Securing applications on public facing systems

US 9,749,291 B2
Filed: 07/15/2011
Issued: 08/29/2017
Est. Priority Date: 07/15/2011
Status: Active Grant

First Claim

Patent Images

1. A computer-implemented method of providing secured access to an intranet application via an external network, the computer-implemented method comprising:

configuring a dummy interface on a virtual machine (VM) instance being hosted in a computing cloud and including virtualized hardware, the VM instance having an external interface accessible via the external network, wherein the intranet application executes on the VM instance, wherein the dummy interface is assigned a network address that is inaccessible from the external interface, wherein the dummy interface provides an interface for a virtual network that exists only on the VM instance;

binding the intranet application to the dummy interface and by operation of one or more computer processors; and

establishing, over the external network, a virtual private network (VPN) connection between a VPN server on the VM instance and a VPN client executing on a remote computing system, wherein a VPN interface on the VPN client is assigned a network address that is routable to the dummy interface, whereafter a client application, executing on the VPN client, forwards packets to the intranet application bound to the dummy interface over the VPN connection.

View all claims

1 Assignment

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

Techniques are disclosed for configuring a virtual machine instance accessed over a publically routable network address to host intranet applications. A virtual (or “dummy”) interface on the virtual machine instance is assigned an IP address that is inaccessible from the public interface. An application executed on the virtual machine instance is bound to a port on the network address assigned to this dummy interface. A virtual private network server assigns client'"'"'s IP addresses that can be routed to the dummy interface. When a client computing system connects to the VPN server over the virtual machine instance'"'"'s public interface, the client forwards traffic destined for the dummy interface'"'"'s inaccessible network over the VPN connection.

Citations

25 Claims

1. A computer-implemented method of providing secured access to an intranet application via an external network, the computer-implemented method comprising:
- configuring a dummy interface on a virtual machine (VM) instance being hosted in a computing cloud and including virtualized hardware, the VM instance having an external interface accessible via the external network, wherein the intranet application executes on the VM instance, wherein the dummy interface is assigned a network address that is inaccessible from the external interface, wherein the dummy interface provides an interface for a virtual network that exists only on the VM instance;
  
  binding the intranet application to the dummy interface and by operation of one or more computer processors; and
  
  establishing, over the external network, a virtual private network (VPN) connection between a VPN server on the VM instance and a VPN client executing on a remote computing system, wherein a VPN interface on the VPN client is assigned a network address that is routable to the dummy interface, whereafter a client application, executing on the VPN client, forwards packets to the intranet application bound to the dummy interface over the VPN connection.
- View Dependent Claims (2, 3, 4, 5, 6, 7)
- - 2. The computer-implemented method of claim 1, wherein the VPN server is accessed using a public network address assigned to a virtual network interface on the VM instance.
  - 3. The computer-implemented method of claim 2, wherein the VPN connection encrypts network packets forwarded over a public network address of the remote computing system to the public network address of the VM instance.
  - 4. The computer-implemented method of claim 1, wherein the VPN server is configured to authenticate a request to establish the VPN connection.
  - 5. The computer-implemented method of claim 1, wherein the remote computing system is a VPN gateway.
  - 6. The computer-implemented method of claim 5, wherein the VPN gateway is part of a private network subnet, wherein network packets addressed to the dummy interface on the VM instance are routed to the VPN gateway.
  - 7. The computer-implemented method of claim 1, further comprising:
    - metering use of the VM instance associated with a request; and
      
      generating an invoice based on the metered use.

8. A system to provide secured access to an intranet application via an external network, the system comprising:
- one or more computer processors; and
  
  a memory storing a hypervisor configured to execute a virtual machine (VM) instance by operation of the one or more computer processors to perform an operation, the VM instance being hosted in a computing cloud and including virtualized hardware, the operation comprising;
  
