Automated dynamic tunnel management

US 8,458,786 B1
Filed: 08/13/2010
Issued: 06/04/2013
Est. Priority Date: 08/13/2010
Status: Active Grant

First Claim

Patent Images

1. A system, comprising:

a data processing apparatus in a distributed security system external to a plurality of logically independent internet protocol (IP) networks, wherein at least one or more tunneling communications protocol communications channels are established between the plurality of logically independent IP networks;

a memory store in data communication with the data processing apparatus and storing;

tunnel session data storing a session entry for each of a plurality of tunnels sessions for corresponding tunnels, each session entry describing an authentication status, the authentication status for each tunnel session being one of authenticated or unauthenticated;

wherein user requests from the plurality of logically independent IP networks are routed through one of the plurality of tunnels to the distributed security system for processing therein;

location data describing, for each of a plurality of locations;

tunnels associated with the location and that provide data communication between the data processing apparatus and the logically independent IP networks; and

security policies specific to the location and to be applied to traffic communicated over the tunnels associated with the location unauthenticated;

computer-readable instructions executable by the data processing apparatus and that upon execution cause the data processing apparatus to perform operations comprising;

receiving tunnel packets for the logically independent networks in data communication with the data processing apparatus;

for each received tunnel packet;

determining, from a tunnel identifier received as part of tunnel packet and identifying a tunnel from which the packet was received, whether a session entry in the session data exists for the tunnel;

in response to determining that a session entry does not exist in the session data, then creating a session entry for the tunnel, performing an authentication process to determine a location to be associated with the session entry, and associating an entry in the location data for the location with the session entry, wherein the authentication process comprises marking the tunnel as unauthenticated for a predefined period of time while observing the tunnel for a certain number of one or more transactions to determine if one or more conditions are met for authentication, and wherein the predefined period of time is greater than at least one transaction;

in response to determining that a session entry exists in the session data, determining whether an authentication status indicates the tunnel session is authenticated or unauthenticated; and

in response to determining that an authentication expiration event has occurred, changing the authentication status to unauthenticated.

View all claims

1 Assignment

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

Systems, methods and apparatus for tunneling in a cloud based security system. In an aspect, tunnel session data describing authentication and unauthenticated sessions, and location data describing tunnel identifiers for tunnels, locations, and security policies specific to the locations are accessed. Tunnel packets are received, and for each tunnel packet it is determined, from the tunnel identifier associated with the packet, whether a session entry in the session data exists for the tunnel identified by the tunnel identifier. In response to determining that a session entry does not exist in the session data, then a session entry is created for the tunnel identifier, an authentication process to determine a location to be associated with the session entry is performed, and an entry in the location data for the location is associated with the session entry.

123 Citations

View as Search Results

23 Claims

1. A system, comprising:
- a data processing apparatus in a distributed security system external to a plurality of logically independent internet protocol (IP) networks, wherein at least one or more tunneling communications protocol communications channels are established between the plurality of logically independent IP networks;
  
  a memory store in data communication with the data processing apparatus and storing;
  
  tunnel session data storing a session entry for each of a plurality of tunnels sessions for corresponding tunnels, each session entry describing an authentication status, the authentication status for each tunnel session being one of authenticated or unauthenticated;
  
  wherein user requests from the plurality of logically independent IP networks are routed through one of the plurality of tunnels to the distributed security system for processing therein;
  
  location data describing, for each of a plurality of locations;
  
  tunnels associated with the location and that provide data communication between the data processing apparatus and the logically independent IP networks; and
  
  security policies specific to the location and to be applied to traffic communicated over the tunnels associated with the location unauthenticated;
  
  computer-readable instructions executable by the data processing apparatus and that upon execution cause the data processing apparatus to perform operations comprising;
  
  receiving tunnel packets for the logically independent networks in data communication with the data processing apparatus;
  
  for each received tunnel packet;
  
  determining, from a tunnel identifier received as part of tunnel packet and identifying a tunnel from which the packet was received, whether a session entry in the session data exists for the tunnel;
  
