DYNAMIC SECURED NETWORK IN A CLOUD ENVIRONMENT

US 20140282817A1
Filed: 03/14/2013
Published: 09/18/2014
Est. Priority Date: 03/14/2013
Status: Active Grant

First Claim

Patent Images

1. A method of adding a machine provided by a cloud provider to an overlay network, the method performed by the machine and comprising:

gathering data relating to the machine, including a private internet protocol (IP) address of the machine within a network of the cloud provider;

receiving or determining configuration data for connecting the machine to the overlay network, including an overlay IP address for the machine in the overlay network, said configuration data being at least partly dependent on said gathered data; and

connecting the machine to the overlay network in accordance with at least part of said configuration data, including establishing at least one secure tunnel, wherein for any secure tunnel a private IP address or a public IP address of said machine is used to encapsulate said overlay address.

View all claims

2 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

The disclosure presents systems, methods and computer program products relating to an overlay network in a cloud environment. A management machine may manage an overlay network. Machine(s), which may be provided by cloud provider(s), may be added to or removed from the overlay network. Data relating to a machine may be gathered and configuration data may be determined, for example when the machine is being added to the overlay network. A device associated with a user authorized for the overlay network may connect to the overlay network. The overlay network may include one or more secure tunnels wherein a private IP address or public IP address may encapsulate an overlay IP address.

Citations

45 Claims

1. A method of adding a machine provided by a cloud provider to an overlay network, the method performed by the machine and comprising:
- gathering data relating to the machine, including a private internet protocol (IP) address of the machine within a network of the cloud provider;
  
  receiving or determining configuration data for connecting the machine to the overlay network, including an overlay IP address for the machine in the overlay network, said configuration data being at least partly dependent on said gathered data; and
  
  connecting the machine to the overlay network in accordance with at least part of said configuration data, including establishing at least one secure tunnel, wherein for any secure tunnel a private IP address or a public IP address of said machine is used to encapsulate said overlay address.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13)
- - 2. The method of claim 1, wherein said configuration data is also at least partly dependent on data gathered relating to at least one other machine in said overlay network.
  - 3. The method of claim 1, wherein said connecting is performed with assistance of at least one other machine in said overlay network.
  - 4. The method of claim 1, wherein said overlay IP address is allocated so as not to conflict with any other allocated overlay IP address, or with any private IP address in any network of any cloud provider with at least one machine in said overlay network.
  - 5. The method of claim 1, further comprising:
    - presenting a machine authentication token when communicating with a management machine.
  - 6. The method of claim 1, further comprising:
    - subsequent to connection to said overlay network, gathering data relating to the machine.
  - 7. The method of claim 1, further comprising:
    - subsequent to connection to said overlay network, receiving or determining configuration data for connecting the machine to the overlay network; and
      
      if said configuration data is updated, updating machine connection to the overlay network in accordance with at least part of said updated configuration data.
  - 8. The method of claim 1, further comprising:
    - translating a policy regarding access control into at least one firewall rule for implementing the policy.
  - 9. The method of claim 1, further comprising:
    - translating a policy regarding private/public interface into at least one rule for implementing the policy.
  - 10. The method of claim 1, wherein said configuration data includes an internal DNS name for the machine.
  - 11. The method of claim 1, wherein said machine is a server or a gateway.
  - 12. The method of claim 1, wherein said private IP address is used whenever possible.
  - 13. The method of claim 1, wherein said overlay network comprises one or more secure tunnels and traffic between machines in said overlay network is routed via said overlay network.

14. A method of connecting a device to an overlay network, said overlay network including at least one server provided by at least one cloud provider, comprising:
- determining that the device is attempting connection to the overlay network;
  
  verifying that a user associated with the device is authorized for the overlay network;
  
  assigning an overlay IP to the device from a pool of overlay IP addresses; and
  
  connecting the device to the overlay network by establishing at least one secure tunnel between the device and a gateway in the overlay network.
- View Dependent Claims (15, 16, 17, 18, 19, 20)
- - 15. The method of claim 14, further comprising:
    - receiving said pool of overlay IP addresses from a management machine.
  - 16. The method of claim 14, further comprising:
    - translating an internal DNS name for a server, provided by said device, to an overlay IP address of said server.
  - 17. The method of claim 14, further comprising:
    - translating an overlay IP address assigned to said device into an overlay IP address of said gateway.
  - 18. The method of claim 14, further comprising:
    - translating an access control policy to at least one server in said overlay network which relates to said user into at least one firewall rule for implementing the policy.
  - 19. The method of claim 14, wherein said method enables provisioning of at least one of:
    - broad network access or on-demand self service to said user.
  - 20. The method of claim 14, wherein said overlay network comprises one or more secure tunnels and traffic between the device and any server in the overlay network is routed over the overlay network via the gateway.

