Virtual private network having automatic reachability updating

US 20050138204A1
Filed: 11/08/2004
Published: 06/23/2005
Est. Priority Date: 06/10/1999
Status: Abandoned Application

First Claim

Patent Images

1. A computer network comprising:

a first edge device coupled to a first private network, the first edge device configured to create a first table with information of member networks reachable through the first edge device, the first table being stored in a first database;

a second edge device coupled to a second private network, the second edge device configured to create a second table with information of member networks reachable through the second edge device, the second table being stored in a second database;

wherein, the first and second edge devices enable secure communication between the first and second private networks, and the first edge device shares the first table with the second edge device and the second edge device shares the second table with the first edge device.

View all claims

0 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

A unified policy management system for an organization including a central policy server and remotely situated policy enforcers. A central database and policy enforcer databases storing policy settings are configured as LDAP databases adhering to a hierarchical object oriented structure. Such structure allows the policy settings to be defined in an intuitive and extensible fashion. Changes in the policy settings made at the central policy server are automatically transferred to the policy enforcers for updating their respective databases. Each policy enforcer collects and transmits health and status information in a predefined log format and transmits it to the policy server for efficient monitoring by the policy server. For further efficiencies, the policy enforcement functionalities of the policy enforcers are effectively partitioned so as to be readily implemented in hardware. The system also provides for dynamically routed VPNs where VPN membership lists are automatically created and shared with the member policy enforcers. Updates to such membership lists are also automatically transferred to remote VPN clients. The system further provides for fine grain access control of the traffic in the VPN by allowing definition of firewall rules within the VPN. In addition, policy server and policy enforcers may be configured for high availability by maintaining a backup unit in addition to a primary unit. The backup unit become active upon failure of the primary unit.

271 Citations

16 Claims

1. A computer network comprising:
- a first edge device coupled to a first private network, the first edge device configured to create a first table with information of member networks reachable through the first edge device, the first table being stored in a first database;
  
  a second edge device coupled to a second private network, the second edge device configured to create a second table with information of member networks reachable through the second edge device, the second table being stored in a second database;
  
  wherein, the first and second edge devices enable secure communication between the first and second private networks, and the first edge device shares the first table with the second edge device and the second edge device shares the second table with the first edge device.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8)
- - 2. The computer network of claim 1, wherein the first edge device includes logic for:
    - receiving a new route information;
      
      storing the new route information in the first database; and
      
      transmitting a portion of the new route information to the second edge device.
  - 3. The computer network of claim 2, wherein the portion of the new route information is a route name.
  - 4. The computer network of claim 2, wherein the second edge device includes logic for:
    - receiving the portion of the new route information;
      
      accessing the first database based on the portion of the new route information;
      
      retrieving the new route information from the first database; and
      
      storing the retrieved route information in the second database.
  - 5. The computer network of claim 1, wherein communication between the first and second networks is managed according to a security policy associated with the networks.
  - 6. The computer network of claim 5, wherein the security policy is defined for a security group providing a hierarchical organization of the group, the group including member networks, users allowed to access the member networks, and a rule controlling access to the member networks.
  - 7. The computer network of claim 6, wherein each member network has full connectivity with all other member networks and the security policy defined for the security policy group is automatically configured for each connection.
  - 8. The computer network of claim 6, wherein the security policy provides encryption of traffic among the member networks and the rule is a firewall rule providing access control of the encrypted traffic among the member networks.

9. In a computer network including a first edge device coupled to a first private network and a second edge device coupled to a second private network, the first and second edge devices enabling secure communication between the first and second private networks, a method for gathering membership information comprising:
- creating a first table with information of member networks reachable through the first edge device, storing the first table in a first database;
  
  creating a second table with information of member networks reachable through the second edge device;
  
  storing the second table in a second database;
  
  sharing the first table with the second edge device; and
  
  sharing the second table with the first edge device.
- View Dependent Claims (10, 11, 12, 13, 14, 15, 16)
- - 10. The method of claim 9 further comprising:
    - receiving a new route information;
      
      storing the new route information in the first database; and
      
      transmitting a portion of the new route information to the second edge device.
  - 11. The method of claim 10, wherein the portion of the new route information is a route name.
  - 12. The method of claim 10 further comprising:
    - receiving the portion of the new route information;
      
      accessing the first database based on the portion of the new route information;
      
      retrieving the new route information from the first database; and
      
      storing the retrieved route information in the second database.
  - 13. The method of claim 9, wherein communication between the first and second networks is managed according to a security policy associated with the networks.
  - 14. The method of claim 13 further comprising defining the security policy for a security policy group, the group providing a hierarchical organization of the group including member networks, users allowed to access the member networks, and a rule controlling access to the member networks.
  - 15. The method of claim 14, wherein each member network has full connectivity with all other member networks and the security policy defined for the security policy group is automatically configured for each connection.
  - 16. The method of claim 14, wherein the security policy provides encryption of traffic among the member networks and the rule is a firewall rule providing access control of the encrypted traffic among the member networks.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Mahadevan Iyer, Rahul P. Kale, Shanker V. Iyer, William Hunt
Original Assignee
Mahadevan Iyer, Rahul P. Kale, Shanker V. Iyer, William Hunt
Inventors
Hunt, William, Iyer, Mahadevan, Iyer, Shanker V., Kale, Rahul P.

Application Number

US10/983,840
Publication Number

US 20050138204A1
Time in Patent Office

Days
Field of Search
US Class Current

709/242
CPC Class Codes

H04L 12/4641   Virtual LANs, VLANs, e.g. v...

H04L 41/0233   Object-oriented techniques,...

H04L 41/0893   Assignment of logical group...

H04L 41/0894   Policy-based network config...

H04L 41/22   comprising specially adapte...

H04L 41/40   using virtualisation of net...

H04L 45/00   Routing or path finding of ...

H04L 45/22   Alternate routing

H04L 45/586   of virtual routers

H04L 47/10   Flow control; Congestion co...

H04L 47/20   Traffic policing

H04L 47/2441   relying on flow classificat...

H04L 47/41   by acting on aggregated flo...

H04L 61/4523   using lightweight directory...

H04L 63/0227   Filtering policies mail mes...

H04L 63/0263   Rule management

H04L 63/0272   Virtual private networks

H04L 63/0442   wherein the sending and rec...

H04L 63/061   for key exchange, e.g. in p...

H04L 63/08   for authentication of entit...

H04L 63/1425 : Traffic logging, e.g. anoma...

H04L 63/164 : at the network layer

H04L 63/20 : for managing network securi...

H04L 67/1095 : Replication or mirroring of...

H04L 69/329 : in the application layer [O...

H04L 69/40 : for recovering from a failu...

H04L 9/40 : Network security protocols

Y02D 30/50 : in wire-line communication ...

View All

Virtual private network having automatic reachability updating

First Claim

0 Assignments

0 Petitions

Accused Products

Abstract

271 Citations

16 Claims

Specification

Solutions

Use Cases

Quick Links

Virtual private network having automatic reachability updating

First Claim

0 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

271 Citations

16 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links