  in response to determining that a session entry does not exist in the session data, then creating a session entry for the tunnel, performing an authentication process to determine a location to be associated with the session entry, and associating an entry in the location data for the location with the session entry, wherein the authentication process comprises marking the tunnel as unauthenticated for a predefined period of time while observing the tunnel for a certain number of one or more transactions to determine if one or more conditions are met for authentication, and wherein the predefined period of time is greater than at least one transaction;
  
  in response to determining that a session entry exists in the session data, determining whether an authentication status indicates the tunnel session is authenticated or unauthenticated; and
  
  in response to determining that an authentication expiration event has occurred, changing the authentication status to unauthenticated.
- View Dependent Claims (2, 3, 4, 5, 6, 7)
- - 2. The system of claim 1, wherein changing the authentication status to unauthenticated in response to determining that an authentication expiration event has occurred comprises changing the authentication status to unauthenticated when a predetermined number of one or more transactions occur over the tunnel session.
  - 3. The system of claim 1, wherein changing the authentication status to unauthenticated in response to determining that an authentication expiration event has occurred comprises changing the authentication status to unauthenticated when a session timeout for the tunnel session occurs.
  - 4. The system of claim 1, wherein the tunnel sessions are Generic Routing Encapsulation (GRE) tunnel sessions.
  - 5. The system of claim 1, wherein the tunnel sessions are Secure Socket Tunneling Protocol (SSTP) sessions.
  - 6. The system of claim 1, wherein the tunnel identifier associated with a packet comprises a source IP address of the tunnel and a destination IP address of the tunnel.
  - 7. The system of claim 1, wherein the tunnel identifier associated with a packet comprises a location certificate that unique identifies the tunnel over which the IP packet was received.

8. A system, comprising:
- a data processing apparatus in a distributed security system external to a plurality of logically independent internet protocol (IP) networks, wherein at least one or more tunneling communications protocol communications channels are established between the plurality of logically independent IP networks;
  
  a memory store in data communication with the data processing apparatus and storing;
  
  tunnel session data storing a session entry for each of a plurality of tunnels sessions for corresponding tunnels, each session entry describing an authentication status, the authentication status for each tunnel session being one of authenticated or unauthenticated;
  
  wherein user requests from the plurality of logically independent IP networks are routed through one of the plurality of tunnels to the distributed security system for processing therein;
  
  location data describing, for each of a plurality of locations;
  
  tunnels associated with the location and that provide data communication between the data processing apparatus and the logically independent IP networks; and
  
  security policies specific to the location and to be applied to traffic communicated over the tunnels associated with the location;
  
  computer-readable instructions executable by the data processing apparatus and that upon execution cause the data processing apparatus to perform operations comprising;
  
  in response to a tunnel packet arrival, determining for the packet a session entry status and a location entry status in the tunnel session data and the location data, respectively;
  
  in response to determining the existence of a session entry and a location entry in the tunnel session data and the location data, respectively, requesting a location certificate from a client device associated with the tunnel packet respectively;
  
  in response to determining the existence of a session entry and an absence of a location entry in the tunnel session data and the location data, respectively, requesting a location certificate from a client device associated with the tunnel packet;
  
  in response to determining the absence of a session entry and the existence of a location entry in the tunnel session data and the location data, respectively, creating a corresponding session entry in the tunnel session data structure and requesting a location certificate from a client device associated with the tunnel packet, wherein the tunnel session is marked as unauthenticated for a predefined period of time while observing the tunnel for a certain number of one or more transactions to determine if one or more conditions are met for authentication, and wherein the predefined period of time is greater than at least one transaction; and
  
  in response to determining the absence of a session entry and the absence of a location entry in the tunnel session data and the location data, respectively, creating a corresponding session entry in the tunnel session data structure and requesting a location certificate from a client device associated with the tunnel packet, wherein the tunnel session is marked as unauthenticated for a predefined period of time while observing the tunnel for a certain number of one or more transactions to determine if one or more conditions are met for authentication, and wherein the predefined period of time is greater than at least one transaction.
- View Dependent Claims (9, 10, 11, 12, 13)
- - 9. The system of claim 8, wherein the instructions cause the data processing apparatus to perform operations comprising:
    - in response to a location certificate arrival, determining for the location certificate a session entry status and a location entry status in the tunnel session data and the location data, respectively;
      
