Methods, systems, and computer program products for providing a virtual private gateway between user devices and various networks

US 9,021,251 B2
Filed: 11/02/2009
Issued: 04/28/2015
Est. Priority Date: 11/02/2009
Status: Active Grant

First Claim

Patent Images

1. A method of operating a communication network, comprising:

receiving traffic from a user device at a gateway device associated with a gateway service provider;

applying a traffic policy to the traffic at the gateway device, the traffic policy being associated with a secure network;

determining if the traffic is destined for the secure network;

routing the traffic to the secure network using a security protocol associated with the secure network responsive to determining that the traffic is destined for the secure network;

decrypting the traffic responsive to receiving the traffic using a first cryptographic technique;

encrypting the traffic using a second cryptographic technique different than the first cryptographic technique; and

routing the traffic to an unsecure network without passing through the secure network responsive to determining that the traffic is not destined for the secure network;

wherein the traffic encrypted using the first cryptographic technique cannot be decrypted using the second cryptographic technique;

wherein the secure network and the unsecure network are distinct physical networks separated from each other; and

wherein the user device is not part of the secure network and not part of the unsecure network.

View all claims

1 Assignment

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

A communication network is operated by receiving traffic from a user device at a gateway device associated with a gateway service provider, which manages gateways to both secure and insecure networks. The gateway uses security policies to determine if traffic is destined to the secure or insecure network and applies appropriate policies which cause the traffic to be routed, dropped, or analyzed.

Citations

15 Claims

1. A method of operating a communication network, comprising:
- receiving traffic from a user device at a gateway device associated with a gateway service provider;
  
  applying a traffic policy to the traffic at the gateway device, the traffic policy being associated with a secure network;
  
  determining if the traffic is destined for the secure network;
  
  routing the traffic to the secure network using a security protocol associated with the secure network responsive to determining that the traffic is destined for the secure network;
  
  decrypting the traffic responsive to receiving the traffic using a first cryptographic technique;
  
  encrypting the traffic using a second cryptographic technique different than the first cryptographic technique; and
  
  routing the traffic to an unsecure network without passing through the secure network responsive to determining that the traffic is not destined for the secure network;
  
  wherein the traffic encrypted using the first cryptographic technique cannot be decrypted using the second cryptographic technique;
  
  wherein the secure network and the unsecure network are distinct physical networks separated from each other; and
  
  wherein the user device is not part of the secure network and not part of the unsecure network.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10)
- - 2. The method of claim 1, further comprising:
    - wherein routing the traffic to the secure network comprises encapsulating the traffic.
  - 3. The method of claim 2, wherein the first cryptographic technique is public-key decryption using keys associated with the gateway service provider.
  - 4. The method of claim 1, wherein the traffic policy comprises a security policy.
  - 5. The method of claim 1, further comprising:
    - assembling packets comprising the traffic into a session; and
      
      applying a session policy to the assembled packets, the session policy being associated with an application layer protocol level.
  - 6. The method of claim 1, further comprising:
    - receiving traffic destined for the user device at the gateway device;
      
      determining if the traffic destined for the user device is secure traffic;
      
      removing security from the traffic destined for the user device responsive to determining that the traffic destined for the user device is secure;
      
      applying a traffic policy to the traffic destined for the user device at the gateway device; and
      
      routing the traffic destined for the user device to the user device using a security protocol associated with the user device.
  - 7. The method of claim 6, wherein removing security from the traffic destined for the user device comprises:
    - determining if the traffic destined for the user device is encrypted; and
      
      decrypting the received traffic destined for the user device via public key encryption using keys associated with the secure network responsive to determining that the traffic destined for the user device is encrypted.
  - 8. The method of claim 7, wherein removing security from the traffic destined for the user device comprises:
    - removing encapsulation from the traffic destined for the user device responsive to determining that the traffic destined for the user device is not encrypted.
  - 9. The method of claim 6, further comprising:
    - assembling packets comprising the traffic destined for the user device into a session; and
      
      applying a session policy to the assembled packets, the session policy being associated with the application layer protocol level.
  - 10. The method of claim 6, wherein the security protocol associated with the user device is public key encryption using keys associated with the gateway service provider.

