Tunnel interface for securing traffic over a network

US 9,258,280 B1
Filed: 09/26/2015
Issued: 02/09/2016
Est. Priority Date: 09/13/2000
Status: Expired due to Fees

First Claim

Patent Images

1. A method comprising:

receiving, by a service management system (SMS) of a managed security service provider, a request to establish an Internet Protocol (IP) connection between a first location of the managed security service provider and a second location of the managed security service provider; and

establishing, by the SMS, a tunnel between a first service processing switch of the managed security service provider and a second service processing switch of the managed security service provider coupled in communication with the first service processing switch through a public network byassociating a first packet routing node within the first service processing switch with the first location;

associating a second packet routing node within the second service processing switch with the second location;

binding an encryption configuration decision associated with the request with a routing configuration of the first packet routing node, by, when the request is to establish a secure IP connection, configuring, the first packet routing node (i) to cause all packets transmitted from the first location to the second location to be encrypted prior to transmission through the public network by inserting an encryption node of the first service processing switch into a first path between the first location and the second location and (ii) to cause all packets received from the second location to be decrypted after transmission through the public network by inserting a decryption node of the first service processing switch into a second path between the second location and the first location; and

binding the encryption configuration decision with a routing configuration of the second packet routing node, by, when the request is to establish a secure IP connection, configuring, the second packet routing node (i) to cause all packets transmitted from the second location to the first location to be encrypted prior to transmission through the public network by inserting an encryption node of the second service processing switch into the second path and (ii) to cause all packets received from the first location to be decrypted after transmission through the public network by inserting a decryption node of the second service processing switch into the first path.

View all claims

0 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

Methods and systems for a flexible, scalable hardware and software platform that allows a managed security service provider to easily provide security services to multiple customers are provided. According to one embodiment, a method is provided for delivering customized network services to subscribers of the service provider. A request is received, at a service management system (SMS) of the service provider, to establish an Internet Protocol (IP) connection between a first and second location of a first subscriber of the managed security service provider. Responsive to the request, the SMS causes a tunnel to be established between a first and second service processing switch of the service provider which are coupled in communication via a public network and associated with the first location and the second location, respectively.

Citations

18 Claims

1. A method comprising:
- receiving, by a service management system (SMS) of a managed security service provider, a request to establish an Internet Protocol (IP) connection between a first location of the managed security service provider and a second location of the managed security service provider; and
  
  establishing, by the SMS, a tunnel between a first service processing switch of the managed security service provider and a second service processing switch of the managed security service provider coupled in communication with the first service processing switch through a public network byassociating a first packet routing node within the first service processing switch with the first location;
  
  associating a second packet routing node within the second service processing switch with the second location;
  
  binding an encryption configuration decision associated with the request with a routing configuration of the first packet routing node, by, when the request is to establish a secure IP connection, configuring, the first packet routing node (i) to cause all packets transmitted from the first location to the second location to be encrypted prior to transmission through the public network by inserting an encryption node of the first service processing switch into a first path between the first location and the second location and (ii) to cause all packets received from the second location to be decrypted after transmission through the public network by inserting a decryption node of the first service processing switch into a second path between the second location and the first location; and
  
  binding the encryption configuration decision with a routing configuration of the second packet routing node, by, when the request is to establish a secure IP connection, configuring, the second packet routing node (i) to cause all packets transmitted from the second location to the first location to be encrypted prior to transmission through the public network by inserting an encryption node of the second service processing switch into the second path and (ii) to cause all packets received from the first location to be decrypted after transmission through the public network by inserting a decryption node of the second service processing switch into the first path.
- View Dependent Claims (2, 3, 4, 5, 6)
- - 2. The method of claim 1, wherein the first packet routing node comprises a virtual router of a plurality of virtual routers running within the first service processing switch.
  - 3. The method of claim 1, wherein the second packet routing node comprises a virtual router of a plurality of virtual routers running within the second service processing switch.
  - 4. The method of claim 1, wherein the request to establish the IP connection is received by the SMS from a customer network management (CNM) system associated with the managed security service provider.
  - 5. The method of claim 1, wherein the request to establish the IP connection is received by the SMS via a user interface associated with the SMS.
  - 6. The method of claim 1, wherein the first location and the second location are locations of a first subscriber of a plurality of subscribers of the managed security service provider.

7. A system comprising:
- a service management system (SMS) configured to operate within a network of a managed security service provider;
  
  a first service processing switch configured to operate within the network;
  
  a second service processing switch configured to operate within the network and to be coupled to the first service processing switch via a public network;
  
  wherein the SMS is further configured to;
  
  receive a request to establish an Internet Protocol (IP) connection between a first location of the managed security service provider and a second location of the managed security service provider; and
  
  cause a tunnel to be established between the first service processing switch and the second service processing switch by causing a first packet routing node within the first service processing switch to be associated with the first location;
  
  cause a second packet routing node within the second service processing switch to be associated with the second location;
  
