Field of the Invention
The present invention is generally related to a network computing device including a first processor that communicates with a second processor as a proxy for a client device when the access privileges of the client device are authenticated. More specifically, the present invention relates to the first processor running software that communicates with the second processor as if the first processor were the client device, where the software running on the first processor does not itself validate the authenticity of the client device.
Description of the Related Art
Client devices attempting to gain access to a resource in a networked computing environment are commonly authenticated before being allowed to access data or programs stored at the resource. A client device commonly gains access to a specific resource after sending a request to access the resource and after credentials of the client device have been authenticated.
The authentication of credentials from a client device may include communications between the client device, a gateway or firewall, and an authentication server. After an authentication process has been completed, the gateway or firewall may allow the client device to communicate with a computing resource in a networked computing environment. The computing resource may be a computer or a server that is distinct from the authentication server that was communicated with during the authentication process of the client device.
Information used to authenticate the credentials of a client device may include, but is not limited to, a password, a user name, a security certificate, or other information provided by the client device. The authentication information provided by the client device may be compared with information held by or provided by an authentication server. A gateway or firewall located between the client device and the authentication server may also perform an authentication process in which the credentials of a server or of a client device are authenticated. In some configurations, the gateway or firewall may act as the authentication server itself.
When additional security is desired, the authentication of a client device may be performed after a Secure Sockets Layer (SSL) communication session (or a session using its successor, Transport Layer Security (TLS)) has been established. The authentication of the credentials of a client device may therefore be performed with or without establishing an SSL communication session. When an SSL communication session is used, it is commonly established after a transmission control protocol (TCP) session has been established between the client device and a computing device.
Today, computing devices such as gateways and firewalls commonly include multiple processors (i.e., they are multi-processor systems), where at least one of the processors may be optimized for performing one or more control functions. In these systems, one or more other processors may be optimized for transferring data between a client device and a computing resource. A processor optimized for transferring data, i.e. a data plane (DP) processor, may process the movement of data (i.e., data traffic) according to a set of access rules or other settings that are configured by a processor optimized for control functions, i.e. a control plane (CP) processor.
Frequently, data passing through a gateway or firewall is handled by one or more DP processors. The communication of data through the gateway or firewall may be optimized by using software that is designed to transfer data and that includes little or no program code for performing control functions. Similarly, software optimized for performing control functions includes little or no program code for optimizing the transfer of data through the gateway or firewall. CP processors may run a full operating system (OS), while DP processors run an entirely different set of program code. A gateway/firewall that includes multiple processors may also communicate with a client device using a single communication path or socket. A socket is a software endpoint that provides bidirectional communication between a server program and one or more client programs. A socket binds a server program to a specific logical port on the machine on which it runs, so that a client program may communicate with the server program over the socket associated with that port.
A client device, therefore, may not communicate simultaneously with a CP processor and a DP processor over the single communication pathway. Conventionally, if a DP processor is used to authenticate a client device, the program code associated with the DP processor must be overly complex because it must include all of the software required to authenticate a client device. Similarly, if a CP processor is used to authenticate a client device, the CP processor may be overloaded handling SSL virtual private network (VPN) data traffic transmitted between a computing resource and the client device after the authentication process has been completed. In either instance, the performance of the CP processor or the DP processor cannot be fully optimized using currently available multi-processor computing systems.
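The following is an added example, not code from the patent or from any product it describes, showing the control-plane/data-plane split discussed above in miniature. The `ControlPlane` class holds all credential-checking logic (here a constructed user table with salted PBKDF2 hashes and a per-user destination policy, both assumptions for illustration); the `DataPlane` class contains no password-verification code at all: it relays an authentication message to the control plane as a proxy, records the access rules the control plane hands back, and thereafter only forwards or drops data traffic according to those rules. Message formats, user names and destinations are constructed for the example.

```python
"""Constructed example of a DP processor proxying authentication to a CP processor."""
import hashlib
import hmac
import secrets

PBKDF2_ROUNDS = 50_000          # assumption: work factor chosen for the example


def _hash_password(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)


class ControlPlane:
    """Holds every piece of authentication logic; never touches data traffic."""

    def __init__(self, users: dict):
        # users: name -> (password, set of destinations the user may reach)  (constructed)
        self._users = {}
        for name, (password, allowed) in users.items():
            salt = secrets.token_bytes(16)
            self._users[name] = (salt, _hash_password(password, salt), frozenset(allowed))
        # Dummy record so unknown users cost the same time as a wrong password.
        self._dummy = (bytes(16), bytes(32), frozenset())

    def authenticate(self, username: str, password: str):
        """Return the access rules for the client on success, or None on failure."""
        record = self._users.get(username)
        salt, stored, allowed = record if record is not None else self._dummy
        candidate = _hash_password(password, salt)
        if record is None or not hmac.compare_digest(candidate, stored):
            return None
        return allowed


class DataPlane:
    """Moves data under rules set by the CP; acts only as a proxy during authentication."""

    def __init__(self, control_plane: ControlPlane):
        self._cp = control_plane
        self._flows = {}            # client_id -> destinations the CP allowed

    def handle(self, client_id: str, msg: dict) -> dict:
        kind = msg.get("type")
        if kind == "auth":
            # The DP forwards the client's credentials to the CP as if it were the
            # client; it has no code of its own to decide whether they are valid.
            allowed = self._cp.authenticate(msg.get("user", ""), msg.get("password", ""))
            if allowed is None:
                return {"status": "denied"}
            self._flows[client_id] = allowed
            return {"status": "ok"}
        if kind == "data":
            # Data-plane work: apply the CP-provided rules to each unit of traffic.
            allowed = self._flows.get(client_id)
            if allowed is None or msg.get("dest") not in allowed:
                return {"status": "dropped"}
            return {"status": "forwarded", "dest": msg["dest"], "bytes": len(msg["payload"])}
        return {"status": "error", "reason": "unknown message type"}


if __name__ == "__main__":
    cp = ControlPlane({"alice": ("correct horse", {"10.0.0.5:443"})})   # constructed
    dp = DataPlane(cp)
    print(dp.handle("c1", {"type": "data", "dest": "10.0.0.5:443", "payload": b"x"}))
    print(dp.handle("c1", {"type": "auth", "user": "alice", "password": "correct horse"}))
    print(dp.handle("c1", {"type": "data", "dest": "10.0.0.5:443", "payload": b"hello"}))
```

The point the example makes is that the only state crossing from the CP to the DP is the resulting rule set, so the DP's code path stays small, and a client that has not completed authentication (or that sends the wrong password) receives nothing but dropped traffic.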
What is needed is a system and a method for optimizing the performance of CP processors and DP processors in a multi-processor system that does not require a DP processor to validate the credentials of a client device and that does not require a CP processor to handle the transfer of data through a computing device.