Propagating black hole shunts to remote routers with split tunnel and IPSec direct encapsulation
First Claim
1. A method for managing a network having a remote router coupled to a head-end location, the method comprising:
identifying a rogue website via a shunt router coupled to said remote router by a split IPSec tunnel;
advertising an address of said rogue website to said remote router to set up a centrally administered policy at said remote router, said head-end location being an enterprise head-end; and
blocking traffic from said rogue website at said remote router by routing packet traffic destined for said rogue website to a black hole shunt at said remote router, said remote router having a Null0 IP route to blackhole traffic destined for said address of said rogue website identified by said shunt router.
Abstract
Remote routers are configured to block the return path to malicious websites with the use of split tunneling while allowing paths to third party resource websites. The iBGP protocol runs on the agent's router, advertises routes and enables the head-end to set up a policy at each remote router. Enterprise policies for blocking access to "blackholed" website addresses are centrally administered but third party website traffic is not routed to the enterprise's network resources. Since remote offices may connect directly to third party websites, latency is minimized and network resources at the enterprise are not unduly burdened.
Claims (22 in total; the independent claims 1, 11, 18 and 19 are reproduced below)
1. (Reproduced in full above under First Claim.) Dependent claims 2 through 10 are not reproduced here.

11. A network topology, comprising:
an enterprise head-end having a shunt router, said shunt router being configured to identify a rogue website;
a remote router coupled to said shunt router by a split IPSec tunnel, said remote router having a Null0 IP route to blackhole traffic destined for a rogue address of said rogue website identified by said shunt router; and
a route reflector coupled to said shunt router, said route reflector being configured to advertise said blackholed traffic destined for said rogue addresses to said remote router.
Dependent claims 12 through 17 are not reproduced here.

18. A network topology, comprising:
an enterprise head-end having a shunt router, said shunt router being configured to identify a rogue website;
a remote router coupled to said shunt router in said enterprise head-end by a split IPSec tunnel, said remote router having a Null0 IP route to blackhole traffic destined for a rogue address of said rogue website identified by said shunt router; and
means for generating a list of blackholed website addresses, and for advertising said list to peer routers of said remote router.

19. In a network system having a remote router coupled to a peer shunt router by an IPSec split tunnel, a method for blocking access to a malicious website, the method comprising:
receiving, at said remote router, a central policy that specifies that access to said malicious website is denied for outgoing traffic, said malicious website being identified by said peer shunt router;
sending traffic destined for said malicious website to a black hole shunt at said remote router, said remote router having a Null0 IP route to blackhole traffic destined for said malicious website; and
blocking incoming traffic from said malicious website.
Dependent claims 20 through 22 are not reproduced here.
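The mechanism the abstract and claims 1, 11 and 19 describe is the remotely triggered black hole (RTBH) pattern: the shunt router originates a host route for the rogue address into iBGP, a route reflector fans it out to the branches, and each remote router resolves that route to a Null0 discard while its split tunnel keeps ordinary internet traffic off the enterprise network. The Cisco IOS configuration below is an added illustration written for this page; it is not taken from the patent, from a product, or from the assignee. The AS number (65000), the loopback addresses (10.255.0.1 shunt router, 10.255.0.2 route reflector, 10.255.0.3 remote router), the rogue address (203.0.113.45), the discard next-hop (192.0.2.1), the enterprise prefix (10.0.0.0/8), the branch LAN (10.1.0.0/16), the head-end IPsec peer (198.51.100.1), the branch uplink (198.51.100.130/25) and the route tag 666 are all assumed. The claims do not say how "blocking incoming traffic" (claim 19) is implemented; loose-mode uRPF against the same Null0 route is one common way to do it and is shown as such.

```cisco
! ===== Shunt router (enterprise head-end): originates the black hole =====
! One /32 host route per rogue address identified at the head-end (assumed
! address). The tag keeps ordinary static routes out of the redistribution.
ip route 203.0.113.45 255.255.255.255 Null0 tag 666
!
! Rewrite the next-hop to a discard address and keep the route inside the AS.
route-map RTBH-ORIGINATE permit 10
 match tag 666
 set ip next-hop 192.0.2.1
 set community no-export
 set origin igp
!
router bgp 65000
 bgp router-id 10.255.0.1
 neighbor 10.255.0.2 remote-as 65000
 neighbor 10.255.0.2 update-source Loopback0
 neighbor 10.255.0.2 send-community
 redistribute static route-map RTBH-ORIGINATE
!
! ===== Route reflector (enterprise head-end): fans the /32 out (claim 11) =====
router bgp 65000
 bgp router-id 10.255.0.2
 neighbor 10.255.0.1 remote-as 65000
 neighbor 10.255.0.1 update-source Loopback0
 neighbor 10.255.0.1 send-community
 neighbor 10.255.0.3 remote-as 65000
 neighbor 10.255.0.3 update-source Loopback0
 neighbor 10.255.0.3 send-community
 neighbor 10.255.0.3 route-reflector-client
!
! ===== Remote router (branch): split tunnel plus local black hole =====
! Split tunnel: only enterprise-bound traffic (and the iBGP session between
! the loopbacks) is encrypted to the head-end; everything else leaves via the
! local uplink, so third-party traffic never crosses the enterprise network.
ip access-list extended SPLIT-TUNNEL
 permit ip 10.1.0.0 0.0.255.255 10.0.0.0 0.255.255.255
 permit ip host 10.255.0.3 10.0.0.0 0.255.255.255
!
crypto isakmp policy 10
 encryption aes 256
 hash sha256
 authentication pre-share
 group 14
! REPLACE-ME is a placeholder pre-shared key; 198.51.100.1 is the assumed peer.
crypto isakmp key REPLACE-ME address 198.51.100.1
crypto ipsec transform-set HEADEND-TS esp-aes 256 esp-sha256-hmac
crypto map HEADEND 10 ipsec-isakmp
 set peer 198.51.100.1
 set transform-set HEADEND-TS
 match address SPLIT-TUNNEL
!
! Default route to the local ISP (assumed gateway) carries non-enterprise traffic.
ip route 0.0.0.0 0.0.0.0 198.51.100.129
!
! The discard next-hop resolves to Null0. Every iBGP route carrying next-hop
! 192.0.2.1 therefore installs as a black hole: this is the Null0 IP route of
! claims 1, 11, 18 and 19. Being a /32, it is more specific than the default
! route, so packets for the rogue address are dropped before the split-tunnel
! decision is ever made.
ip route 192.0.2.1 255.255.255.255 Null0
!
router bgp 65000
 bgp router-id 10.255.0.3
 neighbor 10.255.0.2 remote-as 65000
 neighbor 10.255.0.2 update-source Loopback0
!
interface GigabitEthernet0/0
 description Local internet uplink (split-tunnel direct path)
 ip address 198.51.100.130 255.255.255.128
 crypto map HEADEND
! Loose-mode uRPF drops inbound packets whose source address resolves to a
! Null0 route, which blocks the return path from the rogue address (claim 19).
! allow-default lets ordinary internet sources pass the check via the default
! route; the more specific /32 to Null0 still fails it.
 ip verify unicast source reachable-via any allow-default
```

To confirm the policy has reached a branch, `show ip bgp 203.0.113.45` on the remote router should list the /32 with next-hop 192.0.2.1 and the no-export community, and `show ip cef 203.0.113.45` should resolve it to a drop adjacency via Null0. Withdrawing the single static route on the shunt router withdraws the advertisement everywhere, so unblocking is a one-line change at the head-end. Two caveats a practitioner should keep in mind: the block is by IP address, so a rogue site sharing an address with legitimate sites (a CDN or shared host) takes them down with it; and the no-export community only stops the route at an eBGP boundary, so the Null0 route must be present on every router that will ever hold the iBGP route, otherwise that router would try to forward to 192.0.2.1 rather than discard.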
Specification