Virtual security interface

US 8,104,082 B2
Filed: 09/29/2006
Issued: 01/24/2012
Est. Priority Date: 09/29/2006
Status: Active Grant

First Claim

Patent Images

1. A network security method for exchanging IP packets and IP tunnel packets between secured networks, the method comprising:

determining first and second packets received from a first secured network are addressed to a virtual security interface that represents, logically, a plurality of security interfaces to a second secured network;

when the first and second packets are addressed to the virtual security interface, establishing at a first one of the plurality of security interfaces, a first secured network connection between the first secured network and the second secured network;

responding to a network condition by establishing, at a second one of the plurality of security interfaces, at least one second secured network connection between the first secured network and the second secured network, the at least one second secured network connection being logically the same as the first secured network connection;

sending the first and second packets to the second secured network using both the first and the at least one second secured network connections; and

wherein the first and the at least one second secured network connections are established using the address of the virtual security interface to which the first and second packets are addressed rather than using the addresses of the first and second security interfaces to conserve addresses.

View all claims

12 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

In some networking situations, securing an inner packet of a tunnel packet requires an intermediary networking device knowing a destination address of the secured inner packet. Consequently, an identity of a secured network is known to others and presents a security risk. The provided technique addresses this risk by: i) establishing at a first security interface a first secured network connection between a first and second secured network, the connection established for a first packet addressed to a virtual security interface and destined for the second secured network; and ii) responding to a network condition by establishing at a second security interface at least one second secured network connection between the first and second secured network, the connection established for a second packet addressed to the virtual security interface and destined for the second secured network.

59 Citations

View as Search Results

20 Claims

1. A network security method for exchanging IP packets and IP tunnel packets between secured networks, the method comprising:
- determining first and second packets received from a first secured network are addressed to a virtual security interface that represents, logically, a plurality of security interfaces to a second secured network;
  
  when the first and second packets are addressed to the virtual security interface, establishing at a first one of the plurality of security interfaces, a first secured network connection between the first secured network and the second secured network;
  
  responding to a network condition by establishing, at a second one of the plurality of security interfaces, at least one second secured network connection between the first secured network and the second secured network, the at least one second secured network connection being logically the same as the first secured network connection;
  
  sending the first and second packets to the second secured network using both the first and the at least one second secured network connections; and
  
  wherein the first and the at least one second secured network connections are established using the address of the virtual security interface to which the first and second packets are addressed rather than using the addresses of the first and second security interfaces to conserve addresses.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10)
- - 2. The method of claim 1 further comprising sharing a security policy between the plurality of security interfaces, the first secured network connection and the at least one second secured network connection established according to the shared security policy.
  - 3. The method of claim 1 wherein the responding includes offloading a network security burden from the first secured network connection to the at least one second secured network connection.
  - 4. The method of claim 1 wherein the responding includes balancing a network load from the first secured network connection to the at least one second secured network connection.
  - 5. The method of claim 1 wherein the responding includes resiliently routing from the first secured network connection to the at least one second secured network connection.
  - 6. The method of claim 1 wherein the establishings includes securing a packet from the first secured network to the second secured network.
  - 7. The method of claim 6 wherein the securing includes de-encrypting and authenticating a packet from a secured network according a security policy.
  - 8. The method of claim 6 wherein the securing includes encrypting and authenticating a packet from a secured network according a security policy.
  - 9. The method of claim 1 wherein the establishing at the first one of the plurality of security interfaces includes de-encapsulating a tunnel packet addressed to the virtual security interface.
  - 10. The method of claim 1 wherein the establishing at the second one of the plurality of security interfaces includes encapsulating a packet with a tunnel header addressed from the virtual security interface

