Tunneling using encryption

US 9,276,920 B2
Filed: 08/14/2013
Issued: 03/01/2016
Est. Priority Date: 03/10/1997
Status: Expired due to Fees

First Claim

Patent Images

1. A method for tunneling using encryption, the method comprising:

receiving a data packet at a first access filter in a first internal network, the data packet sent from a client device in the first internal network, wherein the received data packet has an original header specifying an internet protocol (IP) address of the client device as a source address and an IP address of a client device in a second internal network as a destination address;

executing instructions stored in memory of the first access filter, wherein execution of the instructions by a processor;

encrypts the data packet using a certificate shared between the first access filter and a second access filter associated with the destination address of the data packet, wherein the original header of the data packet is also encrypted, andadds a new header specifying that an IP address of the first access filter is a source address and that an IP address of the second access filter is a destination address of the encrypted data packet; and

sending the data packet with the new header to the second access filter, wherein the original header remains encrypted during transmission through the Internet, and wherein the second access filter;

verifies that the data packet is from the first access filter as indicated by the new header, andremoves the new header and decrypts the data packet to obtain the original header based on the verification.

View all claims

32 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

A scalable access filter that is used together with others like it in a virtual private network to control access by users at clients in the network to information resources provided by servers in the network. Each access filter uses a local copy of an access control data base to determine whether an access request is made by a user. Each user belongs to one or more user groups and each information resource belongs to one or more information sets. Access is permitted or denied according to access policies which define access in terms of the user groups and information sets. The first access filter in the path performs the access check, encrypts and authenticates the request; the other access filters in the path do not repeat the access check. The interface used by applications to determine whether a user has access to an entity is now an SQL entity. The policy server assembles the information needed for the response to the query from various information sources, including source external to the policy server.

174 Citations

19 Claims

1. A method for tunneling using encryption, the method comprising:
- receiving a data packet at a first access filter in a first internal network, the data packet sent from a client device in the first internal network, wherein the received data packet has an original header specifying an internet protocol (IP) address of the client device as a source address and an IP address of a client device in a second internal network as a destination address;
  
  executing instructions stored in memory of the first access filter, wherein execution of the instructions by a processor;
  
  encrypts the data packet using a certificate shared between the first access filter and a second access filter associated with the destination address of the data packet, wherein the original header of the data packet is also encrypted, andadds a new header specifying that an IP address of the first access filter is a source address and that an IP address of the second access filter is a destination address of the encrypted data packet; and
  
  sending the data packet with the new header to the second access filter, wherein the original header remains encrypted during transmission through the Internet, and wherein the second access filter;
  
  verifies that the data packet is from the first access filter as indicated by the new header, andremoves the new header and decrypts the data packet to obtain the original header based on the verification.
- View Dependent Claims (2, 3, 4)
- - 2. The method of claim 1, wherein contents of the data packet remain encrypted while passing through the Internet.
  - 3. The method of claim 1, wherein the data packet is associated with one or more other IP addresses of the second internal network, and wherein the other IP addresses remain encrypted while passing through the Internet.
  - 4. The method of claim 3, wherein only the IP addresses of the first and second access filters are unencrypted.

5. A method for tunneling using encryption, the method comprising:
- receiving an encrypted data packet at a first access filter in a first internal network, the data packet sent from a second access filter in a second internal network, wherein the encrypted data packet includes a new header indicating that the second access filter is a source address and the first access filter is a destination address, wherein an original header of the encrypted data packet remains encrypted during transmission through the Internet; and
  
  executing instructions stored in memory of the first access filter, wherein execution of the instructions by a processor;
  
  analyzes identification information associated with the data packet to verify that the data packet is from the second access filter,removes the new header of the data packet and decrypts the data packet based on verification that the data packet is from the second access filter as indicated by the new header, wherein the decrypted data packet includes the original header of the data packet, wherein the original header specifies an internet protocol (IP) address in the second internal network as a destination address of the decrypted data packet; and
  
  processes the data packet based on the original header.
- View Dependent Claims (6, 7, 8)
- - 6. The method of claim 5, wherein contents of the data packet remain encrypted while passing through the Internet.
  - 7. The method of claim 5, wherein the data packet is associated with one or more other IP addresses of the first internal network, and wherein the other IP addresses remain encrypted while passing through the Internet.
  - 8. The method of claim 7, wherein only the IP addresses of the first and second access filters are unencrypted.

