Method and apparatus for providing security in an intranet network

US 9,699,143 B2
Filed: 06/01/2015
Issued: 07/04/2017
Est. Priority Date: 08/07/2008
Status: Active Grant

First Claim

Patent Images

1. A method for providing security in a virtual private network, the method comprising:

defining, by a processor of a customer edge router, a protected server group, wherein the protected server group identifies a subset of all customer endpoint devices in the virtual private network, wherein the subset includes a server within the virtual private network to be protected;

receiving, by the processor, a packet; and

applying, by the processor, an outbound access control list to the packet when the packet is from a server in the protected server group, wherein the outbound access control list comprises an outbound list of internet protocol addresses that the protected server group is allowed to initiate a session with, wherein the applying the outbound access control list comprises;

determining that the packet is from the server in the protected server group and that the packet is sent without being solicited; and

blocking a transmission of the packet that is sent without being solicited.

View all claims

1 Assignment

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

A method and an apparatus for providing security in an intranet network are disclosed. For example, the method receives a packet at a customer edge router, and applies an inbound access control list by the customer edge router to the packet if the packet is destined to a server in a protected server group, wherein said protected server group identifies one or more servers within the intranet network to be protected. The method applies an outbound access control list by the customer edge router to the packet if the packet is from a server in the protected server group.

Citations

20 Claims

1. A method for providing security in a virtual private network, the method comprising:
- defining, by a processor of a customer edge router, a protected server group, wherein the protected server group identifies a subset of all customer endpoint devices in the virtual private network, wherein the subset includes a server within the virtual private network to be protected;
  
  receiving, by the processor, a packet; and
  
  applying, by the processor, an outbound access control list to the packet when the packet is from a server in the protected server group, wherein the outbound access control list comprises an outbound list of internet protocol addresses that the protected server group is allowed to initiate a session with, wherein the applying the outbound access control list comprises;
  
  determining that the packet is from the server in the protected server group and that the packet is sent without being solicited; and
  
  blocking a transmission of the packet that is sent without being solicited.
- View Dependent Claims (2, 3, 4, 5, 6, 7)
- - 2. The method of claim 1, further comprising:
    - allowing the packet to proceed towards its destination when the packet is not to or from the server in the protected server group.
  - 3. The method of claim 1, further comprising:
    - determining whether the server in the protected server group has been compromised by monitoring a request from the server for creating a session.
  - 4. The method of claim 1, further comprising:
    - detecting a denial of service attack by monitoring a number of half open sessions from a customer endpoint device to the server in the protected server group.
  - 5. The method of claim 1, wherein the packet is for a stateless session.
  - 6. The method of claim 1, wherein the packet is for a user datagram protocol session.
  - 7. The method of claim 1, wherein the packet is for an internet control message protocol session.

8. A tangible non-transitory computer-readable medium storing a plurality of instructions which, when executed by a processor of a customer edge router, cause the processor to perform operations for providing security in a virtual private network, the operations comprising:
- defining a protected server group, wherein the protected server group identifies a subset of all customer endpoint devices in the virtual private network, wherein the subset includes a server within the virtual private network to be protected;
  
  receiving a packet; and
  
  applying an outbound access control list to the packet when the packet is from a server in the protected server group, wherein the outbound access control list comprises an outbound list of Internet protocol addresses that the protected server group is allowed to initiate a session with, wherein the applying the outbound access control list comprises;
  
  determining that the packet is from the server in the protected server group and that the packet is sent without being solicited; and
  
  blocking a transmission of the packet that is sent without being solicited.
- View Dependent Claims (9, 10, 11, 12, 13, 14)
- - 9. The non-transitory computer-readable medium of claim 8, further comprising:
    - allowing the packet to proceed towards its destination when the packet is not to or from the server in the protected server group.
  - 10. The non-transitory computer-readable medium of claim 8, further comprising:
    - determining whether the server in the protected server group has been compromised by monitoring a request from the server for creating a session.
  - 11. The non-transitory computer-readable medium of claim 8, further comprising:
    - detecting a denial of service attack by monitoring a number of half open sessions from a customer endpoint device to the server in the protected server group.
  - 12. The non-transitory computer-readable medium of claim 8, wherein the packet is for a stateless session.
  - 13. The non-transitory computer-readable medium of claim 8, wherein the packet is for a user datagram protocol session.
  - 14. The non-transitory computer-readable medium of claim 8, wherein the packet is for an internet control message protocol session.

15. An apparatus for providing security in a virtual private network, the apparatus comprising:
- a processor of a customer edge router; and
  
  a non-transitory computer-readable medium storing a plurality of instructions which, when executed by the processor, cause the processor to perform operations, the operations comprising;
  
  defining a protected server group, wherein the protected server group identifies a subset of all customer endpoint devices in the virtual private network, wherein the subset includes a server within the virtual private network to be protected;
  
  receiving a packet; and
  
  applying an outbound access control list to the packet when the packet is from a server in the protected server group, wherein the outbound access control list comprises an outbound list of internet protocol addresses that the protected server group is allowed to initiate a session with, wherein the applying the outbound access control list comprises;
  
  determining that the packet is from the server in the protected server group and that the packet is sent without being solicited; and
  
  blocking a transmission of the packet that is sent without being solicited.
- View Dependent Claims (16, 17, 18, 19, 20)
- - 16. The apparatus of claim 15, wherein the operations further comprise:
    - allowing the packet to proceed towards its destination when the packet is not to or from the server in the protected server group.
  - 17. The apparatus of claim 15, wherein the operations further comprise:
    - determining whether the server in the protected server group has been compromised by monitoring a request from the server for creating a session.
  - 18. The apparatus of claim 15, wherein the operations further comprise:
    - detecting a denial of service attack by monitoring a number of half open sessions from a customer endpoint device to the server in the protected server group.
  - 19. The apparatus of claim 15, wherein the packet is for a stateless session.
  - 20. The apparatus of claim 15, wherein the packet is for a user datagram protocol session or an internet control message protocol session.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
AT&T Intellectual Property I LP (AT&T, Inc.)
Original Assignee
AT&T Intellectual Property I LP (AT&T, Inc.)
Inventors
Dargis, Anthony
Primary Examiner(s)
Siddiqi, Mohammad A

Application Number

US14/727,457
Publication Number

US 20150264013A1
Time in Patent Office

764 Days
Field of Search
US Class Current
CPC Class Codes

H04L 63/0272   Virtual private networks

H04L 63/08   for authentication of entit...

H04L 63/101   Access control lists [ACL]

H04L 63/1458   Denial of Service

H04L 63/164   at the network layer

H04L 63/20   for managing network securi...

Method and apparatus for providing security in an intranet network

First Claim

1 Assignment

0 Petitions

Accused Products

Abstract

Citations

20 Claims

Specification

Solutions

Use Cases

Quick Links

Method and apparatus for providing security in an intranet network

First Claim

1 Assignment

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

Citations

20 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links