Virtual security interface
Abstract
In some networking situations, securing an inner packet of a tunnel packet requires that an intermediary networking device know the destination address of the secured inner packet. Consequently, the identity of a secured network is known to others and presents a security risk. The provided technique addresses this risk by: i) establishing, at a first security interface, a first secured network connection between a first and a second secured network, the connection established for a first packet addressed to a virtual security interface and destined for the second secured network; and ii) responding to a network condition by establishing, at a second security interface, at least one second secured network connection between the first and second secured network, the connection established for a second packet addressed to the virtual security interface and destined for the second secured network.
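The abstract and claim 1 describe a procedure: packets are handed to one virtual address, the first tunnel is set up on one member security interface, a network condition adds a second tunnel on another member interface that is logically the same connection, and every tunnel packet carries the virtual address rather than a member interface's address. The following Python model is an added illustration of that procedure, not code from the patent or its assignee; the addresses, the condition names, the round-robin distribution and the toy sealing construction (a SHA-256 keystream with an HMAC tag, standing in for a real AEAD) are all assumptions made for the demonstration.

```python
"""Toy model of a virtual security interface fronting several security interfaces.
Added example, not the patent's code; addresses, condition names and the sealing
construction are assumptions."""
import hashlib
import hmac
import os
from dataclasses import dataclass


@dataclass
class Packet:
    src: str        # host in the first secured network
    dst: str        # host in the second secured network (must not leak)
    next_hop: str   # address the first network hands the packet to
    payload: bytes


@dataclass
class TunnelPacket:
    outer_src: str      # what an intermediary sees: the virtual address only
    outer_dst: str
    connection_id: int  # one logical connection shared by every member tunnel
    sealed: bytes       # nonce || ciphertext || tag


def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    out, counter = b"", 0
    while len(out) < length:
        out += hashlib.sha256(key + nonce + counter.to_bytes(4, "big")).digest()
        counter += 1
    return out[:length]


def seal(key: bytes, inner: bytes) -> bytes:
    """Toy confidentiality+integrity wrap for the inner packet (demo only, not an AEAD)."""
    nonce = os.urandom(16)
    ct = bytes(a ^ b for a, b in zip(inner, _keystream(key, nonce, len(inner))))
    return nonce + ct + hmac.new(key, nonce + ct, hashlib.sha256).digest()


def unseal(key: bytes, blob: bytes) -> bytes:
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    if not hmac.compare_digest(tag, hmac.new(key, nonce + ct, hashlib.sha256).digest()):
        raise ValueError("tunnel packet failed integrity check")
    return bytes(a ^ b for a, b in zip(ct, _keystream(key, nonce, len(ct))))


class SecurityInterface:
    """One physical security interface; its own address never appears on the wire."""
    def __init__(self, address: str):
        self.address = address
        self.tunnels_sent = 0


class VirtualSecurityInterface:
    def __init__(self, address, members, peer_address, key):
        self.address = address         # the single address the first network uses
        self.members = list(members)   # the plurality it logically represents
        self.peer = peer_address       # virtual address on the other secured network
        self.key = key
        self.connection_id = 1         # one logical connection, possibly N tunnels
        self.active = []               # member interfaces carrying that connection
        self._turn = 0

    def addressed_to_me(self, pkt: Packet) -> bool:
        return pkt.next_hop == self.address

    def establish(self, member: SecurityInterface) -> SecurityInterface:
        if member not in self.active:
            self.active.append(member)
        return member

    def on_network_condition(self, condition: str):
        """Assumed condition names; each adds one more logically identical tunnel."""
        if condition in ("congestion", "link_degraded", "failover"):
            for m in self.members:
                if m not in self.active:
                    return self.establish(m)
        return None

    def send(self, pkt: Packet) -> TunnelPacket:
        if not self.addressed_to_me(pkt):
            raise ValueError("packet not addressed to the virtual security interface")
        if not self.active:                     # first packet: first connection
            self.establish(self.members[0])
        member = self.active[self._turn % len(self.active)]   # spread over tunnels
        self._turn += 1
        member.tunnels_sent += 1
        inner = f"{pkt.src}>{pkt.dst}|".encode() + pkt.payload
        return TunnelPacket(self.address, self.peer, self.connection_id, seal(self.key, inner))

    def receive(self, tp: TunnelPacket) -> Packet:
        """Peer-side decapsulation: same key and connection id whichever tunnel carried it."""
        if tp.outer_dst != self.address or tp.connection_id != self.connection_id:
            raise ValueError("not for this virtual interface or connection")
        header, payload = unseal(self.key, tp.sealed).split(b"|", 1)
        src, dst = header.decode().split(">")
        return Packet(src, dst, self.address, payload)


def demo():
    key = b"\x01" * 32  # constructed demo key shared by both virtual interfaces
    vsi = VirtualSecurityInterface("203.0.113.10", [SecurityInterface("10.0.0.11"),
                                   SecurityInterface("10.0.0.12")], "198.51.100.10", key)
    peer = VirtualSecurityInterface("198.51.100.10", [SecurityInterface("10.1.0.11")],
                                    "203.0.113.10", key)
    t1 = vsi.send(Packet("192.168.1.5", "192.168.2.7", "203.0.113.10", b"first"))
    vsi.on_network_condition("congestion")   # second tunnel, same logical connection
    t2 = vsi.send(Packet("192.168.1.5", "192.168.2.7", "203.0.113.10", b"second"))
    return vsi, peer, t1, t2
```

Running `demo()` shows the point the abstract makes: both tunnel packets carry `203.0.113.10` as outer source, the member addresses `10.0.0.11`/`10.0.0.12` and the inner destination `192.168.2.7` never appear unsealed, and the peer decapsulates either packet with the same key and connection id, so the second tunnel really is "logically the same" connection.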
20 Claims
1. A network security method for exchanging IP packets and IP tunnel packets between secured networks, the method comprising:
determining first and second packets received from a first secured network are addressed to a virtual security interface that represents, logically, a plurality of security interfaces to a second secured network;
when the first and second packets are addressed to the virtual security interface, establishing at a first one of the plurality of security interfaces, a first secured network connection between the first secured network and the second secured network;
responding to a network condition by establishing, at a second one of the plurality of security interfaces, at least one second secured network connection between the first secured network and the second secured network, the at least one second secured network connection being logically the same as the first secured network connection;
sending the first and second packets to the second secured network using both the first and the at least one second secured network connections; and
wherein the first and the at least one second secured network connections are established using the address of the virtual security interface to which the first and second packets are addressed rather than using the addresses of the first and second security interfaces to conserve addresses.
Dependent claims: 2, 3, 4, 5, 6, 7, 8, 9, 10

11. A network security system to exchange IP packets and IP tunnel packets between secured networks, the system comprising:
a virtual security interface configured to determine whether first and second packets received from a first secured network are addressed to the virtual security interface that represents, logically, a plurality of security interfaces to a second secured network;
a first security interface configured to: i) establish a first secured network connection between the first secured network and a second secured network when the first and second packets are addressed to the virtual security interface, and ii) send the first packet to the second secured network using the first secured network connection;
a second security interface configured to: i) establish a second secured network connection between the first secured network and the second secured network in response to a network condition, the second secured network connection being logically the same as the first secured network connection, and ii) send the second packet to the second secured network using the second secured network connection; and
wherein the first and the at least one second secured network connections are established using the address of the virtual security interface to which the first and second packets are addressed rather than using the addresses of the first and second security interfaces to conserve addresses.
Dependent claims: 12, 13, 15, 16, 17, 18, 19, 20

14. A computer program product comprising:
a non-transitory machine-accessible and readable device embodying computer usable code for network security for exchanging IP packets and IP tunnel packets between secured networks, wherein the computer usable code when executed by a computer causes the computer to:
determine whether first and second packets received from a first secured network are addressed to a virtual security interface that represents, logically, a plurality of security interfaces to a second secured network;
establish at a first one of the plurality of security interfaces, a first secured network connection between the first secured network and the second secured network for the first packet, the first secured network connection being established when the first and second packets are addressed to the virtual security interface;
respond to a network condition by establishing, at a second one of the plurality of security interfaces, at least one second secured network connection between the first secured network and the second secured network for the second packet, the at least one second secured network connection being logically the same as the first secured network connection;
send the first and second packets to the second secured network using both the first and the at least one second secured network connections; and
wherein the first and the at least one second secured network connections are established using the address of the virtual security interface to which the first and second packets are addressed rather than using the addresses of the first and second security interfaces to conserve addresses.

Specification