Load balancing secure sockets layer accelerator

US 7,853,781 B2
Filed: 07/06/2001
Issued: 12/14/2010
Est. Priority Date: 07/06/2001
Status: Active Grant

First Claim

Patent Images

1. A load balancing acceleration device, comprising:

a processor, memory and communications interface;

a TCP communications manager capable of interacting with a plurality of client devices and server devices simultaneously via the communications interface;

a secure communications manager to negotiate a secure communication session with one of the client devices;

an encryption and decryption engine instructing the processor to decrypt data received via the secure communication session and direct the decrypted data to one of said server devices via a second communication session; and

a load balancing engine associating each of said client devices with a respective one of said server devices based on calculated processing loads of each said server devices,wherein the decryption engine and the load balancing engine bypass an application layer of a network stack by decrypting the data from the secure communication sessions of the clients and outputting the decrypted data to the associated server devices without processing the data with the application layer of the network stack.

View all claims

2 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

A load balancing SSL acceleration device. The device includes a processor, memory and communications interface. A TCP communications manager capable of interacting with a plurality of client devices and server devices simultaneously is provided, along with a secure communications manager. The apparatus further includes an encryption and decryption engine instructing the processor to encrypt data from a secure communications session and direct it to said second communication session. Still further, the apparatus includes a load balancing engine associating ones of said client devices with ones of said servers for a communications session based on calculated processing loads of each said server. In a further aspect, a method for performing SSL acceleration of data communications between a plurality of customer devices attempting to communicate with an enterprise having a plurality of servers is disclosed.

59 Citations

View as Search Results

24 Claims

1. A load balancing acceleration device, comprising:
- a processor, memory and communications interface;
  
  a TCP communications manager capable of interacting with a plurality of client devices and server devices simultaneously via the communications interface;
  
  a secure communications manager to negotiate a secure communication session with one of the client devices;
  
  an encryption and decryption engine instructing the processor to decrypt data received via the secure communication session and direct the decrypted data to one of said server devices via a second communication session; and
  
  a load balancing engine associating each of said client devices with a respective one of said server devices based on calculated processing loads of each said server devices,wherein the decryption engine and the load balancing engine bypass an application layer of a network stack by decrypting the data from the secure communication sessions of the clients and outputting the decrypted data to the associated server devices without processing the data with the application layer of the network stack.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12)
- - 2. The device of claim 1 wherein the TCP communications manager provides an IP address of an enterprise to said secure communications manager, and each of said plurality of servers devices is associated with the enterprise.
  - 3. The device of claim 2 wherein the secure communications manager negotiates a secure communication session with each of said plurality of client devices over an open network.
  - 4. The device of claim 3 wherein the TCP communications manager negotiates a separate, open communications session with one of the plurality of servers devices associated with the enterprise for each secure communications session negotiated with the client devices based on the associations of said client devices to said server devices by said load balancing engines.
  - 5. The device of claim 1 wherein the encryption and decryption engine decrypts the data on a packet level by decrypting packet data received on the communications interface via the secure communications session to extract a secure record, decrypting application data from the secure record in the packet data, and outputting the decrypted application data from the secure record to the one of said server devices via the second communication session without processing the application data with the application layer of the network stack.
  - 6. The device of claim 5 wherein the load-balancing engine selects the second communication session.
  - 7. The device of claim 1 wherein the TCP communications manager responds to TCP communications negotiations directly for an enterprise.
  - 8. The device of claim 1,wherein the TCP communications manager receives packets from the client devices, andwherein the TCP communications manager changes destination IP addresses for the packets to IP addresses for the server devices.
  - 9. The device of claim 8,wherein the TCP communications manager maintains TCP communication sessions with the server devices, andwherein the secure communications manager negotiates a secure communication session for each TCP communications session.
  - 10. The device of claim 9 wherein the secure communications manager responds to all secure communications with each client device.
  - 11. The device of claim 9 wherein the secure communications manager changes a destination IP address for each packet to a server IP address.
  - 12. The device of claim 1, wherein the device comprises a network router.

