Tunnel interface for securing traffic over a network

US 20020152373A1
Filed: 09/13/2001
Published: 10/17/2002
Est. Priority Date: 09/13/2000
Status: Active Grant

First Claim

Patent Images

1. A method of delivering security services, comprising:

establishing a first routing node within a first processing system;

establishing a second routing node within a second processing system;

establishing a first internet protocol (IP) connection communications path between the first processing system and the second processing system that includes the first routing node and the second routing node;

receiving a plurality of data packets into the first routing node;

encrypting all of the received packets, without regard to any indication in the received packets, to form encrypted packets;

sending the encrypted packets from the first routing node to the second routing node;

receiving the encrypted packets into the second routing node;

decrypting all of the received encrypted packets, without regard to any indication in the received encrypted packets, to form decrypted packets; and

sending the decrypted packets from the second routing node to a destination in the second processing system.

View all claims

2 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

A flexible, scalable hardware and software platform that allows a service provider to easily provide internet services, virtual private network services, firewall services, etc., to a plurality of customers. One aspect provides a method and system for delivering security services. This includes connecting a plurality of processors in a ring configuration within a first processing system, establishing a secure connection between the processors in the ring configuration across an internet protocol (IP) connection to a second processing system to form a tunnel, and providing both router services and host services for a customer using the plurality of processors in the ring configuration and using the second processing system. A secure communications tunnel is formed by routing all packets for the tunnel through an encrypting router at the sending end to obtain encrypted packets, and routing the encrypted packets through a decrypting router at the receiving end of an IP connection.

286 Citations

19 Claims

1. A method of delivering security services, comprising:
- establishing a first routing node within a first processing system;
  
  establishing a second routing node within a second processing system;
  
  establishing a first internet protocol (IP) connection communications path between the first processing system and the second processing system that includes the first routing node and the second routing node;
  
  receiving a plurality of data packets into the first routing node;
  
  encrypting all of the received packets, without regard to any indication in the received packets, to form encrypted packets;
  
  sending the encrypted packets from the first routing node to the second routing node;
  
  receiving the encrypted packets into the second routing node;
  
  decrypting all of the received encrypted packets, without regard to any indication in the received encrypted packets, to form decrypted packets; and
  
  sending the decrypted packets from the second routing node to a destination in the second processing system.
- View Dependent Claims (2, 3, 4, 5, 6)
- - 2. The method of claim 1, wherein, to support a communications network, the first processing system includes one or more control processors, one or more access processors, and one or more processing processors.
  - 3. The method of claim 1, wherein for a first customer, a virtual router forms the first routing node in the first processing system and is operably connected to a virtual router that forms the second routing node in the second processing system.
  - 4. The method of claim 1, wherein for each of a plurality of customers, a virtual private network is formed using a virtual encrypting router formed in the first processing system and operably connected to a virtual decrypting router formed in the second processing system.
  - 5. The method of claim 1, wherein the establishing the first routing node in the first processing system includes connecting a plurality of processors in a ring configuration.
  - 6. The method of claim 5, wherein the connecting the plurality of processors comprises connecting the plurality of processors in a ring configuration, and wherein the connecting a plurality of processors in the ring configuration includes forming dual counter rotating ring connections, each connecting to each of the plurality of processors.

7. A system of delivering security services, comprising:
- a first processing system;
  
  a second processing system; and
  
  means for establishing a secure connection between the processors across an internet protocol (IP) connection to a second processing system to form a tunnel, wherein the secure connection encrypts all packets going into the tunnel and decrypts all packets coming from the tunnel.
- View Dependent Claims (8, 9, 10, 11, 13, 14, 15, 16, 17, 18, 19)
- - 8. The system of claim 7, wherein, to support a communications network, the first processing system includes one or more control processors, one or more access processors, and one or more processing processors.
  - 9. The system of claim 7, wherein for each of a plurality of customers, a virtual router is formed in the first processing system and is operably connected to a virtual router formed in the second system.
  - 10. The system of claim 7, wherein for each of a plurality of customers, a virtual private network is formed using an encrypting virtual router formed in the first processing system and operably connected to a decrypting virtual router formed in the second system.
  - 11. The system of claim 8, wherein the one or more control processors, the one or more access processors, and the one or more processing processors are connected by dual counter-rotating ring connections, each connecting to each of the plurality of processors.
  - 13. The system of claim 12 wherein, to support a communications network, the first processing system includes one or more control processors, one or more access processors, and one or more processing processors.
  - 14. The system of claim 12 wherein for each of a plurality of customers, an encrypting virtual router is formed in the first processing system and is operably connected to a decrypting virtual router formed in the second system.
  - 15. The system of claim 12 wherein for each of a plurality of customers, a virtual private network is formed using an encrypting virtual router formed in the first processing system and operably connected to a decrypting virtual router formed in the second system.
  - 16. The system of claim 13, wherein the one or more control processors, the one or more access processors, and the one or more processing processors are connected in a ring configuration that includes dual counter rotating ring connections, each connecting to each of the first plurality of processors.
  - 17. The system of claim 12, further comprising:
    - a first virtual router in the first processing system that receives packets to be sent and routes such packets to the first routing node for encryption.
  - 18. The system of claim 12, further comprising:
    - a first virtual router in the first processing system that receives packets to be sent and routes such packets to the first routing node for encryption; and
      
      a second virtual router in the second processing system that receives packets from the second routing node after decryption and routes such packets towards a destination.
  - 19. The system of claim 12, further comprising:
    - a second virtual router in the second processing system that receives packets from the second routing node after decryption and routes such packets towards a destination.

12. A system of delivering security services, comprising:
- a first processing system;
  
  a second processing system;
  
  a first routing node within the first processing system; and
  
  a second routing node within the second processing system;
  
  wherein the first routing node encrypts all packets routed to it and forwards encrypted packets to the second routing node, and the second routing node decrypts the encrypted packets sent from the first routing node and sends the decrypted packets from the second routing node to a destination in the second processing system.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Fortinet Inc.
Original Assignee
Fortinet Inc.
Inventors
Sun, Chih-Tang, Yum, Kiho, Matthews, Abraham R.

Granted Patent

US 8,250,357 B2
Time in Patent Office

Days
Field of Search
US Class Current

713/150
CPC Class Codes

H04L 12/4641   Virtual LANs, VLANs, e.g. v...

H04L 41/08   Configuration management of...

H04L 41/0895   Configuration of virtualise...

H04L 45/14   Routing performance; Theore...

H04L 61/256   NAT traversal

H04L 61/2592   using tunnelling or encapsu...

H04L 63/0209   Architectural arrangements,...

H04L 63/0272   Virtual private networks

H04L 63/029   Firewall traversal, e.g. tu...

H04L 63/0428   wherein the data content is...

H04L 63/0471   applying encryption by an i...

Tunnel interface for securing traffic over a network

First Claim

2 Assignments

0 Petitions

Accused Products

Abstract

286 Citations

19 Claims

Specification

Solutions

Use Cases

Quick Links

Tunnel interface for securing traffic over a network

First Claim

2 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

286 Citations

19 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links