U.S. patent application number 14/319136 was filed with the patent office on 2015-10-01 for identification of unauthorized application data in a corporate network.
The applicant listed for this patent is SonicWall, Inc. The invention is credited to Jeffrey Kauffman and Chris D. Peterson.
Application Number: 20150281281 (14/319136)
Family ID: 54191900
Filed Date: 2015-10-01
United States Patent Application 20150281281
Kind Code: A1
Peterson; Chris D.; et al.
October 1, 2015
IDENTIFICATION OF UNAUTHORIZED APPLICATION DATA IN A CORPORATE NETWORK
Abstract
An appliance works in conjunction with an agent on a remote
device to control application access to a corporate network. In
conjunction with an SSL tunnel and policy operating at the
appliance, granular application control may be implemented. In
particular, a device user may determine what applications from a
set of applications may access the corporate network and which
applications do not access the network. The policies applied to
application traffic may be generated by an administrator. Policies
may also be applied from a remote server to data stored on the user
device.
Inventors: Peterson; Chris D.; (Bellingham, WA); Kauffman; Jeffrey; (Brier, WA)
Applicant: SonicWall, Inc., San Jose, CA, US
Family ID: 54191900
Appl. No.: 14/319136
Filed: June 30, 2014
Related U.S. Patent Documents
Application Number | Filing Date | Patent Number
61973248 | Mar 31, 2014 |
Current U.S. Class: 726/1; 726/15
Current CPC Class: H04L 63/083 20130101; H04W 12/0027 20190101; H04L 63/105 20130101; H04L 63/20 20130101; H04W 12/08 20130101; H04L 67/141 20130101; H04L 63/0272 20130101; H04L 63/0263 20130101
International Class: H04L 29/06 20060101 H04L029/06
Claims
1. A method for establishing a connection, comprising: establishing
a connection between a user client device and a server, the user
client device having a plurality of applications; receiving by a
server a list of applications on a user device requesting access to
a corporate network; granting corporate network access by the
server to applications within the list of applications on the user
device that satisfy a rule set.
2. The method of claim 1, wherein the connection is a virtual
private network tunnel.
3. The method of claim 1, wherein the server is located on the edge
of the corporate network and receives all corporate network access
requests.
4. The method of claim 1, wherein granting corporate network access
by the server to applications within the list of applications on
the user device that satisfy the rule set includes denying
corporate network access by the server to applications within the
list of applications on the user device that do not satisfy the
rule set.
5. The method of claim 1, wherein the rule set includes at least
one rule that specifies access by an application of the list of
applications to a selected set of corporate resources for a
selected set of one or more users.
6. The method of claim 1, wherein the rule set allows a single rule
to control both device level corporate network access and
application level corporate network access.
7. The method of claim 1, further comprising providing the rule set
to the client device from the server, the rule set applied to
application data traffic initiated from the client and intended for
the corporate network.
8. The method of claim 1, further comprising controlling
application data accessed at the user client device by the
corporate network based on the rule set.
9. The method of claim 1, wherein the policy controls data access
by an application at the user client device.
10. The method of claim 1, wherein the rule set controls whether
application data is transmitted to the corporate network.
11. The method of claim 1, wherein the policy is enforced at the
server.
12. The method of claim 11, further comprising: modifying the rule
set; and applying the modified rule set to application data at the
user client device.
13. A non-transitory computer readable storage medium having
embodied thereon a program, the program being executable by a
processor to perform a method for establishing a connection, the
method comprising: establishing a connection between a user client
device and a server, the user client device having a plurality of
applications; applying a policy created at a server to data at the
user client device; and controlling data access at the user client
device based on the policy. establishing a connection between a
user client device and a server, the user client device having a
plurality of applications; receiving by a server a list of
applications on a user device requesting access to a corporate
network; granting corporate network access by the server to
applications within the list of applications on the user device
that satisfy a rule set.
14. The non-transitory computer readable storage medium of claim
13, wherein the connection is a virtual private network tunnel.
15. The non-transitory computer readable storage medium of claim
13, wherein the server is located on the edge of the corporate
network and receives all corporate network access requests.
16. The non-transitory computer readable storage medium of claim
13, wherein granting corporate network access by the server to
applications within the list of applications on the user device
that satisfy the rule set includes denying corporate network access
by the server to applications within the list of applications on
the user device that do not satisfy the rule set.
17. The non-transitory computer readable storage medium of claim
13, wherein the rule set includes at least one rule that specifies
access by an application of the list of applications to a selected
set of corporate resources for a selected set of one or more
users.
18. The non-transitory computer readable storage medium of claim
13, wherein the rule set controls device level corporate network
access and application level corporate network access.
19. The non-transitory computer readable storage medium of claim
13, further comprising providing the rule set to the client device
from the server, the rule set applied to application data traffic
initiated from the client and intended for the corporate
network.
20. The non-transitory computer readable storage medium of claim
13, the method of claim 1, further comprising controlling
application data accessed at the user client device by the
corporate network based on the rule set.
21. The non-transitory computer readable storage medium of claim
13, wherein the policy controls data access by an application at
the user client device.
22. The non-transitory computer readable storage medium of claim
13, wherein the rule set controls whether application data is
transmitted to the corporate network.
23. The non-transitory computer readable storage medium of claim
13, wherein the policy is created at the server.
24. The non-transitory computer readable storage medium of claim
23, further comprising: modifying the rule set; and applying the
modified rule set to application data at the user client
device.
25. A system for establishing a connection, the system including: a
server in communication with a user client device, the server
including a processor, memory, and one or more applications stored
in memory at the server and executable to establish a connection
between a user client device and a server, the user client device
having a plurality of applications, receive by a server a list of
applications on a user device requesting access to a corporate
network, and grant corporate network access by the server to
applications within the list of applications on the user device
that satisfy a rule set.
26. The system of claim 25, wherein the connection is a virtual
private network tunnel.
27. The system of claim 25, wherein the server is located on the
edge of the corporate network and receives all corporate network
access requests.
28. The system of claim 25, wherein granting corporate network
access by the server to applications within the list of
applications on the user device that satisfy the rule set includes
denying corporate network access by the server to applications
within the list of applications on the user device that do not
satisfy the rule set.
29. The system of claim 25, wherein the rule set includes at least
one rule that specifies access by an application of the list of
applications to a selected set of corporate resources for a
selected set of one or more users.
30. The system of claim 25, wherein the rule set controls device
level corporate network access and application level corporate
network access.
31. The system of claim 25, further comprising providing the rule
set to the client device from the server, the rule set applied to
application data traffic initiated from the client and intended for
the corporate network.
32. The system of claim 25, the method of claim 1, further
comprising controlling application data accessed at the user client
device by the corporate network based on the rule set.
33. The system of claim 25, wherein the policy controls data access
by an application at the user client device.
34. The system of claim 25, wherein the rule set controls whether
application data is transmitted to the corporate network.
35. The system of claim 25, wherein the policy is created at the
server.
36. The system of claim 35, further comprising: modifying the rule
set; and applying the modified rule set to application data at the
user client device.
Description
CROSS-REFERENCE TO RELATED APPLICATIONS
[0001] This application claims the priority benefit of U.S.
Provisional Application Ser. No. 61/973,248, titled "Mobile
Connect," filed Mar. 31, 2014, the disclosure of which is
incorporated herein by reference.
BACKGROUND OF THE INVENTION
[0002] Consumers continue to push for a mechanism that allows them
to use their own device to perform typical work tasks. In most
cases, these devices are owned by the individual user, which means
the company may have zero control over them. Because companies have
little if any control over these user devices, there is concern
regarding providing the device access to corporate remote networks
due to the potential for attack vectors (nefarious applications,
leaking, tampering, or otherwise disclosing critical
intellectual property owned by the company). The market has coined the
term "unmanaged device" or "BYOD" (bring your own device) to
represent any device that is not owned or controlled by the company
but needs access to the corporate network so the employee can do
their work. In most cases, this device is owned by the employee
requesting access. Some companies require employee devices to be
put under mobile device management (MDM) control before being allowed
onto the corporate network, but such a configuration is not really
zero control.
[0003] Most mobile solutions are all or nothing--all data is shared
or no data is shared with respect to a corporate intranet (i.e., an
appliance based network). With the advent of BYOD, users need to
access the corporate intranet but do not want their personal
information to be available to the corporate intranet. Likewise,
the corporate intranet may not want to risk exposure to certain
content on the user device that is not germane (or appropriate) for
the corporate network.
[0004] Secure communication with a corporate network can be
achieved through virtual private network (VPN) connections. Current
VPN clients that provide application level control block traffic in
that VPN application running on the client device. For example,
some companies provide a per-app VPN solution. Despite current VPN
per application solutions, there are still concerns regarding the
vulnerability of corporate network access from personal user
devices.
[0005] There is a need for managing access to corporate networks by
a user's personal device that applies to more than network traffic
and provides a more granular solution.
SUMMARY OF THE CLAIMED INVENTION
[0006] An appliance works in conjunction with an agent on a remote
device to control application access to a corporate network. In
conjunction with an SSL tunnel and policy operating at the
appliance, granular application control may be implemented. In
particular, a device user may determine what applications from a
set of applications may access the corporate network and which
applications do not access the network. The policies applied to
application traffic may be generated by an administrator. Policies
may also be applied from a remote server to data stored on the user
device.
[0007] An embodiment may include a method for establishing a
connection. The method may include establishing a connection
between a user client device and a VPN (Virtual Private Network)
server. The user client device may have a plurality of
applications. Corporate network access may be granted by the server
to applications within the list of applications on the user device
that satisfy a rule set. This rule set will be used by the server
to generate a list of applications that may be granted access to
the corporate network.
[0008] In an embodiment, a system for establishing a connection may
include a server in communication with a user client device. The
server may include a processor, memory, and one or more
applications stored in memory at the server and executable to
establish a connection between a user client device and a server,
the user client device having a plurality of applications, receive
by a server a list of applications on a user device requesting
access to a corporate network, and grant corporate network access
by the server to applications within the list of applications on
the user device that satisfy a rule set.
BRIEF DESCRIPTION OF THE DRAWINGS
[0009] FIG. 1 illustrates a block diagram of a client communicating
with a remote server.
[0010] FIG. 2 illustrates a method for providing application access
to a network.
[0011] FIG. 3 illustrates a method for generating a rule set for a
device application.
[0012] FIG. 4 illustrates a method for generating policies for a
device application.
[0013] FIG. 5 is a block diagram of an exemplary system for
implementing a computing device.
DETAILED DESCRIPTION
[0014] An Internet appliance works in conjunction with an agent on
a remote device to control application access to a corporate
network. In conjunction with an SSL tunnel and policy operating at
the appliance, granular application control may be implemented. In
particular, a device user may determine what applications from a
set of applications may access the corporate network and which
applications do not access the network. The policies applied to
application traffic may be generated by an administrator. Policies
may also be applied as the traffic passes through the VPN server
before it enters the corporate network.
[0015] FIG. 1 illustrates a block diagram of a client communicating
with a remote server. The system of FIG. 1 includes client device
110, network 120, VPN appliance 130, and corporate network 140. VPN
appliance 130 may include tunnel server 136, policy server 134, and
data store 138. Corporate network 140 may include one or more
servers such as corporate server 142.
[0016] Client 110 may include a user device that is not controlled
by the entity that provides the corporate network 140. Client 110
may be implemented as a mobile device such as a smart phone, tablet
or laptop computer, a desktop computer, or other computing
device.
[0017] Network 120 may include one or more networks used to
communicate data between client device 120 and, ultimately,
corporate server 142. For example, network 120 may include a
private network, public network, the Internet, an intranet, a local
area network, a wide area network, a wireless network, a cellular
network, and a combination of these networks.
[0018] Tunnel server 130 on VPN appliance 125 may establish a VPN
tunnel and communicate with client device 110 and serve as an
intermediary between client device 110 and corporate server 142.
This VPN may be used to allow applications on the client device 110
to communicate with a corporate server 142 in a secure fashion even
though traffic is flowing over a public network 120.
[0019] The policy server may include one or more applications that
perform functionality discussed herein, such as for example
generating and applying policy rules. Datastore 138 may store and
process data, and is accessible by servers 132, 134 and 136. For
example, datastore 138 may store communication log data,
application lists, application information, and other data. The
client device 110 may communicate with tunnel server 136 to
authorize access to corporate server 142. The client may also
communicate through an API Server 132 which is a peer to the tunnel
server and is used to authenticate the user, retrieve the list of
applications, authenticate a device, and other functionality. Both
API Server 132 and Tunnel Server 136 may communicate with policy
server 134 to obtain policy decisions to help provide responses to
client requests.
[0020] Corporate server 142 of corporate network 140 may be
accessed by the user device 110 through tunnel server 136 of VPN
appliance 130. In this case, tunnel server 136 may receive and
analyze all network traffic to confirm the traffic is from an
authorized application before the traffic may access the corporate
server. Access to corporate server 142 and other resources on
corporate network 140 is determined by both policy server 134 and
tunnel server 136. Tunnel Server 136 provides policy enforcement
and traffic analysis while policy server 134 is the policy decision
point, and the two servers work in concert to both analyze traffic
and apply policy.
[0021] FIG. 2 illustrates a method for providing application access
to a network. A VPN connection is established between the tunnel
server and an agent on the client at step 205. The agent may
initiate the VPN establishment by sending a VPN request to the VPN
appliance.
[0022] A user is authenticated at step 210. User authentication is
performed to identify the user of the device. A user device is then
classified to determine if it meets acceptable parameters at step
215. After the user authenticates, the system will attempt to
verify the user's device. In some instances, an administrator
defines a set of device attributes, and the system may attempt to
find a set of attributes that match the device. Classification of
the device may include retrieval of a unique equipment identifier
along with other device attribute data. The unique equipment
identifier and device attribute data may be collected by an agent
and transmitted to policy server 134. The attribute data may be
used by the policy server to determine if client device 110 may
allow for application control by the policy server via the
agent.
[0023] Once the user is authenticated and the device is classified,
the data store is queried to determine if a matching entry for the
user and device exists. If the user and device combination is found
in the data store, then the user and device have established a
connection with the corporate network before, and the version of the
user agreement previously agreed to by the user is checked against
the most recent version. If the most recent user agreement has not
changed from the stored user agreement for the user and device
combination, then the present system does not provide the user with
the same user agreement again, and a portion of or all of step 220 (and
the corresponding method of FIG. 4) will not be performed for the
current session.
[0024] If the device requires a new user agreement to be accepted,
either because the user and device combination is not found in the
data store or the current version of the user agreement does not
match the stored version of the user agreement, the method
continues to step 220.
[0025] User acceptance of a user agreement is verified at step 220.
Once a user accepts a user agreement, the user may be authorized
for the corporate network access. In some embodiments, a policy
server determines authorization of the user, device, and checks
access permissions. The policy allows for application access to
particular data for a particular device type and user type. Once
the user has accepted the user agreement, the user may be
authorized to access a corporate network.
[0026] Application traffic may be transmitted to the corporate
network at step 225. An agent on the client device may monitor
communication data and provide information to the user of the
device regarding what applications are communicating with the
corporate network.
[0027] Application traffic is transmitted between the client
applications and corporate server via a VPN appliance at step 225.
When applications first attempt to communicate with the corporate
network at step 345, the agent running on the client device sends
the application identifier for the application and may send a code
signature for the application. The code signature may include a
hash of application information of some sort.
[0028] An agent on the client device may monitor communication data
and provide information to the user of the device regarding what
applications are communicating with the corporate network. From
this information, the user may determine if only authorized
applications are communicating with the corporate network and if
the authorized applications are communicating appropriately.
[0029] Policies may be applied to data at a user device at step
230. Application communication with a server may be analyzed or
audited at some point in time. By collecting data for the
application communication with the server, a user may determine if
the application is complying with any relevant policies or
requirements. Storing data for subsequent auditing is discussed in
more detail below with respect to FIG. 4.
[0030] FIG. 3 illustrates a method for generating a rule set for a
device application. An interface is provided to an administrator
for authoring an application policy at step 305. The interface may
be provided through a client application, web page, mobile
application or other program. The interface may allow the
administrator to specify how application traffic and data are to be
handled and processed via one or more policies. Each policy may
specify one or more parameters such as a particular application,
device type, operating system type, time period, set of users,
destination IP address or port on the corporate network, and other
parameters. Policy rules are received through the interface from
the administrator at step 310. The policy rules are stored and
applied to an application at step 315.
[0031] FIG. 4 illustrates a method for generating policies for a
device application. A corporate network request is received by the
tunnel server from an application at step 410. The tunnel server
may communicate with the policy server to send detailed information
regarding the connection to the policy server. The detailed
information may include, for example, application identifier,
application signature (e.g., a hash of application information),
network destination and user connection information. The policy
server compares the information to a rules list at step 420. As
part of the comparison, the policy server determines if the
connection information corresponds to a rule that grants or denies
access to the connection request or if no rule can be found. If a
rule denies access or no rule can be found for the connection
information, the request is denied at step 430. If a rule is found
that grants access based on the connection information, the
connection request is granted and corporate network access is
granted at step 435.
[0032] Hence, the present system provides two levels of control. In
the first, the client is supposed to only send traffic to the
server for the set of applications that may be allowed access. In
the second, the tunnel server checks with the policy server for
permission to allow traffic that it received to enter the corporate
network. This second step is done on the VPN appliance with
information provided by the client about the current connection
(application, destination, etc.).
[0033] In some instances, there may be only one list of policy
rules on an appliance. That list contains rules that grant access
at the device level, or the application level or both. A single
rule set may grant access to device level and application level
access control. Such a single rule set may provide a much better
administrator experience.
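As an added example (not the application's or SonicWall's own code), the policy decision point of FIG. 4 and paragraphs [0032]-[0033] in Python: a single rule list that mixes device-level and application-level rules, evaluated first-match-wins, where a request that matches no rule at all is denied (step 430). The `Rule` and `ConnectionInfo` fields, the `policy_decision()` function and every sample value are assumptions constructed for illustration.

```python
from dataclasses import dataclass
from datetime import time
from typing import Iterable, Optional, Tuple
import hashlib


@dataclass(frozen=True)
class Rule:
    """One entry in the appliance's single rule list ([0030], [0033]).

    A field left as None is a wildcard.  app_id=None makes this a
    device-level rule; app_id set makes it an application-level rule.
    (Constructed field set, not the patent's schema.)
    """
    action: str                                   # "allow" or "deny"
    app_id: Optional[str] = None
    app_sha256: Optional[str] = None              # pinned code-signature hash
    users: Optional[frozenset] = None
    device_types: Optional[frozenset] = None
    os_types: Optional[frozenset] = None
    dest_host: Optional[str] = None
    dest_port: Optional[int] = None
    hours: Optional[Tuple[time, time]] = None     # inclusive allowed window


@dataclass(frozen=True)
class ConnectionInfo:
    """What the tunnel server forwards to the policy server (step 410)."""
    user: str
    device_type: str
    os_type: str
    app_id: str
    app_sha256: str       # code signature reported by the agent ([0027])
    dest_host: str
    dest_port: int
    now: time


def app_signature(app_info: bytes) -> str:
    """Code signature as the page describes it: a hash of application info."""
    return hashlib.sha256(app_info).hexdigest()


def _matches(rule: Rule, conn: ConnectionInfo) -> bool:
    """Every non-wildcard field of the rule must agree with the connection."""
    return all((
        rule.app_id is None or rule.app_id == conn.app_id,
        rule.app_sha256 is None or rule.app_sha256 == conn.app_sha256,
        rule.users is None or conn.user in rule.users,
        rule.device_types is None or conn.device_type in rule.device_types,
        rule.os_types is None or conn.os_type in rule.os_types,
        rule.dest_host is None or rule.dest_host == conn.dest_host,
        rule.dest_port is None or rule.dest_port == conn.dest_port,
        rule.hours is None or rule.hours[0] <= conn.now <= rule.hours[1],
    ))


def policy_decision(rules: Iterable[Rule],
                    conn: ConnectionInfo) -> Tuple[str, Optional[Rule]]:
    """Step 420: the first matching rule decides; no match at all means deny."""
    for rule in rules:
        if _matches(rule, conn):
            return rule.action, rule
    return "deny", None          # step 430: default deny, no rule found


# Constructed sample rule list.  Order matters: the explicit deny comes first,
# then an application-level allow with a pinned signature, then a device-level
# allow that covers any application on one user's laptop.
MAIL_APP_SIG = app_signature(b"com.example.mail;1.4.2;TEAMID123")  # constructed
RULES = (
    Rule(action="deny", dest_port=22),                        # no SSH from any app
    Rule(action="allow", app_id="com.example.mail", app_sha256=MAIL_APP_SIG,
         users=frozenset({"alice", "bob"}), dest_host="mail.corp.example",
         dest_port=443, hours=(time(6, 0), time(22, 0))),
    Rule(action="allow", users=frozenset({"carol"}),          # device-level rule
         device_types=frozenset({"laptop"}), dest_port=443),
)


def decide(user, device_type, os_type, app_id, app_sha256,
           dest_host, dest_port, hh, mm) -> Tuple[str, Optional[Rule]]:
    """Convenience wrapper: build the connection info and evaluate RULES."""
    conn = ConnectionInfo(user, device_type, os_type, app_id, app_sha256,
                          dest_host, dest_port, time(hh, mm))
    return policy_decision(RULES, conn)


if __name__ == "__main__":
    ok = decide("alice", "phone", "ios", "com.example.mail", MAIL_APP_SIG,
                "mail.corp.example", 443, 10, 0)
    tampered = decide("alice", "phone", "ios", "com.example.mail", "deadbeef",
                      "mail.corp.example", 443, 10, 0)
    print(ok[0], tampered[0])   # allow deny (same app id, wrong signature)
```

The signature-mismatch case is the one to note: an application that reports the expected identifier but not the pinned hash matches no allow rule and falls through to the default deny, which is what keeps a repackaged app out even when the agent's list of application names is correct.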
[0034] FIG. 5 is a block diagram of an exemplary system for
implementing a computing device. System 500 of FIG. 5 may be
implemented in the contexts of the likes of client device 110, VPN
appliance 130 and corporate server 142. The computing system 500 of
FIG. 5 includes one or more processors 510 and memory 520. Main
memory 510 stores, in part, instructions and data for execution by
processor 510. Main memory 520 can store the executable code when
in operation. The system 500 of FIG. 5 further includes a mass
storage device 530, portable storage medium drive(s) 540, output
devices 550, user input devices 560, a graphics display 570, and
peripheral devices 580.
[0035] The components shown in FIG. 5 are depicted as being
connected via a single bus 590. However, the components may be
connected through one or more data transport means. For example,
processor unit 510 and main memory 520 may be connected via a local
microprocessor bus, and the mass storage device 530, peripheral
device(s) 580, portable storage device 540, and display system 570
may be connected via one or more input/output (I/O) buses.
[0036] Mass storage device 530, which may be implemented with a
magnetic disk drive or an optical disk drive, is a non-volatile
storage device for storing data and instructions for use by
processor unit 510. Mass storage device 530 can store the system
software for implementing embodiments of the present invention for
purposes of loading that software into main memory 520.
[0037] Portable storage device 540 operates in conjunction with a
portable non-volatile storage medium, such as a floppy disk,
compact disk or digital video disc, to input and output data and
code to and from the computer system 500 of FIG. 5. The system
software for implementing embodiments of the present invention may
be stored on such a portable medium and input to the computer
system 500 via the portable storage device 540.
[0038] Input devices 560 provide a portion of a user interface.
Input devices 560 may include an alpha-numeric keypad, such as a
keyboard, for inputting alpha-numeric and other information, or a
pointing device, such as a mouse, a trackball, stylus, or cursor
direction keys. Additionally, the system 500 as shown in FIG. 5
includes output devices 550. Examples of suitable output devices
include speakers, printers, network interfaces, and monitors.
[0039] Display system 570 may include a liquid crystal display
(LCD) or other suitable display device. Display system 570 receives
textual and graphical information, and processes the information
for output to the display device.
[0040] Peripherals 580 may include any type of computer support
device to add additional functionality to the computer system. For
example, peripheral device(s) 580 may include a modem or a
router.
[0041] The components contained in the computer system 500 of FIG.
5 are those typically found in computer systems that may be
suitable for use with embodiments of the present invention and are
intended to represent a broad category of such computer components
that are well known in the art. Thus, the computer system 500 of
FIG. 5 can be a personal computer, hand held computing device,
telephone, mobile computing device, workstation, server,
minicomputer, mainframe computer, or any other computing device.
The computer can also include different bus configurations,
networked platforms, multi-processor platforms, etc. Various
operating systems can be used including Unix, Linux, Windows,
Macintosh OS, Palm OS, iOS, Android and other suitable operating
systems.
[0042] The foregoing detailed description of the technology herein
has been presented for purposes of illustration and description. It
is not intended to be exhaustive or to limit the technology to the
precise form disclosed. Many modifications and variations are
possible in light of the above teaching. The described embodiments
were chosen in order to best explain the principles of the
technology and its practical application to thereby enable others
skilled in the art to best utilize the technology in various
embodiments and with various modifications as are suited to the
particular use contemplated. It is intended that the scope of the
technology be defined by the claims appended hereto.
* * * * *