13. A method for performing acceleration of data communications between a plurality of customer devices attempting to communicate with an enterprise having a plurality of servers, comprising:
- providing an intermediate acceleration device enabled for secure communication with the customer devices, wherein the acceleration device has an IP address associated with the enterprise;
  
  receiving with the acceleration device communications directed to the enterprise in a secure protocol from one of the customer devices;
  
  decrypting data packets of the secure protocol with the acceleration device to provide decrypted packet data;
  
  without processing the data packets with an application layer of a network stack, selecting with the acceleration device at least one of the plurality of servers in the enterprise based on a load calculation including processing sessions of other servers in the enterprise and associating the selected server with a communications session from the one of the clients; and
  
  forwarding the decrypted packet data from the acceleration device to the selected server of the enterprise.
- View Dependent Claims (14, 15, 16, 17, 18, 19, 20, 21, 22, 23, 24)
- - 14. The method of claim 13 further including the steps of:
    - receiving application data from the selected server of the enterprise;
      
      encrypting the application data received from the selected server; and
      
      forwarding encrypted application data to the customer device.
  - 15. The method of claim 13 wherein the step of receiving communications directed to the enterprise includes receiving with the device communications having a destination IP address of the enterprise.
  - 16. The method of claim 13 further including the step of negotiating the secure protocol session with the customer device by responding as the enterprise to the customer devices.
  - 17. The method of claim 13 further wherein the step of forwarding comprises:
    - modifying a destination IP address of data packets from an IP address associated with the enterprise IP to an IP address for the selected server.
  - 18. The method of claim 13 wherein the step of forwarding comprises:
    - establishing an open communication session from the acceleration device to the selected server, andmapping the decrypted packet data to the open communication session established with the selected server.
  - 19. The method of claim 18 wherein the open communication session is established via a secure network.
  - 20. The method of claim 13 wherein the step of receiving comprises:
    - receiving encrypted data having a length greater than a TCP segment carrying said data; and
      
      wherein said step of decrypting comprises;
      
      buffering the encrypted data in a memory buffer in the acceleration device, the buffer having a length equivalent to the block cipher size necessary to perform the cipher; and
      
      decrypting the buffered segment of the received encrypted data to provide decrypted application data.
  - 21. The method of claim 20 further including the step of authenticating the data on receipt of a final TCP segment on a packet level without processing the application data with the application layer of the network stack.
  - 22. The method of claim 20 further including the step of generating an alert if said step of authenticating results in a failure.
  - 23. The method of claim 13, wherein decrypting data packets comprises decrypting the data packets at a packet level of the network stack.
  - 24. The method of claim 13, wherein decrypting data packets comprises:
    - decrypting the data packets to extract a secure record,decrypting application data from the secure record, andauthenticating the application data without processing the application data with the application layer of the network stack.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Juniper Networks Incorporated
Original Assignee
Juniper Networks Incorporated
Inventors
Gannesan, Elango, Freed, Michael
Primary Examiner(s)
Moorthy; Aravind K

Application Number

US09/900,494
Publication Number

US 20030014650A1
Time in Patent Office

3,448 Days
Field of Search

713/200, 713/150, 713151-153, 713/160, 713/165, 713/168, 713/189, 726/3, 726/12
US Class Current

713/151
CPC Class Codes

H04L 2463/102   applying security measure f...

H04L 63/0281   Proxies

H04L 63/0471   applying encryption by an i...

H04L 63/0853   using an additional device,...

H04L 63/166   at the transport layer

H04L 67/1001   for accessing one among a p...

H04L 67/10015   Access to distributed or re...

H04L 67/1008   based on parameters of serv...

H04L 9/40   Network security protocols

Load balancing secure sockets layer accelerator

First Claim

2 Assignments

0 Petitions

Accused Products

Abstract

59 Citations

24 Claims

Specification

Solutions

Use Cases

Quick Links

Load balancing secure sockets layer accelerator

First Claim

2 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

59 Citations

24 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links