Secure data transfer in a virtual environment

US 8,856,317 B2
Filed: 07/15/2010
Issued: 10/07/2014
Est. Priority Date: 07/15/2010
Status: Active Grant

First Claim

Patent Images

1. A method comprising:

receiving at one of a plurality of servers, a request from a client for a secure communication session comprising a Secure Socket Layer (SSL) or Transport Layer Security (TLS) session;

establishing said secure communication session directly between one of said plurality of servers and the client;

sharing context information associated with said secure communication session with a virtual context server in communication with said plurality of servers and operable to store said context information, said context information comprising a session identifier, a secret, and a session state, wherein said context information stored at the virtual context server is available to said plurality of servers to allow said secure communication session to move between said plurality of servers; and

moving said secure communication session with said client from one of said plurality of servers to another of said plurality of servers;

wherein said plurality of servers belong to a trusted group configured to have access to said secure communication session and said secret, said secret used in said secure communication session to provide data integrity and confidentiality.

View all claims

1 Assignment

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

In one embodiment, a method includes receiving at one of a plurality of servers, a request from a client for a secure communication session, storing context information associated with the secure communication session at a virtual context server in communication with the servers, and establishing the secure communication session between one of the servers and the client. The context information includes a session identifier, a secret, and a session state. The stored context information is available to the servers to allow the secure communication session to move between the servers. An apparatus for secure data transfer in a virtual environment is also disclosed.

7 Citations

View as Search Results

17 Claims

1. A method comprising:
- receiving at one of a plurality of servers, a request from a client for a secure communication session comprising a Secure Socket Layer (SSL) or Transport Layer Security (TLS) session;
  
  establishing said secure communication session directly between one of said plurality of servers and the client;
  
  sharing context information associated with said secure communication session with a virtual context server in communication with said plurality of servers and operable to store said context information, said context information comprising a session identifier, a secret, and a session state, wherein said context information stored at the virtual context server is available to said plurality of servers to allow said secure communication session to move between said plurality of servers; and
  
  moving said secure communication session with said client from one of said plurality of servers to another of said plurality of servers;
  
  wherein said plurality of servers belong to a trusted group configured to have access to said secure communication session and said secret, said secret used in said secure communication session to provide data integrity and confidentiality.
- View Dependent Claims (2, 3, 4, 5, 6)
- - 2. The method of claim 1 wherein said plurality of servers comprises physical servers located within a cloud network.
  - 3. The method of claim 1 wherein said plurality of servers comprises virtual machines located at one or more of the servers and configured to move between the servers.
  - 4. The method of claim 1 wherein said plurality of servers comprises one or more logical groups of physical servers.
  - 5. The method of claim 1 wherein at least one of said plurality of servers comprises a monitoring device for monitoring traffic over said secure communication session.
  - 6. The method of claim 1 wherein the virtual context server comprises a session context server and a redundant context store.

7. An apparatus comprising:
- a processor for receiving at one of a plurality of servers, a request from a client for a secure communication session comprising a Secure Socket Layer (SSL) or Transport Layer Security (TLS) session, establishing said secure communication session directly between one of said plurality of servers and the client, and sharing context information associated with said secure communication session with a virtual context server in communication with said plurality of servers and operable to store said context information, said context information comprising a session identifier, a secret, and a session state; and
  
  memory for at least temporarily storing said context information;
  
  wherein the virtual context server shares said context information with said plurality of servers to allow said secure communication session to move between said plurality of servers; and
  
  wherein the apparatus is operable to belong to a trusted group comprising said plurality of servers and configured to have access to said secure communication session and said secret, said secret configured for use in said secure communication session to provide data integrity and confidentiality.
- View Dependent Claims (8, 9, 10, 11, 12, 13)
- - 8. The apparatus of claim 7 wherein said plurality of servers comprises physical servers located within a cloud network.
  - 9. The apparatus of claim 7 wherein said plurality of servers comprises virtual machines located at one or more of the servers and configured to move between the servers.
  - 10. The apparatus of claim 7 wherein said plurality of servers comprises one or more logical groups of physical servers.
  - 11. The apparatus of claim 7 wherein at least one of said plurality of servers comprises a monitoring device for monitoring traffic over said server communication session.
  - 12. The apparatus of claim 7 wherein the virtual context server comprises a session context server and a redundant context store.
  - 13. The apparatus of claim 7 wherein the processor is further configured to communicate said context information over a secure data plane containing said plurality of servers.

14. Logic encoded in one or more non-transitory media for execution and when executed operable to:
- receive at one of a plurality of servers, a request from a client for a secure communication session comprising a Secure Socket Layer (SSL) or Transport Layer Security (TLS) session;
  
  establish said secure communication session directly between the client and the server receiving said request; and
  
  share context information associated with said secure communication session with a virtual context server in communication with said plurality of servers and operable to store said context information, said context information comprising a session identifier, a secret, and a session state, wherein said context information stored at the virtual context server is available to said plurality of servers to allow said secure communication session to move between said plurality of servers;
  
  wherein said plurality of servers are operable to belong to a trusted group configured to have access to said secure communication session and said secret, said secret configured for use in said secure communication session to provide data integrity and confidentiality.
- View Dependent Claims (15, 16, 17)
- - 15. The logic of claim 14 wherein the logic is operable to:
    - identify a virtual machine;
      
      obtain new context information; and
      
      continue an existing secure communication session between said virtual machine and another client.
  - 16. The logic of claim 14 wherein said plurality of servers comprises physical servers located within a cloud network.
  - 17. The logic of claim 14 wherein said plurality of servers comprises virtual machines located at one or more of the servers and configured to move between the servers.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Cisco Technology, Inc. (Cisco Systems, Inc.)
Original Assignee
Cisco Technology, Inc. (Cisco Systems, Inc.)
Inventors
Robertson, Matthew, Hebbani Raghavendra, Rao Sandeep, Li, Qingqing
Primary Examiner(s)
Nguyen, Thu
Assistant Examiner(s)
TRUONG, LAN DAI T

Application Number

US12/804,177
Publication Number

US 20120016977A1
Time in Patent Office

1,545 Days
Field of Search

709/223, 709/224, 709/227, 709/228
US Class Current

709/224
CPC Class Codes

H04L 63/20   for managing network securi...

H04L 67/141   Setup of application sessio...

H04L 67/148   Migration or transfer of se...

Secure data transfer in a virtual environment

First Claim

1 Assignment

0 Petitions

Accused Products

Abstract

7 Citations

17 Claims

Specification

Solutions

Use Cases

Quick Links

Secure data transfer in a virtual environment

First Claim

1 Assignment

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

7 Citations

17 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links