Domain Isolation Through Virtual Network Machines
Abstract
A method and device for communicating information resources between subscriber end stations and nodes belonging to different network domains is described. The device instantiates different virtual network machines for different network domains using separate independently administrable network databases. Each of the administrable chores of the separate independently administrable network databases includes the assignment of access control and the configuration of the policies for those network databases. The policies include traffic filtering policies to indicate what kind of information payloads can be carried, and traffic and route filtering policies to indicate what paths through the network will be used for each payload carried. Each of the network domains includes one of the different virtual network machines, and each of the different network domains is virtually isolated from the other network domains.
97 Citations
25 Claims
1. A computerized method comprising:
retrieving a plurality of records for a plurality of subscribers associated with a plurality of end stations connected to a single network device through a plurality of links, wherein each of the plurality of subscribers is associated with a different one of the plurality of records;
authenticating each of the plurality of subscribers based on the one of the plurality of records retrieved for that subscriber;
authorizing each of the subscribers to determine what that subscriber can do after being authenticated based on the one of the plurality of records retrieved for that subscriber, wherein each of the plurality of records comprises information indicating which of a plurality of virtual networks the respective subscriber can access, wherein the plurality of virtual networks are virtually isolated from each other, wherein the single network device comprises a plurality of virtual network machines that are virtually independent but share a set of physical resources of the single network device, wherein each of the virtual network machines is one of a virtual router and a virtual bridge, and wherein each of the plurality of virtual network machines belongs to a different one of the plurality of virtual networks;
coupling different ones of the plurality of end stations to different ones of the virtual network machines according to said authorizing through dynamic bindings;
forwarding information flows of the plurality of end stations via the different respective virtual network machines to which the corresponding subscriber end station is coupled based on control and policy information in separate independently administrable network databases of the virtual network machines, wherein each of the separate independently administrable network databases includes address, policy and control information; and
accounting for the network activity of each of the plurality of end stations in the plurality of virtual network machines.
Dependent claims: 2, 3, 4, 5, 6, 7, 8, 9
10. A single network device to act as an intermediate station comprising:
a plurality of transceivers to communicate information resources between subscriber end stations and nodes belonging to different virtual networks;
a set of two or more separately administrable network databases, wherein each of the independently administrable network databases includes address, policy and control information; and
a machine-readable medium having stored therein a set of instructions to cause the single network device to,
retrieve a plurality of records for a plurality of subscribers associated with a plurality of subscriber end stations connected to the single network device through a plurality of links, wherein each of the plurality of records is associated with a different one of the plurality of subscribers;
authenticate each of the plurality of subscribers based on the one of the plurality of records retrieved for that subscriber,
authorize each of the subscribers to determine what that subscriber can access after being authenticated based on the one of the plurality of records retrieved for that subscriber, wherein each of the plurality of records comprises information indicating which of a plurality of virtual networks the respective subscriber can access, wherein each of the plurality of virtual networks are virtually isolated from each other, wherein the single network device comprises a plurality of virtual network machines that are virtually independent but share a set of physical resources of the single network device, wherein the virtual network machine is one of a virtual router and a virtual bridge, and wherein each of the plurality of virtual network machines belongs to a different one of the plurality of virtual networks;
couple the plurality of subscriber end stations to the different ones of the virtual network machines according to said authorizing through dynamic binding,
forward information flows of the plurality of subscriber end stations via the different respective virtual network machines based on control and policy information in the separately administrable network databases of the virtual network machines, and
account for the network activity of each of the subscribers in the plurality of virtual network machines.
Dependent claims: 11, 12, 13, 14, 15, 16, 17
18. A network comprising:
a plurality of subscriber end stations;
a plurality of nodes belonging to a plurality of different virtual networks, wherein the plurality of different virtual networks is virtually isolated from each other;
a remote server station having stored therein subscriber records, each record including information concerning a set of the plurality of different virtual networks to which a subscriber has access to; and
a subscriber management system coupled to the remote server station, coupled to the subscriber end stations through links, and coupled between the subscriber end stations and the plurality of nodes, the subscriber management system being a single network device and having,
a plurality of virtual network machines that are virtually independent but share a set of physical resources of the subscriber management system, wherein each of the virtual network machines is one of a virtual router and a virtual bridge, wherein each of the plurality of virtual network machines belongs to a different one of the plurality of different virtual networks, wherein each of the virtual network machines includes a separate independently administrable network database, and wherein each of the independently administrable network databases includes address, control and policy information, and
client software in communication with the remote server station that collectively,
retrieve the corresponding subscriber records responsive to establishment of the links with the subscriber end stations;
authenticate through identification and verification based on the retrieved subscriber records,
authorize based on the retrieved subscriber records to determine which of the different virtual network machines each of the subscriber end stations should be coupled,
couple the plurality of subscriber end stations to the different virtual network machines based on the authorization through dynamic bindings, and
forward information flows of the plurality of subscriber end stations via the different respective virtual network machines based on the separately administrable network databases, and
account for network activity over each of the subscriber end stations in the plurality of virtual network machines.
Dependent claims: 19, 20, 21, 22, 23, 24, 25
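As an added illustration, not code from the patent or its assignee: a small Python model of the device the abstract and claims 1, 10 and 18 describe. One device object hosts several virtual network machines that share the process but each own a separate database of addresses, policies and routes; a subscriber is authenticated from its record, authorized to exactly the virtual network the record names, dynamically bound to that network's machine, forwarded only according to that machine's database, and accounted inside that machine. Every subscriber record, virtual network, address, policy and link name below is constructed for the example; the in-memory record store stands in for the remote server station, and a plain shared secret stands in for whatever authentication the specification actually uses.

```python
"""Toy model of the claimed subscriber management device (added example, not the patent's code).
All records, domains, addresses and policies are constructed for illustration."""
import hmac
import ipaddress
from collections import defaultdict
from dataclasses import dataclass, field


@dataclass
class SubscriberRecord:
    username: str
    secret: str            # shared secret checked at authentication (assumed, for the example)
    virtual_network: str   # the one virtual network this subscriber may access


@dataclass
class NetworkDatabase:
    """Independently administrable per-machine state: address, policy and control information."""
    addresses: dict        # node address -> node name reachable in this domain only
    allowed_protocols: set # traffic-filtering policy: which payload kinds may be carried
    routes: dict           # prefix -> next hop: the paths this domain may use

    def next_hop(self, dst):
        """Longest-prefix match over this database's routes and nothing else."""
        addr = ipaddress.ip_address(dst)
        best = None
        for prefix, hop in self.routes.items():
            net = ipaddress.ip_network(prefix)
            if addr in net and (best is None or net.prefixlen > best[0].prefixlen):
                best = (net, hop)
        return None if best is None else best[1]


@dataclass
class VirtualNetworkMachine:
    name: str
    kind: str                         # "router" or "bridge"
    db: NetworkDatabase
    accounting: dict = field(default_factory=lambda: defaultdict(int))  # username -> bytes


class SubscriberManagementDevice:
    """The single network device; `records` stands in for the remote server station."""

    def __init__(self, records, vnms):
        self.records = {r.username: r for r in records}
        self.vnms = {v.name: v for v in vnms}    # machines share this one process/device
        self.bindings = {}                       # link id -> (username, machine): dynamic bindings

    def authenticate(self, username, secret):
        rec = self.records.get(username)
        if rec is None or not hmac.compare_digest(rec.secret.encode(), secret.encode()):
            return None
        return rec

    def bind_link(self, link_id, username, secret):
        """Authenticate, authorize from the record, and couple the link to the chosen machine."""
        rec = self.authenticate(username, secret)
        if rec is None:
            raise PermissionError(f"authentication failed for {username!r}")
        vnm = self.vnms[rec.virtual_network]     # authorization: the record, not the packet, picks the domain
        self.bindings[link_id] = (username, vnm.name)
        return vnm.name

    def forward(self, link_id, dst, protocol, payload_len):
        """Forward one flow using only the bound machine's database; returns an outcome tuple."""
        if link_id not in self.bindings:
            return ("dropped", "unbound link")
        username, vname = self.bindings[link_id]
        vnm = self.vnms[vname]
        if protocol not in vnm.db.allowed_protocols:
            return ("dropped", "policy")
        if dst not in vnm.db.addresses:          # nodes of other domains are simply not visible
            return ("dropped", "unknown in this domain")
        hop = vnm.db.next_hop(dst)
        if hop is None:
            return ("dropped", "no route")
        vnm.accounting[username] += payload_len  # accounting happens inside the machine
        return ("forwarded", vnm.db.addresses[dst], hop)


def build_demo():
    corp = VirtualNetworkMachine("corp", "router", NetworkDatabase(
        addresses={"10.0.0.1": "corp-fileserver", "10.0.5.9": "corp-mail"},
        allowed_protocols={"tcp", "udp"},
        routes={"10.0.0.0/16": "corp-core", "10.0.5.0/24": "corp-dmz"}))
    guest = VirtualNetworkMachine("guest", "bridge", NetworkDatabase(
        addresses={"10.0.0.1": "guest-portal"},  # same address as corp, different node
        allowed_protocols={"tcp"},
        routes={"10.0.0.0/24": "guest-uplink"}))
    records = [SubscriberRecord("alice", "s3cret-a", "corp"),
               SubscriberRecord("bob", "s3cret-b", "guest")]
    return SubscriberManagementDevice(records, [corp, guest])


def run_demo():
    dev = build_demo()
    dev.bind_link("link1", "alice", "s3cret-a")
    dev.bind_link("link2", "bob", "s3cret-b")
    results = {
        "alice_10.0.0.1": dev.forward("link1", "10.0.0.1", "tcp", 1500),
        "bob_10.0.0.1": dev.forward("link2", "10.0.0.1", "tcp", 700),
        "bob_corp_mail": dev.forward("link2", "10.0.5.9", "tcp", 100),
        "bob_udp": dev.forward("link2", "10.0.0.1", "udp", 100),
        "alice_mail": dev.forward("link1", "10.0.5.9", "udp", 300),
    }
    return results, {n: dict(v.accounting) for n, v in dev.vnms.items()}


if __name__ == "__main__":
    outcomes, usage = run_demo()
    for name, outcome in outcomes.items():
        print(name, outcome)
    print(usage)
```

The two domains deliberately reuse the address 10.0.0.1: alice's flow reaches corp-fileserver and bob's reaches guest-portal, because each lookup consults only the database of the machine the subscriber was bound to. Bob cannot reach corp-mail at all (the address does not exist in the guest database), UDP is dropped for him by the guest policy, and byte counts accumulate per subscriber inside the machine that carried the traffic, which is the per-domain accounting the claims call for.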
Specification