11. A computer program product for operating a communication network, comprising:
- a non-transitory computer readable storage medium having computer readable program code embodied therein, the computer readable program code when executed by a processor causing the processor to perform operations comprising;
  
  receiving traffic from a user device at a gateway device associated with a gateway service provider;
  
  applying a traffic policy to the traffic at the gateway device, the traffic policy being associated with a secure network;
  
  determining if the traffic is destined for the secure network;
  
  routing the traffic to the secure network using a security protocol associated with the secure network responsive to determining that the traffic is destined for the secure network;
  
  decrypting the traffic responsive to receiving the traffic using a first cryptographic technique;
  
  encrypting the traffic using a second cryptographic technique different than the first cryptographic technique; and
  
  routing the traffic to an unsecure network without passing through the secure network responsive to determining that the traffic is not destined for the secure network;
  
  wherein the traffic encrypted using the first cryptographic technique cannot be decrypted using the second cryptographic technique;
  
  wherein the secure network and the unsecure network are distinct physical networks separated from each other; and
  
  wherein the user device is not part of the secure network and not part of the unsecure network.

12. A switching apparatus, comprising:
- a processor; and
  
  a memory coupled to the processor and comprising computer readable program code that when executed by the processor causes the processor to perform operations comprising;
  
  receiving traffic from a user device at a gateway device associated with a gateway service provider;
  
  applying a traffic policy to the traffic at the gateway device, the traffic policy being associated with a secure network;
  
  determining if the traffic is destined for the secure network;
  
  routing the traffic to the secure network using a security protocol associated with the secure network responsive to determining that the traffic is destined for the secure network;
  
  decrypting the traffic responsive to receiving the traffic using a first cryptographic technique;
  
  encrypting the traffic using a second cryptographic technique different than the first cryptographic technique; and
  
  routing the traffic to an unsecure network without passing through the secure network responsive to determining that the traffic is not destined for the secure network;
  
  wherein the traffic encrypted using the first cryptographic technique cannot be decrypted using the second cryptographic technique;
  
  wherein the secure network and the unsecure network are distinct physical networks separated from each other; and
  
  wherein the user device is not part of the secure network and not part of the unsecure network.
- View Dependent Claims (13, 14, 15)
- - 13. The switching apparatus of claim 12, wherein routing the traffic to the secure network comprises encapsulating the traffic.
  - 14. The switching apparatus of claim 12, wherein the operations further comprise:
    - assembling packets comprising the traffic into a session; and
      
      applying a session policy to the assembled packets, the session policy being associated with the application layer protocol level.
  - 15. The switching apparatus of claim 12, wherein the operations further comprise:
    - receiving traffic destined for the user device at the gateway device;
      
      determining if the traffic destined for the user device is secure traffic;
      
      removing security from the traffic destined for the user device responsive to determining that the traffic destined for the user device is secure;
      
      applying a traffic policy to the traffic destined for the user device at the gateway device; and
      
      routing the traffic destined for the user device to the user device using a security protocol associated with the user device.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
AT&T Intellectual Property I LP (AT&T, Inc.)
Original Assignee
AT&T Intellectual Property I LP (AT&T, Inc.)
Inventors
Chawla, Deepak, Beckett, William R. III
Primary Examiner(s)
Dinh, Minh

Application Number

US12/610,746
Publication Number

US 20110107413A1
Time in Patent Office

2,003 Days
Field of Search

None
US Class Current

713/153
CPC Class Codes

H04L 45/30 Routing of multiclass traffic

H04L 63/0227 Filtering policies mail mes...

Methods, systems, and computer program products for providing a virtual private gateway between user devices and various networks

First Claim

1 Assignment

0 Petitions

Accused Products

Abstract

Citations

15 Claims

Specification

Solutions

Use Cases

Quick Links

Methods, systems, and computer program products for providing a virtual private gateway between user devices and various networks

First Claim

1 Assignment

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

Citations

15 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links