Smart router with enhanced security
Abstract
A router receives, from a LAN-side client computing device, a request for a web resource served by a WAN side destination server, sent via an unsecure protocol. The router determines if the destination server supports a secure protocol. If it is determined that the destination server supports a secure protocol, then the router sends the request to the server via the supported secure protocol, receives a response in the server supported secure protocol, and forwards a payload of the response in an unsecure response to the unsecure request received from the client device. If it is determined that the destination server does not support the secure protocol, then the router sends the request to the destination server via the unsecure protocol.
Claims
exact text as granted — not AI-modified1 . A router, comprising:
a processor configured to:
receive from a LAN-side client computing device a request for a web resource served by a WAN side destination server, sent via an unsecure protocol;
determine if the destination server supports a secure protocol; and
if it is determined that the destination server supports a secure protocol, then
send the request to the server via the supported secure protocol;
receive a response in the server supported secure protocol; and
forward a payload of the response in an unsecure response to the unsecure request received from the client device; and
if it is determined that the destination server does not support the secure protocol, then send the request to the destination server via the unsecure protocol.
2 . The router of claim 1 , wherein the unsecure protocol and secure protocol are a pair of protocols selected from the group of pairs comprising: HTTP and HTTPS, IMAP and IMAPS, and POP and POPS.
3 . The router of claim 1 , wherein the processor is configured to receive a DNS look up request from the client device, determine if a requested site associated with the DNS look up request offers a secure connection, and store a certificate from the requested site, if received.
4 . The router of claim 1 , wherein the processor is further configured to:
implement a redirection, by replying to the request from the client device with an alternative domain to be used in future client requests for the same domain, thereby forcing encrypted connections via a different URI.
5 . The router of claim 1 , wherein the processor is further configured to:
route the request through a client-side proxy on the router which forces WAN-side connections from the router to remote servers to be implemented via secure SSL connections.
6 . The router of claim 1 , wherein in the event that the WAN-side destination server does support a secure protocol, the router maintains a separate secure connection to the client device, to thereby enable the router to rewrite data in replies from the destination server before it reaches the client device, including adding, deleting or modifying cookie data, protocol headers, or sent or received application data.
7 . The router of claim 1 , wherein the processor is configured to perform certificate validation tests, at least in part by performing a DNS lookup with a trusted service of the WAN to verify an identity of a host or network server of the WAN that the client device is communicating with or requesting to communicate with.
8 . The router of claim 1 , further comprising: implement a secure DNS query protocol by querying a first DNS server and receiving a DNS response therefrom, determining that the DNS response from the first server deviates from an expected value, and upon determining that the DNS response deviates from the expected value, querying a second DNS server.
9 . The router of claim 1 , wherein the processor is further configured to:
detect a possibility of a WAN-side man-in-the-middle attack originating from a suspected malicious server by comparing SSL certificates used to authenticate each of a plurality of SSL connections, and determining that one of the plurality of SSL certificates was issued by a known rogue authority, or does not match historically known-safe versions; and in response to detecting the possibility of a WAN-side man-in-the-middle attack, alert the client device and/or refuse connections with a suspected malicious server.
10 . A networking method for use in a router, comprising:
receiving from a LAN-side client computing device a request for a web resource served by a WAN side destination server, sent via an unsecure protocol; determining if the destination server supports a secure protocol; and if it is determined that the destination server supports a secure protocol, then
sending the request to the server via the supported secure protocol;
receiving a response in the server supported secure protocol; and
forwarding a payload of the response in an unsecure response to the unsecure request received from the client device; and
if it is determined that the destination server does not support the secure protocol, then sending the request to the destination server via the unsecure protocol.
11 . The method of claim 10 , wherein the unsecure protocol and secure protocol are a pair of protocols selected from the group of pairs comprising: HTTP and HTTPS, IMAP and IMAPS, and POP and POPS.
12 . The method of claim 10 , further comprising:
receiving a DNS look up request from the client device, determining if a requested site associated with the DNS look up request offers a secure connection, and storing a certificate from the requested site, if received.
13 . The method of claim 10 , further comprising:
implementing a redirection, by replying to the request from the client device with an alternative domain to be used in future client requests for the same domain, thereby forcing encrypted connections via a different URI.
14 . The method of claim 10 , further comprising:
routing the request through a client-side proxy on the router which forces WAN-side connections from the router to remote servers to be implemented via secure SSL connections.
15 . The method of claim 10 , wherein in the event that the WAN-side destination server does support a secure protocol, the router maintains a separate secure connection to the client device, to thereby enable the router to rewrite data in replies from the destination server before it reaches the client device, including adding, deleting or modifying cookie data, protocol headers, or sent or received application data.
16 . The router of claim 10 , wherein the processor is configured to perform certificate validation tests, at least in part by performing a DNS lookup with a trusted service of the WAN to verify an identity of a host or network server of the WAN that the client device is communicating with or requesting to communicate with.
17 . The method of claim 10 , further comprising: implement a secure DNS query protocol by querying a first DNS server and receiving a DNS response therefrom, determining that the DNS response from the first server deviates from an expected value, and upon determining that the DNS response deviates from the expected value, querying a second DNS server.
18 . The method of claim 10 , further comprising:
detecting a possibility of a WAN-side man-in-the-middle attack originating from a suspected malicious server by comparing SSL certificates used to authenticate each of a plurality of SSL connections, and determining that one of the plurality of SSL certificates was issued by a known rogue authority, or does not match historically known-safe versions; and in response to detecting the possibility of a WAN-side man-in-the-middle attack, alerting the client device and/or refusing connections with a suspected malicious server.
19 . The method of claim 10 , further comprising:
periodically exchanging application layer challenges with LAN-side client devices to determine that those devices are not being spoofed.
20 . The method of claim 10 , wherein the challenges are issued by client devices of DNS or ARP servers, and routed through the router, and request a preshared secret between the client devices and DNS or ARP servers.Cited by (0)
No later patents cite this yet.
References (0)
No backward citations on record.