21. A method of managing an overlay network, performed by a management machine, comprising:
- determining that a server or gateway provided by a cloud provider is to be added to said overlay network;
  
  generating a temporary machine authentication token for said server or gateway;
  
  receiving said temporary machine authentication token from said server or gateway and authenticating said server or gateway; and
  
  providing a replacement longer expiration machine authentication token to said server or gateway;
  
  wherein after said replacement token has been provided, said server or gateway connects to the overlay network, including establishing at least one secure tunnel, and wherein for any secure tunnel a private IP address or a public IP address of said server or gateway is used to encapsulate an overlay address that was allocated to said server or gateway.
- View Dependent Claims (22, 23)
- - 22. The method of claim 21, further comprising:
    - receiving said longer expiration machine authentication token from a different machine;
      
      determining that said longer expiration machine authentication token does not match said different machine; and
      
      acting in accordance with a procedure regarding a non-matching token.
  - 23. The method of claim 21, further comprising:
    - generating program code for requesting software for said server or gateway.

24. A method of managing an overlay network, performed by a management machine, comprising:
- determining that a server or gateway provided by a cloud provider is to be added to said overlay network;
  
  receiving data from said server or gateway relating to said server or gateway, including a private internet protocol (IP) address of the server or gateway within a network of the cloud provider;
  
  determining configuration data for connecting the server or gateway to the overlay network, including an overlay IP address for the server or gateway in the overlay network, said configuration data being at least partly dependent on said gathered data; and
  
  providing said configuration data at least to said server or gateway, thereby enabling said server or gateway to connect to the overlay network in accordance with at least part of said configuration data, including to establish at least one secure tunnel, wherein for any secure tunnel a private IP address or a public IP address of said server or gateway is used to encapsulate said overlay address.
- View Dependent Claims (25, 26)
- - 25. The method of claim 24, further comprising:
    - providing configuration data to at least one other server or gateway in said overlay network, thereby enabling said at least one other server or gateway in said network to assist in establishing said at least one secure tunnel.
  - 26. The method of claim 24, further comprising:
    - receiving data from at least one other server or gateway in said overlay network, wherein said configuration data is also at least partly dependent on received data from said at least one other server or gateway.

27. A method of adding a server to or removing a server from an overlay network, comprising:
- a device accessing management software in a management machine; and
  
  the device indicating that a server provided by a cloud provider is to be added or removed from an overlay network;
  
  thereby enabling said server to connect to the overlay network, including to establish at least one secure tunnel, wherein for any secure tunnel a private IP address or a public IP address of said server is used to encapsulate an overlay address which was allocated to said server, or thereby enabling said server to disconnect from said overlay network.
- View Dependent Claims (28, 29, 30, 31)
- - 28. The method of claim 27, wherein if a server is being added said management software generates program code, said method further comprising:
    - said device providing the generated program code to the server, wherein said program code when run enables software to be provided to said server for connecting the server to the overlay network.
  - 29. The method of claim 27, further comprising:
    - said device indicating an access control policy relating to the server.
  - 30. The method of claim 27, wherein said management software is provided as a service in a cloud environment.
  - 31. The method of claim 27, wherein said method enables provisioning of at least one of:
    - broad network access or on-demand self service to a user associated with said device.

