Title |
Transport layer security traffic control using service name identification |
Abstract |
Traffic control techniques are provided for intercepting an initial message in a handshaking procedure for a secure communication between a first device and a second device at a proxy device. Identification information associated with the second device is extracted from the initial message. A policy is applied to communications between the first device and second device based on the identification information. |
Publication number |
US9237168(B2) |
Publication date |
2016.01.12 |
Application number |
US201213473835 |
Filing date |
2012.05.17 |
Applicant |
Cisco Technology, Inc. |
Inventors |
Wang Jianxin;Shankar Hari;Highland Trevor;Koduri Niranjan;Odnert Daryl |
Classification |
H04L29/06 |
Main classification |
H04L29/06 |
Agency |
Edell, Shapiro & Finnan, LLC |
Agent |
Edell, Shapiro & Finnan, LLC |
Independent claim |
1. A method of establishing a connection across a network, comprising:
intercepting at a proxy device a partially encrypted initial message of a handshaking procedure for a secure encrypted communication session between a first device and a second device, wherein the initial message is a ClientHello message of a Transport Layer Security (TLS) handshaking procedure that includes identification information associated with the second device, wherein the identification information comprises a plurality of parameters including host names, categories of hosts, reputations of hosts, and application types, and wherein each parameter has assigned a weight;
extracting from the initial message the identification information associated with the second device;
comparing the plurality of parameters with a plurality of databases to generate comparison results;
balancing the comparison results based on the assigned weights to the parameters to determine a policy; and
applying the policy to communications between the first device and the second device based on the identification information, wherein extracting the identification information comprises extracting a server name indication extension in the initial message without decrypting the initial message, and wherein the service name indication extension indicates a host name of the second device. |
Address |
San Jose CA US |