US2016119330A1PendingUtilityA1

Smart router with enhanced security

50
Assignee: L HEUREUX ISRAELPriority: Sep 29, 2011Filed: Jan 7, 2016Published: Apr 28, 2016
Est. expirySep 29, 2031(~5.2 yrs left)· nominal 20-yr term from priority
H04L 63/0281H04L 63/1466H04L 63/0428H04L 63/0823H04L 67/2814H04L 63/10H04L 67/02G06F 17/30864H04L 67/42H04L 67/01H04L 67/563H04L 63/0876H04L 63/083H04L 63/168H04L 67/14H04L 63/102H04L 63/0272G06F 16/951H04L 63/0471H04L 63/02H04L 63/166
50
PatentIndex Score
0
Cited by
0
References
0
Claims

Abstract

A router receives, from a LAN-side client computing device, a request for a web resource served by a WAN side destination server, sent via an unsecure protocol. The router determines if the destination server supports a secure protocol. If it is determined that the destination server supports a secure protocol, then the router sends the request to the server via the supported secure protocol, receives a response in the server supported secure protocol, and forwards a payload of the response in an unsecure response to the unsecure request received from the client device. If it is determined that the destination server does not support the secure protocol, then the router sends the request to the destination server via the unsecure protocol.

Claims

exact text as granted — not AI-modified
1 . A router, comprising:
 a processor configured to:
 receive from a LAN-side client computing device a request for a web resource served by a WAN side destination server, sent via an unsecure protocol; 
 determine if the destination server supports a secure protocol; and 
 if it is determined that the destination server supports a secure protocol, then
 send the request to the server via the supported secure protocol; 
 receive a response in the server supported secure protocol; and 
 forward a payload of the response in an unsecure response to the unsecure request received from the client device; and 
 
 if it is determined that the destination server does not support the secure protocol, then send the request to the destination server via the unsecure protocol. 
   
     
     
         2 . The router of  claim 1 , wherein the unsecure protocol and secure protocol are a pair of protocols selected from the group of pairs comprising: HTTP and HTTPS, IMAP and IMAPS, and POP and POPS. 
     
     
         3 . The router of  claim 1 , wherein the processor is configured to receive a DNS look up request from the client device, determine if a requested site associated with the DNS look up request offers a secure connection, and store a certificate from the requested site, if received. 
     
     
         4 . The router of  claim 1 , wherein the processor is further configured to:
 implement a redirection, by replying to the request from the client device with an alternative domain to be used in future client requests for the same domain, thereby forcing encrypted connections via a different URI.   
     
     
         5 . The router of  claim 1 , wherein the processor is further configured to:
 route the request through a client-side proxy on the router which forces WAN-side connections from the router to remote servers to be implemented via secure SSL connections.   
     
     
         6 . The router of  claim 1 , wherein in the event that the WAN-side destination server does support a secure protocol, the router maintains a separate secure connection to the client device, to thereby enable the router to rewrite data in replies from the destination server before it reaches the client device, including adding, deleting or modifying cookie data, protocol headers, or sent or received application data. 
     
     
         7 . The router of  claim 1 , wherein the processor is configured to perform certificate validation tests, at least in part by performing a DNS lookup with a trusted service of the WAN to verify an identity of a host or network server of the WAN that the client device is communicating with or requesting to communicate with. 
     
     
         8 . The router of  claim 1 , further comprising: implement a secure DNS query protocol by querying a first DNS server and receiving a DNS response therefrom, determining that the DNS response from the first server deviates from an expected value, and upon determining that the DNS response deviates from the expected value, querying a second DNS server. 
     
     
         9 . The router of  claim 1 , wherein the processor is further configured to:
 detect a possibility of a WAN-side man-in-the-middle attack originating from a suspected malicious server by comparing SSL certificates used to authenticate each of a plurality of SSL connections, and determining that one of the plurality of SSL certificates was issued by a known rogue authority, or does not match historically known-safe versions; and   in response to detecting the possibility of a WAN-side man-in-the-middle attack, alert the client device and/or refuse connections with a suspected malicious server.   
     
     
         10 . A networking method for use in a router, comprising:
 receiving from a LAN-side client computing device a request for a web resource served by a WAN side destination server, sent via an unsecure protocol;   determining if the destination server supports a secure protocol; and   if it is determined that the destination server supports a secure protocol, then
 sending the request to the server via the supported secure protocol; 
 receiving a response in the server supported secure protocol; and 
 forwarding a payload of the response in an unsecure response to the unsecure request received from the client device; and 
   if it is determined that the destination server does not support the secure protocol, then sending the request to the destination server via the unsecure protocol.   
     
     
         11 . The method of  claim 10 , wherein the unsecure protocol and secure protocol are a pair of protocols selected from the group of pairs comprising: HTTP and HTTPS, IMAP and IMAPS, and POP and POPS. 
     
     
         12 . The method of  claim 10 , further comprising:
 receiving a DNS look up request from the client device,   determining if a requested site associated with the DNS look up request offers a secure connection, and   storing a certificate from the requested site, if received.   
     
     
         13 . The method of  claim 10 , further comprising:
 implementing a redirection, by replying to the request from the client device with an alternative domain to be used in future client requests for the same domain, thereby forcing encrypted connections via a different URI.   
     
     
         14 . The method of  claim 10 , further comprising:
 routing the request through a client-side proxy on the router which forces WAN-side connections from the router to remote servers to be implemented via secure SSL connections.   
     
     
         15 . The method of  claim 10 , wherein in the event that the WAN-side destination server does support a secure protocol, the router maintains a separate secure connection to the client device, to thereby enable the router to rewrite data in replies from the destination server before it reaches the client device, including adding, deleting or modifying cookie data, protocol headers, or sent or received application data. 
     
     
         16 . The router of  claim 10 , wherein the processor is configured to perform certificate validation tests, at least in part by performing a DNS lookup with a trusted service of the WAN to verify an identity of a host or network server of the WAN that the client device is communicating with or requesting to communicate with. 
     
     
         17 . The method of  claim 10 , further comprising: implement a secure DNS query protocol by querying a first DNS server and receiving a DNS response therefrom, determining that the DNS response from the first server deviates from an expected value, and upon determining that the DNS response deviates from the expected value, querying a second DNS server. 
     
     
         18 . The method of  claim 10 , further comprising:
 detecting a possibility of a WAN-side man-in-the-middle attack originating from a suspected malicious server by comparing SSL certificates used to authenticate each of a plurality of SSL connections, and determining that one of the plurality of SSL certificates was issued by a known rogue authority, or does not match historically known-safe versions; and   in response to detecting the possibility of a WAN-side man-in-the-middle attack, alerting the client device and/or refusing connections with a suspected malicious server.   
     
     
         19 . The method of  claim 10 , further comprising:
 periodically exchanging application layer challenges with LAN-side client devices to determine that those devices are not being spoofed.   
     
     
         20 . The method of  claim 10 , wherein the challenges are issued by client devices of DNS or ARP servers, and routed through the router, and request a preshared secret between the client devices and DNS or ARP servers.

Cited by (0)

No later patents cite this yet.

References (0)

No backward citations on record.