IP address associated with a network computer. It will be apparent to a person skilled in the art that the second server 116 may be any name resolution service that maps one naming format for servers or services to another. Further, the second server 116 may resolve domain names from the network 108 as well as from the Internet, or from any other name server the destination 106 chooses to use.
[00031] The rule server 118 is a server that processes a set of access rules that must be executed and verified before the client 102 is given access to the destination 106. The access rules allow or deny users access to the services they request. Thus, the access rules determine the user's rights, or the privileges of the client 102, based on identity, group, organization structure, the current network and the device the user is on. There may be other policy parameters that an administrator of the destination 106 may configure. The administrator of the destination 106 is an authorized person of the company who can access the rule server 118 and configure conditions, or complex access rules, granting privileges to the different sets of users who may access the destination 106. For example, the CEO of the company may be allowed to access the company's email server from his mobile phone while all other users must use company laptops. Complex access rules for the destination 106 can thus be configured at the rule server 118. It will be apparent to a person skilled in the art that the rule server 118 may be programmed to fetch the complex access rules automatically from a network service that is independent of the destination 106. For every request a user makes, a decision is taken based on the access rules whether to allow or deny that request. The rule server 118 processes the complex access rules for the IP addresses associated with the destination 106. Thus, a pre-computed ruleset is constituted comprising the processed results of the complex access rules. The pre-computed ruleset is communicated to the first server 114 automatically.
In an embodiment of the invention, the pre-computed ruleset may be requested by the first server 114. Further, the first server 114 and the rule server 118 may be load balanced or may work in failover mode to provide a high-performance and resilient service in case of a high volume of access requests, wherein the first server 114 and the rule server 118 may use each other's cache.
[00032] In an embodiment of the invention, the rule server 118 is integrated with the first server 114. In another embodiment, the rule server 118 may exist in the second communication network 108 and may be hosted on the destination 106. In yet another embodiment, the rule server 118 may exist in the first communication network 104 and may be hosted on the client 102. The detailed functioning of the rule server 118 is described in conjunction with the flowcharts (FIGs. 2A, 2B and 2C) below.
[00033] FIGs. 2A, 2B and 2C are interlinked flow charts depicting the method steps of practicing the invention according to one embodiment of the invention. At step 202, a user makes an access request using the client 102 to access the destination 106. The path to the destination 106 includes the rule server 118, which acts as a network access control and determines whether access should be allowed. The path to the destination 106 may be a secure connection, a tunnelled communication or an insecure path at various stages in the network.
[00034] The user makes the access request by logging on to the third communication network 110. The user may log in using L2TP over IPsec. It will be apparent to a person skilled in the art that any tunneling or communication protocol may be used without altering the scope of the invention. The user may be at any remote location, using his personal computer (the client 102) to access the destination 106, which exists over a cloud network. The destination 106 may be any website or network resource of a corporation or an organization. Further, access control from the first communication network 104 to the second communication network 108 is based on a set of access rules controlled by the rule server 118. The access rules may be based on unique or non-unique properties of the client 102 and the destination 106, including but not limited to IP address, port, protocol, network header, network header extension, QoS header or flags, the MAC addresses of the client 102 and the destination 106, subnet address, an IP range, VLAN tag, tunneling protocol, tunneling protocol extension/header, or stateful inspection of traffic. The rule server 118 is thus enabled to operate at high speed for access rules that refer to the primary identification properties of the client 102 and the destination 106, which are easy and fast to filter during access rule resolution.
[00035] It will be apparent to a person skilled in the art that access rules may also be created from identifying properties that need secondary identifying properties to form a deterministic rule. The secondary identifying properties are mapped to primary, uniquely identifying properties to authorize access to the destination 106. Properties that can be used as secondary identifying properties of the client 102 and the destination 106 while processing an access rule include, but are not limited to, hostname, operating system of the client 102 and the destination 106, the application in use on the client 102 and the destination 106, the MAC addresses of the client 102 and the destination 106, the DNS/WINS name used to reach the client 102 and the destination 106, machine, system or user identity, machine, system or user group, a first communication network 104 identifier, a third communication network 110 identifier, the time at which the access request is made, and antivirus and key-logger status.
[00036] In yet another embodiment of the invention, network streams can be altered or marked either in the first communication network 104 or in the intermediate network (the third communication network 110), so that an access request can be identified easily and quickly by a secondary identifying property. Secondary identifying information may also be embedded into the access request at any stage of the network access request; for example, VLAN tags may be used to manage network traffic, wherein the VLAN tag is added to an access request by suitably enabled network software or hardware. In an embodiment of the invention the rule server 118 may force the client 102 to use a separate VLAN, wherein the VLAN is enabled by the client 102 or by the first server 114, which can switch the access request of the client 102 to that VLAN. In another embodiment the network stream is marked by modifying a reserved or unused field in the relevant network header of the communication. It may be noted that marking the network traffic and embedding secondary identifying information may further require removing the tags or the marking information before the communication is sent to the destination 106.
[00037] In the next step 204, the client 102 forwards the access request to the first server 114, wherein the client 102 is forced to forward the access request to the first server 114 by customizing a port on the client 102. Other methods of forcing the access request to terminate at the first server 114 may also be used. The first server 114 also assigns a virtual IP address (hereinafter 'UIP') to the client 102. The UIP may be used to uniquely identify the client 102 in the network traffic. For example, when the user logs in using L2TP over IPsec, a virtual IP address is assigned by the Point-to-Point Protocol (PPP) and is stored along with the plurality of IP addresses resolved by the primary DNS server, the second server 116.
[00038] In the next step 206, the pre-computed ruleset corresponding to the destination 106 is accessed from the first server 114. In step 208 the first server 114 checks whether the pre-computed ruleset is cached in the first server 114. It may be noted that the pre-computed ruleset is a condensed form of the complex access rules that can be processed quickly by a DNS server, a WINS server or any other intermediate machine. Further, the pre-computed ruleset is always fully generated for any rule that depends directly on usable parameters such as IP address, subnet address, port, protocol, etc. For others, such as rules depending on domain names (user-friendly names), the ruleset is updated with the parameters resolved from the cache. Hence, the pre-computed ruleset may be pre-generated for all resources referenced in the ruleset, so there is no delay even for the first request. The pre-computed ruleset enables the first server 114 to cache the primary DNS server (the second server 116) and the rule server 118. In an embodiment of the invention the first server 114 acts as a proxy DNS server that evaluates the pre-computed ruleset. The access status is then checked at step 224. If the pre-computed ruleset permits the access for the client 102, permission is granted to access the destination 106 and the communication device 112 forwards the access request to the destination 106 in step 226. Thus, a forwarding path is established between the client 102 and the destination 106. Otherwise, if the pre-computed ruleset does not permit the access, the access request is denied at step 228.
[00039] If no pre-computed ruleset corresponding to the requested destination 106 is present in the first server 114, the access request is forwarded to the second server 116 in step 210 to resolve the request by fetching the IP addresses of the destination 106. The second server 116 communicates with the Domain Name System servers and authoritative servers over the Internet to resolve the destination 106 at step 212. A plurality of IP addresses corresponding to the destination 106 is fetched by the second server 116 at step 214. In the next step 216 the plurality of IP addresses is cached at the first server 114. Thereafter, the complex access rules configured at the rule server 118 are processed and a pre-computed ruleset is constituted at step 218. The pre-computed ruleset is communicated to the first server 114 at step 220. The access status is then checked by the first server 114 in step 222. If the pre-computed ruleset permits the access for the client 102, the first server 114 directs the communication device 112 to grant access to the destination 106 in step 224, and the communication device 112 forwards the access request to the destination 106 in step 226. Thus, a forwarding path is established between the client 102 and the destination 106. Otherwise, if the pre-computed ruleset does not permit the access, the access request is denied at step 228.
[00040] A typical example illustrating the method steps of the invention is given below. It may be noted that the illustration and the formulae presented are only one embodiment of the invention and in no way limit its scope. A user, who is an employee of Google Inc., makes an access request for the first time to access the source code at sourcecode.google.com (the destination 106) existing in the Google cloud (the second communication network 108) from his personal laptop (the client 102). Now 'sourcecode.google.com' has at least seven IP addresses associated with it, so that hundreds of Google programmers around the world can collaborate effectively on the source code, and to ensure transparent failover or load balancing of the Internet traffic. The user makes the access request by logging on to the Google cloud (the third communication network 110) using L2TP over IPsec. Here the Point-to-Point Protocol (PPP) assigns a virtual IP address to the client 102, say UIP1. The user's access request is then forwarded to the first server 114, which acts as an intermediate server. If no pre-computed ruleset is present at the first server 114, the first server 114 forwards the access request to the second server 116. The second server 116 fetches from the Internet directory database all the IP addresses (say IP1, IP2, IP3, IP4, IP5, IP6 and IP7) that 'sourcecode.google.com' resolves to, and the fetched IP addresses are cached at the first server 114. The IP addresses along with the virtual IP address are cached at the first server 114 and may be represented as:
1. UIP1 -> IP1: Allow
2. UIP1 -> IP2: Allow
3. UIP1 -> IP3: Allow
4. UIP1 -> IP4: Allow
5. UIP1 -> IP5: Allow
6. UIP1 -> IP6: Allow
7. UIP1 -> IP7: Allow
[00041] Further, an administrator of 'sourcecode.google.com' configures complex access rules at the rule server 118 for accessing Google's organization directory server, wherein the rules for 'sourcecode.google.com' may be presented as:
1. User 1 has access to Set 1, i.e. 'all.sourcecode.google.com'
2. Users who are in the United States have access to Set 2, i.e. 'UI.sourcecode.google.com'
3. Users who are permanent employees and are in the source code team have access to Set 3, i.e. 'app.sourcecode.google.com'
Hence, for all the IP addresses (IP1 to IP7), the access rules for the user with virtual IP address UIP1 (the user is a permanent source code team member in the United States) yield a pre-computed ruleset of the following form:
Rule 1 -> source = UIP1 and destination = Set 1: Deny
Rule 2 -> source = UIP1 and destination = Set 2: Allow
Rule 3 -> source = UIP1 and destination = Set 3: Allow
Thereafter, the VPN (the communication device 112) forwards the access to 'sourcecode.google.com' with the privileges determined in the pre-computed ruleset.
Now, during a subsequent attempt by the user to access 'sourcecode.google.com', the client 102 chooses, say, IP3 as the resolved address. The pre-computed ruleset for UIP1 is fetched at the first server 114. Thus, the first server 114, acting as proxy server, allows the user access to Set 2 and Set 3 of 'sourcecode.google.com' as per the pre-computed ruleset. It must be noted that caching both the DNS results and the ruleset at the first server 114 lets even a non-exhaustive DNS result set function accurately. For example, if sourcecode.google.com later resolves to ten IP addresses, only the known seven, IP1 to IP7, would be used in all communication, since the same cache is used both to populate the ruleset and to send the resolution responses to the first communication network 104; hence the remaining three IP addresses are never received by the client 102. This holds for the duration of the cache lifetime, beyond which the ruleset and the cache are updated. The need for exhaustive DNS results, i.e. a complete list of IP addresses, at the first server 114 is thus obviated.
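The worked example above, together with the cache-miss and cache-hit flow of steps 204 to 228, as an added example that is not part of the patent or of any Ciphergraph code: a Python model of the first server 114 with the rule server 118 folded in (one of the embodiments the text describes). The complex rules are evaluated once per (client, destination) against client attributes and fanned out into a flat (UIP, IP) table; the same cached address set feeds both that table and the DNS answer returned to the client, so the client cannot pick an address the table does not cover; and when the cache lifetime ends the address set and the derived entries are refreshed together. The address ranges (documentation ranges), the attribute names user, country, permanent and team, the client UIPs and the 300-second cache lifetime are all assumptions made for the illustration.

```python
import copy

# Constructed upstream zone (documentation address ranges) for the destination
# sets of the worked example; stands in for what the second server 116 returns.
ZONE = {
    "all.sourcecode.google.com": [f"192.0.2.{i}" for i in range(1, 8)],
    "UI.sourcecode.google.com": [f"198.51.100.{i}" for i in range(1, 4)],
    "app.sourcecode.google.com": [f"203.0.113.{i}" for i in range(1, 5)],
}

# The three complex rules of the worked example as predicates over client
# attributes (attribute names are assumed). First match wins; no match is Deny.
RULES = [
    (lambda a: a["user"] == "user1", "all.sourcecode.google.com", "Allow"),
    (lambda a: a["country"] == "US", "UI.sourcecode.google.com", "Allow"),
    (lambda a: a["permanent"] and a["team"] == "sourcecode", "app.sourcecode.google.com", "Allow"),
]


class UpstreamResolver:
    """Stand-in for the second server 116: returns the full address set of a name."""
    def __init__(self, zone):
        self.zone, self.queries = zone, 0  # queries are counted to show cache hits
    def resolve(self, name):
        self.queries += 1
        return list(self.zone[name])


class PrecomputedRuleEngine:
    """Stand-in for the first server 114 with the rule server 118 folded in:
    holds the DNS cache and the flat pre-computed ruleset keyed by (UIP, IP)."""
    def __init__(self, upstream, rules, ttl, clock):
        self.upstream, self.rules, self.ttl, self.clock = upstream, rules, ttl, clock
        self.clients = {}     # UIP -> client attributes (secondary identifying properties)
        self.addr_cache = {}  # name -> (addresses, expiry)
        self.ruleset = {}     # (UIP, IP) -> "Allow" | "Deny"
        self.derived = {}     # name -> ruleset keys computed from that name's addresses

    def register_client(self, uip, attrs):
        """Step 204: the first server assigns the UIP and records who is behind it."""
        self.clients[uip] = attrs
        for key in [k for k in self.ruleset if k[0] == uip]:  # attributes may have changed
            del self.ruleset[key]

    def _addresses(self, name):
        """Steps 210-216: resolve once per cache lifetime. A refresh drops every ruleset
        entry derived from the old address set, so rules and DNS answers never disagree."""
        entry = self.addr_cache.get(name)
        if entry is None or entry[1] <= self.clock():
            addrs = self.upstream.resolve(name)
            self.addr_cache[name] = (addrs, self.clock() + self.ttl)
            for key in self.derived.pop(name, ()):
                self.ruleset.pop(key, None)
        return self.addr_cache[name][0]

    def _ensure_ruleset(self, uip, name):
        """Steps 208 and 218-220: on a miss, evaluate the complex rules once for
        (client, destination) and fan the decision out to one entry per address."""
        addrs = self._addresses(name)
        if all((uip, ip) in self.ruleset for ip in addrs):
            return  # cache hit
        attrs = self.clients[uip]
        decision = next((act for pred, rname, act in self.rules
                         if rname == name and pred(attrs)), "Deny")
        for ip in addrs:
            self.ruleset[(uip, ip)] = decision
            self.derived.setdefault(name, set()).add((uip, ip))

    def dns_answer(self, uip, name):
        """The first server as proxy DNS: the client is answered from the same cache the
        ruleset was built from, so any address it picks already has a pre-computed entry."""
        self._ensure_ruleset(uip, name)
        return list(self.addr_cache[name][0])

    def check(self, uip, ip):
        """Steps 206 and 222: one dictionary lookup, no DNS on the path; unknown pairs are denied."""
        return self.ruleset.get((uip, ip), "Deny")


class FakeClock:
    """Deterministic clock so the cache-lifetime behaviour is reproducible."""
    def __init__(self): self.now = 0.0
    def __call__(self): return self.now
    def advance(self, seconds): self.now += seconds


def walkthrough():
    """The worked example, then what happens when the destination grows upstream."""
    zone, clock = copy.deepcopy(ZONE), FakeClock()
    upstream = UpstreamResolver(zone)
    eng = PrecomputedRuleEngine(upstream, RULES, ttl=300.0, clock=clock)
    eng.register_client("UIP1", {"user": "user2", "country": "US", "permanent": True, "team": "sourcecode"})
    eng.register_client("UIP2", {"user": "user3", "country": "IN", "permanent": False, "team": "qa"})
    r = {}
    # First access: cache miss, one upstream resolution per name, ruleset precomputed.
    answers = {n: eng.dns_answer("UIP1", n) for n in ZONE}
    r["uip1"] = tuple(eng.check("UIP1", answers[n][-1]) for n in ZONE)  # (Set 1, Set 2, Set 3)
    r["uip2"] = eng.check("UIP2", eng.dns_answer("UIP2", "app.sourcecode.google.com")[0])
    eng.dns_answer("UIP1", "app.sourcecode.google.com")  # subsequent access: served from cache
    r["queries"] = upstream.queries
    # The destination gains an address upstream; until the cache lifetime ends the
    # client neither sees it nor is allowed to it, so rules and answers stay consistent.
    zone["app.sourcecode.google.com"].append("203.0.113.5")
    r["before_expiry"] = (len(eng.dns_answer("UIP1", "app.sourcecode.google.com")), eng.check("UIP1", "203.0.113.5"))
    clock.advance(301)
    r["after_expiry"] = (len(eng.dns_answer("UIP1", "app.sourcecode.google.com")), eng.check("UIP1", "203.0.113.5"))
    r["queries_final"] = upstream.queries
    return r
```

For UIP1 the walkthrough reproduces the page's Deny/Allow/Allow for Sets 1 to 3, UIP2 (a contractor outside the United States) is denied on the same cached addresses, and three upstream queries serve every access for both clients until the lifetime expires. The default-deny in `check` is what makes the non-exhaustive case safe: an address that is not yet in the cache is neither handed to the client nor permitted to it, and the single refresh in `_addresses` brings the DNS answer and the ruleset forward together.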
[00042] It will be apparent to a person skilled in the art that once a forwarding path is established between the client 102 and the destination 106, the client 102 and the destination 106 may exchange information across the first communication network 104, the second communication network 108 and the third communication network 110. However, different access rules for forward communication, i.e. from the client 102 to the destination 106, and reverse communication, i.e. from the destination 106 to the client 102, may govern the communication level or the type of files and data that can be exchanged in the forward communication and the reverse communication. These access rules can be easily implemented by creating a temporary opposite access path rule once a forward path rule or the forwarding path is established between the client 102 and the destination 106.
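The following is an added illustration, not code from the patent or from Ciphergraph Networks, of the scheme in paragraphs [00041] and [00042]: the administrator's attribute-based rules are flattened once per virtual IP into a (source, destination IP) lookup table built from the cached DNS answer, the first server then decides with a single dictionary lookup, and an allowed forward path opens a temporary reverse-direction rule. The addresses, the User class and all function names are constructed for the example; Set 1 to Set 3 and UIP1 follow the text.

```python
from dataclasses import dataclass

# Constructed sample data (not from the patent): the three destination sets the
# primary DNS server returns for 'sourcecode.google.com'. The addresses are
# placeholders standing in for IP1..IP7 in the text.
RESOLVED = {
    "Set 1": {"10.0.0.1"},                                      # all.sourcecode.google.com
    "Set 2": {"10.0.0.2", "10.0.0.3"},                          # UI.sourcecode.google.com
    "Set 3": {"10.0.0.4", "10.0.0.5", "10.0.0.6", "10.0.0.7"},  # app.sourcecode.google.com
}

@dataclass(frozen=True)
class User:
    vip: str            # virtual IP address assigned by the first server
    user_id: str
    country: str
    permanent: bool
    teams: frozenset

# The administrator's complex rules: one predicate over user attributes per set.
COMPLEX_RULES = {
    "Set 1": lambda u: u.user_id == "User 1",
    "Set 2": lambda u: u.country == "US",
    "Set 3": lambda u: u.permanent and "source code" in u.teams,
}

def precompute_ruleset(user, resolved=RESOLVED, rules=COMPLEX_RULES):
    """Flatten the complex rules for one user into (source vIP, destination IP) -> decision."""
    table = {}
    for set_name, ips in resolved.items():
        decision = "Allow" if rules[set_name](user) else "Deny"
        for ip in ips:
            table[(user.vip, ip)] = decision
    return table

def check(ruleset, src, dst):
    """Hot path at the first server: one dictionary lookup, default deny for unknown pairs."""
    return ruleset.get((src, dst), "Deny")

def dns_answer(resolved=RESOLVED):
    """The client only ever sees the cached IPs the ruleset was built from."""
    return sorted(ip for ips in resolved.values() for ip in ips)

def open_reverse_path(ruleset, vip, dst):
    """Paragraph [00042]: once a forward path is allowed, add the temporary reverse rule."""
    if check(ruleset, vip, dst) == "Allow":
        ruleset[(dst, vip)] = "Allow"
    return ruleset
```

An IP address that was not in the cached answer is absent from the table and therefore denied, which is the property that lets the non-exhaustive DNS result set stay consistent with the ruleset.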
[00043] The embodiments of the invention described above are intended for the purpose of illustration only. Numerous modifications, changes, variations, substitutions and equivalents will be apparent to those skilled in the art without departing from the spirit and scope of the invention as described in the claims.

Claims
1. A method of setting up a forwarding path between a client existing in a first communication network and a destination existing in a second communication network through a third communication network, the method comprising:
a. the client making an access request for connection to the destination;
b. the client forwarding the access request to a first server;
c. the first server evaluating a pre-computed ruleset, wherein the pre-computed ruleset is cached at the first server;
d. providing the access to the client through a communicating device, wherein the access is based on the pre-computed ruleset, wherein the communicating device acts as a router between the client and the destination.
2. The method as claimed in claim 1, wherein a rule server communicates the pre-computed ruleset to the first server.
3. The method as claimed in claim 1, wherein the access request is a DNS resolution request for the destination.
4. The method as claimed in claim 1, wherein the client is configured to forward the access request to the first server.
5. The method as claimed in claim 1, wherein the step of forwarding the access request comprises forcing the access request to the first server.
6. The method as claimed in claim 1, wherein the first communication network and the second communication network are the Internet.
7. The method as claimed in claim 1, wherein the third communication network is a cloud network.
8. The method as claimed in claim 1, wherein the second server is a primary DNS server.
9. The method as claimed in claim 1, wherein the first server is a proxy DNS server.
10. A method of constituting a pre-computed ruleset, wherein a client existing in a first communication network requests access to a destination existing in a second communication network through a third communication network, the method comprising:
a. the client forwarding the access request to a first server;
b. the first server assigning a virtual IP address to the client;
c. the first server forwarding the access request to a second server;
d. the second server resolving a plurality of IP addresses corresponding to the destination;
e. transmitting the plurality of IP addresses to the first server by the second server; and
f. constituting a pre-computed ruleset by the rule server, wherein the pre-computed ruleset is constituted by processing a set of complex access rules corresponding to the plurality of IP addresses, wherein the first server communicates the plurality of IP addresses to the rule server.
11. The method step as claimed in claim 9, wherein the set of complex access rules are configured at the rule server by an administrator of the destination.
12. The method as claimed in claim 9, wherein the second server is a primary DNS server.
13. The method as claimed in claim 9, wherein the first server is a proxy DNS server.
14. The method as claimed in claim 9, wherein the client uses L2TP over IPSec to connect with the destination.
15. A system for setting up a forwarding path for a pre-computed ruleset, the system comprising:
a. a client existing in a first communication network;
b. a destination existing in a second communication network, wherein the client makes an access request for connecting to the destination through a third communication network;
c. a first server, wherein the client forwards the access request to the first server, wherein the first server evaluates the pre-computed ruleset corresponding to the client;
d. a communicating device, wherein the communicating device acts as a router between the client and the destination, thereby providing access to the client based on the pre-computed ruleset.
16. A system for constituting a pre-computed ruleset, wherein the pre-computed ruleset defines the level of access of a client existing in a first communication network to a destination existing in a second communication network through a third communication network, the system comprising:
a. a client existing in a first communication network;
b. a destination existing in a second communication network, wherein the client makes an access request for connecting to the destination through a third communication network;
c. a first server, wherein the client forwards the access request to the first server and the first server assigns a virtual IP address to the client;
d. a second server, wherein the first server forwards the access request to the second server, wherein the second server is a DNS server that resolves a plurality of IP addresses corresponding to the destination;
e. a rule server, wherein the rule server constitutes the pre-computed ruleset by evaluating a set of complex access rules corresponding to the plurality of IP addresses.
17. The system as claimed in claim 15, wherein the set of complex access rules are configured at the rule server by an administrator of the destination.

Applications Claiming Priority (2)

Application Number Priority Date Filing Date Title
IN1304CH2012 2012-04-02
IN1304/CHE/2012 2012-04-02

Publications (2)

Publication Number Publication Date
WO2013150543A2 true WO2013150543A2 (en) 2013-10-10
WO2013150543A3 WO2013150543A3 (en) 2013-12-05

Family

ID=49301126

Family Applications (1)

Application Number Title Priority Date Filing Date
PCT/IN2013/000170 WO2013150543A2 (en) 2012-04-02 2013-03-18 Precomputed high-performance rule engine for very fast processing from complex access rules

Country Status (1)

Country Link
WO (1) WO2013150543A2 (en)

Citations (6)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US20050102410A1 (en) * 2003-10-24 2005-05-12 Nokia Corporation Communication system
US20070156897A1 (en) * 2005-12-29 2007-07-05 Blue Jungle Enforcing Control Policies in an Information Management System
US20090040983A1 (en) * 2007-08-08 2009-02-12 Samsung Electronics Co., Ltd. Apparatus and method for managing quality of service of service flow in wireless communication system
US20090210519A1 (en) * 2008-02-18 2009-08-20 Microsoft Corporation Efficient and transparent remote wakeup
US20100251329A1 (en) * 2009-03-31 2010-09-30 Yottaa, Inc System and method for access management and security protection for network accessible computer services
US20120017262A1 (en) * 2000-09-25 2012-01-19 Harsh Kapoor Systems and methods for processing data flows

Cited By (8)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US9386038B2 (en) 2013-11-20 2016-07-05 Iboss, Inc. Manage encrypted network traffic using spoofed addresses
US9699151B2 (en) 2013-11-20 2017-07-04 Iboss, Inc. Manage encrypted network traffic using spoofed addresses
WO2015134933A1 (en) * 2014-03-07 2015-09-11 Iboss, Inc. Manage encrypted network traffic using spoofed addresses
US9596217B2 (en) 2014-03-07 2017-03-14 Iboss, Inc. Manage encrypted network traffic using spoofed addresses
CN111444278A (en) * 2020-04-01 2020-07-24 Oppo(重庆)智能科技有限公司 Data synchronization method and device and transfer server
CN111444278B (en) * 2020-04-01 2023-08-29 Oppo(重庆)智能科技有限公司 Data synchronization method and device and transfer server
US20230188494A1 (en) * 2021-12-13 2023-06-15 Tailscale Inc. Management of domain name services across multiple device and software configurations
US12010090B2 (en) * 2021-12-13 2024-06-11 Tailscale Inc. Management of domain name services across multiple device and software configurations

Also Published As

Publication number Publication date
WO2013150543A3 (en) 2013-12-05

Legal Events

Date Code Title Description
121 Ep: the epo has been informed by wipo that ep was designated in this application (Ref document number: 13772645; Country of ref document: EP; Kind code of ref document: A2)
122 Ep: pct application non-entry in european phase (Ref document number: 13772645; Country of ref document: EP; Kind code of ref document: A2)