DISTRIBUTED WAN SECURITY GATEWAY

US 20190104111A1
Filed: 05/04/2018
Published: 04/04/2019
Est. Priority Date: 10/02/2017
Status: Active Grant

First Claim

Patent Images

1. A method of establishing a virtual wide area network (WAN) for an enterprise, the method comprising:

configuring a set of forwarding elements in first and second multi-tenant public cloud datacenters to implement the virtual WAN for the enterprise, the virtual WAN connecting a plurality of machines operating in a set of two or more locations of the enterprise that are outside of the first and second public cloud datacenters; and

configuring at least one WAN security gateway in at least one of the first and second public cloud datacenters, said WAN security gateway for controlling access to enterprise machines that are reachable through the virtual WAN.

View all claims

3 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

Some embodiments establish for an entity a virtual network over several public clouds of several public cloud providers and/or in several regions. In some embodiments, the virtual network is an overlay network that spans across several public clouds to interconnect one or more private networks (e.g., networks within branches, divisions, departments of the entity or their associated datacenters), mobile users, and SaaS (Software as a Service) provider machines, and other web applications of the entity. The virtual network in some embodiments can be configured to optimize the routing of the entity'"'"'s data messages to their destinations for best end-to-end performance, reliability and security, while trying to minimize the routing of this traffic through the Internet. Also, the virtual network in some embodiments can be configured to optimize the layer 4 processing of the data message flows passing through the network.

121 Citations

View as Search Results

21 Claims

1. A method of establishing a virtual wide area network (WAN) for an enterprise, the method comprising:
- configuring a set of forwarding elements in first and second multi-tenant public cloud datacenters to implement the virtual WAN for the enterprise, the virtual WAN connecting a plurality of machines operating in a set of two or more locations of the enterprise that are outside of the first and second public cloud datacenters; and
  
  configuring at least one WAN security gateway in at least one of the first and second public cloud datacenters, said WAN security gateway for controlling access to enterprise machines that are reachable through the virtual WAN.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13, 14, 15, 16, 17, 18, 19, 20, 21)
- - 2. The method of claim 1, wherein the reachable machines of the enterprise include machines located in at least one of an office of the enterprise and a private datacenter of the enterprise.
  - 3. The method of claim 2, wherein the reachable machines of the enterprise further include machines located in at least one of public cloud datacenter used by the enterprise or private SaaS (Software as a Service) datacenter used by the enterprise.
  - 4. The method of claim 1, wherein the WAN security gateway controls access to the enterprise machines by at least one of machines of remote users, machines located at an office of the enterprise, and machines at a private datacenter of the enterprise.
  - 5. The method of claim 1, whereinthe WAN security gateway is a firewall security gateway that enforces a plurality of firewall rules for the enterprise, andconfiguring the firewall security gateway comprises storing a set of the firewall rules in a rule storage of the firewall security gateway.
  - 6. The method of claim 1, whereinthe WAN security gateway is an intrusion detection security gateway that detects unauthorized third party intrusions into the virtual WAN for the enterprise, andconfiguring the WAN security gateway comprises storing at least one of intrusion detection policies for detecting intrusions and intrusion login policies for generating data logs relating to potential intrusion events.
  - 7. The method of claim 1, whereinthe WAN security gateway is an intrusion prevention security gateway that prevents unauthorized third party intrusions into the virtual WAN for the enterprise, andconfiguring the WAN security gateway comprises storing at least one of intrusion prevention policies for preventing intrusions and intrusion login policies for generating data logs relating to intrusion prevention events.
  - 8. The method of claim 1, whereinconfiguring at least one WAN security gateway comprises configuring a WAN security gateway in each public cloud datacenter over which the virtual WAN spans and through which data messages enter the virtual network or exit the virtual network,the WAN security gateways authorizing access to enterprise machines by analyzing data messages as the data messages enter the virtual WAN or as the data messages exit the virtual WAN.
  - 9. The method of claim 8, wherein at least one WAN security gateway authorizes access to enterprise machines by analyzing a data message as the data message passes through an intervening public cloud datacenter that is between the ingress public cloud datacenter through which the data message entered the virtual WAN and the egress public cloud datacenter through which the data message exits the virtual WAN.
  - 10. The method of claim 1, wherein the set of locations comprises a set of one or more offices and a set of remote user locations.
  - 11. The method of claim 10, wherein the set of locations further includes at least one private datacenter location of the enterprise.
  - 12. The method of claim 11, wherein the set of machine locations further includes a location comprising a plurality of machines of a SaaS (Software as a Service) provider.
  - 13. The method of claim 1, wherein the set of locations comprises a set of one or more private datacenter locations of the enterprise and a set of remote user locations.
  - 14. The method of claim 1, wherein the machines include at least one of virtual machines, containers, or standalone computers.
  - 15. The method of claim 1, wherein configuring the set of forwarding elements comprises configuring the set of forwarding elements to use overlay virtual WAN headers to encapsulate data messages exchanged between the enterprise machines between different locations in the set of locations.
  - 16. The method of claim 1, wherein the configuring of the set of forwarding elements is performed by a set of one or more controllers of a virtual network provider that deploys the virtual WAN for the enterprise over public cloud datacenters of different public cloud providers and in different regions.
  - 17. The method of claim 1, wherein the set of forwarding elements comprises a plurality of software forwarding elements executing on host computers.
  - 18. The method of claim 17, wherein the plurality of software forwarding elements comprise virtual machines that perform software forwarding operations.
  - 19. The method of claim 17, wherein at least a subset of the software forwarding elements execute on host computers along with other machines.
  - 20. The method of claim 1 further comprising configuring a plurality of WAN security gateways in a plurality of public cloud datacenters over which the virtual WAN spans, wherein configuring the plurality of WAN security gateways in the public cloud datacenters allows the enterprise to forego a central WAN security gateway at one of the set of machine locations of the enterprise.
  - 21. The method of claim 20, wherein by foregoing the central WAN security gateway at one of the set of machine locations of the enterprise, the enterprise avoids a central WAN gateway chokepoint and avoids expenses associated with network traffic that would only be sent to a central WAN gateway location to assess whether data messages intended for other locations should be able to access machines at the other locations.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Vmware LLC (Broadcom, Inc.)
Original Assignee
Nicira Incorporated (Broadcom, Inc.)
Inventors
Cidon, Israel, Dar, Chen, Venugopal, Prashanth, Zohar, Eyal, Markuze, Alex