      in response to determining the existence of a session entry and an absence of a location entry in the tunnel session data and the location data, respectively, creating a location entry in the location data and requesting a location certificate from a client device associated with the tunnel packet; and
      
      in response to determining the existence of a session entry and the existence of a location entry in the tunnel session data and the location data, respectively, binding the location entry to the session entry.
  - 10. The system of claim 9, wherein the instructions cause the data processing apparatus to perform operations comprising:
    - in response to an inactivity timeout for a session associated with a session entry in the session data and also associated with a location entry in the location data, disassociating the session entry from the location entry;
      
      in response to an inactivity timeout for a session associated with a session entry in the session data and not associated with a location entry in the location data, removing the session entry from the session data; and
      
      in response to an inactivity timeout for a location associated with a location entry in the location data and not associated with a session entry in the tunnel session data, removing the location entry from the location data.
  - 11. The system of claim 8, wherein the instructions cause the data processing apparatus to perform operations comprising:
    - in response to an inactivity timeout for a session associated with a session entry in the session data and also associated with a location entry in the location data, disassociating the session entry from the location entry;
      
      in response to an inactivity timeout for a session associated with a session entry in the session data and not associated with a location entry in the location data, removing the session entry from the session data; and
      
      in response to an inactivity timeout for a location associated with a location entry in the location data and not associated with a session entry in the tunnel session data, removing the location entry from the location data.
  - 12. The system of claim 8, wherein the tunnel session are Secure Socket Tunneling Protocol (SSTP) sessions.
  - 13. The system of claim 8, wherein the tunnel session are Generic Routing Encapsulation (GRE) sessions.

14. A method performed by a data processing apparatus, comprising:
- accessing tunnel session data storing a session entry for each of a plurality of tunnels sessions for corresponding tunnels, each session entry describing an authentication status, the authentication status for each tunnel session being one of authenticated or unauthenticated;
  
  accessing location data describing, for each of a plurality of locations;
  
  tunnels associated with the location and that provide data communication between the data processing apparatus in a distributed security system and logically independent Internet Protocol (IP) networks therefrom, wherein user requests from the plurality of logically independent IP networks are routed through one of the plurality of tunnels to the distributed security system for processing therein, and wherein at least one or more tunneling communications protocol communications channels are established between the plurality of logically independent IP networks; and
  
  security policies specific to the location and to be applied to traffic communicated over the tunnels associated with the location;
  
  receiving tunnel packets for the logically independent networks in data communication with the data processing apparatus;
  
  for each received tunnel packet;
  
  determining, from a tunnel identifier received as part of tunnel packet and identifying a tunnel from which the packet was received, whether a session entry in the session data exists for the tunnel; and
  
  in response to determining that a session entry does not exist in the session data, then creating a session entry for the tunnel, performing an authentication process to determine a location to be associated with the session entry, and associating an entry in the location data for the location with the session entry, wherein the authentication process comprises marking the tunnel as unauthenticated for a predefined period of time while observing the tunnel for a certain number of one or more transactions to determine if one or more conditions are met for authentication, and wherein the predefined period of time is greater than at least one transaction;
  
  in response to determining that a session entry exists in the session data, determining whether an authentication status indicates the tunnel session is authenticated or unauthenticated; and
  
  in response to determining that an authentication expiration event has occurred, changing the authentication status to unauthenticated.
- View Dependent Claims (15, 16, 17, 18)
- - 15. The method of claim 14, wherein changing the authentication status to unauthenticated in response to determining that an authentication expiration event has occurred comprises changing the authentication status to unauthenticated when a predetermined number of one or more transactions occur over the tunnel session.
  - 16. The method of claim 14, wherein the tunnel sessions are Generic Routing Encapsulation (GRE) tunnel sessions.
  - 17. The method of claim 14, wherein the tunnel identifier associated with a packet comprises a source IP address of the tunnel and a destination IP address of the tunnel.
  - 18. The method of claim 14, wherein the tunnel identifier associated with a packet comprises a location certificate that unique identifies the tunnel over which the IP packet was received.

