Method and apparatus for providing security in an intranet network

US 9,049,172 B2
Filed: 05/06/2014
Issued: 06/02/2015
Est. Priority Date: 08/07/2008
Status: Active Grant

First Claim

Patent Images

1. A method for providing security in a virtual private network, comprising:

defining, by a processor of a customer edge router, a protected server group, wherein the protected server group identifies a subset of all customer endpoint devices in the virtual private network, wherein the subset includes a server within the virtual private network to be protected;

receiving, by the processor, a packet; and

applying, by the processor, an inbound access control list to the packet when the packet is destined to a server in the protected server group, wherein the inbound access control list comprises an inbound list of internet protocol addresses that are not allowed to be accessed by the protected server group, wherein the applying inbound access control list comprises;

determining the packet is destined to the server in the protected server group, and that the packet comprises a message which is allowed to proceed to the server in the protected server group.

View all claims

1 Assignment

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

A method and an apparatus for providing security in an intranet network are disclosed. For example, the method receives a packet at a customer edge router, and applies an inbound access control list by the customer edge router to the packet if the packet is destined to a server in a protected server group, wherein said protected server group identifies one or more servers within the intranet network to be protected. The method applies an outbound access control list by the customer edge router to the packet if the packet is from a server in the protected server group.

Citations

20 Claims

1. A method for providing security in a virtual private network, comprising:
- defining, by a processor of a customer edge router, a protected server group, wherein the protected server group identifies a subset of all customer endpoint devices in the virtual private network, wherein the subset includes a server within the virtual private network to be protected;
  
  receiving, by the processor, a packet; and
  
  applying, by the processor, an inbound access control list to the packet when the packet is destined to a server in the protected server group, wherein the inbound access control list comprises an inbound list of internet protocol addresses that are not allowed to be accessed by the protected server group, wherein the applying inbound access control list comprises;
  
  determining the packet is destined to the server in the protected server group, and that the packet comprises a message which is allowed to proceed to the server in the protected server group.
- View Dependent Claims (2, 3, 4, 5, 6, 7)
- - 2. The method of claim 1, further comprising:
    - allowing the packet to proceed towards its destination when the packet is not to or from the server in the protected server group.
  - 3. The method of claim 1, further comprising:
    - determining if the server in the protected server group has been compromised by monitoring a request from the server for creating a session.
  - 4. The method of claim 1, further comprising:
    - detecting a denial of service attack by monitoring a number of half open sessions from a customer endpoint device to the server in the protected server group.
  - 5. The method of claim 1, wherein the packet is for a stateless session.
  - 6. The method of claim 1, wherein the packet is for a user datagram protocol session.
  - 7. The method of claim 1, wherein the packet is for an internet control message protocol session.

8. A non-transitory computer-readable medium storing a plurality of instructions which, when executed by a processor of a customer edge router, cause the processor to perform operations for providing security in a virtual private network, the operations comprising:
- defining a protected server group, wherein the protected server group identifies a subset of all customer endpoint devices in the virtual private network, wherein the subset includes a server within the virtual private network to be protected;
  
  receiving a packet; and
  
  applying an inbound access control list to the packet when the packet is destined to a server in the protected server group, wherein the inbound access control list comprises an inbound list of internet protocol addresses that are not allowed to be accessed by the protected server group, wherein the applying inbound access control list comprises;
  
  determining the packet is destined to the server in the protected server group, and that the packet comprises a message which is allowed to proceed to the server in the protected server group.
- View Dependent Claims (9, 10, 11, 12, 13, 14)
- - 9. The non-transitory computer-readable medium of claim 8, further comprising:
    - allowing the packet to proceed towards its destination when the packet is not to or from the server in the protected server group.
  - 10. The non-transitory computer-readable medium of claim 8, further comprising:
    - determining if the server in the protected server group has been compromised by monitoring a request from the server for creating a session.
  - 11. The non-transitory computer-readable medium of claim 8, further comprising:
    - detecting a denial of service attack by monitoring a number of half open sessions from a customer endpoint device to the server in the protected server group.
  - 12. The non-transitory computer-readable medium of claim 8, wherein the packet is for a stateless session.
  - 13. The non-transitory computer-readable medium of claim 8, wherein the packet is for a user datagram protocol session.
  - 14. The non-transitory computer-readable medium of claim 8, wherein the packet is for an internet control message protocol session.

15. An apparatus for providing security in a virtual private network, comprising:
- a processor of a customer edge router; and
  
  a computer-readable medium storing a plurality of instructions which, when executed by the processor, cause the processor to perform operations, the operations comprising;
  
  defining a protected server group, wherein the protected server group identifies a subset of all customer endpoint devices in the virtual private network, wherein the subset includes a server within the virtual private network to be protected;
  
  receiving a packet; and
  
  applying an inbound access control list to the packet when the packet is destined to a server in the protected server group, wherein the inbound access control list comprises an inbound list of internet protocol addresses that are not allowed to be accessed by the protected server group, wherein the applying inbound access control list comprises;
  
  determining the packet is destined to the server in the protected server group, and that the packet comprises a message which is allowed to proceed to the server in the protected server group.
- View Dependent Claims (16, 17, 18, 19, 20)
- - 16. The apparatus of claim 15, wherein the operations further comprise:
    - allowing the packet to proceed towards its destination when the packet is not to or from the server in the protected server group.
  - 17. The apparatus of claim 15, wherein the operations further comprise:
    - determining if the server in the protected server group has been compromised by monitoring a request from the server for creating a session.
  - 18. The apparatus of claim 15, wherein the operations further comprise:
    - detecting a denial of service attack by monitoring a number of half open sessions from a customer endpoint device to the server in the protected server group.
  - 19. The apparatus of claim 15, wherein the packet is for a stateless session.
  - 20. The apparatus of claim 15, wherein the packet is for a user datagram protocol session or an internet control message protocol session.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
AT&T Intellectual Property I LP (AT&T, Inc.)
Original Assignee
AT&T Intellectual Property I LP (AT&T, Inc.)
Inventors
Dargis, Anthony
Primary Examiner(s)
Siddiqi, Mohammad A

Application Number

US14/271,167
Publication Number

US 20140245426A1
Time in Patent Office

392 Days
Field of Search

709/224, 709/225, 709/229, 726/1, 726/2, 726/13, 726/23, 726/15
US Class Current

1/1
CPC Class Codes

H04L 63/0272   Virtual private networks

H04L 63/08   for authentication of entit...

H04L 63/101   Access control lists [ACL]

H04L 63/1458   Denial of Service

H04L 63/164   at the network layer

H04L 63/20   for managing network securi...

Method and apparatus for providing security in an intranet network

First Claim

1 Assignment

0 Petitions

Accused Products

Abstract

Citations

20 Claims

Specification

Solutions

Use Cases

Quick Links

Method and apparatus for providing security in an intranet network

First Claim

1 Assignment

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

Citations

20 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links