NETWORK SECURE COMMUNICATIONS IN A CLUSTER COMPUTING ENVIRONMENT

US 20080098126A1
Filed: 12/21/2007
Published: 04/24/2008
Est. Priority Date: 01/17/2001
Status: Active Grant

First Claim

Patent Images

1. A secure network communications system a in a distributed workload environment having target hosts which are accessed through a distribution processor by a common network address, comprising:

means for receiving at the distribution processor, network communications directed to the common network address;

means for determining whether the network communications are secure network communications;

means for processing secure network communications having;

means for routing both inbound and outbound communications with target hosts which are associated with an end-to-end secure network communication through the distribution processor;

means for processing both inbound and outbound end-to-end secure network communications at the distribution processor so as to provide endpoint network security processing of communications from the target host to the distribution processor and endpoint network security processing of communications from the distribution processor to the target host such that the distribution processor serves as an endpoint for the end-to-end secure network communication; and

means for distributing the received secure network communications that are directed to the common network address among selected ones of the target hosts so as to distribute workload associated with the network communications among the target hosts including means for encapsulating communications between the distribution processor and the selected ones of the plurality of target hosts which are associated with end-to-end secure network communications so as to distinguish communications between the distribution processor and the selected ones of the plurality of target hosts which are associated with secure network communications from other communications; and

means for processing non-secure communications by distributing the received network communications that are directed common network address among the target hosts so as to distribute workload associated with the network communications among the target hosts.

View all claims

0 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

Secure communications are provided over a network in a distributed workload environment having target hosts which are accessed through a distribution processor by a common network address. Secure communications are provided by routing both inbound and outbound communications with target hosts which are associated with a secure network communication through the distribution processor. Both inbound and outbound secure network communications are processed at the distribution processor so as to provide network security processing of communications from the target host and network security processing of communications to the target host.

44 Citations

View as Search Results

20 Claims

1. A secure network communications system a in a distributed workload environment having target hosts which are accessed through a distribution processor by a common network address, comprising:
- means for receiving at the distribution processor, network communications directed to the common network address;
  
  means for determining whether the network communications are secure network communications;
  
  means for processing secure network communications having;
  
  means for routing both inbound and outbound communications with target hosts which are associated with an end-to-end secure network communication through the distribution processor;
  
  means for processing both inbound and outbound end-to-end secure network communications at the distribution processor so as to provide endpoint network security processing of communications from the target host to the distribution processor and endpoint network security processing of communications from the distribution processor to the target host such that the distribution processor serves as an endpoint for the end-to-end secure network communication; and
  
  means for distributing the received secure network communications that are directed to the common network address among selected ones of the target hosts so as to distribute workload associated with the network communications among the target hosts including means for encapsulating communications between the distribution processor and the selected ones of the plurality of target hosts which are associated with end-to-end secure network communications so as to distinguish communications between the distribution processor and the selected ones of the plurality of target hosts which are associated with secure network communications from other communications; and
  
  means for processing non-secure communications by distributing the received network communications that are directed common network address among the target hosts so as to distribute workload associated with the network communications among the target hosts.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10)
- - 2. The system according to claim 1, further comprising:
    - means for determining if the received network communications are end-to-end secure network communications which are to be distributed to ones of the target hosts;
      
      wherein the means for encapsulating communications between the distribution processor and selected ones of the plurality of target hosts which are associated with end-to-end secure network communications comprises a means for processing the received network communications so as to provide encapsulated generic communications to the ones of the plurality of target hosts if the received network communications are end-to-end secure network communications which are distributed to ones of the target hosts and means to not provide encapsulated generic communications to the ones of the plurality of target hosts if the received network communications are not end-to-end secure network communications.
  - 3. The system according to claim 1, wherein the means for encapsulating communications between the distribution processor and selected ones of the plurality of target hosts which are associated with end-to-end secure network communications comprises means to encapsulate the communications in a generic routing format.
  - 4. The system according to claim 3, wherein generic communications are encapsulated in a generic routing format having sufficient information in a header of the generic routing format so as to authenticate the source of the communication between the distributing processor and ones of the plurality of target hosts.
  - 5. The system according to claim 3, further comprising means for establishing common IP filters for communications at the distributing processor and the plurality of target hosts.
  - 6. The system according to claim 5, wherein the common IP filters bypass IP filtering for inbound communications encapsulated in the generic routing format.
  - 7. The system according to claim 1, wherein the communications received from the target hosts at the distribution processor and the encapsulated communications to ones of the plurality of target hosts from the distribution processor are communicated over trusted communication links.
  - 8. The system according to claim 1, further comprising:
    - means for receiving at a target host, an encapsulated communication;
      
      means for comparing a physical link corresponding to said distributor to a source of encapsulation; and
      
      means for ignoring the encapsulated communication if said physical link does not match to said source of encapsulation.
  - 9. The system according to claim 1, wherein the means for distributing the received network communications that are directed to the common network address among selected ones of the target hosts distribution processor comprises distributing the received network communications using a sysplex distributor.
  - 10. The system according to claim 1, wherein the end-to-end secure network communication comprises a communication using the IPSEC communication protocol.

