Secure virtual network platform for enterprise hybrid cloud computing environments
Abstract
A secure virtual network platform connects two or more different or separate network domains. When a data packet is received at an end point in one network domain, a determination is made as to whether the data packet should be forwarded outside the virtual network platform, or transmitted via the virtual network to a destination in another network domain connected by the virtual network platform.
21 Claims
1. A method comprising:
providing a virtual network switch coupled between a first network domain and a second network domain, wherein the virtual network switch is separate from the first and second network domains, and the second network domain is separate from the first network domain;
providing a controller coupled to the virtual network switch, the first network domain, and the second network domain;
receiving at a first end point in the first network domain a request to make a connection to a second end point in the second network domain;
determining if the connection should be provided through a virtual network connecting the first network domain with the second network domain;
if the connection should be provided through the virtual network, establishing a virtual network connection between the first end point and the second end point to transmit a payload from the first network domain to the second network domain, wherein the establishing comprises:
initiating by the first end point, as allowed by the controller, first traffic from the first network domain to the virtual network switch, the first traffic being allowed through a first firewall of the first network domain because the first traffic is outbound from the first network domain to the virtual network switch, the first traffic thereby being first outbound traffic;
initiating by the second end point, as allowed by the controller, second traffic from the second network domain to the virtual network switch, the second traffic being allowed through a second firewall of the second network domain because the second traffic is outbound from the second network domain to the virtual network switch, the second traffic thereby being second outbound traffic; and
placing by the virtual network switch the payload from the first outbound traffic established by the first end point into a reply to the second outbound traffic established by the second end point residing in the second network domain; and
if the connection should not be provided through the virtual network, passing the request outside the virtual network.
2. The method of claim 1 wherein the passing the request outside the virtual network comprises:
forwarding the request to a local TCP/IP network inside the first network domain.
3. The method of claim 1 wherein the passing the request outside the virtual network comprises:
forwarding the request to a physical networking device inside the first network domain.
4. The method of claim 1 wherein the determining if the connection should be provided through a virtual network connection comprises:
comparing one or more than one Internet Protocol (IP) addresses associated with the second end point against a list of IP addresses stored at the first end point, wherein when the one or more than one IP addresses associated with the second end point are not listed in the list of IP addresses, the connection should not be provided through the virtual network.
5. The method of claim 1 wherein the virtual network comprises:
a first control daemon and a first virtual network proxy at the first end point in the first network domain; and
a second control daemon and a second virtual network proxy at the second end point in the second network domain,
wherein the controller is coupled to the first and second control daemons, wherein the controller upon approving the virtual network connection instructs the first virtual network proxy via the first control daemon to establish a first outbound connection of the virtual network connection to the virtual network switch, instructs the second virtual network proxy via the second control daemon to establish a second outbound connection of the virtual network connection to the virtual network switch, and instructs the virtual network switch to allow the first outbound connection from the first virtual network proxy, to allow the second outbound connection from the second virtual network proxy, to place payloads coming from the first outbound connection into return traffic of the second outbound connection, and to place payloads coming from the second outbound connection into return traffic of the first outbound connection.
6. The method of claim 1 wherein the first end point, second end point, or both comprises at least one of a physical server, a virtual machine (VM), or a virtual network edge gateway.
7. The method of claim 1 wherein the first end point comprises a client component of an application program that issues the request, the second end point comprises a server component of the application program, and the method comprises:
computing an identifier of the application program;
comparing the identifier with a predetermined identifier associated with a specific version of the application program; and
if the identifier does not match the predetermined identifier associated with the specific version of the application program, determining that the connection should not be provided through the virtual network.
8. The method of claim 1 wherein the first network domain is coupled to the second network domain via the Internet.
9. The method of claim 1 comprising:
storing a list identifying one or more specific application programs authorized to use the virtual network;
determining that the request is from one of the one or more specific application programs authorized to use the virtual network;
after the determination that the request is from a specific application program authorized to use the virtual network, seeking permission from the controller for the establishment of the virtual network connection; and
receiving an indication that the connection should not be provided through the virtual network, the permission thereby being denied by the controller.
10. The method of claim 1 wherein the establishing a virtual network connection between the first end point and the second end point comprises:
creating at the first end point a first dynamic routing table having first routing information, the first routing information comprising a first session identifier for the virtual network connection; and
forwarding the first routing information to the virtual network switch between the first and second network domains, wherein the virtual network switch consults a second dynamic virtual routing table having second routing information, the second routing information comprising a second session identifier, wherein when the second session identifier matches the first session identifier, the virtual network switch places a first payload of a first data packet from the first end point into return traffic to the second end point according to the second routing information.
11. The method of claim 1 wherein the virtual network switch uses a packet switched protocol.
12. A method comprising:
providing a virtual network switch coupled between a first network domain and a second network domain, wherein the virtual network switch is separate from the first and second network domains, and the second network domain is separate from the first network domain;
providing a controller coupled to the virtual network switch, the first network domain, and the second network domain;
storing a list identifying one or more specific application programs that are allowed to use a virtual network connecting the first network domain with the second network domain;
receiving at a first end point in the first network domain a request from a client component of an application program to make a connection to a server component of the application program, the server component of the application program being at a second end point in the second network domain;
determining from the list if the application program is one of the one or more specific application programs that are allowed to use the virtual network;
if allowed, establishing for the application program a virtual network connection between the first end point and the second end point to transmit a payload from the first network domain to the second network domain, wherein the establishing comprises:
initiating by the first end point, as allowed by the controller, first traffic from the first network domain to the virtual network switch, the first traffic thereby being first outbound traffic from the first network domain;
initiating by the second end point, as allowed by the controller, second traffic from the second network domain to the virtual network switch, the second traffic thereby being second outbound traffic from the second network domain; and
placing the payload of the first outbound traffic coming from the first network domain into a reply to the second outbound traffic from the second network domain; and
if not allowed, not establishing the virtual network connection.
13. The method of claim 12 wherein one of the first or second network domains comprises a private network domain, and another of the first or second network domains comprises a public network domain.
14. The method of claim 12 wherein the one or more specific application programs comprises at least one of a GDB Debug Application, a VNC Access and Collaboration Application, or a Zshell Secure Access Application.
15. The method of claim 12 wherein the virtual network comprises a virtual routing table, wherein the virtual network switch receives a first data packet from the first end point, and based on the virtual routing table, forwards a first payload in the first data packet to the second end point in the second network domain.
16. The method of claim 12 comprising:
comparing an identifier associated with the application program to the list identifying the one or more specific application programs that are allowed to use the virtual network;
if the identifier associated with the application program matches an identifier in the list, determining that the application program is one of the one or more specific application programs that are allowed to use the virtual network; and
if the identifier associated with the application program does not match an identifier in the list, determining that the application program is not one of the one or more specific application programs that are allowed to use the virtual network, and passing the request to a local TCP/IP network inside the first network domain.
17. The method of claim 12 wherein the establishing for the application program a virtual network connection comprises:
creating at the first end point a first dynamic routing table having first routing information, the first routing information comprising a first session identifier for the virtual network connection; and
forwarding the first routing information to the virtual network switch between the first and second network domains, wherein the virtual network switch consults a second dynamic virtual routing table having second routing information, the second routing information comprising a second session identifier, wherein when the second session identifier corresponds to the first session identifier, the virtual network switch forwards a first payload of a first data packet from the client component to the server component according to the second routing information.
18. A method comprising:
providing a virtual network switch coupled to a first network domain and a second network domain, wherein the virtual network switch is separate from the first and second network domains, and the second network domain is separate from the first network domain;
providing a controller coupled to the virtual network switch, the first network domain, and the second network domain;
storing at a first end point in the first network domain a static routing table comprising a list of virtual destination Internet Protocol (IP) addresses;
receiving at the first end point a request from a client to connect to a destination;
scanning the static routing table to determine whether an IP address of the destination is listed in the static routing table;
if the IP address is not listed, passing the request to a TCP/IP network that is local to the first network domain;
if the IP address is listed, seeking permission to use a virtual network connecting the first network domain to the second network domain, the destination being in the second network domain; and
upon a determination that use of the virtual network is permitted, establishing for the client a virtual network connection between the first end point and the destination to transmit a payload of the client from the first network domain to the second network domain, wherein the establishing comprises:
initiating by the first end point, as allowed by the controller, first traffic from the first network domain to the virtual network switch, the first traffic thereby being first outbound traffic from the first network domain;
initiating by the destination, as allowed by the controller, second traffic from the second network domain to the virtual network switch, the second traffic thereby being second outbound traffic from the second network domain; and
placing the payload from the first network domain into a reply to the second outbound traffic from the second network domain.
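The end-point-side decision that claims 4, 7, 9, 16 and 18 describe (consult a static routing table of virtual destination IP addresses, check the application's identifier against the authorized version, then ask the controller for permission) can be modelled as a small policy function. The following is an added illustration, not code from the patent: the class and function names, the use of SHA-256 over a program image as the "identifier of the application program", the controller's pair-based policy and all IP addresses and sample values are assumptions made for this example. It also goes slightly beyond any single claim by chaining the three checks in the order the claims imply (table, identifier, controller).

```python
"""Endpoint-side routing decision modelled on claims 4, 7, 9, 16 and 18.

Added illustration, not the patent's code. Names, the SHA-256 identifier
scheme and all sample values are assumptions made for the example.
"""
import hashlib
from enum import Enum
from typing import Dict, Iterable, Set, Tuple


class Route(Enum):
    LOCAL = "pass request to the local TCP/IP network"   # outside the virtual network
    VIRTUAL = "establish virtual network connection"     # via the virtual network switch
    DENIED = "permission denied by controller"           # claim 9: controller refused


def app_identifier(program_image: bytes) -> str:
    """Claim 7: an identifier for a specific version of the application.
    The patent does not fix the scheme; SHA-256 of the program image is assumed."""
    return hashlib.sha256(program_image).hexdigest()


class Controller:
    """Grants or denies use of the virtual network (claims 9 and 18).
    The policy is a constructed set of permitted (source IP, destination IP) pairs."""

    def __init__(self, permitted_pairs: Iterable[Tuple[str, str]]):
        self.permitted_pairs: Set[Tuple[str, str]] = set(permitted_pairs)

    def permit(self, src_ip: str, dst_ip: str) -> bool:
        return (src_ip, dst_ip) in self.permitted_pairs


class Endpoint:
    """First end point: holds the static routing table of virtual destination IPs
    (claim 18) and the list of authorized application identifiers (claims 7, 9, 16)."""

    def __init__(self, ip: str, virtual_destinations: Iterable[str],
                 authorized_apps: Dict[str, str], controller: Controller):
        self.ip = ip
        self.static_routing_table: Set[str] = set(virtual_destinations)
        # application name -> predetermined identifier of the approved version
        self.authorized_apps = dict(authorized_apps)
        self.controller = controller

    def decide_route(self, dst_ip: str, app_name: str, program_image: bytes) -> Route:
        # Claim 18: destination absent from the static table -> local TCP/IP network
        if dst_ip not in self.static_routing_table:
            return Route.LOCAL
        # Claims 7 and 16: the computed identifier must match the predetermined one;
        # an unknown application or an altered program image is passed locally
        expected = self.authorized_apps.get(app_name)
        if expected is None or app_identifier(program_image) != expected:
            return Route.LOCAL
        # Claim 9: only an authorized application asks the controller, which may
        # still deny, in which case no virtual network connection is established
        if not self.controller.permit(self.ip, dst_ip):
            return Route.DENIED
        return Route.VIRTUAL


# Constructed sample data: a stand-in "program image" for an authorized tool.
GDB_IMAGE = b"constructed stand-in for the gdb program image"


def demo() -> Dict[str, Route]:
    controller = Controller([("10.0.0.5", "172.16.0.9")])
    endpoint = Endpoint(
        ip="10.0.0.5",
        virtual_destinations=["172.16.0.9", "172.16.0.10"],
        authorized_apps={"gdb": app_identifier(GDB_IMAGE)},
        controller=controller,
    )
    return {
        # destination not in the static routing table
        "unlisted_destination": endpoint.decide_route("192.168.1.20", "gdb", GDB_IMAGE),
        # listed destination, but the program image differs from the approved version
        "altered_program": endpoint.decide_route("172.16.0.9", "gdb", GDB_IMAGE + b"!"),
        # application name not on the authorized list at all
        "unknown_app": endpoint.decide_route("172.16.0.9", "nc", GDB_IMAGE),
        # all checks pass and the controller permits the pair
        "permitted": endpoint.decide_route("172.16.0.9", "gdb", GDB_IMAGE),
        # listed and authorized, but the controller's policy denies this pair
        "controller_denied": endpoint.decide_route("172.16.0.10", "gdb", GDB_IMAGE),
    }


if __name__ == "__main__":
    for case, route in demo().items():
        print(f"{case}: {route.value}")
```

The ordering matters for a defender: the identifier check runs before the controller is consulted, so a modified binary never reaches the permission step, and a controller denial is distinguished from a plain "not a virtual destination" so that the request is not silently handed to the local network when the controller says no.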
19. The method of claim 18 comprising upon the determination that use of the virtual network is permitted, creating at the first end point a first dynamic routing table having first routing information, the first routing information comprising a first identifier that identifies the virtual network connection; and
forwarding the first routing information to the virtual network switch between the first and second network domains, wherein the virtual network switch consults a second dynamic virtual routing table having second routing information, the second routing information comprising a second identifier, wherein when the second identifier corresponds to the first identifier, the virtual network switch forwards a first payload of a first data packet from the client to the destination according to the second routing information.
20. The method of claim 19 wherein the second dynamic virtual routing table is provisioned by the controller after the controller determines that use of the virtual network is permitted.
21. The method of claim 18 wherein the controller grants or denies permission to use the virtual network, wherein when the controller grants permission to use the virtual network, the controller provisions an entry in a dynamic virtual routing table at the virtual network switch between the first and second network domains, and wherein the entry comprises a virtual IP address associated with the client, a virtual IP address associated with the destination, and a session identifier for the virtual network connection.
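The switch-side mechanism of claims 1, 5, 10, 19, 20 and 21 is that both end points only ever open outbound legs towards the switch (which is why each domain's firewall lets them through), the controller provisions a routing-table entry of (client virtual IP, destination virtual IP, session identifier) after granting permission, and the switch copies each payload arriving on one leg into the return traffic of the peer leg carrying the same session identifier. The following in-process model is an added illustration, not the patent's code: the class names, the hex session-identifier format, the queue-based stand-in for a connection and the sample virtual IP labels are assumptions made for the example.

```python
"""Switch relay and controller provisioning modelled on claims 1, 5, 10, 20, 21.

Added illustration, not the patent's code; class names, the session-identifier
format and the sample virtual IPs are assumptions. Connections are modelled as
in-process queues rather than sockets so the example runs offline.
"""
import secrets
from collections import deque
from dataclasses import dataclass, field
from typing import Deque, Dict, Iterable, Optional, Set, Tuple


@dataclass(frozen=True)
class RoutingEntry:
    """Claim 21: one entry of the switch's dynamic virtual routing table."""
    client_vip: str
    dest_vip: str
    session_id: str


@dataclass
class OutboundLeg:
    """An end point's outbound connection to the switch (claims 1 and 5)."""
    owner_vip: str
    session_id: str                  # from the end point's own dynamic routing table (claim 10)
    to_switch: Deque[bytes] = field(default_factory=deque)   # payloads sent to the switch
    replies: Deque[bytes] = field(default_factory=deque)     # return traffic back to the end point


class VirtualNetworkSwitch:
    def __init__(self) -> None:
        self.routing_table: Dict[str, RoutingEntry] = {}     # session_id -> entry
        self.legs: Dict[Tuple[str, str], OutboundLeg] = {}    # (vip, session_id) -> leg

    def provision(self, entry: RoutingEntry) -> None:
        """Claim 20: the controller provisions the entry after granting permission."""
        self.routing_table[entry.session_id] = entry

    def accept_outbound(self, leg: OutboundLeg) -> None:
        """Claim 5: allow only legs whose session and virtual IP were provisioned."""
        entry = self.routing_table.get(leg.session_id)
        if entry is None or leg.owner_vip not in (entry.client_vip, entry.dest_vip):
            raise PermissionError(f"unprovisioned leg from {leg.owner_vip}")
        self.legs[(leg.owner_vip, leg.session_id)] = leg

    def switch(self) -> int:
        """Place each waiting payload into the peer leg's return traffic (claims 1, 5, 10).
        Returns the number of payloads moved."""
        moved = 0
        for (vip, sid), leg in list(self.legs.items()):
            entry = self.routing_table[sid]
            peer_vip = entry.dest_vip if vip == entry.client_vip else entry.client_vip
            peer = self.legs.get((peer_vip, sid))
            if peer is None:
                continue          # the peer has not initiated its outbound leg yet
            while leg.to_switch:
                peer.replies.append(leg.to_switch.popleft())
                moved += 1
        return moved


class Controller:
    """Grants or denies permission and provisions the switch (claims 20 and 21).
    The permitted (client, destination) pairs are a constructed policy."""

    def __init__(self, switch: VirtualNetworkSwitch, permitted: Iterable[Tuple[str, str]]):
        self.switch = switch
        self.permitted: Set[Tuple[str, str]] = set(permitted)

    def request(self, client_vip: str, dest_vip: str) -> Optional[str]:
        if (client_vip, dest_vip) not in self.permitted:
            return None                          # denied: nothing is provisioned
        session_id = secrets.token_hex(8)        # identifier format is an assumption
        self.switch.provision(RoutingEntry(client_vip, dest_vip, session_id))
        return session_id


def demo() -> dict:
    switch = VirtualNetworkSwitch()
    controller = Controller(switch, [("vip-client-1", "vip-server-1")])
    sid = controller.request("vip-client-1", "vip-server-1")
    client_leg = OutboundLeg("vip-client-1", sid)   # both legs are outbound
    server_leg = OutboundLeg("vip-server-1", sid)
    switch.accept_outbound(client_leg)
    switch.accept_outbound(server_leg)

    client_leg.to_switch.append(b"constructed request payload")
    switch.switch()                                  # lands in the server's reply stream
    server_leg.to_switch.append(b"constructed response payload")
    switch.switch()                                  # lands in the client's reply stream

    try:                                             # unprovisioned virtual IP is refused
        switch.accept_outbound(OutboundLeg("vip-intruder", sid))
        rogue_rejected = False
    except PermissionError:
        rogue_rejected = True

    return {
        "delivered_to_server": list(server_leg.replies),
        "delivered_to_client": list(client_leg.replies),
        "rogue_leg_rejected": rogue_rejected,
        "unpermitted_request": controller.request("vip-client-1", "vip-server-2"),
    }


if __name__ == "__main__":
    print(demo())
```

The point a practitioner should take from the model is that the switch never initiates anything into either domain: a payload can only reach an end point as the reply to a leg that end point opened itself, and only after the controller has written the matching session into the switch's table, so a leg that names a virtual IP the controller did not provision is refused before any payload can be relayed.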