Apparatus, systems and methods for secure and selective access to services in hybrid public-private infrastructures

US 8,843,998 B2
Filed: 11/25/2011
Issued: 09/23/2014
Est. Priority Date: 06/27/2011
Status: Active Grant

First Claim

Patent Images

1. A processor-implemented method comprising:

establishing at least one secure tunnel between a first proxy, wherein the first proxy is identified by a first network address and a first port number on a private infrastructure, and a second proxy associated with a distributed computing application executing on a public cloud infrastructure, wherein the second proxy is identified by a second network address and a second port number;

limiting access requests received from the distributed application to at least one selected application service from a plurality of application services available on the private infrastructure, wherein the access requests are initiated using the second network address and second port number, wherein limiting access comprises;

receiving by the first proxy, the access requests from the distributed computing application, wherein the distributed computing application is configured with access information comprising the second network address and the second port number to access the at least one selected application service through the second proxy over the secure tunnel upon verification that the distributed computing application is authorized to access the second network address and second port number, the access requests comprising the first network address and first port number, whereinthe first proxy determines if the access requests are for the at least one selected application service and limits the forwarding of access requests to those access requests specifically directed to the at least one selected service by disabling forwarding of access requests not directed to the at least one selected application service.

View all claims

4 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

Embodiments of apparatus, systems and methods facilitate deployment of distributed computing applications on hybrid public-private infrastructures by facilitating secure access to selected services running on private infrastructures by distributed computing applications running on public cloud infrastructures. In some embodiments, a secure tunnel may be established between proxy processes on the public and private infrastructures and communication between the distributed computing application and the selected services may occur through the proxy processes over the secure tunnel.

52 Citations

View as Search Results

16 Claims

1. A processor-implemented method comprising:
- establishing at least one secure tunnel between a first proxy, wherein the first proxy is identified by a first network address and a first port number on a private infrastructure, and a second proxy associated with a distributed computing application executing on a public cloud infrastructure, wherein the second proxy is identified by a second network address and a second port number;
  
  limiting access requests received from the distributed application to at least one selected application service from a plurality of application services available on the private infrastructure, wherein the access requests are initiated using the second network address and second port number, wherein limiting access comprises;
  
  receiving by the first proxy, the access requests from the distributed computing application, wherein the distributed computing application is configured with access information comprising the second network address and the second port number to access the at least one selected application service through the second proxy over the secure tunnel upon verification that the distributed computing application is authorized to access the second network address and second port number, the access requests comprising the first network address and first port number, whereinthe first proxy determines if the access requests are for the at least one selected application service and limits the forwarding of access requests to those access requests specifically directed to the at least one selected service by disabling forwarding of access requests not directed to the at least one selected application service.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9)
- - 2. The processor-implemented method of claim 1, further comprising:
    - receiving a response to the access request from the at least one selected application service at the first proxy; and
      
      sending the response from the first proxy to the second proxy over the secure tunnel using the second network address and second port number.
  - 3. The processor-implemented method of claim 1, wherein the distributed computing application is a cloud-specific implementation for the public cloud infrastructure, the cloud-specific implementation derived from an infrastructure independent representation of the distributed computing application.
  - 4. The processor-implemented method of claim 3, wherein the cloud-specific implementation of the distributed computing application for the public cloud infrastructure is realized by utilizing a library of program routines that implement system and pattern primitives on the public cloud infrastructure.
  - 5. The processor-implemented method of claim 1, wherein the at least one selected application service comprises one or more of a licensing service, a database access service, a user authentication service, a workflow-integration service, a remote service accessible over http, or a remote service accessible over remote method invocation (“
    - rmi”
      
      ) protocol.
  - 6. The processor-implemented method of claim 1, wherein the secure tunnel between the first proxy and second proxy is established using the https protocol.
  - 7. The processor-implemented method of claim 1, wherein the public cloud infrastructure is one of Amazon EC2, Terremark vCloud, Rackspace Cloudserver, Microsoft Azure, or Savvis.
  - 8. The processor-implemented method of claim 1, wherein the first proxy is configured as a virtual appliance.
  - 9. The processor-implemented method of claim 1, wherein the private infrastructure is protected by a firewall.

