IPsec connection to private networks

US 8,972,555 B2
Filed: 03/04/2011
Issued: 03/03/2015
Est. Priority Date: 03/04/2011
Status: Active Grant

First Claim

Patent Images

1. A server hosting system comprising:

a plurality of managed servers;

a first secure communication appliance configured to connect to a tenant appliance at a first tenant using an IPsec tunnel, the first secure communication appliance further configured to route data between a first managed server of the plurality of managed servers and the tenant appliance at the first tenant, the first managed server associated with the first tenant;

a second secure communication appliance configured to connect to a tenant appliance at a second tenant using an IPsec tunnel, the second secure communication appliance further configured to route data between a second managed server of the plurality of managed servers and the tenant appliance at the second tenant, the second managed server associated with the second tenant;

wherein the first secure communication appliance is configured to apply a first tag to data received from the tenant appliance at the first tenant identifying the first tenant, and wherein the second secure communication appliance is configured to apply a second tag to data received from the tenant appliance at the second tenant identifying the second tenant.

View all claims

8 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

A server hosting system and method of connecting to managed servers using IPsec are disclosed. The server hosting system includes a plurality of managed servers, and first and second secure communication appliances. The first secure communication appliance is configured to connect to a tenant appliance at a first tenant using an IPsec tunnel, and further configured to route data between a first managed server of the plurality of managed servers and the tenant appliance at the first tenant. The second secure communication appliance is configured to connect to a tenant appliance at a second tenant using an IPsec tunnel, and further configured to route data between a second managed server of the plurality of managed servers and the tenant appliance at the second tenant.

Citations

21 Claims

1. A server hosting system comprising:
- a plurality of managed servers;
  
  a first secure communication appliance configured to connect to a tenant appliance at a first tenant using an IPsec tunnel, the first secure communication appliance further configured to route data between a first managed server of the plurality of managed servers and the tenant appliance at the first tenant, the first managed server associated with the first tenant;
  
  a second secure communication appliance configured to connect to a tenant appliance at a second tenant using an IPsec tunnel, the second secure communication appliance further configured to route data between a second managed server of the plurality of managed servers and the tenant appliance at the second tenant, the second managed server associated with the second tenant;
  
  wherein the first secure communication appliance is configured to apply a first tag to data received from the tenant appliance at the first tenant identifying the first tenant, and wherein the second secure communication appliance is configured to apply a second tag to data received from the tenant appliance at the second tenant identifying the second tenant.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12)
- - 2. The server hosting system of claim 1, wherein at least one of the first and second managed servers is assigned a tenant virtual local area network (VLAN).
  - 3. The server hosting system of claim 1, wherein the first tag identities a virtual secure gateway associated with the first tenant, and the second tag identifies a second virtual secure gateway associated with a second tenant.
  - 4. The server hosting system of claim 3, wherein the first virtual secure gateway is configured to establish a secure communication connection with at least the first managed server, and wherein the second virtual secure gateway is configured to establish a secure communication connection with at least the second managed server.
  - 5. The server hosting system of claim 4, wherein the secure communication session comprises a Stealth-enabled encrypted communication session.
  - 6. The server hosting system of claim 1, further comprising a switch communicatively connected to the first and second secure communication appliances, the switch configured to route data from the first secure communication appliance to the first managed server based at least in part on the tag identifying the first tenant and to route data from the second secure communication appliance to the second managed server based at least in part of the tag identifying the second tenant.
  - 7. The server hosting system of claim 6, wherein the switch is a virtual local area network (VLAN) switch.
  - 8. The server hosting system of claim 6, further comprising a second switch communicatively connecting the VLAN switch to the first and second secure communication appliances.
  - 9. The server hosting system of claim 1, wherein the second secure communication appliance does not communicate with the tenant appliance at the first tenant, and the first secure communication appliance does not communicate with the tenant appliance at the second tenant.
  - 10. The server hosting system of claim 1, wherein the IPsec tunnel between the first secure communication appliance and the tenant appliance at the first tenant is created using a key shared for authentication and data is encrypted using configured encryption methods with the tenant appliance at the first tenant from the first secure communication appliance.
  - 11. The server hosting system of claim 1, wherein at least one of the first and second managed servers comprises a virtual machine.
  - 12. The server hosting system of claim 1, wherein the first and second managed servers each comprise a different virtual machine, and wherein the first and second managed servers execute on a common computing device.

13. A method of securing communications between a tenant and a server hosting system, the method comprising:
- receiving data at a first secure communication appliance from a tenant appliance at a first tenant;
  
  applying a first tag to the data at the first secure communication appliance, the tag identifying the first tenant as the source of the data;
  
  forwarding the data including the first tag to a first managed server associated with the first tenant;
  
  receiving data at a second secure communication appliance from a tenant appliance at a second tenant separate from the first tenant;
  
  applying a second tag to the data at the first secure communication appliance, the tag identifying the second tenant as the source of the data; and
  
  forwarding the data including the second tag to a second managed server associated with the second tenant.
- View Dependent Claims (14, 15, 16, 17, 18, 19, 20)
- - 14. The method of claim 13, wherein the first and second managed servers each comprise a different virtual machine, and wherein the first and second managed servers execute on a common computing device.
  - 15. The method of claim 13, wherein the second secure communication appliance does not communicate with the tenant appliance at the first tenant and the first secure communication appliance does not communicate with the tenant appliance at the second tenant.
  - 16. The method of claim 13, wherein one or more of the plurality of managed servers is assigned a tenant virtual local area network (VLAN).
  - 17. The method of claim 13, further comprising sharing an encryption key generated at the first secure communication device with the tenant device at the first tenant.
  - 18. The method of claim 13, wherein receiving data at the first secure communication appliance includes receiving a request for access to data at the first managed server.
  - 19. The method of claim 13, wherein the first secure communication appliance resides within a server hosting system.
  - 20. The method of claim 13, wherein the first managed server is assigned to a first tenant virtual local area network (VLAN), and wherein data including the first tag is forwarded only to the first tenant VLAN.

21. A non-transitory computer storage medium comprising computer-executable instructions, which when executed on a computing device in a server hosting system cause the computing device to provide a first secure communication appliance configured to:
- receive a request to access a managed server from a tenant appliance at a first tenant via an IPsec connection, the first managed server including at least one virtual machine;
  
  applying a tag to the data, the tag identifying a virtual secure gateway associated with a tenant;
  
  route the data including the tag to the managed server associated with the first tenant via a virtual local area network switch and the virtual secure gateway;
  
  receiving data at a second secure communication appliance from a tenant appliance at a second tenant separate from the first tenant;
  
  applying a second tag to the data at the first secure communication appliance, the tag identifying the second tenant as the source of the data; and
  
  forwarding the data including the second tag to a second managed server associated with the second tenant.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Unisys Corporation
Original Assignee
Unisys Corporation
Inventors
Johnson, Robert A., Sadhu, Avinash
Primary Examiner(s)
NGUYEN, PHUOC H

Application Number

US13/040,631
Publication Number

US 20120226792A1
Time in Patent Office

1,460 Days
Field of Search

709/203, 709/217, 709/223, 709/238
US Class Current

709/223
CPC Class Codes

H04L 63/0272   Virtual private networks

H04L 63/104   Grouping of entities

H04L 63/164   at the network layer

IPsec connection to private networks

First Claim

8 Assignments

0 Petitions

Accused Products

Abstract

Citations

21 Claims

Specification

Solutions

Use Cases

Quick Links

IPsec connection to private networks

First Claim

8 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

Citations

21 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links