Multiplex communications – Diagnostic testing – Path check
Reexamination Certificate
1997-07-31
2002-10-29
Chin, Wellington (Department: 2664)
Multiplex communications
Diagnostic testing
Path check
C370S355000, C370S401000, C370S403000, C709S225000, C709S227000, C709S230000, C713S152000, C713S152000, C713S152000
Reexamination Certificate
active
06473406
ABSTRACT:
BACKGROUND OF THE INVENTION
1. Field of the Invention
The present invention relates generally to methods and apparatuses for transparently proxying a connection. More specifically, the invention relates to methods and apparatuses for intercepting packets or datagrams from a client bound for a server and establishing a client connection with the client. A server connection is also established with the server and data is passed to and from the client and the server via the two connections.
2. Description of the Related Art
Proxies
In many network applications, it is often desirable or necessary to prevent a user from making a connection to a first machine at one IP address that has information that the user needs and instead service an information request with a second machine at a different IP address. For example, it is often desired from a security standpoint not to allow connections from potentially hostile machines to a machine that stores sensitive information. Instead, it may be required that a connection first be made to a proxy which itself has various security features such as user authentication and possibly encryption.
The user requests the information from the proxy and the proxy establishes a connection with the machine that is being protected and obtains the information. If the protected machine determines that the user is authorized to receive the information, the proxy can then relay the information to the user that requested it. The proxy thus stands in for the machine that stores the sensitive information and prevents outside users from connecting directly to the protected machine. Instead, the user must first request the information from the proxy and only the proxy connects with the protected machine. The protected machine is insulated from contact with potentially dangerous outside contact.
In a proxy arrangement that is used for security, the proxy generally first identifies and authenticates the user who is requesting information from a machine at a target IP address. In the discussion that follows, the user requesting information will be referred to as the client and the protected machine that is providing information will be referred to as the server. It should be noted that in certain situations the client and server designations may be reversed. The machine that is protected (in the example above, the server) is also referred to as the proxied machine at the proxied address. In some applications, the proxied machine is also referred to as the target machine at the target address because it is the machine that the client or user actually intends to access and from which the user expects to obtain data or some other service.
The target machine is distinguished from the proxy because the user does not generally desire to retrieve information from or contact the proxy other than for the purpose of authenticating himself or otherwise preparing for the desired connection with the target machine. The machine that acts as a proxy is called the proxy machine at the proxy address. The user making the connection is referred to as the user or the client. When a proxy is used, the user connects to the proxy machine at the proxy IP address and never actually makes a connection to the proxied machine at the proxied IP address.
Another example of a situation in which a proxy may be desirable is a web cache. It may be desirable to store certain information that is available from a primary web site at a first IP address at a web cache located at another IP address. In this situation, the user is directed to the IP address of the web cache for the information, and, if the information requested is not found in the cache, then the web cache connects to the IP address of the first web site, obtains the information and then transfers it to the user.
FIG. 1
is a block diagram illustrating a proxied connection. A client
100
has an IP address of aaa.1. Client
104
wishes to obtain information from a server
102
that has an IP address bbb.1. Client
100
, however, is not authorized to connect to server
102
. Client
100
therefore must make a connection to a proxy
104
which has an IP address of xxx.1. Proxy
104
is authorized to make a connection to server
102
.
In the example illustrated, client
100
connects to proxy
104
via the Internet
110
. It should be noted that on other embodiments, the client connects to the proxy via some other internet or intranet. To connect to proxy
104
via the Internet, client
100
must know the IP address, xxx.1, of proxy
104
so that a connection can be made to proxy
104
. Furthermore, client
100
must obtain authorization to log onto proxy
104
. Usually, this is done by some sort of authentication or password procedure. Once client
100
has successfully logged on to proxy
104
, client
100
may request proxy
104
to make a connection to server
102
and obtain data that is contained on server
102
.
Once client
100
has successfully logged on to proxy
104
, client
100
requests that the proxy establish a connection and log onto the server. The client sends datagrams or packets to the proxy and the proxy relays them to the server. It should be noted that in the following description the terms datagram and packet are used interchangeably to refer to messages or portions of messages sent to or from a network device. Generally, the client must also specify to the proxy the IP address of the server that it wishes to access so that the proxy can make a connection to the server. Once a connection with the server is established, then proxy
104
reads the data received from the client and relays the data to the server via the server connection. Likewise, the proxy reads the data received from the server and relays the data to the client via the client connection.
Typically, the client is required to log on to the proxy to get authorization to send information to the proxy to be relayed to the server and then the client must again log onto the server through the proxy. Although the proxy makes its own direct connection with the server which may require authentication of the proxy, the server in most cases will run a separate process to verify that the user of the proxy is authorized to get the information from the server that is being requested. Thus, the proxy protects the server from a direct connection with a hostile source, but the server still must ensure that the user of the proxy is authorized to obtain the requested information. If the same information is required by the proxy and the server, then the information often must be supplied twice, once during authentication to the proxy and once during authentication to the server. Thus, the client must know to request the proxy address and then go through two separate authentication procedures in order to successfully obtain information from the server.
Certain proxy programs simplify the process somewhat by allowing the client to provide both a proxy password and a server password in a single step when the client signs on to the proxy. In some instances, a single password is used for both the proxy and the server. Nevertheless, the client still must know to contact the proxy. As a result, when a proxy is changed, many separate client applications must often be reconfigured to contact the appropriate proxy.
The use of a proxy as described above requires the user to log onto the proxy at the proxy IP address. It is thus evident to the user that a proxy is being used. Furthermore, in some situations, the user is required to go through two separate security procedures, one to log onto the proxy, and a second to log onto the target machine or server. It would be desirable if a proxy could be provided that operated in a transparent manner so that the user would not be aware of the operation of the proxy and would not be required to go through two separate security procedures. Such a proxy would also eliminate the need to reconfigure a large number client applications when a proxy is changed.
SUMMARY OF THE INVENTION
Accordingly, the present invention provides a proxy that oper
Coile Brantley W.
Howes Richard A.
LeBlanc William M.
Chin Wellington
Cisco Technology Inc.
Phan M.
Van Pellt & Yi LLP
LandOfFree
Method and apparatus for transparently proxying a connection does not yet have a rating. At this time, there are no reviews or comments for this patent.
If you have personal experience with Method and apparatus for transparently proxying a connection, we encourage you to share that experience with our LandOfFree.com community. Your opinion is very important and Method and apparatus for transparently proxying a connection will most certainly appreciate the feedback.
Profile ID: LFUS-PAI-O-2956005