Device discovery for cloud-based network security gateways

US10834138B2 · US · B2

Patent metadata
Publication number: US-10834138-B2
Application number: US-201816101785-A
Country: US
Kind code: B2
Filing date: Aug 13, 2018
Priority date: Aug 13, 2018
Publication date: Nov 10, 2020
Grant date: Nov 10, 2020

Abstract

Official abstract text for this publication.

Among other things, this document describes systems, methods and devices for discovering and identifying client devices that attempt to access out-of-policy network services via a secure web gateway (or other network security gateway) that lacks visibility into the client network's actual IP space. This is a common problem with cloud-hosted SWG services that enforce access policy from outside of a customer network (e.g., external to an enterprise network), due to network address translation at the interface between the customer network and the public Internet where the cloud-hosted SWG resides. The teachings hereof address this problem. In one embodiment, a cloud-hosted SWG can redirect a client to a bouncer device inside the customer network; that bouncer device can capture the actual client IP address.

First claim

Opening claim text (preview).

The invention claimed is:

1. A method for identifying client devices violating an access policy in a private network, comprising: A. at a network security gateway in a public network: receiving a first content request from a client in a private network, the first content request being routed through a network address translation (NAT) device that separates the private network from the public network; applying an access policy to the first content request, the access policy defined by an administrator of the private network and relating to any of security threats and acceptable use policies for the private network; generating a unique request identifier for the first content request; based on the application of the access policy, issuing a redirect to a bouncer component in the private network; logging the request identifier and sending a record with the request identifier to a log processor and reporting component; B. at the log processor and reporting component: receiving the record from the network security gateway; receiving a record from the bouncer component, comprising the request identifier and client information; correlating the record from the network security gateway with the record from the bouncer component; and, generating any of: a user display, an alert based on the correlated records.

2. The method of claim 1, wherein the record from the network security gateway comprises an identifier for a policy violation.

3. The method of claim 1, further comprising: receiving a second content request from the client as a result of a redirection from the bouncer component; and, serving an error page to the client in response to the second content request.

4. The method of claim 1, wherein the first content request is a request for content at a host distinct from the network security gateway.

5. The method of claim 1, wherein the first content request is received via a TLS secured connection.

6. The method of claim 1, wherein the network security gateway comprises a proxy server having a certificate to authenticate and serve content on behalf of a website.

7. The method of claim 1, wherein the first content request is an HTTP GET request.

8. A system for identifying client devices violating an access policy in a private network, comprising: A. a network security gateway in a public network, the network security gateway comprising at least one hardware processor and memory holding instructions for execution on the at least one hardware processor to cause, upon execution, the network security gateway to: receive a first content request from a client in a private network, the first content request being routed through a network address translation (NAT) device that separates the private network from the public network; apply an access policy to the first content request, the access policy defined by an administrator of the private network and relating to any of security threats and acceptable use policies for the private network; generate a unique request identifier for the first content request; based on the application of the access policy, issue a redirect to a bouncer component in the private network; log the request identifier and send a record with the request identifier to a log processor and reporting component; B. the log processor and reporting component comprising at least one hardware processor and memory holding instructions for execution on the at least one hardware processor to cause, upon execution, the log processor and reporting component to: receive the record from the network security gateway; receive a record from the bouncer component, comprising the request identifier and client information; correlate the record from the network security gateway with the record from the bouncer component; and, generate any of: a user display, an alert based on the correlated records.

9. The system of claim 8, wherein the record from the network security gateway comprises an identifier for a policy violation.

10. The system of claim 8, the instructions of the network security gateway further comprising instructions that when executed cause the network security gateway to: receive a second content request from the client as a result of a redirection from the bouncer component; and, serve an error page to the client in response to the second content request.

11. The system of claim 8, wherein the first content request is a request for content at a host distinct from the network security gateway.

12. The system of claim 8, wherein the first content request is received via a TLS secured connection.

13. The system of claim 8, wherein the network security gateway comprises a proxy server having a certificate to authenticate and serve content on behalf of a website.

14. The system of claim 8, wherein the first content request is an HTTP GET request.

15. A method for identifying high-risk client devices in a private network, comprising: A. at a network security gateway in a public network: receiving a first content request from a client in a private network, the first content request being routed through a network address translation (NAT) device that separates the private network from the public network; applying an access policy to the first content request, the access policy defined by an administrator of the private network and relating to any of security threats and acceptable use policies for the private network; generating a unique request identifier for the first content request; based on the application of the access policy, issuing a redirect to a bouncer component in the private network; logging the request identifier and sending a record with the request identifier to a log processor and reporting component; B. at the log processor and reporting component, attempting to correlate records from the network security gateway and the bouncer component, said attempt to correlate comprising: receiving the record from the network security gateway; receiving a record from the bouncer component, comprising the request identifier and client information; and, at least one of: (i) failing to correlate the record from the network security gateway with any record from the bouncer component, and in response thereto, generating an alert that the client is failing to follow redirects; (ii) failing to correlate the record from the bouncer component with any record from the network security gateway, and in response thereto, generating an alert that the client is scanning the private network.

16. The method of claim 15, wherein said attempt to correlate comprises: waiting for a time period to receive records from the network security gateway and the bouncer component, the time period being configurable.
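As an added illustration that is not part of the patent text, the following Python sketches the three roles the claims describe: the gateway encoding its request identifier into the redirect, the bouncer logging the real (pre-NAT) client address against that identifier, and the log processor correlating the two record streams, including claim 15's two alert conditions and claim 16's configurable wait period. All records, timestamps, addresses and field names are constructed for the example and are assumptions, not values from the patent.

```python
from urllib.parse import parse_qs, urlencode, urlsplit

# Constructed sample records (not from the patent). The gateway logs one record
# per redirect it issues; the bouncer logs the real (pre-NAT) IP of each client
# that follows a redirect. Both records carry the gateway's request identifier.
SWG_RECORDS = [
    {"req_id": "r-001", "ts": 100, "violation": "ACCEPTABLE_USE:gambling"},
    {"req_id": "r-002", "ts": 105, "violation": "THREAT:malware-host"},
    {"req_id": "r-003", "ts": 110, "violation": "THREAT:phishing"},  # redirect never followed
]
BOUNCER_RECORDS = [
    {"req_id": "r-001", "ts": 101, "client_ip": "10.20.3.41"},
    {"req_id": "r-002", "ts": 106, "client_ip": "10.20.7.9"},
    {"req_id": "zz-999", "ts": 120, "client_ip": "10.20.9.250"},  # no gateway record
]

def redirect_location(bouncer_base, req_id):
    """Gateway side: Location header that carries the request id to the bouncer."""
    return bouncer_base + "?" + urlencode({"rid": req_id})

def bouncer_record(url, remote_addr, ts):
    """Bouncer side: pull the request id out of the redirected URL, log the real client IP."""
    rid = parse_qs(urlsplit(url).query).get("rid", [None])[0]
    return {"req_id": rid, "ts": ts, "client_ip": remote_addr}

def correlate(swg, bouncer, now, wait=10):
    """Log processor: join the two streams on req_id (claims 1 and 15). Records
    younger than `wait` seconds (claim 16's configurable period) stay pending."""
    by_id = {r["req_id"]: r for r in bouncer}
    swg_ids = {s["req_id"] for s in swg}
    out = {"matched": [], "not_following_redirects": [], "scanning": [], "pending": []}
    for s in swg:
        b = by_id.get(s["req_id"])
        if b:  # normal case: real client IP attached to the policy violation
            out["matched"].append({"req_id": s["req_id"], "client_ip": b["client_ip"],
                                   "violation": s["violation"]})
        elif now - s["ts"] < wait:
            out["pending"].append(s["req_id"])
        else:  # gateway redirected, bouncer never saw the client
            out["not_following_redirects"].append(s["req_id"])
    for b in bouncer:
        if b["req_id"] in swg_ids:
            continue
        if now - b["ts"] < wait:
            out["pending"].append(b["req_id"])
        else:  # bouncer hit with no matching redirect: the client is probing the network
            out["scanning"].append(b["client_ip"])
    return out
```

Running `correlate(SWG_RECORDS, BOUNCER_RECORDS, now=130)` attaches real addresses to the two matched violations, flags r-003 as a client not following redirects, and flags 10.20.9.250 as scanning; with `now=125` the bouncer-only hit is still inside the wait window and is reported as pending instead.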

Assignees

Akamai Tech Inc

Inventors

Classifications

  • Data redirection of data network streams · CPC title

  • H04L63/029 (primary): Firewall traversal, e.g. tunnelling or, creating pinholes · CPC title

  • Event detection, e.g. attack signature detection · CPC title

  • Virtual private networks · CPC title

  • at the transport layer · CPC title

Patent family

Related publications grouped by family.

External sources

Frequently asked questions

Answers are generated from the same data shown on this page.

Who is the assignee on this patent?
Akamai Tech Inc
What technology area does this patent fall under?
Primary CPC classification: H04L63/029. Mapped technology areas include Electricity.
When was this patent published?
Publication date: Nov 10, 2020 (kind code B2). Legal status and post-grant events are not shown on this page.
What related patents are in patentsdb?
We list 7 related publications on this page (citations in our corpus or others sharing the same primary CPC).