Granted Patent

US 10,841,131 B2
Time in Patent Office

Days
Field of Search
US Class Current
CPC Class Codes

H04L 12/14   Charging , metering or bill...

H04L 12/1403   Architecture for metering, ...

H04L 12/1428   Invoice generation, e.g. cu...

H04L 12/2854   Wide area networks, e.g. pu...

H04L 12/2859   Point-to-point connection b...

H04L 12/4633   Interconnection of networks...

H04L 12/4641   Virtual LANs, VLANs, e.g. v...

H04L 2101/35   containing special prefixes

H04L 2212/00   Encapsulation of packets

H04L 41/046   comprising network manageme...

H04L 41/0803   Configuration setting

H04L 41/0895   Configuration of virtualise...

H04L 41/40   using virtualisation of net...

H04L 43/08   Monitoring or testing based...

H04L 43/0829   Packet loss

H04L 43/0852   Delays

H04L 43/0888   Throughput

H04L 45/04   Interdomain routing, e.g. h...

H04L 45/12   Shortest path evaluation

H04L 45/14   Routing performance; Theore...

H04L 45/64 : using an overlay routing layer

H04L 45/74 : Address processing for routing

H04L 45/745 : Address table lookup; Addre...

H04L 61/25 : of the same type

H04L 61/2514 : between local and global IP...

H04L 61/255 : Maintenance or indexing of ...

H04L 61/4511 : using domain name system [DNS]

H04L 63/0245 : Filtering by information in...

H04L 63/0263 : Rule management

H04L 63/0272 : Virtual private networks

H04L 63/0281 : Proxies

H04L 63/20 : for managing network securi...

H04L 67/10 : in which an application is ...

H04M 15/00 : Arrangements for metering, ...

H04M 15/51 : for resellers, retailers or...

View All

DISTRIBUTED WAN SECURITY GATEWAY

First Claim

3 Assignments

0 Petitions

Accused Products

Abstract

121 Citations

21 Claims

Specification

Solutions

Use Cases

Quick Links

DISTRIBUTED WAN SECURITY GATEWAY

First Claim

3 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

121 Citations

21 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links