TRAFFIC REDIRECTION IN CLOUD BASED SECURITY SERVICES
Abstract
Systems, methods and apparatus for tunneling in a cloud based security system. Management of tunnels, such as data tunnels, between enterprises and processing nodes for a security service is facilitated by the use of virtual gateway nodes and migration failover to minimize traffic impacts when a tunnel is migrated from one processing node to another processing node.
Claims (20)
1. A network security system, comprising:
a plurality of processing nodes external to network edges of a plurality of enterprises, each processing node performing operations comprising:
hosting a plurality of tunnel endpoints, each tunnel endpoint being associated with a corresponding enterprise and being a tunnel endpoint for a tunnel between the enterprise and the processing node; and
storing security policy data defining security policies for each of the enterprises, performing threat detection processes to classify content items communicated over the tunnel between the enterprises and the processing node and managing the classified content items in accordance with the security policy data so that security policies for the enterprises in communication with the processing node over tunnels are implemented external to the network edges for each of the enterprises.
(Dependent claims: 2, 3, 4, 5, 6, 7, 8, 9)
10. A network security system, comprising:
a plurality of processing nodes external to network edges of a plurality of enterprises, each processing node performing operations comprising:
hosting a plurality of internet protocol addresses, each internet protocol address corresponding to an enterprise and being a tunnel destination address for a corresponding tunnel established between the enterprise and the processing node;
propagating routing data related to the processing node and the internet protocol addresses, and receiving routing data propagated by other processing nodes and a monitoring node in data communication with the processing node, the routing data defining routing for the internet protocol addresses hosted by the processing nodes; and
storing security policy data defining security policies for each of the enterprises, performing a threat detection process to classify content items according to a threat classification for a corresponding threat, and managing the classified content item in accordance with the security policy data so that security policies for the plurality of enterprises in data communication with the processing nodes over the corresponding tunnels established between the enterprise and the processing node are implemented external to the network edges for each of the enterprises;
wherein the monitoring node is configured to perform operations comprising:
monitoring a tunnel status of each of the corresponding tunnels in the processing nodes;
detecting routes to each of the internet protocol addresses and propagating corresponding routing data related to the processing nodes and the internet protocol addresses hosted by the processing nodes to the processing nodes; and
identifying failover states for the tunnels, and in response to identifying a failover state for a first tunnel in a first processing node:
updating the routing data to specify a second processing node as hosting an internet protocol address that is the tunnel destination address of the first tunnel and hosted in the first processing node; and
propagating the updated routing data to the processing nodes so that the second processing node hosts the internet protocol address.
(Dependent claims: 11, 12, 13, 14, 15, 16)
17. A computer-implemented method for providing security services to a plurality of enterprises over a plurality of processing nodes external to the network edges of the enterprises, the method comprising:
in each processing node:
hosting a plurality of virtual gateway nodes, each virtual gateway node corresponding to an enterprise and having an associated tunnel destination address for a corresponding tunnel, each tunnel destination address being an internet protocol address of the corresponding enterprise;
propagating routing data related to the processing node and the virtual gateway nodes, and receiving routing data propagated by other processing nodes and a monitoring node in data communication with the processing nodes;
managing classified content items in accordance with security policy data so that security policies for the plurality of enterprises in data communication with the processing nodes over tunnels corresponding to the virtual gateway nodes are implemented external to the network edges for each of the enterprises;
in the monitoring node:
monitoring a tunnel status of each of the corresponding tunnels in the processing nodes;
detecting routes to each of the virtual gateway nodes and propagating routing data related to the processing nodes and the virtual gateway nodes to the processing nodes; and
identifying failover states for the tunnels, and in response to identifying a failover state for a first tunnel in a first processing node:
updating the routing data to specify a second processing node as hosting a virtual gateway node associated with the first tunnel and hosted in the first processing node; and
propagating the updated routing data to the processing nodes so that the second processing node hosts the virtual gateway node.
(Dependent claims: 18, 19, 20)
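The monitoring-node failover loop that claims 10 and 17 describe (monitor tunnel status, detect routes, identify a failover state, re-home the tunnel destination address on a second processing node, propagate the updated routing data), modelled as an added example; this is not code from the patent or its assignee. Node names, addresses and the least-loaded choice of second node are constructed assumptions.

```python
from dataclasses import dataclass, field


@dataclass
class ProcessingNode:
    """A processing node outside the enterprise network edge (constructed model)."""
    name: str
    # tunnel destination address -> tunnel status ("up" or "down"), one per enterprise
    tunnels: dict = field(default_factory=dict)
    # routing data last propagated by the monitoring node: address -> hosting node
    routes: dict = field(default_factory=dict)


class MonitoringNode:
    """Monitors tunnel status, detects routes and propagates routing data."""

    def __init__(self, nodes):
        self.nodes = {n.name: n for n in nodes}
        self.routes = {}
        for node in nodes:  # detect a route to every hosted tunnel destination address
            for addr in node.tunnels:
                self.routes[addr] = node.name
        self.propagate()

    def propagate(self):
        """Every processing node receives the current routing data."""
        for node in self.nodes.values():
            node.routes = dict(self.routes)

    def identify_failover_states(self):
        """Addresses whose tunnel is not up on the node that currently hosts them."""
        return [a for a, n in self.routes.items() if self.nodes[n].tunnels.get(a) != "up"]

    def failover(self, addr):
        """Pick a second processing node to host addr and propagate the update."""
        first = self.nodes[self.routes[addr]]
        # Assumption: the least-loaded node other than the failed one becomes the host.
        second = min((n for n in self.nodes.values() if n is not first),
                     key=lambda n: len(n.tunnels))
        first.tunnels.pop(addr, None)
        second.tunnels[addr] = "up"  # assumption: the enterprise re-establishes the tunnel
        self.routes[addr] = second.name
        self.propagate()
        return second.name

    def reconcile(self):
        """One monitoring cycle; returns {address: second node} for each migration."""
        return {a: self.failover(a) for a in self.identify_failover_states()}


def demo():
    # Constructed sample: three processing nodes, one tunnel per enterprise address.
    a = ProcessingNode("pn-a", {"198.51.100.1": "up", "198.51.100.2": "down"})
    b = ProcessingNode("pn-b", {"198.51.100.3": "up"})
    c = ProcessingNode("pn-c")
    mon = MonitoringNode([a, b, c])
    return mon.reconcile(), mon.nodes["pn-c"].routes, a.tunnels
```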