Method and apparatus for order independent processing of virtual private network protocols
First Claim
1. A security gateway for interfacing between virtual private network data packets and corporate network packets, each data packet comprising address information, the security gateway comprising:
a plurality of protocol modules each for processing packets in accordance with a different virtual private network protocol;
memory for storing sequence information identifying which of the protocol modules is to process each packet and the order of the processing;
a protocol discriminator for receiving data packets and being responsive to the address information of a received data packet for passing the received data packet to one or more of the protocol modules, for processing thereby in the sequence identified by the protocol sequence information.
Abstract
Methods and arrangements for virtual private network (VPN) data packets are disclosed. VPN packets include a payload having Internet Protocol (IP) addresses which guide the packet through a network to a security gateway. The payload may be encrypted and/or compressed and may include internal addresses to denote the real source and destination for a data portion of the payload. As initial control packets are received they are authenticated and rules and procedures are identified for proper treatment of VPN data packets bearing the same source IP address. The rules and procedures are stored in a gateway data engine having a plurality of protocol processing modules. VPN data packets are received by a protocol discriminator which reads the stored rules and procedures identified for the source IP address of the received packet. The discriminator passes the received packet to a first protocol module as identified in the stored rules and procedures. After the first module completes processing, the packet is passed back to the protocol discriminator which determines whether further protocol processing is required. When further protocol processing is required, the packet is passed to another protocol module for processing in accordance with another protocol. At the completion of processing, the second protocol module returns the packet to the protocol discriminator.
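The dispatch model the abstract describes, as an added illustration that is not part of the patent: a protocol discriminator looks up the sequence information stored for the packet's source IP, hands the packet to each listed module in turn, and takes it back between modules. The module set, the toy XOR and run-length transforms, the sample rules and the addresses are all constructed for this example; the two source IPs deliberately use the same modules in opposite orders, which is the order independence the title refers to.

```python
from dataclasses import dataclass, field
from itertools import groupby

@dataclass
class Packet:
    src_ip: str
    payload: bytes
    trace: list = field(default_factory=list)  # modules applied, in order

# Toy transforms standing in for VPN protocol modules (constructed; not real crypto).
def toy_xor(data):                      # self-inverse: same call encrypts and decrypts
    return bytes(b ^ 0x5A for b in data)

def rle_encode(data):                   # bytes -> (count, byte) pairs; runs must be < 256
    return b"".join(bytes([len(list(g)), k]) for k, g in groupby(data))

def rle_decode(data):                   # (count, byte) pairs -> bytes
    return b"".join(bytes([data[i + 1]]) * data[i] for i in range(0, len(data), 2))

def run_module(name, pkt):              # one protocol module: transform, then hand back
    pkt.payload = toy_xor(pkt.payload) if name == "decrypt" else rle_decode(pkt.payload)
    pkt.trace.append(name)
    return pkt

# Sequence information keyed by source IP, stored once that address's control
# packets were authenticated (constructed sample rules).
RULES = {
    "10.0.0.1": ["decrypt", "decompress"],   # peer compressed, then encrypted
    "10.0.0.2": ["decompress", "decrypt"],   # peer encrypted, then compressed
}

def discriminate(pkt, rules=RULES):
    """Protocol discriminator: run the stored module sequence for the packet's
    source IP, re-deciding after each module; unknown sources are dropped (None)."""
    sequence = rules.get(pkt.src_ip)
    if sequence is None:
        return None
    for name in sequence:
        pkt = run_module(name, pkt)
    return pkt

def make_packet(src_ip, plaintext, rules=RULES):
    """Constructed peer side: apply the inverse transforms in reverse gateway order."""
    data = plaintext
    for name in reversed(rules[src_ip]):
        data = rle_encode(data) if name == "decompress" else toy_xor(data)
    return Packet(src_ip, data)
```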
18 Claims
10. In a security gateway for interfacing between virtual private network packets and corporate network packets, each packet comprising address information and a plurality of protocol modules each for processing packets in accordance with a different virtual private network protocol, the method comprising:
storing protocol sequence information identifying which of the protocol modules is to process each packet and the order of the processing;
receiving data packets and responsive to addressing information of a received data packet, sending the received data packet to one or more of the protocol modules, for processing thereby in the sequence identified by the protocol sequence information.
15. A method of operating a security gateway in a virtual private network in which a user is assigned an IP address on a per session basis, the method comprising:
receiving at the security gateway a network packet and ascertaining from the packet the assigned IP address and the identity of the user initiating the packet;
identifying from storage at the security gateway rules and policies specifying permissions for the identified user to communicate and VPN protocols for packets from the identified user;
binding a portion of the rules and policies for the identified user to the assigned IP address of the user;
processing received packets in a plurality of protocol modules in accordance with the identified VPN protocols; and
controlling virtual packet network security functions for packets from the user under direction of data in the rules and policies bound to the assigned IP address of the user.