11. A network security system to exchange IP packets and IP tunnel packets between secured networks, the system comprising:
- a virtual security interface configured to determine whether first and second packets received from a first secured network are addressed to the virtual security interface that represents, logically, a plurality of security interfaces to a second secured network;
  
  a first security interface configured to;
  
  i) establish a first secured network connection between the first secured network and a second secured network when the first and second packets are addressed to the virtual security, and ii) send the first packet to the second secured network using the first secured network connection;
  
  a second security interface configured to;
  
  i) establish a second secured network connection between the first secured network and the second secured network in response to a network condition, the second secured network connection being logically the same as the first secured network connection, and ii) send the second packet to the second secured network using the second secured network connection; and
  
  wherein the first and the at least one second secured network connections are established using the address of the virtual security interface to which the first and second packets are addressed rather than using the addresses of the first and second security interfaces to conserve addresses.
- View Dependent Claims (12, 13, 15, 16, 17, 18, 19, 20)
- - 12. The network security system of claim 11 wherein the first and second security interfaces each includes:
    - an encapsulator configured to add to a packet a tunnel header addressed from the virtual security interface;
      
      a de-encapsulator configured to remove from a tunnel packet a tunnel header addressed to the virtual security interface;
      
      an encryptor operative coupled to the encapsulator, the encryptor configured to encrypt a packet from a secured network;
      
      an de-encryptor operative coupled to the de-encapsulator, the de-encryptor configured to de-encrypt a packet; and
      
      an authenticator operatively coupled to the encryptor and the de-encryptor configured to authenticate a packet.
  - 13. The network security system of claim 11 further comprising a proxy configured to answer requests for an address of the virtual security interface with addresses of the first and second security interfaces.
  - 15. The network security system of claim 11 wherein the virtual security interface is further configured to share a security policy between the plurality of security interfaces, the first secured network connection and the at least one second secured network connection established according to the shared security policy.
  - 16. The network security system of claim 11 wherein the virtual security interface is further configured to offload a network security burden from the first secured network connection to the at least one second secured network connection.
  - 17. The network security system of claim 11 wherein the virtual security interface is further configured to balance a network load from the first secured network connection to the at least one second secured network connection.
  - 18. The network security system of claim 11 wherein the virtual security interface is further configured to resiliently route from the first secured network connection to the at least one second secured network connection.
  - 19. The network security system of claim 11 wherein the virtual security interface is further configured to secure a packet from the first secured network to the second secured network.
  - 20. The network security system of claim 19 wherein the virtual security interface is configured to secure the packet by encrypting and authenticating the packet from a secured network according a security policy.

14. A computer program product comprising:
- a non-transitory machine-accessible and readable device embodying computer usable code for network security for exchanging IP packets and IP tunnel packets between secured networks, wherein the computer usable code when executed by a computer causes the computer to;
  
  determine whether first and second packets received from a first secured network are addressed to a virtual security interface that represents, logically, a plurality of security interfaces to a second secured network;
  
  establish at a first one of the plurality of security interfaces, a first secured network connection between the first secured network and the second secured network for the first packet, the first secured network connection being established when the first and second packets are addressed to the virtual security interface;
  
  respond to a network condition by establishing, at a second one of the plurality of security interfaces, at least one second secured network connection between the first secured network and the second secured network for the second packet, the at least one second secured network connection being logically the same as the first secured network connection;
  
  send the first and second packets to the second secured network using both the first and the at least one second secured network connections; and
  
  wherein the first and the at least one second secured network connections are established using the address of the virtual security interface to which the first and second packets are addressed rather than using the addresses of the first and second security interfaces to conserve addresses.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Certes Networks, Inc.
Original Assignee
Certes Networks, Inc.
Inventors
McAlister, Donald
Primary Examiner(s)
ZIA, SYED

Application Number

US11/540,496
Publication Number

US 20080104692A1
Time in Patent Office

1,943 Days
Field of Search

None
US Class Current

726/15
CPC Class Codes

H04L 63/20 for managing network securi...

Virtual security interface

First Claim

12 Assignments

0 Petitions

Accused Products

Abstract

59 Citations

20 Claims

Specification

Solutions

Use Cases

Quick Links

Virtual security interface

First Claim

12 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

59 Citations

20 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links