Title: SELECTIVELY PERFORMING MAN IN THE MIDDLE DECRYPTION
Abstract: An agent on a device within a network receives a request to access a resource outside the network. A first encrypted connection is established between the device and the agent, and a second encrypted connection is established between the agent and the resource, to facilitate encrypted communication traffic between the device and the resource. The agent sends a policy request to a network appliance within the network, the request specifying the resource. The agent receives a policy response indicating that the resource is associated with one or more security policies of the network. Traffic passing between the device and the resource is selectively decrypted and inspected depending on the security policies.
Publication number: US2015381584(A1) Publication date: 2015.12.31
Application number: US201514845209 Filing date: 2015.09.03
Applicant: iboss, Inc. Inventor: Martini Paul Michael
Classification: H04L29/06 Main classification: H04L29/06
Agency: (blank) Attorney: (blank)
Main claim: 1. A device comprising: memory for storing machine instructions, an agent, and an operating system; a transceiver configured to enable the device to communicate with a policy manager on a first network, and one or more resources; and a processor for executing machine instructions stored in the memory, wherein execution of the machine instructions causes the device to perform operations including the following: alternately performing either (a) or (b) depending on whether the device is hosted on the first network or on a second network other than the first network:
(a) if a device is hosted on a first network:
(i) receiving, by an agent on the device, a first request to access a resource outside the first network, wherein the first request is transmitted from an operating system of the device to the agent without being transmitted outside of the device;
(ii) transmitting, by the agent on the device, a first policy request to a policy manager hosted on the first network in response to the agent's receiving the first request, wherein the first policy request is routed from the agent on the device to the policy manager hosted on the first network without leaving the first network;
(iii) receiving, by the agent on the device, a first policy response from the policy manager, the first policy response instructing the agent to monitor communication between the device and the resource;
(iv) establishing, by the agent on the device, a first encrypted connection between the device's operating system and the agent such that communication traffic of the first encrypted connection is not transmitted outside the device;
(v) establishing, by the agent on the device, a second encrypted connection between the agent on the device and the resource such that communication traffic of the second encrypted connection enters and exits the first network at a gateway of the first network; and
(vi) monitoring, by the agent on the device, communication between the device's operating system and the resource; and
(b) alternatively, if the device is hosted on a second network other than the first network:
(i) receiving, by the agent on the device, a second request to access the resource, wherein the request is transmitted from the operating system of the device to the agent without being transmitted outside of the device;
(ii) transmitting, by the agent on the device, a second policy request to the policy manager hosted on the first network in response to the agent's receiving the second request, wherein the second policy request is routed from the second network to the first network in order to reach the policy manager on the first network;
(iii) receiving, by the agent on the device, a second policy response from the policy manager, the policy response instructing the agent to monitor communication between the device and the resource;
(iv) establishing, by the agent on the device, a third encrypted connection between the device's operating system and the agent such that communication traffic of the third encrypted connection is not transmitted outside the device;
(v) establishing, by the agent on the device, a fourth encrypted connection between the agent and the resource such that communication traffic of the fourth encrypted connection is routed between the agent on the device and the resource without being routed to the first network; and
(vi) monitoring, by the agent, communication between the device's operating system and the resource.
Address: San Diego CA US