System for SSL re-encryption after load balance

US 20060095969A1
Filed: 05/06/2005
Published: 05/04/2006
Est. Priority Date: 10/28/2004
Status: Active Grant

First Claim

Patent Images

1. (canceled)

View all claims

1 Assignment

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

A data center provides secure handling of HTTPS traffic using backend SSL decryption and encryption in combination with a load balancer such as a content switch. The load balancer detects HTTPS traffic and redirects it to an SSL offloading device for decryption and return to the load balancer. The load balancer then uses the clear text traffic for load balancing purposes before it redirects the traffic back to the SSL offloading device for re-encryption. Thereafter, the re-encrypted traffic is sent to the destination servers in the data center. In one embodiment, the combination with the back-end SSL with an intrusion detection system improves security by performing intrusion detection on the decrypted HTTPS traffic.

96 Citations

View as Search Results

52 Claims

1. (canceled)

2. (canceled)

3. (canceled)

4. (canceled)

5. (canceled)

6. (canceled)

7. (canceled)

8. (canceled)

9. (canceled)

10. (canceled)

11. (canceled)

12. (canceled)

13. (canceled)

14. (canceled)

15. (canceled)

16. (canceled)

17. (canceled)

18. (canceled)

19. (canceled)

20. (canceled)

21. (canceled)

22. (canceled)

23. (canceled)

24. (canceled)

25. (canceled)

26. (canceled)

27. (canceled)

28. (canceled)

29. (canceled)

30. A network device that performs a method comprising:
- receiving SSL encrypted traffic;
  
  transferring said SSL encrypted traffic to an SSL offload device receiving form said SSL offload device clear text traffic that has been generated by decrypting the SSL encrypted traffic;
  
  determining a destination server for the clear text traffic;
  
  forwarding said clear text traffic to said SSL offload device for re-encryption; and
  
  routing said encrypted traffic to said destination server.
- View Dependent Claims (31, 32, 33, 34, 35, 37)
- - 31. The method of claim 30 further comprising transferring said clear text traffic to an intrusion detection system prior to said routing step.
  - 32. The method of claim 30 further comprising rewriting said clear text traffic with IP information of the real server address.
  - 33. The method of claim 32 further comprising, prior to said traffic forwarding, rewriting the destination MAC address to the MAC address for the encryption device.
  - 34. The method of claim 30 wherein said receiving step further comprises the step of receiving HTTPS traffic from a client.
  - 35. The method of claim 30 further comprising the step of protecting a data center from intruders by transferring traffic between subnets as HTTPS traffic.
  - 37. The method of claim 30 wherein a signature of the certificate from said destination server SSL certificate is verified during the encryption.

36. The method of claim 36 wherein said traffic is encrypted using Secure Socket Layer (SSL) encryption.

38. A network device that performs a method comprising:
- receiving SSL encrypted traffic from a load balancer;
  
  performing network based decryption on said SSL encrypted traffic to obtain clear text traffic;
  
  forwarding said clear text traffic to said load balancer;
  
  receiving form said load balancer clear text traffic that has been modified to specify one of a plurality of destination servers; and
  
  performing network based encryption of said modified clear text traffic.
- View Dependent Claims (39, 40, 41, 42, 43, 44)
- - 39. The method of claim 38 further comprising distributing the SSL decryption and encryption the load among a plurality of SSL devices.
  - 40. The method of claim 38 further comprising the step of monitoring said clear text traffic with a security device.
  - 41. The method of claim 40 wherein said at least one security device includes an intrusion detection system, a layer 7 firewall, an email spam processor or an XML firewall.
  - 42. The method of claim 38 further comprising forwarding the traffic after re-encryption to said load balancer such that said IP address remains unchanged.
  - 43. The method of claim 38 where said network device is configured to establish an SSL handshake with the IP address selected by said load balancer.
  - 44. The method of claim 42 wherein said IP address is a real server IP address.

45. A method for handling encrypted data in a data center comprising:
- advertising a host route to a load balancer;
  
  routing a request for a destination IP address to said load balancer;
  
  recognizing said request comprises a HTTPS request; and
  
  redirecting the HTTPS request to a destination MAC address corresponding to an SSL device by specifying no nat server to preserve the destination IP address and to rewrite only the destination MAC address.
- View Dependent Claims (46, 47, 48, 49, 50)
- - 46. The method of claim 45 further comprising:
    - decrypting said HTTPS request;
      
      returning clear text traffic to said load balancer;
      
      performing load balancing operations to select a real destination IP address and thereby modifying said clear text by including said real destination IP address;
      
      encrypting said modified clear text traffic; and
      
      forwarding said encrypted modified clear text traffic to said destination.
  - 47. The method of claim 46 further comprising distributing the HTTPS request among a plurality of SSL network devices.
  - 48. The method of claim 46 where configuring at least one said SSL device to establish an SSL handshake with said real destination IP address selected by said load balancer.
  - 49. The method of claim 45 further comprising the step of monitoring said clear text traffic with a security device.
  - 50. The method of claim 49 wherein said security device includes at least one of the following:
    - an intrusion detection system, a layer 7 firewall, an email spam processor or an XML firewall.

51. A data center comprising a load balancer that specifies nat server source-mac to rewrite the destination IP address to the servers'"'"' address and to rewrite the destination MAC address to an SSL offload device MAC address and to send traffic back to the VLAN where the SSL offloader is attached for encryption after the load balancing decision.
- View Dependent Claims (52)
- - 52. The data center of claim 51 further comprising means for reusing a connection established with the server specified by said MAC address.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Cisco Technology, Inc. (Cisco Systems, Inc.)
Original Assignee
Cisco Technology, Inc. (Cisco Systems, Inc.)
Inventors
Chang, David W., Portolani, Maurizio, Testa, Stefano, Bagepalli, Nagaraj A., Arregoces, Mauricio

Granted Patent

US 7,657,940 B2
Time in Patent Office

Days
Field of Search
US Class Current

726/23
CPC Class Codes

H04L 63/0254   Stateful filtering

H04L 63/0464   using hop-by-hop encryption...

H04L 63/166   at the transport layer

H04L 67/1001   for accessing one among a p...

H04L 67/1006   with static server selectio...

H04L 67/101   based on network conditions

H04L 67/1014   based on the content of a r...

H04L 67/1023   based on a hash applied to ...

H04L 67/1027   Persistence of sessions dur...

System for SSL re-encryption after load balance

First Claim

1 Assignment

0 Petitions

Accused Products

Abstract

96 Citations

52 Claims

Specification

Solutions

Use Cases

Quick Links

System for SSL re-encryption after load balance

First Claim

1 Assignment

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

96 Citations

52 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links