11. A computer program product for providing secure communications over a network in a distributed workload environment having target hosts which are accessed through a distribution processor by a common network address, comprising:
- a computer readable storage medium having computer readable program code embodied therein, the computer readable program code comprising;
  
  computer readable program code configured to receive at the distribution processor, network communications directed to the common network address;
  
  computer readable program code configured to determine whether the network communications are secure network communications;
  
  computer readable program code configured to process secure network communications including;
  
  computer readable program code configured to route both inbound and outbound communications with target hosts which are associated with an end-to-end secure network communication through the distribution processor;
  
  computer readable program code configured to process both inbound and outbound end-to-end secure network communications at the distribution processor so as to provide endpoint network security processing of communications from the target host to the distribution processor and endpoint network security processing of communications from the distribution processor to the target host such that the distribution processor serves as an endpoint for the end-to-end secure network communication; and
  
  computer readable code configured to distribute the received secure network communications that are directed to the common network address among selected ones of the target hosts so as to distribute workload associated with the network communications among the target hosts including computer readable program code configured to encapsulate communications between the distribution processor and the selected ones of the plurality of target hosts which are associated with end-to-end secure network communications so as to distinguish communications between the distribution processor and the selected ones of the plurality of target hosts which are associated with secure network communications from other communications; and
  
  computer readable program code configured to process non-secure communications by distributing the received network communications that are directed to the common network address among the target hosts so as to distribute workload associated with the network communications among the target hosts.
- View Dependent Claims (12, 13, 14, 15, 16, 17, 18, 19, 20)
- - 12. The computer program product according to claim 11, further comprising:
    - computer readable program code configured to determine if the received network communications are end-to-end secure network communications which are to be distributed to ones of the target hosts;
      
      wherein the computer readable program code configured to encapsulate communications between the distribution processor and selected ones of the plurality of target hosts which are associated with end-to-end secure network communications comprises computer readable program code which processes the received network communications so as to provide encapsulated generic communications to the ones of the plurality of target hosts if the received network communications are end-to-end secure network communications which are distributed to ones of the target hosts and to not provide encapsulated generic communications to the ones of the plurality of target hosts if the received network communications are not end-to-end secure network communications.
  - 13. The computer program product according to claim 11, wherein the computer readable program code configured to encapsulate communications between the distribution processor and selected ones of the plurality of target hosts which are associated with end-to-end secure network communications comprises computer readable program code configured to encapsulate the communications in a generic routing format having sufficient information in a header of the generic routing format so as to authenticate the source of the communication between the distributing processor and ones of the plurality of target hosts.
  - 14. The computer program product according to claim 13, further comprising computer readable program code configured to provide common IP filters for communications at the distributing processor and the plurality of target hosts.
  - 15. The computer program product according to claim 14, wherein the computer readable program code configured to provide common IP filters bypass IP filtering for inbound communications encapsulated in the generic routing format.
  - 16. The computer program product according to claim 11, wherein the computer readable program code configured to distribute the received network communications that are directed to the common IP address among selected ones of the target hosts comprises:
    - computer readable program code configured to select among the target hosts for distribution of the network communications in response to a predefined selection pattern to distribute workload associated with the network communications among the target hosts.
  - 17. The computer program product according to claim 16, wherein the computer readable program code that selects among the target hosts for distribution of the network communications in response to a predefined selection pattern to distribute workload associated with the network communications among the target hosts comprises:
    - computer readable program code that selects among the target hosts associated with the common network address based on a round-robin pattern.
  - 18. The computer program product according to claim 11, wherein the computer readable program code which distributes the received network communications that are directed to the common network address among selected ones of the target hosts comprises:
    - computer readable program code that selects among the target hosts for distribution of the network communications in response to a dynamic criteria that changes over time to distribute workload associated with the network communications among the target hosts.
  - 19. The computer program product according to claim 11, further comprising:
    - computer readable program code configured to receive at a target host, an encapsulated communication;
      
      computer readable program code configured to compare a physical link corresponding to said distributor to a source of encapsulation; and
      
      computer readable program code configured to ignore the encapsulated communication if said physical link does not match to said source of encapsulation.
  - 20. The computer program product according to claim 11, further comprising computer readable program code configured to provide end-to-end secure network communication using the IPSEC communication protocol.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
International Business Machines Corporation
Original Assignee
International Business Machines Corporation
Inventors
Herr, David, Godwin, James, Overby, Linwood

Granted Patent

US 8,972,475 B2
Time in Patent Office

Days
Field of Search
US Class Current

709/232
CPC Class Codes

H04L 63/0272   Virtual private networks

H04L 63/102   Entity profiles

H04L 63/16   Implementing security featu...

H04L 63/20   for managing network securi...

H04L 67/1001   for accessing one among a p...

NETWORK SECURE COMMUNICATIONS IN A CLUSTER COMPUTING ENVIRONMENT

First Claim

0 Assignments

0 Petitions

Accused Products

Abstract

44 Citations

20 Claims

Specification

Solutions

Use Cases

Quick Links

NETWORK SECURE COMMUNICATIONS IN A CLUSTER COMPUTING ENVIRONMENT

First Claim

0 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

44 Citations

20 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links