10. A system comprising:
- a private infrastructure comprising a processor and memory, the private infrastructure capable of hosting at least one selected application service of a plurality of application services available on the first infrastructure;
  
  a first proxy accessible over a public network, the first proxy being identified by a first network address and a first port number on a private infrastructure;
  
  a secure tunnel between the first proxy and a second proxy associated with a distributed computing application executing on a public cloud infrastructure, wherein the second proxy is identified by a second network address and a second port number;
  
  wherein;
  
  the first proxy receives access requests comprising the first network address and first port number over the secure tunnel from a distributed computing application, wherein the distributed computing application is configured with access information comprising the second network address and the second port number to access at least one selected application service upon verification that the distributed computing application is authorized to access the second network address and second port number, andthe first proxy determines if the access requests are for the at least one selected application service and limits the forwarding of access requests to those directed to the at least one selected application service by disabling forwarding of access requests not directed to the at least one selected application service.
- View Dependent Claims (11, 12, 13, 14)
- - 11. The system of claim 10, wherein the first proxy and the second proxy are accessible over the Internet.
  - 12. The system of claim 10, wherein the secure tunnel between the first proxy and the second proxy is established using the https protocol.
  - 13. The system of claim 10, wherein:
    - the first proxy receives a response to the access request from the at least one selected application service; and
      
      the first proxy sends the response to the second proxy over the secure tunnel using the second network address and port number.
  - 14. The system of claim 10, wherein the at least one selected application service comprises one or more of a licensing service, a database access service, a user authentication service, a workflow-integration service, a remote service accessible over http, or a remote service accessible over remote method invocation (“
    - rmi”
      
      ) protocol.

15. A non-transitory computer-readable medium comprising instructions, which when executed by a computer perform steps in a method , the computer implemented steps comprising:
- establishing at least one secure tunnel between a first proxy, wherein the first proxy is identified by a first network address and a first port number on a private infrastructure, and a second proxy associated with a distributed computing application executing on a public cloud infrastructure wherein the second proxy is identified by a second network address and a second port number;
  
  limiting access requests by the distributed computing application to at least one selected application service from a plurality of services available on the private infrastructure, wherein the access requests are initiated using the second network address and the second port number, wherein limiting access further comprises;
  
  receiving by the first proxy, the access requests from the distributed computing application, wherein the distributed computing application is configured with access information comprising the second network address and the second port number to access the at least one selected application service through the second proxy over the secure tunnel upon verification that the distributed computing application is authorized to access the second network address and second port number, the access requests comprising the first network address and the first port number, and whereinthe first proxy determines if the access requests are for the at least one selected application service and limits the forwarding of access requests specifically to the to those access requests directed to the at least one selected one application service by disabling forwarding of access requests not directed to the at least one selected application service.
- View Dependent Claims (16)
- - 16. The computer-readable medium of claim 15, further comprising:
    - receiving a response to the access request from the at least one selected application service at the first proxy; and
      
      sending the response from the first proxy to the second proxy over the secure tunnel using the second network address and the second port number.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Cisco Technology, Inc. (Cisco Systems, Inc.)
Original Assignee
CliQr Technologies, Inc. (Cisco Systems, Inc.)
Inventors
Fu, Tianying, Manglik, Gaurav, Zhu, Xuefeng
Primary Examiner(s)
Mehedi, Morshed
Assistant Examiner(s)
LYNCH, SHARON S

Application Number

US13/304,582
Publication Number

US 20120331528A1
Time in Patent Office

1,033 Days
Field of Search

726/7, 718/1
US Class Current

726/3
CPC Class Codes

H04L 63/0272   Virtual private networks

H04L 63/029   Firewall traversal, e.g. tu...

H04L 67/10   in which an application is ...

Apparatus, systems and methods for secure and selective access to services in hybrid public-private infrastructures

First Claim

4 Assignments

0 Petitions

Accused Products

Abstract

52 Citations

16 Claims

Specification

Solutions

Use Cases

Quick Links

Apparatus, systems and methods for secure and selective access to services in hybrid public-private infrastructures

First Claim

4 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

52 Citations

16 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links