9. A system for tunneling using encryption, the system comprisinga client device in a first internal network;
- anda first access filter in the first internal network, the first access filter comprising;
  
  a communication interface that receives a data packet sent from the client device, wherein the received data packet has an original header specifying an internet protocol (IP) address of the client device as a source address and an IP address of a client device in a second internal network as a destination address;
  
  a processor that executes instructions stored in memory, wherein execution of the instructions by the processor;
  
  encrypts the data packet using a certificate shared between the first access filter and a second access filter associated with the destination address of the data packet, wherein the original header of the data packet is also encrypted,adds a new header specifying that an IP address of the first access filter is a source address and that an IP address of the second access filter is a destination address of the encrypted data packet;
  
  wherein the communication interface sends the data packet with the new header to the second access filter, wherein the original header remains encrypted during transmission through the Internet, and wherein the second access filter;
  
  verifies that the data packet is from the first access filter as indicated by the new header, andremoves the new header and decrypts the data packet to obtain the original header based on the verification.
- View Dependent Claims (10, 11, 12, 13)
- - 10. The system of claim 9, wherein contents of the data packet remain encrypted while passing through the Internet.
  - 11. The system of claim 9, wherein the data packet is associated with one or more other IP addresses of the first internal network, and wherein the other IP addresses remain encrypted while passing through the Internet.
  - 12. The system of claim 9, wherein only the IP addresses of the first and second access filters are unencrypted.
  - 13. The system of the claim 9, further comprising the second access filter.

14. A system for tunneling using encryption, the system comprisinga first access filter in a first internal network, the first access filter comprising:
- a communication interface that receives an encrypted data packet sent from a second access filter in a second internal network, wherein the encrypted data packet includes a header indicating that the second access filter is a source address and the first access filter is a destination address, wherein an original header of the encrypted data packet remains encrypted during transmission through the Internet; and
  
  a processor that executes instructions stored in memory, wherein execution of the instructions by the processor;
  
  analyzes identification information associated with the data packet to verify that the data packet is from the second access filter,removes the header of the data packet and decrypts the data packet based on verification that the data packet is from the second access filter as indicated by the header, wherein the decrypted data packet includes the original header of the data packet, wherein the original header specifies an internet protocol (IP) address in the second internal network as a destination address of the decrypted data packet; and
  
  processes the data packet based on the original header.
- View Dependent Claims (15, 16, 17)
- - 15. The system of claim 14, wherein contents of the data packet remain encrypted while passing through the Internet.
  - 16. The system of claim 14, wherein the data packet is associated with one or more other IP addresses of the second internal network, and wherein the other IP addresses remain encrypted while passing through the Internet.
  - 17. The system of claim 14, wherein only the IP addresses of the first and second access filters are unencrypted.

18. A non-transitory computer-readable storage medium, having embodied thereon a program executable by a processor to perform a method for tunneling using encryption, the method comprising:
- receiving a data packet at a first access filter in a first internal network, the data packet sent from a client device in the first internal network, wherein the received data packet has an original header specifying an internet protocol (IP) address of the client device as a source address and an IP address of a client device in a second internal network as a destination address;
  
  encrypting the data packet using a certificate shared between the first access filter and a second access filter associated with the destination address of the data packet, wherein the original header of the data packet is also encrypted;
  
  adding a new header specifying that an IP address of the first access filter is a source address and that an IP address of the second access filter is a destination address of the encrypted data packet; and
  
  sending the data packet with the new header to the second access filter, wherein the original header remains encrypted during transmission through the Internet, and wherein the second access filter;
  
  verifies that the data packet is from the first access filter as indicated by the new header, andremoves the new header and decrypts the data packet to obtain the original header based on the verification.

19. A non-transitory computer-readable storage medium, having embodied thereon a program executable by a processor to perform a method for tunneling using encryption, the method comprising:
- receiving an encrypted data packet at a first access filter in a first internal network, the data packet sent from a second access filter in a second internal network, wherein the encrypted data packet includes a header indicating that the second access filter is a source address and the first access filter is a destination address, wherein an original header of the encrypted data packet remains encrypted during transmission through the Internet;
  
  analyzing identification information associated with the data packet to verify that the data packet is from the second access filter;
  
  removing the header of the data packet and decrypting the data packet based on verification that the data packet is from the second access filter as indicated by the header, wherein the decrypted data packet includes the original header of the data packet, wherein the original header specifies an internet protocol (IP) address in the second internal network as a destination address of the decrypted data packet; and
  
  processing the data packet based on the original header.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Quest Software, Inc.
Original Assignee
Dell Software, Inc. (Dell Technologies Inc.)
Inventors
Hannel, Clifford Lee, May, Anthony
Primary Examiner(s)
Hwa, Shyue Jiunn

Application Number

US13/967,205
Publication Number

US 20140047232A1
Time in Patent Office

930 Days
Field of Search
US Class Current

1/1
CPC Class Codes

G06F 21/6227   where protection concerns t...

H04L 63/0272   Virtual private networks

H04L 63/0428   wherein the data content is...

H04L 63/0471   applying encryption by an i...

H04L 63/08   for authentication of entit...

H04L 63/105   Multiple levels of security

H04L 63/20   for managing network securi...

Tunneling using encryption

First Claim

32 Assignments

0 Petitions

Accused Products

Abstract

174 Citations

19 Claims

Specification

Solutions

Use Cases

Quick Links

Tunneling using encryption

First Claim

32 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

174 Citations

19 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links