Tunnel interface for securing traffic over a network

US 9,160,716 B2
Filed: 11/17/2014
Issued: 10/13/2015
Est. Priority Date: 09/13/2000
Status: Expired due to Term

First Claim

Patent Images

1. A method comprising:

receiving, at a service management system (SMS) of a managed security service provider, a request to establish an Internet Protocol (IP) connection between a first location of a first subscriber of a plurality of subscribers of the managed security service provider and a second location of the first subscriber;

responsive to the request, the SMS causing a tunnel to be established between a first virtual router (VR) of a first service processing switch of the managed service provider that is associated with the first location and a second VR of a second service processing switch of the managed service provider that is associated with the second location, wherein the first service processing switch and the second service processing switch are coupled in communication via a public network, wherein said causing a tunnel to be established comprises;

binding an encryption configuration decision associated with the request with a routing configuration of the first VR, by, when the request is to establish a secure IP connection, configuring, the first VR (i) to cause all packets transmitted from the first location to the second location to be encrypted prior to transmission through the public network and (ii) to cause all packets received from the second location to be decrypted after transmission through the public network; and

binding the encryption configuration decision with a routing configuration of the second VR, by, when the request is to establish a secure IP connection, configuring, the second VR (i) to cause all packets transmitted from the second location to the first location to be encrypted prior to transmission through the public network and (ii) to cause all packets received from the first location to be decrypted after transmission through the public network.

View all claims

0 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

Methods and systems for a flexible, scalable hardware and software platform that allows a managed security service provider to easily provide security services to multiple customers are provided. According to one embodiment, a method is provided for delivering customized network services to subscribers of the service provider. A request is received, at a service management system (SMS) of the service provider, to establish an Internet Protocol (IP) connection between a first and second location of a first subscriber of the managed security service provider. Responsive to the request, the SMS causes a tunnel to be established between a first virtual router (VR) and a second VR running on a first and second service processing switch, respectively, of the service provider which are coupled in communication via a public network and associated with the first location and the second location, respectively.

275 Citations

16 Claims

1. A method comprising:
- receiving, at a service management system (SMS) of a managed security service provider, a request to establish an Internet Protocol (IP) connection between a first location of a first subscriber of a plurality of subscribers of the managed security service provider and a second location of the first subscriber;
  
  responsive to the request, the SMS causing a tunnel to be established between a first virtual router (VR) of a first service processing switch of the managed service provider that is associated with the first location and a second VR of a second service processing switch of the managed service provider that is associated with the second location, wherein the first service processing switch and the second service processing switch are coupled in communication via a public network, wherein said causing a tunnel to be established comprises;
  
  binding an encryption configuration decision associated with the request with a routing configuration of the first VR, by, when the request is to establish a secure IP connection, configuring, the first VR (i) to cause all packets transmitted from the first location to the second location to be encrypted prior to transmission through the public network and (ii) to cause all packets received from the second location to be decrypted after transmission through the public network; and
  
  binding the encryption configuration decision with a routing configuration of the second VR, by, when the request is to establish a secure IP connection, configuring, the second VR (i) to cause all packets transmitted from the second location to the first location to be encrypted prior to transmission through the public network and (ii) to cause all packets received from the first location to be decrypted after transmission through the public network.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8)
- - 2. The method of claim 1, wherein the request to establish the IP connection is received by the SMS from a customer network management (CNM) system of the first subscriber.
  - 3. The method of claim 1, wherein the request to establish the IP connection is received by the SMS via a user interface associated with the SMS.
  - 4. The method of claim 1, further comprising:
    - receiving, by the first VR, a data packet that is to be sent to the second VR;
      
      generating an encrypted data packet by passing the data packet to an encryptor for encryption using a pre-defined encryption method; and
      
      routing the encrypted data packet to the second VR.
  - 5. The method of claim 4, further comprising:
    - examining, by the first VR, the data packet to determine whether it is to be encrypted;
      
      when the data packet is to be encrypted, sending the data packet to the encryptor for encryption.
  - 6. The method of claim 4, wherein the encryptor is dedicated to the first VR.
  - 7. The method of claim 4, wherein the encryptor is shared by a plurality of VRs executing on the first service processing switch.
  - 8. The method of claim 1, wherein the first VR further provides security services to the first subscriber at the first location and the second VR further provides security services to the first subscriber at the second location.

