Method and systems for routing packets from a gateway to an endpoint
Abstract
A method for routing packets from a gateway to an endpoint includes the step of associating a private internet protocol (IP) address with an endpoint having a public IP address. A packet addressed to the private IP address of the endpoint is captured. A policy is applied to the packet. The packet is transmitted to the public IP address of the endpoint, responsive to the application of the policy to the packet.
33 Claims
1. A method for routing packets from a gateway to an endpoint, the method comprising:
- (a) assigning, by an addressing element executing in user mode memory space of a gateway, a private internet protocol (IP) address of a private network to an endpoint having a public IP address, the gateway not providing the private IP address to the endpoint;
- (b) capturing, by a driver executing in kernel mode memory space of the gateway at a Media Access Control (MAC) layer, a packet from a server on the private network destined for an application of the endpoint communicated via a first transport layer connection between the gateway and the server, to forward to a management process executing in user mode memory space of the gateway, the management process having requested notification from the driver when a packet addressed to the private IP address of the endpoint arrives from the server;
- (c) applying, by a policy engine executing in user mode memory space of the gateway and in communication with the management process, a policy to the packet to determine whether to transmit the packet to the endpoint based on whether the packet originated from a trusted source;
- (d) modifying, by the addressing element executing in user mode memory space, responsive to the determination, the packet to be addressed to the public IP address of the endpoint; and
- (e) transmitting, by the gateway, the packet to the public IP address of the endpoint via a second transport layer connection between the gateway and a client application of the endpoint, responsive to the modification, the client application terminating a third transport layer connection with the application.
Dependent claims: 2, 3, 4, 5, 6, 7, 8.
9. A device for routing packets as a gateway to an endpoint, the device comprising:
- an addressing element, executing in user mode memory space of the device, assigning a private IP address of a private network to an endpoint having a public IP address, the addressing element not providing the private IP address to the endpoint;
- a receiver executing in kernel mode memory space, intercepting at a Media Access Control (MAC) layer of the device, a packet from the server destined for an application of the endpoint, to forward to a management process executing in user mode memory space, the management process having requested notification from the receiver when a packet addressed to the private IP address of the endpoint arrives from a server on the private network, the receiver intercepting the packet communicated via a first transport layer connection between the device and the server;
- a policy engine executing in user mode memory space in communication with the management process, receiving the packet, and applying a policy to the packet to determine whether to transmit the packet to the endpoint based on whether the packet originated from a trusted source, wherein the addressing element executing in user mode memory space modifies the packet to be addressed to the public IP address of the endpoint responsive to the determination; and
- a transmitter in communication with the addressing element, transmitting the packet to the endpoint via a second transport layer connection between the device and a client application of the endpoint, responsive to the modification, the client application terminating a third transport layer connection with the application.
Dependent claims: 10, 11, 12, 13, 14, 15, 16, 17, 18, 19, 20, 21, 22, 23, 24, 25, 26.
27. A system for routing packets from a gateway to an endpoint, the system comprising:
- a gateway, in communication with an endpoint on a public network and a server on a private network, an addressing element, executing in user mode memory space of the gateway, assigning a private internet protocol (IP) address of the private network with a public IP address of the endpoint on the public network and establishing a first transport layer connection with the server, the gateway not providing the private IP address to the endpoint;
- a driver executing in kernel mode memory space of the gateway, intercepting at a Media Access Control (MAC) layer, a packet from a server destined for an application of the endpoint, the packet communicated via the first transport layer connection, to forward to a management process executing in user mode memory space of the gateway, the management process having requested notification from the driver when a packet addressed to the private IP address of the endpoint arrives from the server;
- a policy engine executing in user mode memory space of the gateway and in communication with the management process, applying a policy to the packet to determine whether to transmit the packet to the endpoint based on whether the packet originated from a trusted source; and
- wherein the addressing element executing in user mode memory space modifies the packet to be addressed to the public IP address of the endpoint responsive to the determination, and the gateway transmits the packet to the public IP address of the endpoint via a second transport layer connection between the gateway and a client application of the endpoint, responsive to the modification, the client application terminating a third transport layer connection with the application.
Dependent claims: 28, 29, 30, 31, 32.
33. A method for routing packets from a gateway to an endpoint, the method comprising:
- (a) receiving, by a gateway, a request to a server from an application of an endpoint, the application terminating a first transport layer connection with a client application at the endpoint, the client application having a second transport layer connection with the gateway, the gateway having a third transport layer connection with the server in a private network;
- (b) capturing, by a driver executing in kernel mode memory space of the gateway at a Media Access Control (MAC) layer, a packet from the server communicated via the third transport layer connection, to forward to a management process executing in user mode memory space of the gateway, the management process having requested notification from the driver when a packet addressed to a private internet protocol (IP) address of the endpoint arrives from the server;
- (c) applying, by a policy engine executing in user mode memory space of the gateway and in communication with the management process, a policy to determine whether to transmit the packet to the endpoint based on whether the packet originated from a trusted source;
- (d) modifying, by an addressing element executing in user mode memory space of the gateway, the packet to be addressed to a public IP address of the endpoint responsive to the determination; and
- (e) transmitting, by the gateway via the second transport layer connection, the packet to the public IP address of the endpoint responsive to the modification, the packet destined for the application via the first transport layer connection, wherein the addressing element assigns the public IP address to the endpoint having the private IP address and does not provide the private IP address to the endpoint.
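The gateway flow that claims 1 and 33 describe (assign a private IP to the endpoint internally, capture a server packet addressed to that private IP, apply a trusted-source policy, re-address the packet to the endpoint's public IP), modelled as an added Python example. This is not the patent's or any vendor's code; the raw IPv4 header handling, the private address pool and the trusted-server set are assumptions made to show the steps concretely on constructed packets.

```python
import ipaddress
import struct

# Constructed model of the claimed gateway flow (example code added here, not
# the patent's implementation): the addressing element keeps the private->public
# table, the policy engine keeps the trusted-source set, and handle_server_packet
# performs the capture / policy / re-address / transmit steps on a raw IPv4 packet.

def ipv4_checksum(header: bytes) -> int:
    """One's-complement checksum over the IPv4 header; 0 when the header is valid."""
    total = sum(struct.unpack("!%dH" % (len(header) // 2), header))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF

def build_ipv4(src: str, dst: str, payload: bytes, proto: int = 6) -> bytes:
    """Minimal 20-byte IPv4 header plus payload, used as constructed test input."""
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), 0, 0, 64, proto,
                      0, ipaddress.IPv4Address(src).packed, ipaddress.IPv4Address(dst).packed)
    hdr = hdr[:10] + struct.pack("!H", ipv4_checksum(hdr)) + hdr[12:]
    return hdr + payload

class Gateway:
    def __init__(self, private_pool, trusted_servers):
        self._pool = list(private_pool)        # unassigned private IPs (assumed pool)
        self._private_to_public = {}           # addressing element's table
        self._trusted = set(trusted_servers)   # policy engine: trusted source IPs

    def assign_private_ip(self, public_ip: str) -> str:
        """Step (a): bind a private IP to the endpoint; the endpoint never sees it."""
        private_ip = self._pool.pop(0)
        self._private_to_public[private_ip] = public_ip
        return private_ip

    def handle_server_packet(self, pkt: bytes):
        """Steps (b)-(e): return the re-addressed packet, or None if it is dropped."""
        ihl = (pkt[0] & 0x0F) * 4
        src = str(ipaddress.IPv4Address(pkt[12:16]))
        dst = str(ipaddress.IPv4Address(pkt[16:20]))
        public_ip = self._private_to_public.get(dst)
        if public_ip is None:        # not addressed to an assigned private IP
            return None
        if src not in self._trusted: # policy: packet not from a trusted source, drop
            return None
        hdr = bytearray(pkt[:ihl])
        hdr[16:20] = ipaddress.IPv4Address(public_ip).packed
        hdr[10:12] = b"\x00\x00"     # zero the checksum before recomputing it
        hdr[10:12] = struct.pack("!H", ipv4_checksum(bytes(hdr)))
        return bytes(hdr) + pkt[ihl:]
```

The transport-layer connections in the claims are left out of the model; the block shows only the address mapping, the policy decision and the header rewrite that the management process would perform on a captured packet.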