TRAFFIC REDIRECTION IN CLOUD BASED SECURITY SERVICES

US 20100125903A1
Filed: 11/19/2008
Published: 05/20/2010
Est. Priority Date: 11/19/2008
Status: Active Grant

First Claim

Patent Images

1. A network security system, comprising:

a plurality of processing nodes external to network edges of a plurality of enterprises, each processing node performing operations comprising;

hosting a plurality of tunnel endpoints, each tunnel endpoint being associated with a corresponding enterprise and being a tunnel endpoint for a tunnel between the enterprise and the processing node; and

storing security policy data defining security policies for each of the enterprises, performing threat detection processes to classify content items communicated over the tunnel between the enterprises and the processing node and managing the classified content items in accordance with the security policy data so that security policies for the enterprises in communication with the processing node over tunnels are implemented external to the network edges for each of the enterprises.

View all claims

1 Assignment

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

Systems, methods and apparatus for tunneling in a cloud based security system. Management of tunnels, such as data tunnels, between enterprises and processing nodes for a security service is facilitate by the use of virtual gateway nodes and migration failover to minimize traffic impacts when a tunnel is migrated from one processing node to another processing node.

141 Citations

20 Claims

1. A network security system, comprising:
- a plurality of processing nodes external to network edges of a plurality of enterprises, each processing node performing operations comprising;
  
  hosting a plurality of tunnel endpoints, each tunnel endpoint being associated with a corresponding enterprise and being a tunnel endpoint for a tunnel between the enterprise and the processing node; and
  
  storing security policy data defining security policies for each of the enterprises, performing threat detection processes to classify content items communicated over the tunnel between the enterprises and the processing node and managing the classified content items in accordance with the security policy data so that security policies for the enterprises in communication with the processing node over tunnels are implemented external to the network edges for each of the enterprises.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9)
- - 2. The system of claim 1, wherein hosting the plurality of tunnel end points, each tunnel endpoint being associated with a corresponding enterprise and being a tunnel endpoint for a communication tunnel between the enterprise and the processing node comprises the operations of:
    - hosting a plurality of virtual gateway nodes, each virtual gateway node corresponding to an enterprise and having an associated tunnel destination address for a corresponding tunnel, each tunnel destination address being one of the tunnel endpoints;
      
      wherein each processing node performs the further operation of propagating routing data related to the processing node and the virtual gateway nodes, and receiving routing data propagated by processing nodes and a monitoring node in data communication with the processing nodes; and
      
      wherein the monitoring node is configured to perform operations comprising;
      
      monitoring a tunnel status of each of the corresponding tunnels in the processing nodes;
      
      detecting routes to each of the virtual gateway nodes and propagating routing data related to the processing nodes and the virtual gateway nodes to the processing nodes; and
      
      identifying failover states for the tunnels, and in response to identifying a failover state for a first tunnel in a first processing node;
      
      updating the routing data to specify a second processing node as hosting a virtual gateway node associated with the first tunnel and hosted in the first processing node; and
      
      propagating the updated routing data to the processing nodes so that the second processing node hosts the virtual gateway node.
  - 3. The system of claim 2, wherein the operation of identifying failover states for the tunnels comprises identifying migration failover states;
    - andin response to identifying a migration failover state for the first tunnel in the first processing node, providing tunnel state data for the first tunnel corresponding to the virtual gateway node hosted in the first processing node to the second processing node;
      
      wherein the updated routing data specifies the same tunnel destination address for the virtual gateway node for the first tunnel identified in the migration failover state.
  - 4. The system of claim 3, wherein the tunnel state data includes a number of packets transmitted and a number of bytes exchanged in the tunnel.
  - 5. The system of claim 2, wherein the monitoring node is an authority node.
  - 6. The system of claim 2, wherein the monitoring node is a logging node.
  - 7. The system of claim 1, further comprising an access agent configured to perform operations comprising:
    - for each corresponding enterprise, processing authorization and authentication requests over an authorization tunnel corresponding to the enterprise, the authorization tunnel being a tunnel that is separate from the tunnel corresponding to the enterprise.
  - 8. The system of claim 7, wherein the authorization tunnel is defined by an authorization tunnel destination address that is hosted on an authority node.
  - 9. The system of claim 2, wherein the processing node is further configured to perform the operations of port mapping traffic exchanged between a virtual gateway node and a target site.

10. A network security system, comprising:
- a plurality of processing nodes external to network edges of a plurality of enterprises, each processing node performing operations comprising;
  
  hosting a plurality of internet protocol addresses, each internet protocol address corresponding to an enterprise and being a tunnel destination address for a corresponding tunnel established between the enterprise and the processing node;
  
  propagating routing data related to the processing node and the internet protocol addresses, and receiving routing data propagated by other processing nodes and a monitoring node in data communication with the processing node, the routing data defining routing for the internet protocol addresses hosted by the processing nodes; and
  
  storing security policy data defining security policies for each of the enterprises, performing a threat detection process to classify content items according to a threat classification for a corresponding threat, and managing the classified content item in accordance with the security policy data so that security policies for the plurality of enterprises in data communication with the processing nodes over the corresponding tunnels established between the enterprise and the processing node are implemented external to the network edges for each of the enterprises;
  
