Field of the Invention
The present invention is generally related to establishing a transport layer security (TLS) session without interruption. More specifically, the present invention relates to a client device communicating with a server through a firewall without interrupting an initial transport control protocol (TCP) session.
Description of the Related Art
Servers and client devices connecting to servers over computer networks are often protected from cyber-attacks by a firewall. Firewalls commonly intercept messages and inspect them for cyber-threats. In certain instances, a firewall also stops intercepting and inspecting messages between a client device and a server after the firewall determines that the server does not pose a threat to the client device, and that the client device does not pose a threat to the server.
Firewalls in modern computer networks validate the credentials of servers and client devices before allowing them to communicate directly. An example of direct communications between a client device and a server is a transport layer security (TLS) session where a firewall stops intercepting and inspecting messages between the client device and the server.
Messages encrypted over a TLS session are usually inspected by the firewall using deep packet inspection over a secure socket layer (DPI-SSL) software. When inspecting messages using DPI-SSL software, the firewall separates and parses information contained within messages received by the firewall. By inspecting data within the messages cyber-threats such as computer viruses or worms are identified and blocked. DPI-SSL is used to inspect messages received from client devices or servers that are more likely to contain a cyber-threat.
Firewalls also hide from the server the internet protocol (IP) address of client devices that communicate with the server. To accomplish this firewalls communicate with servers using network address translation (NAT). NAT abstracts the real IP address of the client from the server by assigning a configured outbound IP address and a random TCP port numbers on a TCP connection between the firewall and server. Typically, a client device only sees TCP packets including a server IP address and server TCP port number. Because of this, the client has no idea that the connection is going through a NAT'd firewall, and the server only sees the connection coming from the firewall without being aware of the actual client IP address of the client device or the TCP port used to communicate with the client device. Communications between the firewall and the server use network addresses and port numbers that are virtual, random, and that are dynamically assigned. For example, when establishing a transfer control protocol (TCP) connection between a firewall and a server, NAT designates a configured NAT IP address, assigns a dynamically obtained NAT TCP port number. These NAT address and NAT port numbers are unique and are associated with a specific TCP connection. The NAT TCP port number is usually picked from a large range of valid TCP port numbers. The source/client IP address and source/client TCP port number are mapped to the NAT IP address and NAT TCP port number in the TCP packets from client that are sent to the firewall. Likewise, the destination/NAT IP address and destination/NAT TCP port number in the packets from the server to the firewall are mapped to the client IP address and client TCP port number respectively. These mappings are associated with a particular client-server TCP connection and are stored in the firewall. Each time a new TCP connection is established, new NAT port numbers are assigned to the new TCP session.
After a firewall has established a TLS session, the firewall passes through the messages associated with the TLS session without inspecting them for cyber-threats using a direct point to point connection through the firewall. This direct point to point connection is commonly referred to as a tunnel through the firewall. In certain instances, the messages tunneled through the firewall are forwarded according to a NAT mapping that hides real IP address of the client device from the server.
Before a client device attempts to initiate a TLS session with a server, the client device must establish a TCP connection between the client device and a firewall, and the firewall must establish a TCP connection between the firewall and the server.
When establishing a TCP connection between a client device and a firewall, the client device first transmits to the firewall a TCP synchronize message, next the client device receives a TCP synchronize acknowledgement message from the firewall, and then the client device transmits a TCP acknowledgment to the firewall. Establishing the TCP connection between the firewall and the server includes a series of similar steps, where the firewall transmits a TCP synchronize message to the server, the firewall receives a TCP synchronize acknowledgement message from the server, and the firewall transmits a TCP acknowledgement to the server. After a TCP connection between the client device and the firewall is established, the client device initiates a TLS handshake by sending a TLS hello message to the firewall that addresses the server.
After the TLS client hello message is sent to the firewall, the firewall obtains the DNS name of the server from the TLS client hello message, when it is available. The DNS name of server is part of a TLS extension in the TLS client hello message is optional, and is therefore not always included in a TLS client hello message. If the domain name of server is available in the TLS client hello, the firewall compares information in the client hello with information stored in memory at the firewall. The information stored at the firewall is usually stored in either a user defined exclusion list, a dynamic exclusion list, or in both. The TLS handshake between the firewall and the server enforces local policies for TLS connections, where servers are identified using a domain name service (DNS) hostname provided by the server in the server certificate. The DNS hostname is compared against the user defined exclusion list or the dynamic exclusion list to determine whether subsequent TCP messages from the client device addressing the server should be bypassed from interception and inspection by deep packet inspection secure socket layer (DPI-SSL) software. Once it is determined that subsequent TCP messages should be bypassed from interception and inspection, legacy implementations terminate the TCP connection between the client device and firewall because the firewall has already initiated a TLS session with the server for this client connection. The firewall then adds the certificate information to an entry in the dynamic exclusion list. Firewalls terminate the TCP connection between the client and the firewall because their design expects that a user of a client device will either refresh the previous TCP connection or establish a new TCP connection between the client and the firewall. Once a TCP connection between the client device and firewall is refreshed or a new TCP connection is established, legacy firewall implementations use the new entry in the dynamic exclusion list to determine if the connection should be intercepted or tunneled prior to establishing a TLS session with the server.
After the TCP connection between the client device and the firewall is terminated, a user of the client device experiences delay. This is because the client device must refresh the session or initiate a new TCP connection. In certain instances applications installed on the user device experience a fatal error when the initial TCP connection is interrupted. When an application program terminates or closes due to a fatal error, the user of the client device must also re-start the application before a TLS session can be initiated. By interrupting the TLS session between the client device and the firewall, a user of the client device is subjected to unnecessary delays caused by the firewall terminating the client device/firewall TCP connection.
What is needed is a system and a method for initiating a TLS session that does not terminate an existing TCP connection between a client device and a firewall.