19. A method, comprising:
- accessing tunnel session data storing a session entry for each of a plurality of tunnels sessions for corresponding tunnels, each session entry describing an authentication status, the authentication status for each tunnel session being one of authenticated or unauthenticated;
  
  accessing location data describing, for each of a plurality of locations;
  
  tunnels associated with the location and that provide data communication between the data processing apparatus in a distributed security system and logically independent Internet Protocol (IP) networks therefrom, wherein user requests from the plurality of logically independent IP networks are routed through one of the plurality of tunnels to the distributed security system for processing therein, and wherein at least one or more tunneling communications protocol communications channels are established between the plurality of logically independent IP networks; and
  
  security policies specific to the location and to be applied to traffic communicated over the tunnels associated with the location;
  
  in response to a tunnel packet arrival, determining for the packet a session entry status and a location entry status in the tunnel session data and the location data, respectively;
  
  in response to determining the existence of a session entry and a location entry in the tunnel session data and the location data, respectively, requesting a location certificate from a client device associated with the tunnel packet;
  
  in response to determining the existence of a session entry and an absence of a location entry in the tunnel session data and the location data, respectively, requesting a location certificate from a client device associated with the tunnel packet;
  
  in response to determining the absence of a session entry and the existence of a location entry in the tunnel session data and the location data, respectively, creating a corresponding session entry in the tunnel session data structure and requesting a location certificate from a client device associated with the tunnel packet, wherein the tunnel session is marked as unauthenticated for a predefined period of time while observing the tunnel for a certain number of one or more transactions to determine if one or more conditions are met for authentication, and wherein the predefined period of time is greater than at least one transaction; and
  
  in response to determining the absence of a session entry and the absence of a location entry in the tunnel session data and the location data, respectively, creating a corresponding session entry in the tunnel session data structure and requesting a location certificate from a client device associated with the tunnel packet, wherein the tunnel session is marked as unauthenticated for a predefined period of time while observing the tunnel for a certain number of one or more transactions to determine if one or more conditions are met for authentication, and wherein the predefined period of time is greater than at least one transaction.
- View Dependent Claims (20, 21, 22, 23)
- - 20. The method of claim 19, further comprising:
    - in response to a location certificate arrival, determining for the location certificate a session entry status and a location entry status in the tunnel session data and the location data, respectively;
      
      in response to determining the existence of a session entry and an absence of a location entry in the tunnel session data and the location data, respectively, creating a location entry in the location data and requesting a location certificate from a client device associated with the tunnel packet; and
      
      in response to determining the existence of a session entry and the existence of a location entry in the tunnel session data and the location data, respectively, binding the location entry to the session entry.
  - 21. The method of claim 19, further comprising:
    - in response to an inactivity timeout for a session associated with a session entry in the session data and also associated with a location entry in the location data, disassociating the session entry from the location entry;
      
      in response to an inactivity timeout for a session associated with a session entry in the session data and not associated with a location entry in the location data, removing the session entry from the session data; and
      
      in response to an inactivity timeout for a location associated with a location entry in the location data and not associated with a session entry in the tunnel session data, removing the location entry from the location data.
  - 22. The method of claim 19, further comprising:
    - in response to an inactivity timeout for a session associated with a session entry in the session data and also associated with a location entry in the location data, disassociating the session entry from the location entry;
      
      in response to an inactivity timeout for a session associated with a session entry in the session data and not associated with a location entry in the location data, removing the session entry from the session data; and
      
      in response to an inactivity timeout for a location associated with a location entry in the location data and not associated with a session entry in the tunnel session data, removing the location entry from the location data.
  - 23. The method of claim 19, wherein the tunnel session are Secure Socket Tunneling Protocol (SSTP) sessions.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Zscaler Incorporated
Original Assignee
Zscaler Incorporated
Inventors
Kailash, Kailash, Raphel, Jose, Devarajan, Srikanth
Primary Examiner(s)
Orgad, Edan
Assistant Examiner(s)
Baum, Ronald

Application Number

US12/856,425
Time in Patent Office

1,026 Days
Field of Search

726/14
US Class Current

726/14
CPC Class Codes

H04L 63/0272 Virtual private networks

Automated dynamic tunnel management

First Claim

1 Assignment

0 Petitions

Accused Products

Abstract

123 Citations

23 Claims

Specification

Solutions

Use Cases

Quick Links

Automated dynamic tunnel management

First Claim

1 Assignment

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

123 Citations

23 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links