Multi-Tenant NATting for Segregating Traffic Through a Cloud Service

US 20130103834A1
Filed: 10/21/2011
Published: 04/25/2013
Est. Priority Date: 10/21/2011
Status: Abandoned Application

First Claim

Patent Images

1. An apparatus configured to perform multi-tenant NATting for segregating customer traffic through a cloud service, the apparatus including:

a memory;

one or more network interfaces;

one or more processors; and

computer program code stored on a non-transitory storage medium, the computer program code including computer-readable instructions operative, when executed, to cause the one or more processors toperform network address translation (NAT) on first and second data packets as they are transmitted between the cloud service and a plurality of subnets, the NAT being performed to translate each of a plurality of first private network IP addresses from the plurality of subnets into a second private network IP address for use within the cloud service after said first data packets are received from the plurality of subnets and to translate the second private network IP address back into a corresponding one of the plurality of first private network IP addresses before said second data packets are sent to the plurality of subnets; and

perform network address and port translation (NAPT) on the first and second data packets as they are transmitted between the cloud service and one or more remote hosts, the NAPT being performed to translate a first public network IP address for the one more remote hosts into the second private network IP address after said second data packets are received from the one or more remote hosts and to translate the second private network IP address into a second public network IP address for the cloud service before sending said first data packets to the one or more remote hosts.

View all claims

8 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

An apparatus, system, and method for segregating customer traffic through a cloud service are disclosed. The apparatus, system, and method perform network address translation (NAT) on first data packets received from a subnet to translate a first private network IP address into a second private network IP addresses, perform network address and port translation (NAPT) on the first data packets to translate the second private network IP address into a second public network IP address before sending the first data packets to a remote host, perform NAPT on second data packets received from the remote host to translate the second private network IP address back into the first private network IP address, and perform NAT on the second data packets to translate the second private network IP address back into the first private network IP address before sending the second data packets to the subnet.

Citations

20 Claims

1. An apparatus configured to perform multi-tenant NATting for segregating customer traffic through a cloud service, the apparatus including:
- a memory;
  
  one or more network interfaces;
  
  one or more processors; and
  
  computer program code stored on a non-transitory storage medium, the computer program code including computer-readable instructions operative, when executed, to cause the one or more processors toperform network address translation (NAT) on first and second data packets as they are transmitted between the cloud service and a plurality of subnets, the NAT being performed to translate each of a plurality of first private network IP addresses from the plurality of subnets into a second private network IP address for use within the cloud service after said first data packets are received from the plurality of subnets and to translate the second private network IP address back into a corresponding one of the plurality of first private network IP addresses before said second data packets are sent to the plurality of subnets; and
  
  perform network address and port translation (NAPT) on the first and second data packets as they are transmitted between the cloud service and one or more remote hosts, the NAPT being performed to translate a first public network IP address for the one more remote hosts into the second private network IP address after said second data packets are received from the one or more remote hosts and to translate the second private network IP address into a second public network IP address for the cloud service before sending said first data packets to the one or more remote hosts.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8)
- - 2. The apparatus of claim 1, further comprising a data analysis engine configured to filter the first and second data packets in accordance with one or more policies as the first and second data packets pass between the plurality of subnets and the one or more remote hosts via the cloud service, each of the one or more policies being selected based on the second private network IP addresses of the first and second data packets.
  - 3. The apparatus of claim 2, wherein the data analysis engine is further configured to perform in-line analysis of the first and second data packets in accordance with the one or more policies as the first and second data packets pass between the plurality of subnets and the one or more remote hosts via the cloud service, the in-line analysis including at least one of anti-virus (AV) scanning, dynamic real-time rating (DRTR), and content filtering service (CFS).
  - 4. The apparatus of claim 2, further comprising a firewall configured to apply a filter mark to the first data packets when they are received from the plurality of subnets, to remove the filter mark from the first data packets before they are transmitted to the one or more remote hosts, to apply the filter mark to the second data packets when they are received from the one or more remote hosts, and to remove the filter mark from the second data packets before they are transmitted to the plurality of subnets.
  - 5. The apparatus of claim 4, whereinthe data analysis agent performs in-line analysis of the first and second data packets in accordance with one or more policies;
    - andeach of the one or more policies is selected based on the second private network IP addresses of the first and second data packets.
  - 6. The apparatus of claim 1, whereinthe second private network IP address is specific to one user;
    - andthe one user is identified based on the subnet from which the first data packets were received and a corresponding one of the plurality of first private network IP addresses.
  - 7. The apparatus of claim 6, whereineach of the plurality of first private network IP addresses is associated with a connection via which a computer within one of the plurality of subnets is connected to the apparatus, the computer being the source of the first data packets;
    - andeach second private network IP address is assigned to the first data packets based on the connection.
  - 8. The apparatus of claim 7, whereineach of the plurality of first private network IP addresses is further associated with a user ID used to log on to the computer;
    - andeach second private network IP address is further assigned to the first data packets based on a combination of the connection and the user ID.

