Propagating black hole shunts to remote routers with split tunnel and IPSec direct encapsulation
Abstract
Remote routers are configured to block the return path to malicious websites with the use of split tunneling while allowing paths to third party resource websites. The iBGP protocol runs on the agent's router, advertises routes and enables the head-end to set up a policy at each remote router. Enterprise policies for blocking access to "blackholed" website addresses are centrally administered, but third party website traffic is not routed to the enterprise's network resources. Since remote offices may connect directly to third party websites, latency is minimized and network resources at the enterprise are not unduly burdened.
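A small simulation of the scheme the abstract describes, added here as an example and not code from the patent or any vendor: a head-end shunt router identifies a rogue address and advertises it to its remote peers (standing in for the iBGP update), each remote router installs a Null0 host route for it, and forwarding then follows split tunneling. The class and interface names ("tunnel", "internet", "Null0") and the sample prefixes are assumptions chosen for the example.

```python
import ipaddress


class RemoteRouter:
    """Remote-office router: split-tunnel routes plus Null0 blackhole routes."""

    def __init__(self, enterprise_prefixes):
        # Hypothetical next-hop names: "tunnel" is the IPSec tunnel to the
        # head-end, "internet" is the direct local path, "Null0" discards.
        self.routes = {ipaddress.ip_network("0.0.0.0/0"): "internet"}
        for prefix in enterprise_prefixes:
            self.routes[ipaddress.ip_network(prefix)] = "tunnel"
        self.blackholed = set()

    def receive_blackhole_advertisement(self, addresses):
        """Install a Null0 host route for each rogue address advertised by
        the head-end, so the centrally administered policy is local here."""
        for address in addresses:
            self.routes[ipaddress.ip_network(f"{address}/32")] = "Null0"
            self.blackholed.add(ipaddress.ip_address(address))

    def lookup(self, dst):
        """Longest-prefix match: a /32 Null0 route beats the default route."""
        addr = ipaddress.ip_address(dst)
        best = max((n for n in self.routes if addr in n), key=lambda n: n.prefixlen)
        return self.routes[best]

    def forward(self, src, dst):
        """Disposition of one packet: traffic from a rogue source is dropped
        on ingress; traffic to a rogue address is shunted to Null0; enterprise
        traffic uses the tunnel; everything else goes straight to the Internet."""
        if ipaddress.ip_address(src) in self.blackholed:
            return "drop-inbound"
        next_hop = self.lookup(dst)
        return "drop-Null0" if next_hop == "Null0" else next_hop


class ShuntRouter:
    """Head-end shunt router: keeps the rogue list and pushes it to peers."""

    def __init__(self, peers):
        self.rogue = set()
        self.peers = list(peers)

    def identify_rogue(self, address):
        """Record a rogue address and advertise it to every remote router."""
        self.rogue.add(address)
        for peer in self.peers:
            peer.receive_blackhole_advertisement([address])
```

The example uses documentation-range addresses (constructed); in a real deployment the advertisement would be an iBGP update carrying the /32 with a next hop that resolves to Null0.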
143 Citations
22 Claims
1. A method for managing a network having at least one remote router coupled to a head-end location, said method comprising:
   identifying at least one rogue website;
   advertising the address of said at least one rogue website to said remote router to set up a centrally administered policy at said remote router; and
   blocking traffic from said rogue website at said remote router by routing packet traffic destined for said rogue website to a black hole shunt at said remote router.
   (Dependent claims: 2, 3, 4, 5, 6, 7, 8, 9, 10)

11. A network topology comprising:
   an enterprise head-end having at least one shunt router coupled to a remote router by a split IPSec tunnel, said remote router having a Null0 IP route to blackhole traffic destined for a rogue address identified by said shunt router.
   (Dependent claims: 12, 13, 14, 15, 16, 17)

18. A network topology comprising:
   an enterprise head-end having at least a shunt router;
   a remote router coupled to said head-end by a split IPSec tunnel, said remote router having a Null0 IP route to blackhole traffic destined for a rogue address identified by said shunt router; and
   means for generating a list of blackholed website addresses and for advertising said list to said peer routers.

19. In a network system having a router coupled to a peer shunt router by an IPSec split tunnel, a method for blocking access to a malicious website comprising:
   receiving, at said router, a central policy that specifies that access to said malicious website is denied for outgoing traffic;
   sending traffic destined for said malicious website to a black hole; and
   blocking incoming traffic from said malicious website.
   (Dependent claims: 20, 21, 22)
Specification