U.S. patent application number 15/445485 was filed with the patent office on February 28, 2017 and published on June 15, 2017 as publication number 20170171162 for proxy authentication for a multiple core network device.
The applicant listed for this patent is SonicWall Inc. The invention is credited to Riji Cai and Zhong Chen.
Application Number: 15/445485
Publication Number: 20170171162
Family ID: 56432920
Filed Date: 2017-02-28
United States Patent Application 20170171162
Kind Code: A1
Cai; Riji; et al.
June 15, 2017
PROXY AUTHENTICATION FOR A MULTIPLE CORE NETWORK DEVICE
Abstract
The present invention is generally related to a network
computing device including a first processor communicating with a
second processor as a proxy for a client device when authenticating
access privileges of the client device. The present invention may
include more than two processors where at least one of the multiple
processors may be optimized for performing one or more control
functions and one or more other processors may be optimized for
transferring data or administrating the transfer of data through a
gateway or firewall.
Inventors: Cai; Riji; (Pudong New Area, CN); Chen; Zhong; (San Jose, CA)
Applicant:
Name | City | State | Country | Type
SonicWall Inc. | Santa Clara | CA | US |
Family ID: 56432920
Appl. No.: 15/445485
Filed: February 28, 2017
Related U.S. Patent Documents
Application Number | Filing Date | Patent Number
14605731 | Jan 26, 2015 | 9584516
15445485 | |
Current U.S. Class: 1/1
Current CPC Class: H04L 63/083 20130101; H04L 63/164 20130101; H04L 63/0884 20130101; H04L 63/10 20130101; H04L 63/0281 20130101; H04L 63/102 20130101
International Class: H04L 29/06 20060101 H04L029/06
Claims
1. A method for proxy authentication, the method comprising:
receiving an authentication request at a first processor of a
multi-processor computing device, the authentication request sent
by a client device in order to access computing resources of a
computing network; forwarding the authentication request from the
first processor to a second processor of the multi-processor
computing device, the second processor executing software to
authenticate the client device; forwarding an authentication
response from the second processor to the first processor; and
enabling the client device to access the computing resources of the
computing network when the authentication response indicates that
the client device is authorized, wherein the first processor
executes software to process data transfer to the client
device.
2. The method of claim 1, further comprising establishing a
connection between the first processor and the second processor,
wherein the authentication request is forwarded from the first
processor to the second processor over the established connection,
and wherein the authentication response is forwarded from the
second processor to the first processor over the established
connection.
3. The method of claim 2, wherein the established connection is a
socket connection, and wherein the first processor uses an internet
protocol address and a port number associated with the client
device to forward the authentication request to the second
processor.
4. The method of claim 1, wherein the authentication request
includes credentials, and wherein the client device is validated
when the credentials match credential information stored at an
authentication server.
5. The method of claim 1, further comprising receiving a request to
initiate secure communications over a secure socket layer at the
multi-processor computing device, the request received prior to
receiving the authentication request.
6. The method of claim 1, wherein enabling the client device to
access the computing resources of the computing network is based on
an access rule defined in the first software.
7. A non-transitory computer-readable storage medium, having
embodied thereon a program comprising instructions executable by a
processor to perform a method for proxy authentication, the method
comprising: receiving an authentication request at a first
processor of a multi-processor computing device, the authentication
request sent by a client device in order to access computing
resources of a computing network; forwarding the authentication
request from the first processor to a second processor of the
multi-processor computing device, the second processor executing
software to authenticate the client device; forwarding an
authentication response from the second processor to the first
processor; and enabling the client device to access the computing
resources of the computing network when the authentication response
indicates that the client device is authorized, wherein the first
processor executes software to process data transfer to the client
device.
8. The non-transitory computer readable medium of claim 7, further
comprising instructions executable to establish a connection
between the first processor and the second processor, wherein the
authentication request is forwarded from the first processor to the
second processor over the established connection, and wherein the
authentication response is forwarded from the second processor to
the first processor over the established connection.
9. The non-transitory computer readable medium of claim 8, wherein
the established connection is a socket connection, and wherein the
first processor uses an internet protocol address and a port number
associated with the client device to forward the authentication
request to the second processor.
10. The non-transitory computer readable medium of claim 7, wherein
the authentication request includes credentials, and wherein the
client device is validated when the credentials match credential
information stored at an authentication server.
11. The non-transitory computer readable medium of claim 7, further
comprising receiving a request to initiate secure communications
over a secure socket layer at the multi-processor computing device,
the request received prior to receiving the authentication
request.
12. The non-transitory computer readable medium of claim 7, wherein
enabling the client device to access the computing resources of the
computing network is based on an access rule defined in the first
software.
13. A system for proxy authentication, the system comprising: a
computing network server that hosts computing resources; and a
multi-processor computing device comprising: a first processor that
receives an authentication request sent by a client device in order
to access computing resources of a computing network; and a second
processor that: receives the authentication request forwarded by
the first processor, executes software to authenticate the client
device, and forwards an authentication response to the first
processor; wherein the first processor executes software to process
data transfer to the client device when the authentication response
indicates that the client device is authorized, thereby enabling
the client device to access the computing resources of the
computing network.
14. The system of claim 13, wherein the multi-processor computing
device further establishes a connection between the first processor
and the second processor, wherein the authentication request is
forwarded from the first processor to the second processor over the
established connection, and wherein the authentication response is
forwarded from the second processor to the first processor over the
established connection.
15. The system of claim 14, wherein the established connection is a
socket connection, wherein the first processor uses an internet
protocol address and a port number associated with the client
device to forward the authentication request to the second
processor.
16. The system of claim 13, wherein the authentication request
includes credentials, and wherein the client device is validated
when the credentials match credential information stored at an
authentication server.
17. The system of claim 13, wherein the multi-processor computing
device further receives a request to initiate secure communications
over a secure socket layer at the multi-processor computing device,
the request received prior to receiving the authentication
request.
18. The system of claim 13, wherein enabling the client device to
access the computing resources of the computing network is based on
an access rule defined in the first software.
Description
CROSS-REFERENCE TO RELATED APPLICATIONS
[0001] The present application is a continuation and claims the
priority benefit of U.S. patent application Ser. No. 14/605,731
filed Jan. 26, 2015, issuing as U.S. Pat. No. 9,584,516 on Feb. 28,
2017, the disclosure of which is incorporated herein by
reference.
BACKGROUND OF THE INVENTION
[0002] Field of the Invention
[0003] The present invention is generally related to a network
computing device including a first processor communicating with a
second processor as a proxy for a client device when authenticating
access privileges of the client device. More specifically, the
present invention relates to the first processor running software
to communicate with the second processor as if it were a client
device where the software running on the first processor does not
validate the authenticity of the client device.
[0004] Description of the Related Art
[0005] Client devices attempting to gain access to a resource in a
networked computing environment are commonly authenticated before
being allowed to access data or programs stored at the resource. A
client device commonly gains access to a specific resource after
sending a request to access the resource and after credentials of
the client device have been authenticated.
[0006] The authentication of credentials from a client device may
include communications between the client device, a gateway or
firewall, and an authentication server. After an authentication
process has been completed, the gateway or firewall may allow the
client device to communicate with a computing resource in a
networked computing environment. The computing resource may be a
computer or a server that is distinct from the authentication
server that was communicated with during the authentication process
of the client device.
[0007] Information used to authenticate the credentials of a client
device may include, but is not limited to, a password, a user name,
a security certificate, or other information provided by the client
device. The authentication information provided by the client
device may be compared with information stored at or provided by an
authentication server. A gateway or firewall located between the
client device and the authentication server may also perform an
authentication process in which credentials of a server or a client
device are authenticated. In some configurations, the gateway or
firewall may act as the authentication server itself.
[0008] When additional security is desired, the authentication of a
client device may be performed after a secure sockets layer (SSL)
communication session has been established. The authentication of
the credentials of a client device may therefore be performed with
or without establishing an SSL communication session. When an SSL
communication session is used, it is commonly established after a
transmission control protocol (TCP) session has been established
between the client device and the computing device.
[0009] Today computing devices, including gateways and firewalls,
commonly include multiple processors (i.e., are multi-processor
devices), where at least one of the processors may be optimized for
performing one or more control functions. In these systems one or
more other processors may be optimized for transferring data
between a client device and a computing resource. A processor
optimized for transferring data, i.e. a data plane (DP) processor,
may process the movement of data (i.e., data traffic) according to
a set of access rules or other settings that may be configured by a
processor optimized for control functions, i.e. a control plane
(CP) processor.
[0010] Data passing through a gateway or a firewall is frequently
administered by one or more DP processors. The communication of
data through the gateway or firewall may be optimized by using
software designed to transfer data that includes little or no
program code for performing control functions. Similarly, software
optimized for performing control functions includes little or no
program code that optimizes the transfer of data through the
gateway or firewall. CP processors may run a full operating system
(OS), whereas DP processors run an entirely different set of
program code. A gateway/firewall that includes multiple processors
may nevertheless communicate with a client device using a single
communication path or socket. A socket is a software endpoint that
provides bidirectional communication between a program running on a
computer or server and one or more client programs. A socket
associates a computer/server program with a specific logical port
on the machine where it runs, such that a client program may
communicate with the computer/server program over the socket
associated with that port.
[0011] A client device, therefore, may not communicate
simultaneously with a CP processor and a DP processor over the
single communication pathway. Conventionally, if a DP processor is
used to authenticate a client device, the program code for the DP
processor must be overly complex because it must include all of the
software required to authenticate a client device. Similarly, if a
CP processor is used to authenticate a client device, the CP
processor may be overloaded handling SSL virtual private network
(VPN) data traffic transmitted between a computing resource and the
client device after the authentication process has completed. In
either instance, the performance of the CP processor or the DP
processor cannot be fully optimized using currently available
multi-processor computing systems.
[0012] What is needed is a system and a method for optimizing the
performance of CP processors and DP processors in a multi-processor
system that does not require a DP processor to validate the
credentials of a client device and that does not require a CP
processor to administrate the transfer of data through a computing
device.
SUMMARY OF THE PRESENTLY CLAIMED INVENTION
[0013] The present invention is generally related to a
multi-processor system including at least a first processor
executing software that is optimized for administrating the
transfer of data and a second processor executing software that is
optimized for performing control functions, where the first
processor acts as a proxy for the client device when the
credentials of the client device are authenticated.
[0014] A client device attempting to gain access to a resource on a
computing network sends an authentication request to a first
processor in a gateway that includes a plurality of processors.
After receiving the authentication request, the first processor
initiates a socket communication pathway to a second processor and
sends the authentication request to the second processor over it.
After receiving the authentication request, the second processor
sends a corresponding request to an authentication server, and the
authentication server responds by sending a response to the second
processor.
[0015] After receiving the response from the authentication server,
the second processor sends a communication to the first processor
over the socket pathway. After receiving the communication from the
second processor, the first processor forwards it to the client
device. When the forwarded response authorizes communications
between the client device and the computing resource, the client
device may communicate with the resource on the computer
network.
[0016] Communications between the client device and the first
processor may be carried over a first network communication
interface, and communications between the second processor and the
authentication server may be carried over a second network
communication interface. Communications between the first processor
and the second processor may identify the internet protocol (IP)
address and port number of the client device. Communications
transmitted through the gateway to the requested computing resource
may pass through any network communication port at the
gateway.
BRIEF DESCRIPTION OF THE DRAWINGS
[0017] FIG. 1 illustrates a block diagram of a computing device
that may be used to implement various embodiments of the present
invention.
[0018] FIG. 2 illustrates a client device, a gateway, and an
authentication server communicating according to an exemplary
methodology consistent with the disclosure of the present
invention.
[0019] FIG. 3 illustrates a method of the present invention that
may be implemented at a computing device including multiple
processors in a computer network.
DETAILED DESCRIPTION
[0020] The present invention is generally related to a
multi-processor system including at least a first processor
executing software that is optimized for administrating the
transfer of data and a second processor executing software that is
optimized for performing control functions where the first
processor acts as a proxy for the client device when the
credentials of a client device are authenticated.
[0021] The present invention may use secure communication channels
based on the Secure Sockets Layer (SSL) protocol, the Hypertext
Transfer Protocol Secure (HTTPS) protocol (which employs SSL), or
the Internet Protocol Security (IPsec) protocol.
[0022] FIG. 1 illustrates a block diagram of a computing device
that may be used to implement various embodiments of the present
invention. FIG. 1 illustrates an exemplary computing system 100
that may be used to implement a computing device with the present
technology. Note that FIG. 1 is exemplary and that not all features
shown in the figure need be included in a gateway or a firewall
implementing the present invention. System 100 of FIG. 1 may be
implemented in the context of clients and servers alike. The
computing system 100 of FIG. 1 includes one or more processors
110 and memory 120. Main memory 120 may store, in part,
instructions and data for execution by processor 110. Main memory
120 can store the executable code when in operation. The system 100
of FIG. 1 further includes mass storage 130, which may include
resident mass storage and portable storage, antenna 140, output
devices 150, user input devices 160, a display system 170,
peripheral devices 180, and I/O devices 195.
[0023] The components shown in FIG. 1 are depicted as being
connected via a single bus 190. However, the components may be
connected through one or more data transport means. For example,
processor unit 110 and main memory 120 may be connected via a local
microprocessor bus, and the storage 130, peripheral device(s) 180,
and display system 170 may be connected via one or more
input/output (I/O) buses.
[0024] Mass storage device 130 may include mass storage implemented
with a magnetic disk drive, an optical disk drive, or FLASH memory,
or may be a portable USB data storage device. Mass storage device
130 can store the system software for implementing embodiments of
the present invention for purposes of loading that software into
main memory 120. The system software for implementing embodiments
of the present invention may be stored on such a portable medium
and input to the computer system 100 via the portable storage
device.
[0025] Antenna 140 may include one or more antennas for
communicating wirelessly with another device. Antenna 140 may be
used, for example, to communicate wirelessly via Wi-Fi, Bluetooth,
with a cellular network, or with other wireless protocols and
systems. The one or more antennas may be controlled by a processor
110, which may include a controller, to transmit and receive
wireless signals. For example, processor 110 executes programs
stored in memory 120 to control antenna 140, transmit a wireless
signal to a cellular network, and receive a wireless signal from
the cellular network.
[0026] The system 100 as shown in FIG. 1 includes output devices
150 and input devices 160. Examples of suitable output devices
include speakers, printers, and monitors. Input devices 160 may
include a microphone, accelerometers, a camera, and other devices.
Input devices 160 may also include an alpha-numeric keypad, such as
a keyboard, for inputting alpha-numeric and other information, or a
pointing device, such as a mouse, a trackball, stylus, or cursor
direction keys. I/O devices 195 include network interfaces and
touch screens. Network interfaces used in the present invention may
be of any computer network type (wired or wireless) known in the
art, including but not limited to Ethernet or 802.11.
[0027] Display system 170 may include a liquid crystal display
(LCD), LED display, a plasma display, or be another suitable
display device. Display system 170 receives textual and graphical
information, and processes the information for output to the
display device.
[0028] Peripherals 180 may include any type of computer support
device to add additional functionality to the computer system. For
example, peripheral device(s) 180 may include a modem or a
router.
[0029] The components contained in the computer system 100 of FIG.
1 are those typically found in a computing system, such as but not
limited to a gateway, a firewall, a desktop computer, a laptop
computer, a notebook computer, a netbook computer, a tablet
computer, a smart phone, a personal data assistant (PDA), or other
computer that may be suitable for use with embodiments of the
present invention, and are intended to represent a broad category
of such computer components that are well known in the art. Thus,
the computer system 100 of FIG. 1 can be a personal computer, hand
held computing device, telephone, mobile computing device,
workstation, server, minicomputer, mainframe computer, gateway,
firewall, or any other computing device. The computer can also
include different bus configurations, networked platforms,
multi-processor platforms, etc. Various operating systems can be
used, including but not limited to Unix, Linux, Windows, Macintosh
OS, Palm OS, Android OS, and Apple iOS.
[0030] FIG. 2 illustrates a client device, a gateway, and an
authentication server communicating according to an exemplary
methodology consistent with the disclosure of the present
invention. The gateway 220 in FIG. 2 includes a first processor DP
230 and a second processor CP 240. The first processor DP 230
executes software out of memory that is optimized for communicating
data between computing resource 260 and the client device 210
after credentials of the client device 210 have been validated by
authentication server 250. The second processor CP 240 executes
software out of memory that is optimized for control functions
executed by the gateway. Software operating on the first processor
DP 230 may communicate with the second processor CP 240 when the
credentials of the client device are being validated. Processor
DP 230 may communicate with the second processor CP 240 using a
socket or another remote procedure call (RPC) mechanism. The DP
processor and the CP processor may be integrated within a single
multi-processor package that includes one or more silicon chips,
i.e. dies, where each chip/die may include one or more processors.
The multi-processor package may be a multi-chip module. The
multiple processors in gateway 220 may include one or more
processors assembled into one or more packages and may include one
or more multi-chip modules.
[0031] The gateway of FIG. 2 may communicate with an authentication
server 250 when the credentials of a client device are being
authenticated. After the credentials of a client device have been
authenticated to access data on computing resource 260, data may be
transmitted through the gateway 220 between the client device 210
and the computing resource 260.
[0032] FIG. 2 also includes a series of steps that may be performed
according to an embodiment of the present invention. Client device
210, using internet protocol (IP) address 1.1.1.1, communicates
with the gateway 220 from port 1234 at the client device (i.e., IP
address and port 1.1.1.1:1234) to a port at the gateway 220. The
gateway in FIG. 2 uses IP address and port 2.2.2.2:443 (the
standard HTTPS port). The gateway 220 is depicted as communicating
with an authentication server 250 over a second port at the gateway
220 and a port at the authentication server 250. The IP address and
port of the authentication server in FIG. 2 is 3.3.3.3:1812 (the
standard RADIUS authentication port).
[0033] FIG. 2 illustrates the client device 210 sending an
authentication request 1 to the DP processor 230 in gateway 220.
The DP processor then forwards this authentication request 2 to the
CP processor 240 in gateway 220, after which the CP processor 240
sends a corresponding authentication request 3 to the
authentication server 250. In an embodiment of the invention the DP
processor communicates with the CP processor using the IP address
and port number of the client device. In this instance the DP
processor acts as a transparent proxy for the client device. The CP
processor may be entirely unaware that the DP processor is acting
as a transparent proxy.
[0034] After the authentication server 250 has received the
authentication request from the CP processor, the authentication
server 250 sends an authentication response 4 to the CP processor,
and the CP processor then sends the authentication response 5 to
the DP processor 230. Next the DP processor forwards the
authentication response 6 to the client device 210. When the
authentication response 6 authorizes communications between the
client device and the computing resource 260, data traffic 7 may
flow between the computing resource 260 and the client device 210
according to one or more access rules or other settings set in the
software executed by the DP processor 230.
[0035] FIG. 3 illustrates a method of the present invention that
may be implemented at a computing device including multiple
processors in a computer network. In step 310 a processor in the
computing device receives a request to initiate secure
communications over a secure sockets layer (SSL) session. In step
320, the first processor at the computing device receives a request
from a client device to gain access to computing resources at a
computing network. The request in step 320 may consist of one or
more communications and may include credentials used to validate
the authenticity of the client device or of a user using the client
device. The credentials provided by a client device may include,
but are not limited to, a password, a user name, a security
certificate, or other information provided by the client
device.
[0036] In step 330 a connection is created between the first
processor and a second processor at the computing device. The
connection may be a socket connection over which the first
processor acts as a proxy for the client device, representing
itself as the client device by using an IP address and a port
number associated with the client device. The first processor then
forwards the authentication request to the second processor using
the IP address and the port number associated with the client
device in step 340 of the flow chart. In step 350 the second
processor transmits a corresponding authentication request to an
authentication server over a second network communication
interface. The authentication request transmitted to the
authentication server in step 350 may include some or all of the
authentication information provided by the client device.
[0037] Then in step 360 a response to the authentication request is
received by the second processor, and in step 370 a corresponding
response message is sent to the first processor. The corresponding
response message sent to the first processor in step 370 may
include the IP address and the IP port number of the client device.
The first processor then forwards the corresponding response
message to the client device in step 380 of the method of FIG. 3.
In step 390 the client device and the requested resource
communicate with each other through the computing device.
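The exchange of paragraphs [0033]-[0034] and steps 310-390 above, as an added example that is not SonicWall's code and is not part of the original application: a Python simulation in which the DP and CP run as two threads joined by a socket, the authentication server is a constructed in-memory credential table, and the one-JSON-object-per-line wire format, the `hmac.compare_digest` comparison and the endpoint-matching check in the DP are assumptions of the example rather than anything the application specifies.

```python
import hmac
import json
import socket
import threading

# Constructed credential table standing in for the authentication server
# (3.3.3.3:1812 in FIG. 2). An assumption for this example only.
AUTH_DB = {"alice": "correct horse", "bob": "hunter2"}


def authentication_server(username, password):
    """Validate credentials against the stored table (claim 4)."""
    expected = AUTH_DB.get(username)
    if expected is None:
        return False
    return hmac.compare_digest(expected.encode(), password.encode())


def send_line(sock, obj):
    """Assumed DP<->CP wire format: one JSON object per line."""
    sock.sendall((json.dumps(obj) + "\n").encode())


def recv_line(sock):
    buf = b""
    while not buf.endswith(b"\n"):
        chunk = sock.recv(4096)
        if not chunk:
            raise ConnectionError("peer closed before sending a full line")
        buf += chunk
    return json.loads(buf)


def control_plane(conn):
    """CP processor (steps 350-370): read the proxied request, consult the
    authentication server, answer the DP, and close the socket."""
    try:
        req = recv_line(conn)
        ok = authentication_server(req["username"], req["password"])
        # Echo the client's IP:port so the DP can match the response to the
        # client connection it is proxying for (paragraph [0037]).
        send_line(conn, {"client_ip": req["client_ip"],
                         "client_port": req["client_port"],
                         "authorized": ok})
    finally:
        conn.close()


class DataPlane:
    """DP processor: terminates the client connection, proxies the
    authentication exchange to the CP, and enforces the access rule."""

    def __init__(self):
        # Access rule: client endpoints cleared to reach the resource.
        self.allowed = set()

    def authenticate(self, client_ip, client_port, username, password):
        """Steps 330-380 from the DP's point of view. Returns True only if
        the CP reported this client endpoint as authorized."""
        # Step 330: socket to the CP. socketpair() stands in for the
        # on-device socket; the CP runs on its own thread here.
        dp_side, cp_side = socket.socketpair()
        cp_thread = threading.Thread(target=control_plane, args=(cp_side,))
        cp_thread.start()
        try:
            # Step 340: forward the request tagged with the client's IP:port,
            # acting as a transparent proxy; the DP never checks the password.
            send_line(dp_side, {"client_ip": client_ip,
                                "client_port": client_port,
                                "username": username,
                                "password": password})
            resp = recv_line(dp_side)
        finally:
            dp_side.close()
            cp_thread.join()
        # Accept only a response that names the endpoint we asked about; a
        # bare "authorized" flag could be attached to the wrong client when
        # several proxied authentications are in flight at once.
        matches = (resp["client_ip"], resp["client_port"]) == (client_ip, client_port)
        authorized = bool(resp["authorized"]) and matches
        if authorized:
            self.allowed.add((client_ip, client_port))
        return authorized

    def forward(self, client_ip, client_port, payload):
        """Step 390: pass data toward the computing resource only for
        endpoints the access rule permits; None means the DP dropped it."""
        if (client_ip, client_port) not in self.allowed:
            return None
        return payload


if __name__ == "__main__":
    dp = DataPlane()
    print(dp.authenticate("1.1.1.1", 1234, "alice", "correct horse"))
    print(dp.forward("1.1.1.1", 1234, b"GET / HTTP/1.1"))
    print(dp.authenticate("1.1.1.1", 5678, "alice", "wrong"))
    print(dp.forward("1.1.1.1", 5678, b"GET / HTTP/1.1"))
```

Two things the simulation makes explicit that the text leaves implicit. First, the DP never inspects the password, so all credential-checking code lives on the CP, which is the point of the split. Second, the DP keys the CP's answer to the client endpoint it asked about, because a DP with many clients in flight needs some way to tie each response back to the right connection. The socket between the DP and CP is an internal trust boundary: whatever can write to it can grant access, so in a real device that socket must not be reachable from the client-facing interface.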
[0038] The various methods may be performed by software operating
in conjunction with hardware, for example instructions executed by
a processor, where the instructions are stored in a non-transitory
computer readable medium such as memory. Various interfaces may be
implemented, both communication interfaces and user interfaces. One
skilled in the art will appreciate the various requisite components
of a mobile device and the integration of the same with one or more
of the foregoing figures and/or descriptions.
[0039] While various embodiments have been described above, it
should be understood that they have been presented by way of
example only, and not limitation. The descriptions are not intended
to limit the scope of the presently claimed invention or to limit
the scope of embodiments of the present invention. The present
descriptions are intended to cover alternatives, modifications, and
equivalents consistent with the spirit and scope of the
disclosure.
* * * * *