9. A method of performing multi-tenant NATting for segregating customer traffic through a cloud service, the method comprising the steps of:
- performing network address translation (NAT) on first data packets to translate a plurality of different first private network IP addresses into a plurality of different second private network IP addresses, each of the second private network IP addresses being assigned based on a subnet and a first private network IP address from which the corresponding first data packets were received;
  
  performing network address and port translation (NAPT) on the first data packets to translate each of the plurality of different second private network IP addresses into a first public network IP address for the cloud service; and
  
  sending the NATted and NAPTed first data packets to one or more remote hosts.
- View Dependent Claims (10, 11, 12, 13, 14, 15, 16, 17, 18, 19, 20)
- - 10. The method of claim 9, further comprising the step of receiving the first data packets from one of the plurality of subnets, the first data packets corresponding to one or more queries performed at a computer within that subnet and having a first private network IP address that corresponds to that computer.
  - 11. The method of claim 9, further comprising the step of applying a filter mark to the first data packets as the first data packets are received.
  - 12. The method of claim 11, further comprising the steps of:
    - filtering the first data packets within the cloud service using the filter mark; and
      
      removing the filter mark from the first data packets before they leave the cloud service.
  - 13. The method of claim 9, further comprising the step of performing in-line analysis of the first data packets, the in-line analysis including at least one of anti-virus (AV) scanning, dynamic real-time rating (DRTR), and content filtering service (CFS).
  - 14. The method of claim 13, further comprising the step of selecting one or more policies based on the second private network IP address of the first data packets, wherein the step of performing in-line analysis includes performing in-line analysis of the first data packets in accordance with the one or more policies.
  - 15. The method of claim 9, further comprising the steps of:
    - receiving second data packets from the one or more remote hosts, the second data packets being sent in response to the one or more queries and having one or more second public network IP addresses for the corresponding one or more remote hosts; and
      
      performing NAPT on the second data packets to translate each of the one or more second public network IP addresses into the second private network IP address that corresponds to the subnet and first private network IP address of the computer at which the corresponding query was performed.
  - 16. The method of claim 15, further comprising the step of applying a filter mark to the second data packets as the second data packets are received.
  - 17. The method of claim 16, further comprising the steps of:
    - filtering the second data packets within the cloud service using the filter mark; and
      
      removing the filter mark from the second data packets before they leave the cloud service.
  - 18. The method of claim 17, further comprising the step of performing in-line analysis of the second data packets, the in-line analysis including at least one of AV scanning, DRTR, and CFS.
  - 19. The method of claim 17, further comprising the steps of:
    - performing NAT on the second data packets to translate each different second private network addresses back into the corresponding different first private network IP address; and
      
      sending each of the NAPTed and NATted second data packets to the subnet in which the corresponding query was performed.
  - 20. The method of claim 15, further comprising the steps of:
    - receiving one or more user IDs from one or more connection logging agents at one or more of the plurality of subnets, whereineach first private network IP address is associated with a computer at which one of the one or more users is logged on within one of the plurality of subnets,each first private network IP address is further associated with the user ID of the user logged on to the computer with that first private network IP address, andthe step of performing NAT on the first data packets includes assigning a second private network IP address to the first data packets based on the user ID of the user logged on to the computer from which the corresponding first data packets were received.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Symantec Corporation (NortonLifeLock Inc.)
Original Assignee
Blue Coat Systems Incorporated (Gen Digital Inc.)
Inventors
Lakshmanan, Meenakshi Sundaram, Dzerve, Janis

Application Number

US13/279,146
Publication Number

US 20130103834A1
Time in Patent Office

Days
Field of Search
US Class Current

709/225
CPC Class Codes

H04L 61/2514   between local and global IP...

H04L 61/2517   using port numbers

H04L 61/2557   Translation policies or rules

H04L 63/145   the attack involving the pr...

H04L 67/10   in which an application is ...

Multi-Tenant NATting for Segregating Traffic Through a Cloud Service

First Claim

8 Assignments

0 Petitions

Accused Products

Abstract

Citations

20 Claims

Specification

Solutions

Use Cases

Quick Links

Multi-Tenant NATting for Segregating Traffic Through a Cloud Service

First Claim

8 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

Citations

20 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links