
US-12621271-B2 - Zero-trust network access (ZTNA) secure traffic forwarding


Abstract

Systems and methods for performing zero-trust network access (ZTNA) secure traffic forwarding are provided. In one example, as part of setting up a transmission control protocol (TCP) forward access proxy (TFAP) tunnel, between a target service and an endpoint security agent of an endpoint device through which an application running on the endpoint device can interact with the target service, a secure connection is established between the endpoint security agent and a ZTNA access proxy (AP). Based on an encryption status of traffic transmitted from the application to the target service: (i) protection against eavesdropping by a man-in-the-middle attacker is provided by using the secure connection to encrypt one or more critical messages of the traffic between the endpoint security agent and the ZTNA AP; and (ii) the endpoint security agent abstains from switching to bypassing mode through the TFAP tunnel until after the one or more critical messages of the traffic have been exchanged.

Inventors

  • Ying Li Wang
  • Wenping Luo
  • Feng Han
  • Weining Wu

Assignees

  • FORTINET, INC.

Dates

Publication Date
2026-05-05
Application Date
2023-12-29

Claims (18)

  1. A method comprising: as part of setting up a transmission control protocol (TCP) forward access proxy (TFAP) tunnel, between a zero-trust network access (ZTNA) access point (AP) and an endpoint security agent, through which an application running on an endpoint device accesses a target service, establishing a secure connection between the endpoint security agent and the ZTNA AP; based on an encryption status of traffic transmitted from the application to the target service via the endpoint security agent: protecting against eavesdropping by an attacker that has inserted itself between the endpoint security agent and the ZTNA AP, by using the secure connection to encrypt one or more critical messages of the traffic between the endpoint security agent and the ZTNA AP; and abstaining from switching the endpoint security agent to bypassing mode through the TFAP tunnel until after the one or more critical messages of the traffic have been exchanged; and based on determining the traffic is encrypted, avoiding re-encryption of the traffic by forwarding the traffic to the target service via the TFAP tunnel.
  2. The method of claim 1, wherein a protocol carrying the traffic comprises secure sockets layer (SSL) protocol or transport layer security (TLS) protocol and wherein the one or more critical messages comprises a client hello message of the SSL protocol or the TLS protocol.
  3. The method of claim 1, wherein a protocol carrying the traffic comprises secure shell (SSH) protocol and wherein the one or more critical messages comprises a key exchange initialization (KEXINIT) message of the SSH protocol or a message of the SSH protocol indicating completion of the key exchange.
  4. The method of claim 1, wherein a protocol carrying the traffic comprises quick user datagram protocol (UDP) internet connections (QUIC) and wherein the one or more critical messages comprises an encryption confirmation message of the QUIC protocol.
  5. The method of claim 1, wherein the secure connection is established via hypertext transfer protocol secure (HTTPS), hypertext transfer protocol version 1.1 (HTTP 1.1) over SSL, hypertext transfer protocol version 2.0 (HTTP 2.0) over SSL, or hypertext transfer protocol version 3.0 (HTTP 3.0) over QUIC.
  6. A non-transitory machine readable medium storing instructions associated with an endpoint security agent, which when executed by one or more processing resources of a client device, cause the endpoint security agent to: during establishment of transmission control protocol (TCP) forward access proxy (TFAP) tunnel between a zero-trust network access (ZTNA) access point (AP) and the endpoint security agent, through which an application running on the client device accesses a target service, establish a secure connection between the endpoint security agent and the ZTNA AP; based on an encryption status of service packets transmitted from the application to the target service via the endpoint security agent: protect against eavesdropping by an attacker that has inserted itself between the endpoint security agent and the ZTNA AP, by maintaining the secure connection and encrypting one or more critical messages of the service packets between the endpoint security agent and the ZTNA AP; and abstain from switching the endpoint security agent to bypassing mode through the TFAP tunnel until after exchange of the one or more critical messages of the service packets has been completed; and based on determining the service packets are encrypted, avoiding re-encryption of the service packets by forwarding the service packets to the target service via the TFAP tunnel.
  7. The non-transitory machine readable medium of claim 6, wherein a protocol carrying the service packets comprises secure sockets layer (SSL) protocol or transport layer security (TLS) protocol and wherein the one or more critical messages comprises a client hello message of the SSL protocol or the TLS protocol.
  8. The non-transitory machine readable medium of claim 6, wherein a protocol carrying the service packets comprises secure shell (SSH) protocol and wherein the one or more critical messages comprises a key exchange initialization (KEXINIT) message of the SSH protocol.
  9. The non-transitory machine readable medium of claim 6, wherein a protocol carrying the service packets comprises quick user datagram protocol (UDP) internet connections (QUIC) and wherein the one or more critical messages comprises an encryption confirmation message of the QUIC protocol.
  10. The non-transitory machine readable medium of claim 6, wherein the secure connection is established via hypertext transfer protocol secure (HTTPS).
  11. The non-transitory machine readable medium of claim 6, wherein the secure connection is established via hypertext transfer protocol version 1.1 (HTTP 1.1) over SSL.
  12. The non-transitory machine readable medium of claim 6, wherein the secure connection is established via hypertext transfer protocol version 2.0 (HTTP 2.0) over SSL.
  13. The non-transitory machine readable medium of claim 6, wherein the secure connection is established via hypertext transfer protocol version 3.0 (HTTP 3.0) over QUIC.
  14. A client device comprising: one or more processing resources; and instructions that when executed by the one or more processing resources cause an endpoint security agent on the client device to: during establishment of transmission control protocol (TCP) forward access proxy (TFAP) tunnel between a zero-trust network access (ZTNA) access point (AP) and the endpoint security agent, through which an application running on the client device accesses a target service, establish a secure connection between the endpoint security agent and the ZTNA AP; based on an encryption status of service packets transmitted from the application to the target service via the endpoint security agent: protect against eavesdropping by an attacker that has inserted itself between the endpoint security agent and the ZTNA AP, by maintaining the secure connection and encrypting one or more critical messages of the service packets between the endpoint security agent and the ZTNA AP; and abstain from switching the endpoint security agent to bypassing mode through the TFAP tunnel until after exchange of the one or more critical messages of the service packets has been completed; and based on determining the service packets are encrypted, avoid re-encryption of the service packets by forwarding the service packets to the target service via the TFAP tunnel.
  15. The client device of claim 14, wherein a protocol carrying the service packets comprises secure sockets layer (SSL) protocol or transport layer security (TLS) protocol and wherein the one or more critical messages comprises a client hello message of the SSL protocol or the TLS protocol.
  16. The client device of claim 14, wherein a protocol carrying the service packets comprises secure shell (SSH) protocol and wherein the one or more critical messages comprises a key exchange initialization (KEXINIT) message of the SSH protocol.
  17. The client device of claim 14, wherein a protocol carrying the service packets comprises quick user datagram protocol (UDP) internet connections (QUIC) and wherein the one or more critical messages comprises an encryption confirmation message of the QUIC protocol.
  18. The client device of claim 14, wherein the secure connection is established via hypertext transfer protocol secure (HTTPS), hypertext transfer protocol version 1.1 (HTTP 1.1) over SSL, hypertext transfer protocol version 2.0 (HTTP 2.0) over SSL, or hypertext transfer protocol version 3.0 (HTTP 3.0) over QUIC.
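The forwarding decision described in claims 1 to 5, as an added illustration written for this page (not Fortinet's code and not the patent's implementation): the agent keeps a client connection on its own secure link to the ZTNA AP until the critical messages have been exchanged, then switches to bypass mode only for traffic it has classified as already encrypted, and never for plaintext traffic. The protocol detection, the `TfapSession` class, the constructed sample packets, and the choice to treat the server's first handshake record (TLS) and both sides' NEWKEYS (SSH) as completing the critical exchange are all assumptions of this sketch.

```python
import struct
from dataclasses import dataclass
from typing import Optional

SSH_MSG_KEXINIT, SSH_MSG_NEWKEYS = 20, 21      # RFC 4253 message codes
TLS_HANDSHAKE, TLS_CLIENT_HELLO = 0x16, 0x01   # TLS record / handshake types

def classify(first_bytes: bytes) -> str:
    """Guess the application protocol from the first bytes the client sends."""
    if (len(first_bytes) >= 6 and first_bytes[0] == TLS_HANDSHAKE
            and first_bytes[1] == 0x03 and first_bytes[5] == TLS_CLIENT_HELLO):
        return "tls"
    return "ssh" if first_bytes.startswith(b"SSH-2.0-") else "plaintext"

def ssh_msg_type(packet: bytes) -> Optional[int]:
    """Message code of an unencrypted SSH binary packet; None for a version banner."""
    if packet.startswith(b"SSH-") or len(packet) < 6:
        return None
    return packet[5]   # uint32 packet_length, byte padding_length, byte msg code

def ssh_packet(msg_code: int, payload: bytes = b"") -> bytes:   # constructed demo packet
    body, pad = bytes([msg_code]) + payload, 4
    return struct.pack(">IB", len(body) + 1 + pad, pad) + body + b"\x00" * pad

@dataclass
class TfapSession:
    """Agent-side forwarding state for one client connection through the TFAP tunnel."""
    protocol: Optional[str] = None
    client_critical_seen: bool = False
    server_critical_seen: bool = False
    def bypass_allowed(self) -> bool:
        return self.client_critical_seen and self.server_critical_seen
    def route(self, direction: str, data: bytes) -> str:
        """Return 'secure' (relay over the agent's TLS link to the ZTNA AP) or 'bypass'."""
        if self.protocol is None and direction == "client":
            self.protocol = classify(data)   # first client bytes pick the protocol
        if self.protocol in (None, "plaintext"):
            return "secure"                  # unencrypted app traffic is never bypassed
        if self.bypass_allowed():
            return "bypass"                  # already encrypted: avoid re-encrypting it
        self._observe(direction, data)
        return "secure"                      # critical messages stay on the secure link
    def _observe(self, direction: str, data: bytes) -> None:
        # TLS: ClientHello (plaintext SNI) is critical; the server's handshake reply completes
        # the exchange. SSH: KEXINIT/DH are plaintext; NEWKEYS from both sides ends key exchange.
        if self.protocol == "tls" and data[:1] == bytes([TLS_HANDSHAKE]):
            setattr(self, f"{direction}_critical_seen", True)
        elif self.protocol == "ssh" and ssh_msg_type(data) == SSH_MSG_NEWKEYS:
            setattr(self, f"{direction}_critical_seen", True)
```

Feeding a TLS ClientHello, the server's reply, and then application data through `route()` yields `secure`, `secure`, `bypass`; an HTTP request stays `secure` for the life of the session.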

Description

BACKGROUND

Field

Various embodiments of the present disclosure generally relate to zero-trust network access (ZTNA). In particular, some embodiments relate to secure traffic forwarding when making use of a ZTNA access point (AP) to facilitate access by a client application (e.g., a browser) to a protected transmission control protocol (TCP) application (or a target service).

Description of the Related Art

A ZTNA AP allows users to securely access resources through a Secure Sockets Layer (SSL) or Transport Layer Security (TLS) encrypted access proxy. This simplifies remote access by eliminating the use of dial-up Virtual Private Networks (VPNs). ZTNA rules and tagging offer additional identity and posture checking. For example, by establishing a ZTNA network connection, a virtual tunnel can be provided between an endpoint security agent running on a client device (e.g., a workstation, a laptop computer, a desktop computer, a tablet computer, or the like) through which a client application (e.g., a browser) and a target service may exchange service packets. The policies on the ZTNA AP control what devices and users can access the target service (which may also be referred to herein as a protected service as the ZTNA AP is limiting access to the service). Once the session matches a policy, the ZTNA AP sets up a proxy tunnel session (e.g., a TCP forwarding access proxy (TFAP) tunnel) between the peers (e.g., the endpoint security agent, acting as a proxy on behalf of the client application, and the target service).

SUMMARY

Systems and methods are described for performing ZTNA secure traffic forwarding. According to one embodiment, as part of setting up a transmission control protocol (TCP) forward access proxy (TFAP) tunnel, between a target service and an endpoint security agent, operable on an endpoint device and through which an application running on the endpoint device can interact with the target service, a secure connection is established between the endpoint security agent and a ZTNA access point (AP). Based on an encryption status of traffic transmitted from the application to the target service via the endpoint security agent: (i) protection against eavesdropping by an attacker logically positioned between the endpoint security agent and the ZTNA AP is provided by using the secure connection to encrypt one or more critical messages of the traffic between the endpoint security agent and the ZTNA AP; and (ii) the endpoint security agent abstains from switching to bypassing mode through the TFAP tunnel until after the one or more critical messages of the traffic have been exchanged.

Other features of embodiments of the present disclosure will be apparent from accompanying drawings and detailed description that follows.

BRIEF DESCRIPTION OF THE DRAWINGS

In the Figures, similar components and/or features may have the same reference label. Further, various components of the same type may be distinguished by following the reference label with a second label that distinguishes among the similar components. If only the first reference label is used in the specification, the description is applicable to any one of the similar components having the same first reference label irrespective of the second reference label.

FIG. 1 is a block diagram illustrating an operating environment in which various embodiments of the present disclosure may be employed.

FIG. 2 is a message sequence diagram illustrating a traditional approach for setting up a TFAP tunnel.

FIG. 3 is a message sequence diagram illustrating potential malicious action that may be taken by an attacker during establishment of the TFAP tunnel.

FIG. 4 is a flow diagram illustrating a set of operations for setting up a TFAP tunnel in accordance with an embodiment of the present disclosure.

FIG. 5 illustrates an example computer system in which or with which embodiments of the present disclosure may be utilized.

DETAILED DESCRIPTION

Systems and methods are described for performing ZTNA secure traffic forwarding. In the context of cryptography and cybersecurity, a man-in-the-middle (MITM) attack is a cyberattack in which an attacker, which has inserted itself between or otherwise is logically positioned between two entities, eavesdrops on the communications between the two entities, for example, by secretly relaying the communications. Existing ZTNA APs may use tunnel technology to tunnel service packets between an endpoint (or client) device on which a client application (e.g., a browser) runs and a protected service (a target service) to which the policies on the ZTNA AP allow access. If the ZTNA AP utilizes non-encrypted tunnel technology, there is a potential for information leakage or malicious activity due to a MITM attack. While the use of encrypted tunnel technology may prevent MITM attacks, a naïve implementation may re-encrypt already encrypted tunnel traffic, thereby reducing performance. Embodiments described herein seek to address or at least miti