  configuring a dummy interface on the VM instance, the VM instance having an external interface accessible via the external network, wherein the intranet application executes on the VM instance, wherein the dummy interface is assigned a network address that is inaccessible from the external interface, wherein the dummy interface creates an interface for a virtual network that exists only on the VM instance,binding the intranet application to the dummy interface, andestablishing, over the external network, a virtual private network (VPN) connection between a VPN server on the VM instance and a VPN client executing on a remote computing system, wherein a VPN interface on the VPN client is assigned a network address that is routable to the dummy interface, whereafter a client application, executing on the VPN client, forwards packets to the intranet application bound to the dummy interface over the VPN connection.
- View Dependent Claims (15, 16, 17, 18, 19, 20, 21, 22, 23, 24, 25)
- - 15. The system of claim 8, wherein the system is of providing secured access to the intranet application via the external network and without requiring modification to the intranet application, wherein the network address assigned to the dummy interface is inaccessible from the external network, wherein the dummy interface comprises a virtual network interface.
  - 16. The system of claim 8, wherein the VPN server is accessed using a public network address assigned to a virtual network interface on the VM instance.
  - 17. The system of claim 16, wherein the VPN connection encrypts network packets forwarded over a public network address of the remote computing system to the public network address of the VM instance.
  - 18. The system of claim 8, wherein the VPN server is configured to authenticate a request to establish the VPN connection.
  - 19. The system of claim 8, wherein the remote computing system is a VPN gateway.
  - 20. The system of claim 19, wherein the VPN gateway is part of a private network subnet, wherein network packets addressed to the dummy interface on the VM instance are routed to the VPN gateway.
  - 21. The system of claim 8, the intranet application and the client application are distinct applications, wherein the intranet application was designed to be accessed from the intranet, wherein the intranet application was not designed to be accessed over the external network, wherein the operation further comprises:
    - enforcing a predefined security policy, by at least one of the VPN server and the VPN client, in order to provide secured access to the intranet application via the external network and without requiring modification to the intranet application.
  - 22. The system of claim 21, wherein the VPN server is accessed using a first public network address assigned to a virtual network interface on the VM instance;
    - wherein the VPN connection encrypts network packets forwarded over a second public network address of the remote computing system to the first public network address of the VM instance.
  - 23. The system of claim 22, wherein the VPN server is configured to authenticate a request to establish the VPN connection, wherein the intranet application is bound to the dummy interface for one or more specified network ports.
  - 24. The system of claim 23, wherein the remote computing system is a VPN gateway, wherein the VPN gateway is part of a private network subnet, wherein network packets addressed to the dummy interface on the VM instance are routed to the VPN gateway.
  - 25. The system of claim 24, the operation further comprising:
    - receiving, by the VPN server, from the intranet application, one or more network packets addressed to the network address assigned to the VPN interface on the remote computing system;
      
      forwarding, over the VPN connection, the one or more network packets to a public network address of the remote computing system;
      
      metering use of the VM instance associated with a request; and
      
      generating an invoice based on the metered use.

9. A non-transitory computer-readable medium containing a program executable to perform an operation for providing secured access to an intranet application via an external network, the operation comprising:
- configuring a dummy interface on a virtual machine (VM) instance being hosted in a computing cloud and including virtualized hardware, the VM instance having an external interface accessible via the external network, wherein the intranet application executes on the VM instance, wherein the dummy interface is assigned a network address that is inaccessible from the external interface, wherein the dummy interface provides an interface for a virtual network that exists only on the VM instance;
  
  binding the intranet application to the dummy interface and by operation of one or more computer processors; and
  
  establishing, over the external network, a virtual private network (VPN) connection between a VPN server on the VM instance and a VPN client executing on a remote computing system, wherein a VPN interface on the VPN client is assigned a network address that is routable to the dummy interface, whereafter a client application, executing on the VPN client, forwards packets to the intranet application bound to the dummy interface over the VPN connection.
- View Dependent Claims (10, 11, 12, 13, 14)
- - 10. The non-transitory computer-readable medium of claim 9, wherein the VPN server is accessed using a public network address assigned to a virtual network interface on the VM instance.
  - 11. The non-transitory computer-readable medium of claim 9, wherein the VPN connection encrypts network packets forwarded over a public network address of the remote computing system to the public network address of the VM instance.
  - 12. The non-transitory computer-readable medium of claim 9, wherein the VPN server is configured to authenticate a request to establish the VPN connection.
  - 13. The non-transitory computer-readable medium of claim 9, wherein the remote computing system is a VPN gateway.
  - 14. The non-transitory computer-readable medium of claim 13, wherein the VPN gateway is part of a private network subnet, wherein network packets addressed to the dummy interface on the VM instance are routed to the VPN gateway.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
International Business Machines Corporation
Original Assignee
International Business Machines Corporation
Inventors
Fork, Michael J., Gloe, Christopher T., Paterson, Kevin G.
Primary Examiner(s)
Zeender, Ryan
Assistant Examiner(s)
Racic, Milena

Application Number

US13/183,884
Publication Number

US 20130018765A1
Time in Patent Office

2,237 Days
Field of Search

709224
US Class Current
CPC Class Codes

G06F 9/45558   Hypervisor-specific managem...

H04L 61/2578   without involvement of the ...

H04L 61/2592   using tunnelling or encapsu...

H04L 63/0272   Virtual private networks

H04L 67/10   in which an application is ...

Securing applications on public facing systems

First Claim

1 Assignment

0 Petitions

Accused Products

Abstract

Citations

25 Claims

Specification

Solutions

Use Cases

Quick Links

Securing applications on public facing systems

First Claim

1 Assignment

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

Citations

25 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links