Method and apparatus for providing security in an intranet network
First Claim
Patent Images
1. A method for providing security in a virtual private network, comprising:
- defining, by a processor of a customer edge router, a protected server group, wherein the protected server group identifies a subset of all customer endpoint devices in the virtual private network, wherein the subset includes a server within the virtual private network to be protected;
receiving, by the processor, a packet;
applying, by the processor, an inbound access control list to the packet if the packet is destined to a server in the protected server group, wherein the inbound access control list comprises an inbound list of internet protocol addresses that may not be accessed by the protected server group, wherein the applying inbound access control list comprises;
determining the packet is destined to the server in the protected server group, and the packet comprises a message which is allowed to proceed to the server in the protected server group; and
creating a bypass entry in an outbound access control list to permit return traffic from the server in the protected server group, wherein the bypass entry is valid for a predetermined period of time for a stateless session; and
applying, by the processor, the outbound access control list to the packet if the packet is from the server in the protected server group, wherein the outbound access control list comprises an outbound list of internet protocol addresses that the protected server group may initiate a session with, wherein the applying the outbound access control list comprises;
determining that the packet is from the server in the protected server group and that the packet is sent without being solicited; and
blocking a transmission of the packet that is sent without being solicited.
1 Assignment
0 Petitions
Accused Products
Abstract
A method and an apparatus for providing security in an intranet network are disclosed. For example, the method receives a packet at a customer edge router, and applies an inbound access control list by the customer edge router to the packet if the packet is destined to a server in a protected server group, wherein said protected server group identifies one or more servers within the intranet network to be protected. The method applies an outbound access control list by the customer edge router to the packet if the packet is from a server in the protected server group.
-
Citations
10 Claims
-
1. A method for providing security in a virtual private network, comprising:
-
defining, by a processor of a customer edge router, a protected server group, wherein the protected server group identifies a subset of all customer endpoint devices in the virtual private network, wherein the subset includes a server within the virtual private network to be protected; receiving, by the processor, a packet; applying, by the processor, an inbound access control list to the packet if the packet is destined to a server in the protected server group, wherein the inbound access control list comprises an inbound list of internet protocol addresses that may not be accessed by the protected server group, wherein the applying inbound access control list comprises; determining the packet is destined to the server in the protected server group, and the packet comprises a message which is allowed to proceed to the server in the protected server group; and creating a bypass entry in an outbound access control list to permit return traffic from the server in the protected server group, wherein the bypass entry is valid for a predetermined period of time for a stateless session; and applying, by the processor, the outbound access control list to the packet if the packet is from the server in the protected server group, wherein the outbound access control list comprises an outbound list of internet protocol addresses that the protected server group may initiate a session with, wherein the applying the outbound access control list comprises; determining that the packet is from the server in the protected server group and that the packet is sent without being solicited; and blocking a transmission of the packet that is sent without being solicited.
-
-
2. The method of claim 1, further comprising:
allowing the packet to proceed towards its destination if the packet is not to or from the server in the protected server group.
-
3. The method of claim 1, further comprising:
determining if the server in the protected server group has been compromised by monitoring a request from the server for creating a session.
-
4. The method of claim 1, further comprising:
detecting a denial of service attack by monitoring a number of half open sessions from a customer endpoint device to the server in the protected server group.
-
5. A non-transitory computer-readable medium storing a plurality of instructions which, when executed by a processor of a customer edge router, cause the processor to perform operations for providing security in a virtual private network, the operations comprising:
-
defining a protected server group, wherein the protected server group identifies a subset of all customer endpoint devices in the virtual private network, wherein the subset includes a server within the virtual private network to be protected; receiving a packet; applying an inbound access control list to the packet if the packet is destined to a server in the protected server group, wherein the inbound access control list comprises an inbound list of internet protocol addresses that may not be accessed by the protected server group, wherein the applying inbound access control list comprises; determining the packet is destined to the server in the protected server group, and the packet comprises a message which is allowed to proceed to the server in the protected server group; and creating a bypass entry in an outbound access control list to permit return traffic from the server in the protected server group, wherein the bypass entry is valid for a predetermined period of time for a stateless session; and applying the outbound access control list to the packet if the packet is from the server in the protected server group, wherein the outbound access control list comprises an outbound list of internet protocol addresses that the protected server group may initiate a session with, wherein the applying the outbound access control list comprises; determining that the packet is from the server in the protected server group and that the packet is sent without being solicited; and blocking a transmission of the packet that is sent without being solicited.
-
-
6. The non-transitory computer-readable medium of claim 5, further comprising:
allowing the packet to proceed towards its destination if the packet is not to or from the server in the protected server group.
-
7. The non-transitory computer-readable medium of claim 5, further comprising:
determining if the server in the protected server group has been compromised by monitoring a request from the server for creating a session.
-
8. The non-transitory computer-readable medium of claim 5, further comprising:
detecting a denial of service attack by monitoring a number of half open sessions from a customer endpoint device to the server in the protected server group.
-
9. An apparatus for providing security in a virtual private network, comprising:
-
a processor of a customer edge router; and a computer-readable medium storing a plurality of instructions which, when executed by the processor, cause the processor to perform operations, the operations comprising; defining a protected server group, wherein the protected server group identifies a subset of all customer endpoint devices in the virtual private network, wherein the subset includes a server within the virtual private network to be protected; receiving a packet; applying an inbound access control list to the packet if the packet is destined to a server in the protected server group, wherein the inbound access control list comprises an inbound list of internet protocol addresses that may not be accessed by the protected server group, wherein the applying inbound access control list comprises; determining the packet is destined to the server in the protected server group, and the packet comprises a message which is allowed to proceed to the server in the protected server group; and creating a bypass entry in an outbound access control list to permit return traffic from the server in the protected server group, wherein the bypass entry is valid for a predetermined period of time for a stateless session; and applying the outbound access control list to the packet if the packet is from the server in the protected server group, wherein the outbound access control list comprises an outbound list of internet protocol addresses that the protected server group may initiate a session with, wherein the applying the outbound access control list comprises; determining that the packet is from the server in the protected server group and that the packet is sent without being solicited; and blocking a transmission of the packet that is sent without being solicited.
-
-
10. The apparatus of claim 9, wherein the method further comprises:
allowing the packet to proceed towards its destination if the packet is not to or from the server in the protected server group.
Specification