Network architecture for secure data communications

US 8,631,134 B2
Filed: 07/30/2008
Issued: 01/14/2014
Est. Priority Date: 07/30/2008
Status: Active Grant

First Claim

Patent Images

1. A method for secure data communications, comprising:

receiving an indication of a data communication from a device in an external network to a perimeter network, wherein the perimeter network includes one or more external edge nodes, one or more internal edge nodes and a plurality of proxy servers connected between the one or more external edge nodes and the one or more internal edge nodes;

selecting one of the plurality of proxy servers to receive the data communication via a first secure connection, wherein each of the plurality of proxy servers in the plurality of proxy servers is configured with configuration information such that the device connected to the external network is unable to discern said proxy server from the other of said plurality of proxy servers;

receiving a portion of the data communication over the first secure connection via the one or more external edge nodes and the selected proxy server;

establishing a second secure connection between the selected proxy server and an internal network, wherein establishing the second secure connection comprises providing the associated configuration information by the selected proxy server to the internal network via the one or more internal edge nodes;

transmitting the portion of the data communication from the selected proxy server to the internal network over the second secure connection;

determining that the selected proxy server is unavailable;

selecting another proxy server of the plurality of proxy servers to receive a remaining portion of the data communication over the first secure connection; and

transmitting the remaining portion of the data communication from the another proxy server to the internal network over the second secure connection,wherein the configuration information includes a digital certificate in each of the plurality of proxy servers and wherein the method further compriseswhen the first secure connection or the second secure connection is not successfully established, determining whether one of the plurality of proxy servers is unavailable;

when one of the plurality of proxy servers is unavailable, removing the unavailable proxy server from a list of available proxy servers; and

establishing the first secure connection or the second secure connection with one of the plurality of proxy servers on the list of available proxy servers.

View all claims

1 Assignment

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

A network architecture includes a perimeter network connected between an internal network and an external network. The perimeter network includes one or more external edge nodes that are connected to the external network and a plurality of proxy servers that are each connected to one or more of the external edge nodes. One or more internal edge nodes are connected between the plurality of proxy servers and the internal network. The proxy servers are operable to establish a first secure connection between a destination through the external network and a second secure connection to a destination in the internal network. Each of the plurality of proxy servers provide a substantially identical identification for authentication when establishing the first and second secure connections.

Citations

21 Claims

1. A method for secure data communications, comprising:
- receiving an indication of a data communication from a device in an external network to a perimeter network, wherein the perimeter network includes one or more external edge nodes, one or more internal edge nodes and a plurality of proxy servers connected between the one or more external edge nodes and the one or more internal edge nodes;
  
  selecting one of the plurality of proxy servers to receive the data communication via a first secure connection, wherein each of the plurality of proxy servers in the plurality of proxy servers is configured with configuration information such that the device connected to the external network is unable to discern said proxy server from the other of said plurality of proxy servers;
  
  receiving a portion of the data communication over the first secure connection via the one or more external edge nodes and the selected proxy server;
  
  establishing a second secure connection between the selected proxy server and an internal network, wherein establishing the second secure connection comprises providing the associated configuration information by the selected proxy server to the internal network via the one or more internal edge nodes;
  
  transmitting the portion of the data communication from the selected proxy server to the internal network over the second secure connection;
  
  determining that the selected proxy server is unavailable;
  
  selecting another proxy server of the plurality of proxy servers to receive a remaining portion of the data communication over the first secure connection; and
  
  transmitting the remaining portion of the data communication from the another proxy server to the internal network over the second secure connection,wherein the configuration information includes a digital certificate in each of the plurality of proxy servers and wherein the method further compriseswhen the first secure connection or the second secure connection is not successfully established, determining whether one of the plurality of proxy servers is unavailable;
  
  when one of the plurality of proxy servers is unavailable, removing the unavailable proxy server from a list of available proxy servers; and
  
  establishing the first secure connection or the second secure connection with one of the plurality of proxy servers on the list of available proxy servers.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10)
- - 2. The method of claim 1, wherein selecting one of the plurality proxy servers to receive the data communication via the first secure connection comprises:
    - selecting one of a plurality of proxy servers to receive the data communication based on a list of available proxy servers for load balancing and a load balancing algorithm between the plurality of proxy servers.
  - 3. The method of claim 2, further comprising:
    - maintaining the list of available proxy servers for load balancing; and
      
      when one of the plurality of proxy servers becomes unavailable, removing the unavailable proxy server from the list of available proxy servers for load balancing.
  - 4. The method of claim 3, wherein each of the one or more external edge nodes maintains the list of available proxy servers for load balancing and selects one of the plurality of proxy servers to receive the data communication based on the list of available proxy servers for load balancing and a load balancing algorithm.
  - 5. The method of claim 3, wherein one or more load balancing nodes connected between the one or more external edge nodes and the plurality of proxy servers maintains the list of available proxy servers for load balancing and selects one of the plurality of proxy servers to receive the data communication based on the list of available proxy servers for load balancing and a load balancing algorithm.
  - 6. The method of claim 3, wherein each of the plurality of proxy servers includes a cluster management module that maintains the list of available proxy servers for load balancing and selects one of the plurality of proxy servers to receive the data communication based on the list of available proxy servers for load balancing and a load balancing algorithm.
  - 7. The method of claim 1 wherein the first secure connection is formed using a secure connection protocol that includes encryption.
  - 8. The method of claim 7 wherein the configuration information further comprises an identity of the proxy server forming the first secure connection and the proxy server'"'"'s public encryption key.
  - 9. The method of claim 1 wherein the second secure connection is established using a secure connection protocol with mutual authentication and encryption.
  - 10. The method of claim 9, further comprising:
    - monitoring the status of an unavailable proxy server; and
      
      adding the proxy server back to the list of available proxy servers when the proxy server becomes available again.

