Method and system for VPN isolation using network namespaces
First Claim
Patent Images
1. A computer executable method for providing access to a virtual private network (VPN) connection to an authorized application, comprising:
- creating a unique network namespace of a host system that contains a network resource for the authorized application;
placing a pseudo tunnel interface associated with the VPN connection into the unique network namespace by moving the pseudo tunnel interface from a default network namespace into the unique network namespace, wherein a routing table corresponding to the pseudo tunnel interface is inaccessible from the default network namespace; and
precluding unauthorized applications on the host system from accessing the unique network namespace, thereby facilitating the access to the VPN connection by the authorized application.
2 Assignments
0 Petitions
Accused Products
Abstract
One embodiment of the present invention provides a system for providing exclusive access to a virtual private network (VPN) connection to an authorized application. During operation, the system creates a unique network namespace that is different from a default network namespace of a host system. The system then places a pseudo network interface associated with the VPN connection into the unique network namespace. Furthermore, the system places at least one socket for an authorized application into the unique network namespace. The system also precludes unauthorized applications on the host from accessing the unique network namespace, thereby facilitating exclusive access to the VPN connection by the authorized application.
50 Citations
17 Claims
-
1. A computer executable method for providing access to a virtual private network (VPN) connection to an authorized application, comprising:
-
creating a unique network namespace of a host system that contains a network resource for the authorized application; placing a pseudo tunnel interface associated with the VPN connection into the unique network namespace by moving the pseudo tunnel interface from a default network namespace into the unique network namespace, wherein a routing table corresponding to the pseudo tunnel interface is inaccessible from the default network namespace; and precluding unauthorized applications on the host system from accessing the unique network namespace, thereby facilitating the access to the VPN connection by the authorized application. - View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10, 11)
-
-
12. A computer readable non-transitory storage medium storing instructions which when executed by a computer cause the computer to perform a method, the method comprising:
-
creating a unique network namespace of a host system on the computer that contains a network resource for an authorized application; placing a pseudo tunnel interface associated with a VPN connection into the unique network namespace by moving the pseudo tunnel interface from a default network namespace into the unique network namespace, wherein a routing table corresponding to the pseudo tunnel interface is not visible within the default network namespace; and precluding unauthorized applications on the host system from accessing the unique network namespace, thereby facilitating access to the VPN connection by the authorized application. - View Dependent Claims (13, 14)
-
-
15. A computing system for providing access to a virtual private network (VPN) connection to an authorized application, comprising:
-
a network namespace creation mechanism configured to create a unique network namespace of a host system that contains a network resource for the authorized application, wherein the network resource comprises a pseudo tunnel interface associated with the VPN connection that is placed into the unique network namespace by moving the pseudo tunnel interface from a default network namespace of the host system into the unique network namespace and a routing table corresponding to the pseudo tunnel interface is inaccessible from the default network namespace; wherein unauthorized applications on the host system are precluded from accessing the unique network namespace, thereby facilitating the access to the VPN connection by the authorized application. - View Dependent Claims (16, 17)
-
Specification
-
- Resources
Litigation Campaign Assessment
Thank you for your request. You will receive a custom alert email when the Litigation Campaign Assessment is available.
×
-
Current AssigneeVmware LLC (Broadcom, Inc.)
-
Original AssigneeVMware, Inc. (Broadcom, Inc.)
-
InventorsFainkichen, Alexander, Newell, Craig
-
Primary Examiner(s)Zee, Edward
-
Application NumberUS14/994,383Publication NumberTime in Patent Office615 DaysField of SearchUS Class CurrentCPC Class CodesC09J 7/21 Paper; Textile fabricsC09J 7/30 characterised by the adhesi...G06F 2009/4557 Distribution of virtual mac...G06F 2009/45587 Isolation or security of vi...G06F 2009/45595 Network integration; Enabli...G06F 9/445 Program loading or initiati...G06F 9/455 Emulation; Interpretation; ...G06F 9/45529 Embedded in an application,...G06F 9/45533 Hypervisors; Virtual machin...G06F 9/45558 Hypervisor-specific managem...G06F 9/46 Multiprogramming arrangementsH04L 63/0272 Virtual private networksH04L 67/10 in which an application is ...H04L 67/34 involving the movement of s...H04N 21/443 OS processes, e.g. booting ...H04N 21/4437 Implementing a Virtual Mach...H04W 12/37 Managing security policies ...H04W 4/50 Service provisioning or rec...H04W 4/60 Subscription-based services...H04W 76/10 Connection setupView All
