Method and system for VPN isolation using network namespaces

US 9,253,309 B2
Filed: 10/14/2014
Issued: 02/02/2016
Est. Priority Date: 11/22/2011
Status: Active Grant

First Claim

Patent Images

1. A computer executable method for providing exclusive access to a virtual private network (VPN) connection to an authorized application, comprising:

creating a unique network namespace of a host system;

placing a virtual device associated with the VPN connection into the unique network namespace;

placing at least one socket for the authorized application into the unique network namespace; and

precluding all unauthorized applications on the host system from accessing the unique network namespace, thereby facilitating exclusive access to the VPN connection by the authorized application.

View all claims

1 Assignment

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

One embodiment of the present invention provides a system for providing exclusive access to a virtual private network (VPN) connection to an authorized application. During operation, the system creates a unique network namespace that is different from a default network namespace of a host system. The system then places a pseudo network interface associated with the VPN connection into the unique network namespace. Furthermore, the system places at least one socket for an authorized application into the unique network namespace. The system also precludes unauthorized applications on the host from accessing the unique network namespace, thereby facilitating exclusive access to the VPN connection by the authorized application.

41 Citations

View as Search Results

20 Claims

1. A computer executable method for providing exclusive access to a virtual private network (VPN) connection to an authorized application, comprising:
- creating a unique network namespace of a host system;
  
  placing a virtual device associated with the VPN connection into the unique network namespace;
  
  placing at least one socket for the authorized application into the unique network namespace; and
  
  precluding all unauthorized applications on the host system from accessing the unique network namespace, thereby facilitating exclusive access to the VPN connection by the authorized application.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10)
- - 2. The method of claim 1, wherein the unique network namespace is different from a default network namespace of the host system.
  - 3. The method of claim 1, wherein placing the virtual device associated with the VPN connection into the network namespace comprises moving the virtual device from a default network namespace of the host system to the unique network namespace.
  - 4. The method of claim 1, wherein the virtual device comprises a pseudo network interface.
  - 5. The method of claim 1, wherein the authorized application is a virtual machine.
  - 6. The method of claim 5, further comprising:
    - intercepting a socket-creation request from an application on the virtual machine; and
      
      creating a socket of the at least one socket on the host system on behalf of the virtual machine.
  - 7. The method of claim 1, further comprising establishing the VPN connection by a VPN client which resides in a default network namespace of the host system.
  - 8. The method of claim 1, further comprising receiving a set of network parameters by a VPN client and passing the network parameters to a connectivity service on the host system.
  - 9. The method of claim 1, further comprising applying a set of network parameters received via the VPN connection to the virtual device.
  - 10. The method of claim 1, wherein the host system comprises a mobile device.

11. A computer readable non-transitory storage medium storing instructions which when executed by a computer cause the computer to perform a method, the method comprising:
- creating a unique network namespace of a host system on the computer;
  
  placing a virtual device associated with the VPN connection into the unique network namespace;
  
  placing at least one socket for the authorized application into the unique network namespace; and
  
  precluding all unauthorized applications on the host system from accessing the unique network namespace, thereby facilitating exclusive access to the VPN connection by the authorized application.
- View Dependent Claims (12, 13, 14, 15)
- - 12. The computer readable non-transitory storage medium of claim 11, wherein the unique network namespace is different from a default network namespace of the host system.
  - 13. The computer readable non-transitory storage medium of claim 11, wherein placing the virtual device associated with the VPN connection into the network namespace comprises moving the virtual device from a default network namespace of the host system to the unique network namespace.
  - 14. The computer readable non-transitory storage medium of claim 11, wherein the virtual device comprises a pseudo network interface.
  - 15. The computer readable non-transitory storage medium of claim 11, wherein the authorized application is a virtual machine.

16. A computing system for providing exclusive access to a virtual private network (VPN) connection to an authorized application, comprising:
- a network namespace creation mechanism configured to create a unique network namespace of a host system;
  
  a connectivity service configured to place a virtual device associated with the VPN connection into the unique network namespace; and
  
  a socket management mechanism configured to place at least one socket for the authorized application into the unique network namespace;
  
  wherein all unauthorized applications on the host system are precluded from accessing the unique network namespace, thereby facilitating exclusive access to the VPN connection by the authorized application.
- View Dependent Claims (17, 18, 19, 20)
- - 17. The computing system of claim 16, wherein the unique network namespace is a different from a default network namespace of the host system.
  - 18. The computing system of claim 16, wherein placing the virtual device associated with the VPN connection into the network namespace comprises moving the virtual device from a default network namespace of the host system to the unique network namespace.
  - 19. The computing system of claim 16, wherein the virtual device comprises a pseudo network interface.
  - 20. The computing system of claim 16, wherein the computing system comprises a mobile device.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Vmware LLC (Broadcom, Inc.)
Original Assignee
VMware, Inc. (Broadcom, Inc.)
Inventors
Fainkichen, Alexander, Newell, Craig
Primary Examiner(s)
Zee, Edward

Application Number

US14/513,783
Publication Number

US 20150033324A1
Time in Patent Office

476 Days
Field of Search
US Class Current

1/1
CPC Class Codes

C09J 7/21   Paper; Textile fabrics

C09J 7/30   characterised by the adhesi...

G06F 2009/4557   Distribution of virtual mac...

G06F 2009/45587   Isolation or security of vi...

G06F 2009/45595   Network integration; Enabli...

G06F 9/445   Program loading or initiati...

G06F 9/455   Emulation; Interpretation; ...

G06F 9/45529   Embedded in an application,...

G06F 9/45533   Hypervisors; Virtual machin...

G06F 9/45558   Hypervisor-specific managem...

G06F 9/46   Multiprogramming arrangements

H04L 63/0272   Virtual private networks

H04L 67/10   in which an application is ...

H04L 67/34   involving the movement of s...

H04N 21/443   OS processes, e.g. booting ...

H04N 21/4437   Implementing a Virtual Mach...

H04W 12/37   Managing security policies ...

H04W 4/50   Service provisioning or rec...

H04W 4/60   Subscription-based services...

H04W 76/10   Connection setup

H04W 8/22 : Processing or transfer of t...

Y10T 428/14 : Layer or component removabl...

View All

Method and system for VPN isolation using network namespaces

First Claim

1 Assignment

0 Petitions

Accused Products

Abstract

41 Citations

20 Claims

Specification

Solutions

Use Cases

Quick Links

Method and system for VPN isolation using network namespaces

First Claim

1 Assignment

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

41 Citations

20 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links