Distributed, multi-tenant virtual private network cloud systems and methods for mobile security and policy enforcement
First Claim
1. A network system, comprising:
plural mobile devices communicatively coupled to one or more networks; and
a node communicatively coupled to each of the plural mobile devices via the one or more networks, wherein the node is configured to perform security analysis and policy enforcement on traffic associated with the plural mobile devices;
a plurality of nodes in addition to the node, wherein the plurality of nodes are communicatively coupled to the one or more networks;
wherein each of the plural mobile devices is automatically resolved to a nearest of the node and the plurality of nodes based on a Domain Name System address;
wherein each of the plural mobile devices is communicatively coupled to the node via a virtual private network connection that provides all browser and application generated traffic associated with each of the plural mobile devices to be inspected without requiring platform-specific applications on each of the plural mobile devices for inspecting the traffic;
wherein the node is part of a distributed security system in a cloud that is located external from the one or more networks associated with each of the plural mobile devices and one or more enterprise networks thereby providing the security analysis and policy enforcement in the cloud and not on the plural mobile devices; and
wherein the distributed security system provides real-time inspection in the cloud for all browser and application generated traffic of each of the plural mobile devices without requiring signature updates on each of the plural mobile devices.
Abstract
The present disclosure provides distributed, multi-tenant Virtual Private Network (VPN) cloud systems and methods for mobile security and user-based policy enforcement. In an exemplary embodiment, plural mobile devices are configured to connect to one or more enforcement or processing nodes over VPN connections. The enforcement or processing nodes are configured to perform content filtering, policy enforcement, and the like on some or all of the traffic from the mobile devices. The present invention is described as multi-tenant because it can connect to plural clients across different companies with different policies in a single distributed system. Advantageously, the present invention allows smartphone and tablet users to protect themselves from mobile malware without requiring security applications on the device. It allows administrators to seamlessly enforce policy for a user regardless of the device or network they are connecting from, as well as to get granular visibility into the user's network behavior.
161 Citations
12 Claims
10. A node, comprising:
a network interface communicatively coupled to a network and at least one additional node, wherein the node and the at least one additional node are part of a distributed security system in a cloud;
a data store;
a processor communicatively coupled to the network interface and the data store;
wherein the node is configured to:
establish virtual private network tunnels between plural mobile devices, wherein each virtual private network tunnel for each of the plural mobile devices is configured to provide all browser and application generated traffic associated with a mobile device to be inspected without requiring platform-specific applications on the mobile device for inspecting the traffic;
inspect data from the plural mobile devices to the Internet; and
filter data from the Internet to the plural mobile devices;
wherein the distributed security system is located external from one or more networks associated with each of the plural mobile devices and one or more enterprise networks thereby providing the security analysis and policy enforcement in the cloud and not on the plural mobile devices;
wherein the node is communicatively coupled to a central authority over the network, the central authority configured to provide policy and security information to the node, and the node configured to provide user statistics to the central authority; and
wherein the distributed security system provides real-time inspection in the cloud for all browser and application generated traffic of each of the plural mobile devices without requiring signature updates on each of the plural mobile devices.

11. A method, comprising:
obtaining a mobile device;
provisioning the mobile device to communicate on a network via a virtual private network tunnel to an enforcement node that is part of a distributed security system in a cloud;
sending a data request to an external network via the mobile device, wherein the data request is sent via the virtual private network tunnel to the enforcement node, wherein the distributed security system is located externally from the external network and from one or more networks associated with the mobile device, and wherein the data request comprises one of browser and application generated traffic; and
at the enforcement node, enforcing policy on the data request, forwarding the data request to the external network, receiving data responsive to the data request, filtering the data responsive to the data request, and transmitting the data responsive to the data request to the mobile device, wherein the virtual private network tunnel provides all browser and application generated traffic associated with the mobile device to be inspected by the enforcement node without requiring platform-specific applications on the mobile device for inspecting the traffic; and
wherein the distributed security system provides real-time inspection in the cloud for all browser and application generated traffic of the mobile device without requiring signature updates on the mobile device.
Specification