  wherein the monitoring node is configured to perform operations comprising;
  
  monitoring a tunnel status of each of the corresponding tunnels in the processing nodes;
  
  detecting routes to each of the internet protocol addresses and propagating corresponding routing data related to the processing nodes and the internet protocol addresses hosted by the processing nodes to the processing nodes; and
  
  identifying failover states for the tunnels, and in response to identifying a failover state for a first tunnel in a first processing node;
  
  updating the routing data to specify a second processing node as hosting an internet protocol address that is the tunnel destination address of the first tunnel and hosted in the first processing node; and
  
  propagating the updated routing data to the processing nodes so that the second processing node hosts the internet protocol address.
- View Dependent Claims (11, 12, 13, 14, 15, 16)
- - 11. The system of claim 10, wherein the operation of identifying failover states for the tunnels comprises identifying migration failover states;
    - andin response to identifying a migration failover state for the first tunnel in the first processing node, providing tunnel state data for the first tunnel to the second processing node;
      
      wherein the updated routing data specifies the same tunnel destination address for the first tunnel identified in the migration failover state.
  - 12. The system of claim 11, wherein the tunnel state data includes a number of packets transmitted and a number of bytes exchanged in the tunnel.
  - 13. The system of claim 10, wherein the operation of identifying failover states for the tunnels comprises identifying backup failover states;
    - andin response to identifying a backup failover state for the first tunnel in the first processing node, updating the routing data to specify a different tunnel destination address for the first tunnel identified in the migration failover state.
  - 14. The system of claim 10, wherein the monitoring node is a logging node.
  - 15. The system of claim 10, further comprising an access agent configured to perform operations comprising:
    - for each corresponding enterprise, processing authorization and authentication requests over an authorization tunnel corresponding to the enterprise, the authorization tunnel being a tunnel that is separate from the tunnel established between the enterprise and the processing node.
  - 16. The system of claim 15, wherein the authorization tunnel is defined by an authorization tunnel destination address that is hosted on an authority node.

17. A computer-implemented method for providing security services to a plurality of enterprises over a plurality of processing nodes external to the network edges of the enterprises, the method comprising:
- in each processing node;
  
  hosting a plurality of virtual gateway nodes, each virtual gateway node corresponding to an enterprise and having an associated tunnel destination address for a corresponding tunnel, each tunnel destination address being an internet protocol address of the corresponding enterprise;
  
  propagating routing data related to the processing node and the virtual gateway nodes, and receiving routing data propagated by other processing nodes and a monitoring node in data communication with the processing nodes;
  
  managing classified content items in accordance with security policy data so that security policies for the plurality of enterprises in data communication with the processing nodes over tunnels corresponding to the virtual gateway nodes are implemented external to the network edges for each of the enterprises;
  
  in the monitoring node;
  
  monitoring a tunnel status of each of the corresponding tunnels in the processing nodes;
  
  detecting routes to each of the virtual gateway nodes and propagating routing data related to the processing nodes and the virtual gateway nodes to the processing nodes; and
  
  identifying failover states for the tunnels, and in response to identifying a failover state for a first tunnel in a first processing node;
  
  updating the routing data to specify a second processing node as hosting a virtual gateway node associated with the first tunnel and hosted in the first processing node; and
  
  propagating the updated routing data to the processing nodes so that the second processing node hosts the virtual gateway node.
- View Dependent Claims (18, 19, 20)
- - 18. The method of claim 17, wherein identifying failover states for the tunnels comprises identifying migration failover states;
    - andin response to identifying a migration failover state for the first tunnel in the first processing node, providing tunnel state data for the first tunnel corresponding to the virtual gateway node hosted in the first processing node to the second processing node;
      
      wherein the updated routing data specifies the same tunnel destination address for the virtual gateway node for the first tunnel identified in the migration failover state.
  - 19. The method of claim 17, wherein identifying failover states for the tunnels comprises identifying backup failover states;
    - andin response to identifying a backup failover state for the first in the first processing node, updating the routing data to specify a different tunnel destination address for the virtual gateway node for the tunnel identified in the migration failover state.
  - 20. The method of claim 17, further comprising for each corresponding enterprise, processing authorization and authentication requests over an authorization tunnel corresponding to the enterprise, the authorization tunnel being a tunnel that is separate from the tunnel corresponding to the virtual gateway node of the corresponding enterprise.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Zscaler Incorporated
Original Assignee
Zscaler Incorporated
Inventors
Udupa, Sivaprasad, Devarajan, Srikanth, Apte, Manoj, Motyashov, Alex

Granted Patent

US 8,010,085 B2
Time in Patent Office

Days
Field of Search
US Class Current

726/15
CPC Class Codes

G06F 21/577   Assessing vulnerabilities a...

G06F 2221/2141   Access rights, e.g. capabil...

H04L 63/102   Entity profiles

TRAFFIC REDIRECTION IN CLOUD BASED SECURITY SERVICES

First Claim

1 Assignment

0 Petitions

Accused Products

Abstract

141 Citations

20 Claims

Specification

Solutions

Use Cases

Quick Links

TRAFFIC REDIRECTION IN CLOUD BASED SECURITY SERVICES

First Claim

1 Assignment

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

141 Citations

20 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links