Cloud over IP for enterprise hybrid cloud network and security
Abstract
A system and technique for securing communications between endpoints in a local area network (LAN) includes receiving at a first endpoint in the LAN, a request from an application to connect to a second endpoint in the LAN. Approval from a controller to establish a Secure Socket Layer (SSL) tunnel to the second endpoint is requested. Upon receiving approval from the controller, the first endpoint receives from the controller a session identifier for the SSL tunnel. The controller also distributes a copy of the session identifier to the second endpoint. After receipt of the session identifier at the first endpoint, the session identifier is forwarded from the first endpoint to the second endpoint for security authorization, and the SSL tunnel is established. The SSL tunnel extends from the first endpoint in the LAN to the second endpoint in the LAN.
115 Citations
23 Claims
1. A method for securing communications between endpoints in a local area network (LAN) comprising:
receiving, at a first endpoint in the LAN, a request from an application to initiate a first communication session with a second endpoint in the LAN;
requesting approval from a controller to establish a Secure Socket Layer (SSL) tunnel to the second endpoint for the first communication session;
upon receiving the approval from the controller, receiving, at the first endpoint from the controller, a session identifier for the SSL tunnel, wherein the session identifier is generated by the controller, the controller and the second endpoint are different entities, and wherein a copy of the session identifier is also distributed by the controller to the second endpoint for the initiation of the first communication session;
after receipt of the session identifier at the first endpoint in the LAN, forwarding the session identifier for security authentication from the first endpoint to the second endpoint; and
based on the security authentication, establishing the SSL tunnel between the first and second endpoints in the LAN, wherein the SSL tunnel extends from the first endpoint in the LAN to the second endpoint in the LAN.
2. The method of claim 1 wherein the first endpoint, second endpoint, or both comprises at least one of a virtual machine or a container.
3. The method of claim 1 wherein the requesting approval comprises:
transmitting, from the first endpoint to the controller, an endpoint identifier associated with the first endpoint for the controller to authenticate, wherein the endpoint identifier is different from an Internet Protocol (IP) address associated with the first endpoint.
4. The method of claim 1 wherein network settings of the application are configured to recognize an Internet Protocol (IP) address of the LAN and the method comprises:
assigning the first endpoint a virtual IP address that matches the IP address of the LAN;
mapping the virtual IP address to a physical IP address of the LAN;
after a migration to a new LAN, different from the LAN, remapping the virtual IP address to a physical IP address of the new LAN, the LAN now being a previous LAN; and
routing traffic from the application through the new LAN while the network settings of the application remain configured to recognize the IP address of the previous LAN, wherein the routing of the traffic is permitted through the new LAN because the virtual IP address that matches the IP address of the previous LAN has been remapped to the physical IP address of the new LAN.
5. The method of claim 1 wherein the SSL tunnel extending between the first and second endpoints in the LAN does not pass through an internet gateway or a web site to bridge traffic between the first and second endpoints.
6. The method of claim 1 wherein the LAN comprises a load balancer that manages load across two or more endpoints in the LAN, and the method comprises:
requesting approval from the controller to establish a second SSL tunnel from the first endpoint to one of the two or more endpoints;
upon receiving the approval from the controller, receiving at the first endpoint from the controller, a second session identifier for the second SSL tunnel, wherein a copy of the second session identifier is also distributed by the controller to each of the two or more endpoints, each of the two or more endpoints being potential destinations for the second SSL tunnel; and
after receipt of the second session identifier at the first endpoint and each of the two or more endpoints, initiating an SSL handshake from the first endpoint, through the load balancer, to a particular endpoint of the two or more endpoints.
7. The method of claim 1 comprising:
before the requesting approval from the controller, performing, at the first endpoint, a preliminary security check of the first endpoint in the LAN as being allowed to connect to the second endpoint in the LAN.
8. A method comprising:
inserting a virtual overlay network between applications and a plurality of endpoints located in a new local area network (LAN), the plurality of endpoints being associated with a plurality of new physical Internet Protocol (IP) addresses of the new LAN;
assigning a plurality of virtual IP addresses to the plurality of endpoints, the plurality of virtual IP addresses being different from the plurality of new physical IP addresses;
storing information mapping the plurality of virtual IP addresses to the plurality of new physical IP addresses;
presenting the plurality of virtual IP addresses to the applications, wherein the plurality of virtual IP addresses mimic a plurality of previous physical IP addresses of a previous LAN, different from the new LAN;
receiving, at a first endpoint in the new LAN, a request from an application to initiate a first communication session with a second endpoint in the new LAN;
seeking approval from a controller to establish a secure tunnel between the first and second endpoints for the application;
upon receipt of approval from the controller, receiving, at the first endpoint from the controller, a session identifier for the establishment of the secure tunnel, wherein a copy of the session identifier is also distributed by the controller to the second endpoint for the initiation of the first communication session; and
after receipt of the session identifier sent by the controller to the first and second endpoints, forwarding, directly by the first endpoint, the session identifier sent by the controller to the second endpoint to allow the second endpoint to match the session identifier received from the first endpoint with the session identifier received from the controller; and
establishing the secure tunnel with the session identifier, wherein the secure tunnel extends from the first endpoint to the second endpoint, and wherein certificates are exchanged after the second endpoint determines that the session identifier sent by the controller to the second endpoint matches the session identifier sent directly by the first endpoint to the second endpoint.
9. The method of claim 8 comprising:
storing, at the first endpoint, a static routing table comprising a listing of at least a subset of the plurality of virtual IP addresses, the at least a subset of virtual IP addresses having been assigned to other endpoints in the new LAN that the first endpoint is allowed to connect to;
after the receiving, at a first endpoint in the new LAN, a request from an application to connect to a second endpoint in the new LAN, causing a search of the static routing table to determine whether the first endpoint is allowed to connect to the second endpoint; and
based on the search, determining that the first endpoint is allowed to connect to the second endpoint.
10. The method of claim 8 comprising:
sending, from the first endpoint to the second endpoint, first traffic from the application through the secure tunnel associated with the session identifier, the session identifier being a first session identifier;
after communications between the first and second endpoints have completed, terminating the secure tunnel;
receiving, at the first endpoint, a second request from the application to connect to the second endpoint; and
repeating the seeking approval to establish a second secure tunnel, wherein the second secure tunnel is established with a second session identifier, different from the first session identifier.
11. The method of claim 8 wherein the application is a first application and the method comprises:
receiving, at the first endpoint, a second request from a second application, different from the first application, to connect to the second endpoint;
making, at the first endpoint, a preliminary determination that the first endpoint is allowed to connect to the second endpoint;
after the preliminary determination, seeking approval from the controller to establish a second secure tunnel between the first and second endpoints for the second application; and
receiving from the controller a denial of the approval, the second application thereby not being permitted to send traffic to the second endpoint.
12. The method of claim 8 wherein the establishing the secure tunnel comprises:
sending a copy of the session identifier received at the first endpoint to the second endpoint, wherein an agent at the second endpoint verifies that the copy of the session identifier received from the first endpoint matches the copy of the session identifier received from the controller before agreeing to establish the secure tunnel.
13. The method of claim 8 wherein the establishing the secure tunnel comprises:
initiating, by the first endpoint, a Secure Socket Layer (SSL) handshake with the second endpoint, the initiating comprising sending an SSL hello message directly to the second endpoint, wherein the SSL message is received at the second endpoint as an inbound message, and without having passed through an internet gateway or a website bridging the first and second endpoints.
14. The method of claim 8 wherein the first endpoint, second endpoint, or both comprises at least one of a virtual machine or a container.
15. The method of claim 8 wherein network settings of the application are configured to recognize the previous LAN via the plurality of previous physical IP addresses of the previous LAN, and
wherein the application recognizes the new LAN via the plurality of virtual IP addresses that mimic the plurality of previous physical IP addresses.
16. The method of claim 8 wherein the seeking approval from a controller comprises sending, to the controller, an identifier associated with the application, and the method comprises:
examining, by the controller, a whitelist of identifiers to determine whether the application is allowed or not allowed according to the whitelist; and
upon determining that the application is allowed according to the whitelist, generating, by the controller, the session identifier for the secure tunnel.
17. The method of claim 8 wherein the session identifier is a first session identifier and the method comprises:
storing, at the first endpoint, a static routing table comprising a listing of at least a subset of the plurality of virtual IP addresses, the at least a subset of virtual IP addresses having been assigned to other endpoints in the new LAN that the first endpoint is allowed to connect to;
receiving, at the first endpoint, a second request from a second application to connect to the second endpoint;
causing a search of the static routing table to determine whether the first endpoint is allowed to connect to the second endpoint;
based on the search, determining that the first endpoint is allowed to connect to the second endpoint;
after the determination, seeking approval from the controller to establish a second secure tunnel between the first and second endpoints for the second application, the seeking approval comprising sending, to the controller, an identifier identifying the second application;
examining, by the controller, a whitelist of identifiers to determine whether the second application is allowed or not allowed according to the whitelist to send traffic to the second endpoint;
if the second application is allowed according to the whitelist, generating, by the controller, a second session identifier for a second secure tunnel, wherein the second session identifier is different from the first session identifier; and
if the second application is not allowed according to the whitelist, not generating the second session identifier, the approval to establish the second secure tunnel thereby being denied by the controller for security purposes.
18. The method of claim 8 wherein the new LAN comprises a load balancer that manages load across two or more endpoints in the new LAN, and the method comprises:
seeking approval from the controller to establish a second secure tunnel from the first endpoint to one of the two or more endpoints;
upon receiving the approval from the controller, receiving at the first endpoint from the controller, a second session identifier for the second secure tunnel, wherein a copy of the second session identifier is also distributed by the controller to each of the two or more endpoints, each of the two or more endpoints being potential destinations for the second secure tunnel; and
after receipt of the second session identifier at the first endpoint and each of the two or more endpoints, establishing the second secure tunnel from the first endpoint, through the load balancer, to a particular endpoint of the two or more endpoints.
19. A method comprising:
receiving, at a first endpoint in a local area network (LAN), a request to initiate a first communication session with an endpoint of two or more second endpoints managed by a load balancer in the LAN;
requesting approval from a controller to establish a Secure Socket Layer (SSL) tunnel to an endpoint of the two or more second endpoints managed by the load balancer;
receiving, from the controller in response to the controller approving the first communication session, a session identifier for the SSL tunnel at the first endpoint, and each endpoint of the two or more second endpoints managed by the load balancer, each endpoint of the two or more second endpoints being a potential destination for the SSL tunnel; and
after receipt of the session identifier at the first endpoint and each of the two or more second endpoints in the LAN managed by the load balancer, establishing the SSL tunnel between the first endpoint and a single particular endpoint of the two or more second endpoints managed by the load balancer, each of the two or more second endpoints having received the session identifier from the controller for the initiation of the first communication session, wherein the SSL tunnel extends from the first endpoint in the LAN, through the load balancer, to the single particular endpoint in the LAN.
20. The method of claim 19 comprising:
storing, at the first endpoint in the LAN, a static routing table comprising a listing of destination Internet Protocol (IP) addresses of other endpoints in the LAN that the first endpoint is allowed to connect to;
before the requesting approval from a controller to establish an SSL tunnel, causing a scan of the static routing table to determine whether an IP address of the load balancer, representing the two or more second endpoints, is listed in the static routing table; and
receiving an indication that the load balancer is listed in the static routing table.
21. The method of claim 19 wherein the establishing comprises:
transmitting a copy of the session identifier received at the first endpoint in the LAN from the first endpoint to the single particular endpoint of the two or more second endpoints in the LAN, wherein an agent at the single particular endpoint of the two or more second endpoints verifies that the copy of the session identifier received from the first endpoint matches the copy of the session identifier received from the controller before agreeing to establish the SSL tunnel.
22. The method of claim 19 wherein the first endpoint, single particular endpoint, or both comprises a virtual environment.
23. The method of claim 19 wherein the controller executes on a host or a virtual machine separate from the first endpoint.
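The claims above describe one protocol from several angles: a local static-routing-table check (claims 7, 9, 20), a controller that authenticates the requesting endpoint by an identifier other than its IP and checks the application against a whitelist (claims 3, 16, 17), a fresh session identifier generated per session and distributed to every potential destination (claims 1, 10, 19), and an agent at the destination that only proceeds to the handshake once the copy forwarded by the first endpoint matches the copy received from the controller (claims 12, 21). The following Python model is an added example, not code from the patent or its assignee. The class names, the policy tables, the expiry and the single-use handling of the identifier are assumptions made here; the SSL (today, TLS) handshake that the claims place after the match is stood in for by a TunnelRecord rather than a real socket.

```python
"""Controller-brokered session identifier exchange between LAN endpoints.

Added example modelled on the claims; not the patent's code. Names, policy
tables, expiry and single-use handling are assumptions. The TLS handshake
that follows the identifier match is represented by a TunnelRecord.
"""
import hmac
import secrets
import time
from dataclasses import dataclass, field

SESSION_ID_TTL = 30.0  # seconds a distributed identifier stays usable (assumed)


@dataclass
class TunnelRecord:
    src: str
    dst: str
    session_id: str


class Overlay:
    """Virtual overlay (claims 4, 8): applications keep addressing the previous
    LAN's IPs; each virtual IP maps to the endpoints currently behind it
    (a load balancer's virtual IP fronts more than one, claim 19)."""

    def __init__(self, mapping):
        self.mapping = dict(mapping)            # virtual IP -> endpoint identifiers

    def resolve(self, vip):
        return list(self.mapping[vip])

    def remap(self, vip, endpoint_ids):
        self.mapping[vip] = list(endpoint_ids)  # after a migration to a new LAN


class Controller:
    """Separate entity from both endpoints (claims 1, 23)."""

    def __init__(self, whitelist):
        self.whitelist = whitelist   # application identifier -> endpoints it may reach
        self.endpoints = {}          # endpoint identifier (not an IP, claim 3) -> Endpoint
        self.denials = []

    def register(self, ep):
        self.endpoints[ep.ident] = ep

    def request_approval(self, src_id, app_id, dst_ids):
        """Return a fresh session identifier, or None when approval is denied."""
        if src_id not in self.endpoints:
            self.denials.append((src_id, app_id, "unknown endpoint"))
            return None
        if not set(dst_ids) <= self.whitelist.get(app_id, set()):
            self.denials.append((src_id, app_id, "application not whitelisted"))
            return None
        sid = secrets.token_hex(16)          # 128 bits; a new one per session (claim 10)
        expires = time.monotonic() + SESSION_ID_TTL
        for dst in dst_ids:                  # every potential destination gets a copy
            self.endpoints[dst].expect(sid, src_id, expires)
        return sid


@dataclass
class Endpoint:
    ident: str
    static_routes: set                            # virtual IPs this endpoint may reach (claim 9)
    pending: dict = field(default_factory=dict)   # sid -> (expected source, expiry)
    tunnels: list = field(default_factory=list)

    def expect(self, sid, src_id, expires):
        self.pending[sid] = (src_id, expires)

    def accept(self, sid, src_id):
        """Agent check (claims 12, 21): the forwarded identifier must match a copy
        received from the controller; the copy is consumed on first use and must
        have been issued for the same source endpoint."""
        for known in list(self.pending):
            if hmac.compare_digest(known, sid):
                expected_src, expires = self.pending.pop(known)
                if expected_src == src_id and time.monotonic() < expires:
                    rec = TunnelRecord(src_id, self.ident, sid)
                    self.tunnels.append(rec)
                    return rec
                return None
        return None

    def connect(self, app_id, dst_vip, overlay, controller):
        """Local check first (claims 7, 9, 20), then controller approval
        (claims 1, 8), then forward the identifier directly (claim 12)."""
        if dst_vip not in self.static_routes:
            return None                           # refused without contacting the controller
        dst_ids = overlay.resolve(dst_vip)
        sid = controller.request_approval(self.ident, app_id, dst_ids)
        if sid is None:
            return None                           # denied by the controller (claim 11)
        target = controller.endpoints[dst_ids[0]]  # stands in for the load balancer's choice
        return target.accept(sid, self.ident)


def demo():
    """Constructed sample policy; returns the outcomes a test can assert on."""
    ctl = Controller(whitelist={"web": {"db1", "db2"}, "backup": set()})
    web = Endpoint("web-ep", static_routes={"10.0.0.20"})
    db1, db2 = Endpoint("db1", set()), Endpoint("db2", set())
    for ep in (web, db1, db2):
        ctl.register(ep)
    # 10.0.0.20 was the database address in the previous LAN; in the new LAN a
    # load balancer fronts db1 and db2 under that same virtual IP.
    overlay = Overlay({"10.0.0.20": ["db1", "db2"]})
    first = web.connect("web", "10.0.0.20", overlay, ctl)
    second = web.connect("web", "10.0.0.20", overlay, ctl)    # fresh identifier
    denied = web.connect("backup", "10.0.0.20", overlay, ctl)  # whitelist denial
    local = web.connect("web", "10.0.0.99", overlay, ctl)      # not in static routes
    replay = db1.accept(first.session_id, "web-ep")            # already consumed
    spoof = db2.accept(first.session_id, "rogue-ep")           # right copy, wrong source
    return first, second, denied, local, replay, spoof, ctl, db2
```

Two points the claims leave to the implementer are worth checking in any real deployment of this design. The session identifier is a bearer secret: the channel from the controller to each endpoint must itself be authenticated and encrypted, otherwise an attacker on the LAN who reads the distribution can pass the matching step at the second endpoint. And in the load-balanced variant (claims 6, 18, 19) every backend holds a copy until one of them receives the handshake, so the copies on the backends that were not selected need an expiry (the TTL above) or an explicit revocation from the controller, or they remain valid credentials for as long as the agent keeps them.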
Specification