9. A system comprising:
- a service management system (SMS) residing within a network of a managed security service provider;
  
  a plurality of service processing switches within the network, each executing a plurality of virtual routers (VRs);
  
  wherein, responsive to receipt of a request, by the SMS, to establish an Internet Protocol (IP) connection between a first location of a first subscriber of a plurality of subscribers of the managed security service provider and a second location of the first subscriber, the SMS causes a tunnel to be established between a first VR, associated with the first location, of a first service processing switch of the plurality of service processing switches and a second VR, associated with the second location, of a second service processing switch of the plurality of service processing switches;
  
  wherein the first service processing switch and the second service processing switch are coupled in communication via a public network; and
  
  wherein the tunnel is established between the first VR and the second VR by;
  
  binding an encryption configuration decision associated with the request with a routing configuration of the first VR, by, when the request is to establish a secure IP connection, configuring, the first VR (i) to cause all packets transmitted from the first location to the second location to be encrypted prior to transmission through the public network and (ii) to cause all packets received from the second location to be decrypted after transmission through the public network; and
  
  binding the encryption configuration decision with a routing configuration of the second VR, by, when the request is to establish a secure IP connection, configuring, the second VR (i) to cause all packets transmitted from the second location to the first location to be encrypted prior to transmission through the public network and (ii) to cause all packets received from the first location to be decrypted after transmission through the public network.
- View Dependent Claims (10, 11, 12, 13, 14, 15, 16)
- - 10. The system of claim 9, wherein the request to establish the IP connection is received by the SMS from a customer network management (CNM) system of the first subscriber.
  - 11. The system of claim 9, wherein the request to establish the IP connection is received by the SMS via a user interface associated with the SMS.
  - 12. The system of claim 9, wherein responsive to receiving, by the first VR, a data packet that is to be sent to the second VR:
    - (i) generating an encrypted data packet by passing the data packet to an encryptor for encryption using a pre-defined encryption method; and
      
      (ii) routing the encrypted data packet to the second VR.
  - 13. The system of claim 12, wherein the first VR examines the data packet to determine whether it is to be encrypted and when the data packet is to be encrypted, the first VR sends the data packet to the encryptor for encryption.
  - 14. The system of claim 12, wherein the encryptor is dedicated to the first VR.
  - 15. The system of claim 12, wherein the encryptor is shared by the plurality VRs of the first service processing switch.
  - 16. The system of claim 9, wherein the first VR further provides security services to the first subscriber at the first location and the second VR further provides security services to the first subscriber at the second location.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Fortinet Inc.
Original Assignee
Fortinet Inc.
Inventors
Sun, Chih-Tiang, Yum, Kiho, Matthews, Abraham R.
Primary Examiner(s)
LE, CHAU D

Application Number

US14/543,797
Publication Number

US 20150095636A1
Time in Patent Office

330 Days
Field of Search
US Class Current

1/1
CPC Class Codes

H04L 12/4641   Virtual LANs, VLANs, e.g. v...

H04L 41/08   Configuration management of...

H04L 41/0895   Configuration of virtualise...

H04L 45/14   Routing performance; Theore...

H04L 61/256   NAT traversal

H04L 61/2592   using tunnelling or encapsu...

H04L 63/0209   Architectural arrangements,...

H04L 63/0272   Virtual private networks

H04L 63/029   Firewall traversal, e.g. tu...

H04L 63/0428   wherein the data content is...

H04L 63/0471   applying encryption by an i...

Tunnel interface for securing traffic over a network

First Claim

0 Assignments

0 Petitions

Accused Products

Abstract

275 Citations

16 Claims

Specification

Use Cases

Quick Links

Others

Tunnel interface for securing traffic over a network

First Claim

0 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

275 Citations

16 Claims

Specification

Subscription Required

Use Cases

Quick Links

Others