32. A method of adding at least one gateway provided by at least one cloud provider to an overlay network, comprising:
- a device accessing management software in a management machine; and
  
  a device providing program code generated by the management software to at least one gateway provided by the at least one cloud provider;
  
  thereby enabling allocation of at least one overlay IP address to the at least one gateway, and allocation of a pool of overlay IP addresses from which an overlay IP address is to be assigned by a gateway to a device connecting to the overlay network which is associated with a user authorized for the overlay network, so that the overlay address of the device will be encapsulated by a public IP address of the device in a secure tunnel established between the gateway and the connecting device.
- View Dependent Claims (33, 34)
- - 33. The method of claim 32, wherein said management software is provided as a service in a cloud environment.
  - 34. The method of claim 32, wherein said method enables provisioning of at least one of:
    - broad network access or on-demand self service to a user associated with said device.

35. A method of managing an overlay network, performed by a management machine, comprising:
- receiving data from at least one machine provided by at least one cloud provider, which is included in the overlay network; and
  
  providing configuration data determined at least partly based on said received data, to at least one machine provided by at least one cloud provider, which is in the overlay network;
  
  thereby enabling addition of, removal of, or change in at least one secure tunnel comprised in said overlay network.

36. A system for adding a machine provided by a cloud provider to an overlay network, the system including the machine capable of:
- gathering data relating to the machine, including a private internet protocol (IP) address of the machine within a network of the cloud provider;
  
  receiving or determining configuration data for connecting the machine to the overlay network, including an overlay IP address for the machine in the overlay network, said configuration data being at least partly dependent on said gathered data; and
  
  connecting the machine to the overlay network in accordance with at least part of said configuration data, including establishing at least one secure tunnel, wherein for any secure tunnel a private IP address or a public IP address of said machine is used to encapsulate said overlay address.

37. A system for connecting a device to an overlay network, said overlay network including at least one server provided by at least one cloud provider, said system comprising a gateway capable of:
- determining that the device is attempting connection to the overlay network;
  
  verifying that a user associated with the device is authorized for the overlay network;
  
  assigning an overlay IP to the device from a pool of overlay IP addresses; and
  
  connecting the device to the overlay network by establishing at least one secure tunnel between the device and the gateway.

38. A system for managing an overlay network, comprising a management machine capable of:
- determining that a server or gateway provided by a cloud provider is to be added to said overlay network;
  
  generating a temporary machine authentication token for said server or gateway;
  
  receiving said temporary machine authentication token from said server or gateway and authenticating said server or gateway; and
  
  providing a replacement longer expiration machine authentication token to said server or gateway;
  
  wherein after said replacement token has been provided, said server or gateway connects to the overlay network, including establishing at least one secure tunnel, and wherein for any secure tunnel a private IP address or a public IP address of said server or gateway is used to encapsulate an overlay address that was allocated to said server or gateway.

39. A system for managing an overlay network, comprising a management machine, capable of:
- determining that a server or gateway provided by a cloud provider is to be added to said overlay network;
  
  receiving data from said server or gateway relating to said server or gateway, including a private internet protocol (IP) address of the server or gateway within a network of the cloud provider;
  
  determining configuration data for connecting the server or gateway to the overlay network, including an overlay IP address for the server or gateway in the overlay network, said configuration data being at least partly dependent on said gathered data; and
  
  providing said configuration data at least to said server or gateway, thereby enabling said server or gateway to connect to the overlay network in accordance with at least part of said configuration data, including to establish at least one secure tunnel, wherein for any secure tunnel a private IP address or a public IP address of said server or gateway is used to encapsulate said overlay address.

40. A system for managing an overlay network, comprising a management machine, capable of:
- receiving data from at least one machine provided by at least one cloud provider, which is included in the overlay network; and
  
  providing configuration data determined at least partly based on said received data, to at least one machine provided by at least one cloud provider, which is in the overlay network;
  
  thereby enabling addition of, removal of, or change in at least one secure tunnel comprised in said overlay network.

41. A computer program product comprising a machine useable medium having machine readable program code embodied therein for adding a machine provided by a cloud provider to an overlay network, the computer program product comprising:
- machine readable program code for causing the machine to gather data relating to the machine, including a private internet protocol (IP) address of the machine within a network of the cloud provider;
  
  machine readable program code for causing the machine to receive or determine configuration data for connecting the machine to the overlay network, including an overlay IP address for the machine in the overlay network, said configuration data being at least partly dependent on said gathered data; and
  
  computer readable program code for causing the machine to connect the machine to the overlay network in accordance with at least part of said configuration data, including establishing at least one secure tunnel, wherein for any secure tunnel a private IP address or a public IP address of said machine is used to encapsulate said overlay address.

