Automated dynamic tunnel management
1 Assignment
0 Petitions
Abstract
Systems, methods and apparatus for tunneling in a cloud based security system. In an aspect, tunnel session data describing authentication and unauthenticated sessions, and location data describing tunnel identifiers for tunnels, locations, and security policies specific to the locations are accessed. Tunnel packets are received, and for each tunnel packet it is determined, from the tunnel identifier associated with the packet, whether a session entry in the session data exists for the tunnel identified by the tunnel identifier. In response to determining that a session entry does not exist in the session data, then a session entry is created for the tunnel identifier, an authentication process to determine a location to be associated with the session entry is performed, and an entry in the location data for the location is associated with the session entry.
123 Citations
23 Claims
1. A system, comprising:
  a data processing apparatus in a distributed security system external to a plurality of logically independent internet protocol (IP) networks, wherein at least one or more tunneling communications protocol communications channels are established between the plurality of logically independent IP networks;
  a memory store in data communication with the data processing apparatus and storing:
    tunnel session data storing a session entry for each of a plurality of tunnel sessions for corresponding tunnels, each session entry describing an authentication status, the authentication status for each tunnel session being one of authenticated or unauthenticated;
    wherein user requests from the plurality of logically independent IP networks are routed through one of the plurality of tunnels to the distributed security system for processing therein;
    location data describing, for each of a plurality of locations:
      tunnels associated with the location and that provide data communication between the data processing apparatus and the logically independent IP networks; and
      security policies specific to the location and to be applied to traffic communicated over the tunnels associated with the location unauthenticated;
  computer-readable instructions executable by the data processing apparatus and that upon execution cause the data processing apparatus to perform operations comprising:
    receiving tunnel packets for the logically independent networks in data communication with the data processing apparatus;
    for each received tunnel packet:
      determining, from a tunnel identifier received as part of the tunnel packet and identifying a tunnel from which the packet was received, whether a session entry in the session data exists for the tunnel;
      in response to determining that a session entry does not exist in the session data, creating a session entry for the tunnel, performing an authentication process to determine a location to be associated with the session entry, and associating an entry in the location data for the location with the session entry, wherein the authentication process comprises marking the tunnel as unauthenticated for a predefined period of time while observing the tunnel for a certain number of one or more transactions to determine whether one or more conditions are met for authentication, and wherein the predefined period of time is greater than at least one transaction;
      in response to determining that a session entry exists in the session data, determining whether an authentication status indicates the tunnel session is authenticated or unauthenticated; and
      in response to determining that an authentication expiration event has occurred, changing the authentication status to unauthenticated.
  Dependent claims: 2, 3, 4, 5, 6, 7
8. A system, comprising:
  a data processing apparatus in a distributed security system external to a plurality of logically independent internet protocol (IP) networks, wherein at least one or more tunneling communications protocol communications channels are established between the plurality of logically independent IP networks;
  a memory store in data communication with the data processing apparatus and storing:
    tunnel session data storing a session entry for each of a plurality of tunnel sessions for corresponding tunnels, each session entry describing an authentication status, the authentication status for each tunnel session being one of authenticated or unauthenticated;
    wherein user requests from the plurality of logically independent IP networks are routed through one of the plurality of tunnels to the distributed security system for processing therein;
    location data describing, for each of a plurality of locations:
      tunnels associated with the location and that provide data communication between the data processing apparatus and the logically independent IP networks; and
      security policies specific to the location and to be applied to traffic communicated over the tunnels associated with the location;
  computer-readable instructions executable by the data processing apparatus and that upon execution cause the data processing apparatus to perform operations comprising:
    in response to a tunnel packet arrival, determining for the packet a session entry status and a location entry status in the tunnel session data and the location data, respectively;
    in response to determining the existence of a session entry and a location entry in the tunnel session data and the location data, respectively, requesting a location certificate from a client device associated with the tunnel packet;
    in response to determining the existence of a session entry and an absence of a location entry in the tunnel session data and the location data, respectively, requesting a location certificate from a client device associated with the tunnel packet;
    in response to determining the absence of a session entry and the existence of a location entry in the tunnel session data and the location data, respectively, creating a corresponding session entry in the tunnel session data structure and requesting a location certificate from a client device associated with the tunnel packet, wherein the tunnel session is marked as unauthenticated for a predefined period of time while observing the tunnel for a certain number of one or more transactions to determine whether one or more conditions are met for authentication, and wherein the predefined period of time is greater than at least one transaction; and
    in response to determining the absence of a session entry and the absence of a location entry in the tunnel session data and the location data, respectively, creating a corresponding session entry in the tunnel session data structure and requesting a location certificate from a client device associated with the tunnel packet, wherein the tunnel session is marked as unauthenticated for a predefined period of time while observing the tunnel for a certain number of one or more transactions to determine whether one or more conditions are met for authentication, and wherein the predefined period of time is greater than at least one transaction.
  Dependent claims: 9, 10, 11, 12, 13
14. A method performed by a data processing apparatus, comprising:
  accessing tunnel session data storing a session entry for each of a plurality of tunnel sessions for corresponding tunnels, each session entry describing an authentication status, the authentication status for each tunnel session being one of authenticated or unauthenticated;
  accessing location data describing, for each of a plurality of locations:
    tunnels associated with the location and that provide data communication between the data processing apparatus in a distributed security system and logically independent Internet Protocol (IP) networks therefrom, wherein user requests from the plurality of logically independent IP networks are routed through one of the plurality of tunnels to the distributed security system for processing therein, and wherein at least one or more tunneling communications protocol communications channels are established between the plurality of logically independent IP networks; and
    security policies specific to the location and to be applied to traffic communicated over the tunnels associated with the location;
  receiving tunnel packets for the logically independent networks in data communication with the data processing apparatus;
  for each received tunnel packet:
    determining, from a tunnel identifier received as part of the tunnel packet and identifying a tunnel from which the packet was received, whether a session entry in the session data exists for the tunnel; and
    in response to determining that a session entry does not exist in the session data, creating a session entry for the tunnel, performing an authentication process to determine a location to be associated with the session entry, and associating an entry in the location data for the location with the session entry, wherein the authentication process comprises marking the tunnel as unauthenticated for a predefined period of time while observing the tunnel for a certain number of one or more transactions to determine whether one or more conditions are met for authentication, and wherein the predefined period of time is greater than at least one transaction;
    in response to determining that a session entry exists in the session data, determining whether an authentication status indicates the tunnel session is authenticated or unauthenticated; and
    in response to determining that an authentication expiration event has occurred, changing the authentication status to unauthenticated.
  Dependent claims: 15, 16, 17, 18
19. A method, comprising:
  accessing tunnel session data storing a session entry for each of a plurality of tunnel sessions for corresponding tunnels, each session entry describing an authentication status, the authentication status for each tunnel session being one of authenticated or unauthenticated;
  accessing location data describing, for each of a plurality of locations:
    tunnels associated with the location and that provide data communication between the data processing apparatus in a distributed security system and logically independent Internet Protocol (IP) networks therefrom, wherein user requests from the plurality of logically independent IP networks are routed through one of the plurality of tunnels to the distributed security system for processing therein, and wherein at least one or more tunneling communications protocol communications channels are established between the plurality of logically independent IP networks; and
    security policies specific to the location and to be applied to traffic communicated over the tunnels associated with the location;
  in response to a tunnel packet arrival, determining for the packet a session entry status and a location entry status in the tunnel session data and the location data, respectively;
  in response to determining the existence of a session entry and a location entry in the tunnel session data and the location data, respectively, requesting a location certificate from a client device associated with the tunnel packet;
  in response to determining the existence of a session entry and an absence of a location entry in the tunnel session data and the location data, respectively, requesting a location certificate from a client device associated with the tunnel packet;
  in response to determining the absence of a session entry and the existence of a location entry in the tunnel session data and the location data, respectively, creating a corresponding session entry in the tunnel session data structure and requesting a location certificate from a client device associated with the tunnel packet, wherein the tunnel session is marked as unauthenticated for a predefined period of time while observing the tunnel for a certain number of one or more transactions to determine whether one or more conditions are met for authentication, and wherein the predefined period of time is greater than at least one transaction; and
  in response to determining the absence of a session entry and the absence of a location entry in the tunnel session data and the location data, respectively, creating a corresponding session entry in the tunnel session data structure and requesting a location certificate from a client device associated with the tunnel packet, wherein the tunnel session is marked as unauthenticated for a predefined period of time while observing the tunnel for a certain number of one or more transactions to determine whether one or more conditions are met for authentication, and wherein the predefined period of time is greater than at least one transaction.
  Dependent claims: 20, 21, 22, 23
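The per-packet logic that claims 1, 8, 14 and 19 share (session lookup by tunnel identifier, session creation, the unauthenticated observation window, the certificate request in each session/location combination, and the expiration event), modelled as an added Python example that is not code from the patent or its assignee. The class and field names, the window length, the transaction count and the "condition met" flag are assumptions; the claims specify none of them.

```python
from dataclasses import dataclass, field
from typing import Optional

AUTH_WINDOW = 30.0  # predefined observation period in seconds (assumed value)
MIN_TXNS = 3        # transactions observed before a decision is made (assumed value)

@dataclass
class Session:               # one entry in the tunnel session data
    tunnel_id: str
    window_start: float
    status: str = "unauthenticated"
    observed: int = 0        # transactions seen in the current observation window
    passed: int = 0          # of those, how many met the authentication condition
    location: Optional[str] = None

@dataclass
class TunnelManager:
    # location data: location -> {"tunnels": {tunnel ids}, "policies": [policy names]}
    location_data: dict
    sessions: dict = field(default_factory=dict)   # tunnel session data, keyed by tunnel id

    def handle_packet(self, tunnel_id, now, condition_met=True):
        """Process one tunnel packet; returns (actions, status, policies to apply)."""
        actions = []
        sess = self.sessions.get(tunnel_id)
        if sess is None:                         # no session entry yet: create one
            sess = self.sessions[tunnel_id] = Session(tunnel_id, now)
            actions.append("create_session")
        if sess.location is None:                # a location entry may exist or be absent
            sess.location = next((loc for loc, e in self.location_data.items()
                                  if tunnel_id in e["tunnels"]), None)
        if sess.status == "unauthenticated":
            actions.append("request_location_certificate")   # claim 8: in every combination
            sess.observed += 1
            sess.passed += int(condition_met)
            if now - sess.window_start >= AUTH_WINDOW:       # unauthenticated for the whole window
                ok = bool(sess.location) and sess.observed >= MIN_TXNS and sess.passed == sess.observed
                sess.status = "authenticated" if ok else "unauthenticated"
                if not ok:                       # conditions not met: open a fresh window
                    sess.window_start, sess.observed, sess.passed = now, 0, 0
        policies = self.location_data[sess.location]["policies"] if sess.location else []
        return actions, sess.status, policies

    def expire(self, tunnel_id, now):
        """Authentication expiration event: drop the tunnel back to unauthenticated."""
        sess = self.sessions[tunnel_id]
        sess.status, sess.window_start, sess.observed, sess.passed = "unauthenticated", now, 0, 0
```

A tunnel with no location entry never leaves the unauthenticated state and receives no location policies, which is the safe default the claims imply for traffic whose origin has not been established.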
Specification