  cause an encryption configuration decision associated with the request to be bound with a routing configuration of the first packet routing node, by, when the request is to establish a secure IP connection, configuring, the first packet routing node (i) to cause all packets transmitted from the first location to the second location to be encrypted prior to transmission through the public network by inserting an encryption node of the first service processing switch into a first path between the first location and the second location and (ii) to cause all packets received from the second location to be decrypted after transmission through the public network by inserting decryption node of the first service processing switch into a second path between the second location and the first location; and
  
  cause the encryption configuration decision to be bound with a routing configuration of the second packet routing node, by, when the request is to establish a secure IP connection, configuring, the second packet routing node (i) to cause all packets transmitted from the second location to the first location to be encrypted prior to transmission through the public network by inserting an encryption node of the second service processing switch into the second path and (ii) to cause all packets received from the first location to be decrypted after transmission through the public network by inserting a decryption node of the second service processing switch into the first path.
- View Dependent Claims (8, 9, 10, 11, 12)
- - 8. The system of claim 7, wherein the first packet routing node comprises a virtual router of a plurality of virtual routers running within the first service processing switch.
  - 9. The system of claim 7, wherein the second packet routing node comprises a virtual router of a plurality of virtual routers running within the second service processing switch.
  - 10. The system of claim 7, wherein the request to establish the IP connection is received by the SMS from a customer network management (CNM) system associated with the managed security service provider.
  - 11. The system of claim 7, wherein the request to establish the IP connection is received by the SMS via a user interface associated with the SMS.
  - 12. The system of claim 7, wherein the first location and the second location are locations of a first subscriber of a plurality of subscribers of the managed security service provider.

13. A non-transitory computer-readable storage medium tangibly embodying a set of instructions, which when executed by one or more processors of a service management system (SMS) of a managed security service provider, cause the one or more processors to perform a method comprising:
- receiving a request to establish an Internet Protocol (IP) connection between a first location of the managed security service provider and a second location of the managed security service provider; and
  
  causing to be established a tunnel between a first service processing switch of the managed security service provider and a second service processing switch of the managed security service provider coupled in communication with the first service processing switch through a public network by causing a first packet routing node within the first service processing switch to be associated with the first location;
  
  causing a second packet routing node within the second service processing switch to be associated with the second location;
  
  causing an encryption configuration decision associated with the request to be bound with a routing configuration of the first packet routing node, by, when the request is to establish a secure IP connection, configuring, the first packet routing node (i) to cause all packets transmitted from the first location to the second location to be encrypted prior to transmission through the public network by inserting encryption node of the first service processing switch into a first path between the first location and the second location and (ii) to cause all packets received from the second location to be decrypted after transmission through the public network by inserting a decryption node of the first service processing switch into a second path between the second location and the first location; and
  
  causing the encryption configuration decision to be bound with a routing configuration of the second packet routing node, by, when the request is to establish a secure IP connection, configuring, the second packet routing node (i) to cause all packets transmitted from the second location to the first location to be encrypted prior to transmission through the public network by inserting an encryption node of the second service processing switch into the second path and (ii) to cause all packets received from the first location to be decrypted after transmission through the public network by inserting a decryption node of the second service processing switch into the first path.
- View Dependent Claims (14, 15, 16, 17, 18)
- - 14. The non-transitory computer-readable medium of claim 13, wherein the first packet routing node comprises a virtual router of a plurality of virtual routers running within the first service processing switch.
  - 15. The non-transitory computer-readable medium of claim 13, wherein the second packet routing node comprises a virtual router of a plurality of virtual routers running within the second service processing switch.
  - 16. The non-transitory computer-readable medium of claim 13, wherein the request to establish the IP connection is received by the SMS from a customer network management (CNM) system associated with the managed security service provider.
  - 17. The non-transitory computer-readable medium of claim 13, wherein the request to establish the IP connection is received by the SMS via a user interface associated with the SMS.
  - 18. The non-transitory computer-readable medium of claim 13, wherein the first location and the second location are locations of a first subscriber of a plurality of subscribers of the managed security service provider.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Fortinet Inc.
Original Assignee
Fortinet Inc.
Inventors
Sun, Chih-Tiang, Yum, Kiho, Matthews, Abraham R.
Primary Examiner(s)
LE, CHAU D

Application Number

US14/866,883
Publication Number

US 20160021072A1
Time in Patent Office

136 Days
Field of Search
US Class Current

1/1
CPC Class Codes

H04L 12/4641   Virtual LANs, VLANs, e.g. v...

H04L 41/08   Configuration management of...

H04L 41/0895   Configuration of virtualise...

H04L 45/14   Routing performance; Theore...

H04L 61/256   NAT traversal

H04L 61/2592   using tunnelling or encapsu...

H04L 63/0209   Architectural arrangements,...

H04L 63/0272   Virtual private networks

H04L 63/029   Firewall traversal, e.g. tu...

H04L 63/0428   wherein the data content is...

H04L 63/0471   applying encryption by an i...

Tunnel interface for securing traffic over a network

First Claim

0 Assignments

0 Petitions

Accused Products

Abstract

Citations

18 Claims

Specification

Solutions

Use Cases

Quick Links

Tunnel interface for securing traffic over a network

First Claim

0 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

Citations

18 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links