11. A network system, comprising:
- one or more external edge nodes connected to an external network;
  
  one or more internal edge nodes connected to an internal network; and
  
  a plurality of proxy servers connected between the external edge nodes and the internal edge nodes, wherein the system is configured to;
  
  receive an indication of a data communication from a device in the external network to a perimeter network, wherein the perimeter network includes the one or more external edge nodes, the one or more internal edge nodes and the plurality of proxy servers connected between the one or more external edge nodes and the one or more internal edge nodes;
  
  select one of the plurality of proxy servers to receive the data communication via a first secure connection, wherein each of the plurality of proxy servers in the plurality of proxy servers is configured with configuration information such that the device connected to the external network is unable to discern said proxy server from the other of said plurality of proxy servers;
  
  establish the first secure connection between the selected proxy server and the external network, wherein establishing the first secure connection comprises identifying the selected proxy server to the external network by providing the associated configuration information to the external network via the one or more external edge nodes;
  
  receive a portion of the data communication over the first secure connection via the one or more external edge nodes and the selected proxy server;
  
  establish a second secure connection between the selected proxy server and an internal network, wherein establishing the second secure connection comprises providing the associated configuration information by the selected proxy server to the internal network via the one or more internal edge nodes;
  
  transmit the portion of the data communication from the selected proxy server to the internal network over the second secure connection;
  
  determine that the selected proxy server is unavailable during receiving at least the portion of the data communication over the first secure connection;
  
  select another proxy server of the plurality of proxy servers to receive a remaining portion of the data communication over the first secure connection; and
  
  transmit the remaining portion of the data communication from the another proxy server to the internal network over the second secure connection,wherein the configuration information includes a digital certificate in each of the plurality of proxy servers and wherein the system is further configured to;
  
  when the first secure connection or the second secure connection is not successfully established, determine whether one of the plurality of proxy servers is unavailable;
  
  when one of the plurality of proxy servers is unavailable, remove the unavailable proxy server from a list of available proxy servers; and
  
  establish the first secure connection or the second secure connection with one of the plurality of proxy servers on the list of available proxy servers.
- View Dependent Claims (12, 13, 14, 15, 16, 17, 18, 19, 20, 21)
- - 12. The network system of claim 11, wherein each of the one or more external edge nodes is configured to maintain a list of available proxy servers for load balancing and to select one of the plurality of proxy servers to receive the data communications over the first secure connection based on the list of available proxy servers for load balancing and a load balancing algorithm.
  - 13. The network system of claim 12, wherein each of the one or more external edge nodes is operable to monitor the status of the plurality of proxy servers and, when one of the plurality of proxy servers becomes unavailable, to remove the unavailable proxy server from the list of available proxy servers for load balancing.
  - 14. The network system of claim 13, wherein each of the one or more internal edge nodes is configured to maintain a list of available proxy servers for load balancing and to select one of the plurality of proxy servers to receive the data communications over the second secure connection based on the list of available proxy servers for load balancing and a load balancing algorithm.
  - 15. The network system of claim 11, further comprising:
    - a first one or more load balancing nodes connected between the one or more external edge nodes and the plurality of proxy servers, wherein the first one or more load balancing nodes are configured to maintain a list of available proxy servers for load balancing and to select one of the plurality of proxy servers to receive the data communications over the first secure connection based on the list of available proxy servers for load balancing and a load balancing algorithm.
  - 16. The network system of claim 15, further comprising:
    - a second one or more load balancing nodes connected between the plurality of proxy servers and the one or more internal edge nodes, wherein the second one or more load balancing nodes are configured to maintain a list of available proxy servers for load balancing and to select one of the plurality of proxy servers to receive the data communications over the second secure connection based on the list of available proxy servers for load balancing and a load balancing algorithm.
  - 17. The network system of claim 11, wherein each of the plurality of proxy servers includes a cluster management module that maintains a list of available proxy servers and selects one of the plurality of proxy servers to receive data communications based on the list of available proxy servers.
  - 18. The network system of claim 11, further comprising:
    - a management server connected to the plurality of proxy servers, wherein the management server is operable to configure each of the plurality of proxy servers with the configuration information for establishing the first and second secure connections.
  - 19. The network system of claim 18, wherein the management server includes:
    - a configuration database that stores the configuration information for each of the plurality of proxy servers; and
      
      a directory database of authorized users of the internal network.
  - 20. The network system of claim 19 wherein the management server provides audit trails and reports on the secure communications with the plurality of proxy servers.
  - 21. The network system of claim 18 wherein the selected proxy server provides status indications relating to the first and second secure connections to the management server.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Visa USA, Inc. (Visa, Inc.)
Original Assignee
Visa USA, Inc. (Visa, Inc.)
Inventors
Ceragioli, Dennis M., Jeyaraj, Melvin
Primary Examiner(s)
Swearingen, Jeffrey R
Assistant Examiner(s)
ELFERVIG, TAYLOR A

Application Number

US12/182,613
Publication Number

US 20100030839A1
Time in Patent Office

1,994 Days
Field of Search

709/201, 709/225, 709/227, 709/238, 709/245
US Class Current

709/227
CPC Class Codes

H04L 63/0218   Distributed architectures, ...

H04L 63/0281   Proxies

H04L 63/0471   applying encryption by an i...

H04L 63/0823   using certificates cryptogr...

H04L 63/166   at the transport layer

H04L 63/20   for managing network securi...

H04L 67/1036   Load balancing of requests ...

Network architecture for secure data communications

First Claim

1 Assignment

0 Petitions

Accused Products

Abstract

Citations

21 Claims

Specification

Solutions

Use Cases

Quick Links

Network architecture for secure data communications

First Claim

1 Assignment

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

Citations

21 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links