42. A computer program product comprising a machine useable medium having machine readable program code embodied therein for connecting a device to an overlay network, said overlay network including at least one server provided by at least one cloud provider, the computer program product comprising:
- machine readable program code for causing a machine to determine that the device is attempting connection to the overlay network;
  
  machine readable program code for causing the machine to verify that a user associated with the device is authorized for the overlay network;
  
  machine readable program code for causing the machine to assign an overlay IP to the device from a pool of overlay IP addresses; and
  
  machine readable program code for causing the machine to connect the device to the overlay network by establishing at least one secure tunnel between the device and the machine.

43. A computer program product comprising a machine useable medium having machine readable program code embodied therein for managing an overlay network, the computer program product comprising:
- machine readable program code for causing a machine to determine that a server or gateway provided by a cloud provider is to be added to said overlay network;
  
  machine readable program code for causing the machine to generate a temporary machine authentication token for said server or gateway;
  
  machine readable program code for causing the machine to receive said temporary machine authentication token from said server or gateway and to authenticate said server or gateway; and
  
  machine readable program code for causing the machine to provide a replacement longer expiration machine authentication token to said server or gateway;
  
  wherein after said replacement token has been provided, said server or gateway connects to the overlay network, including establishing at least one secure tunnel, and wherein for any secure tunnel a private IP address or a public IP address of said server or gateway is used to encapsulate an overlay address that was allocated to said server or gateway.

44. A computer program product comprising a machine useable medium having machine readable program code embodied therein for managing an overlay network, the computer program product comprising:
- machine readable program code for causing a machine to determine that a server or gateway provided by a cloud provider is to be added to said overlay network;
  
  machine readable program code for causing the machine to receive data from said server or gateway relating to said server or gateway, including a private internet protocol (IP) address of the server or gateway within a network of the cloud provider;
  
  machine readable program code for causing the machine to determine configuration data for connecting the server or gateway to the overlay network, including an overlay IP address for the server or gateway in the overlay network, said configuration data being at least partly dependent on said gathered data; and
  
  machine readable program code for causing the machine to provide said configuration data at least to said server or gateway, thereby enabling said server or gateway to connect to the overlay network in accordance with at least part of said configuration data, including to establish at least one secure tunnel, wherein for any secure tunnel a private IP address or a public IP address of said server or gateway is used to encapsulate said overlay address.

45. A computer program product comprising a machine useable medium having machine readable program code embodied therein for managing an overlay network, the computer program product comprising:
- machine readable program code for causing a machine to receive data from at least one machine provided by at least one cloud provider, which is included in the overlay network; and
  
  machine readable program code for causing the machine to provide configuration data determined at least partly based on said received data, to at least one machine provided by at least one cloud provider, which is in the overlay network;
  
  thereby enabling addition of, removal of, or change in at least one secure tunnel comprised in said overlay network.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
FortyCloud Ltd. (FireMon, LLC)
Original Assignee
FortyCloud Ltd. (FireMon, LLC)
Inventors
SINGER, Noam, Naftali, Amir

Granted Patent

US 9,331,998 B2
Time in Patent Office

Days
Field of Search
US Class Current

726/1
CPC Class Codes

G06F 21/335   for accessing specific reso...

H04L 45/64   using an overlay routing layer

H04L 63/0272   Virtual private networks

H04L 63/08   for authentication of entit...

H04L 63/0807   using tickets, e.g. Kerbero...

H04L 63/164   at the network layer

H04L 67/02   based on web technology, e....

H04L 67/56   Provisioning of proxy servi...

H04L 9/3213   using tickets or tokens, e....

DYNAMIC SECURED NETWORK IN A CLOUD ENVIRONMENT

First Claim

2 Assignments

0 Petitions

Accused Products

Abstract

Citations

45 Claims

Specification

Solutions

Use Cases

Quick Links

DYNAMIC SECURED NETWORK IN A CLOUD ENVIRONMENT

First Claim

2 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

Citations

45 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links