Propagating black hole shunts to remote routers with split tunnel and IPSec direct encapsulation

US 7,873,993 B2
Filed: 11/09/2005
Issued: 01/18/2011
Est. Priority Date: 11/09/2005
Status: Active Grant

First Claim

Patent Images

1. A method for managing a network having a remote router coupled to a head-end location, the method comprising:

identifying a rogue website via a shunt router coupled to said remote router by a split IPSec tunnel;

advertising an address of said rogue website to said remote router to set up a centrally administered policy at said remote router, said head-end location being an enterprise head-end; and

blocking traffic from said rogue website at said remote router by routing packet traffic destined for said rogue website to a black hole shunt at said remote router, said remote router having a Null0 IP route to blackhole traffic destined for said address of said rogue website identified by said shunt router.

View all claims

1 Assignment

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

Remote routers are configured to block the return path to malicious websites with the use of split tunneling while allowing paths to third party resource websites. The iBGP protocol runs on the agent'"'"'s router, advertises routes and enables the head-end to set up a policy at each remote router. Enterprise policies for blocking access to “blackholed” website addresses are centrally administered but third party website traffic is not routed to the enterprise'"'"'s network resources. Since remote offices may connect directly to third party websites, latency is minimized and network resources at the enterprise are not unduly burdened.

58 Citations

View as Search Results

22 Claims

1. A method for managing a network having a remote router coupled to a head-end location, the method comprising:
- identifying a rogue website via a shunt router coupled to said remote router by a split IPSec tunnel;
  
  advertising an address of said rogue website to said remote router to set up a centrally administered policy at said remote router, said head-end location being an enterprise head-end; and
  
  blocking traffic from said rogue website at said remote router by routing packet traffic destined for said rogue website to a black hole shunt at said remote router, said remote router having a Null0 IP route to blackhole traffic destined for said address of said rogue website identified by said shunt router.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10)
- - 2. The method of claim 1, wherein said remote router is coupled to a rogue web server that provides said rogue website using an Internet service provider (ISP).
  - 3. The method of claim 1, further comprising blocking incoming traffic from said rogue website at a firewall.
  - 4. The method of claim 1, further comprising configuring said shunt router to advertise said address of said rogue website to said remote router.
  - 5. The method of claim 1, further comprising configuring a route reflector internal border gateway protocol (iBGP) router to push said address of said rogue website to said remote router.
  - 6. The method of claim 1, wherein said routing packet traffic destined to said rogue website to said Null0 IP route comprises ip route 192.0.2.0 255.255.255.0 Null0 name TEST_NET.
  - 7. The method of claim 1, wherein said remote router has a static IP address.
  - 8. The method of claim 1, wherein said remote router has a dynamic IP address.
  - 9. The method of claim 1, further comprising defining a central policy that identifies websites associated with an email phishing scheme.
  - 10. The method of claim 1, further comprising configuring a route reflector internal border gateway protocol (iBGP) router to advertise said address of said rogue website to at least one peer remote router so that traffic destined to said rogue website is blackholed.

11. A network topology, comprising:
- an enterprise head-end having a shunt router, said shunt router being configured to identify a rogue website;
  
  a remote router coupled to said shunt router by a split IPSec tunnel, said remote router having a Null0 IP route to blackhole traffic destined for a rogue address of said rogue website identified by said shunt router; and
  
  a route reflector coupled to said shunt router, said route reflector being configured to advertise said blackholed traffic destined for said rogue addresses to said remote router.
- View Dependent Claims (12, 13, 14, 15, 16, 17)
- - 12. The network topology of claim 11, wherein said route reflector comprises an internal border gateway protocol (iBGP) router.
  - 13. The network topology of claim 11, wherein said route reflector and said remote router are border gateway protocol (BGP) peers.
  - 14. The network topology of claim 11, wherein said route reflector and said remote router are coupled by said split IPSec tunnel.
  - 15. The network topology of claim 11, wherein traffic between said enterprise head-end and said remote router is sent on said split IPSec tunnel.
  - 16. The network topology of claim 11, wherein said Null0 IP route comprises ip route 192.0.2.0 255.255.255.0 Null0 name TEST_NET.
  - 17. The network topology of claim 11, further comprising means for defining a central policy to block access to websites associated with an email phishing scheme.

18. A network topology, comprising:
- an enterprise head-end having a shunt router, said shunt router being configured to identify a rogue website;
  
  a remote router coupled to said shunt router in said enterprise head-end by a split IPSec tunnel, said remote router having a Null0 IP route to blackhole traffic destined for a rogue address of said rogue website identified by said shunt router; and
  
  means for generating a list of blackholed website addresses, and for advertising said list to peer routers of said remote router.

19. In a network system having a remote router coupled to a peer shunt router by an IPSec split tunnel, a method for blocking access to a malicious website, the method comprising:
- receiving, at said remote router, a central policy that specifies that access to said malicious website is denied for outgoing traffic, said malicious website being identified by said peer shunt router;
  
  sending traffic destined for said malicious website to a black hole shunt at said remote router, said remote router having a Null0 IP route to blackhole traffic destined for said malicious website; and
  
  blocking incoming traffic from said malicious website.
- View Dependent Claims (20, 21, 22)
- - 20. The method of claim 19, further comprising:
    - advertising said central policy to said remote router using internal border gateway protocol (iBGP).
  - 21. The method of claim 20, wherein said black hole shunt comprises a route having an address of:
    - ip route 192.0.2.0 255.255.255.0 Null0 name TEST_NET.
  - 22. The method of claim 21, further comprising:
    - establishing a transmission control protocol (TCP) session from said remote router to said malicious website;
      
      propagating said central policy to said shunt router, said central policy comprising a list of blackholed websites; and
      
      entering said route to said malicious website at said shunt router.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Cisco Technology, Inc. (Cisco Systems, Inc.)
Original Assignee
Cisco Technology, Inc. (Cisco Systems, Inc.)
Inventors
King, Joel W.
Primary Examiner(s)
CERVETTI, DAVID GARCIA

Application Number

US11/270,206
Publication Number

US 20070104197A1
Time in Patent Office

1,896 Days
Field of Search

726/1, 726/6, 726/11, 726/15, 726/22, 726/25
US Class Current

726/11
CPC Class Codes

H04L 63/0263   Rule management

H04L 63/0272   Virtual private networks

H04L 63/1483   service impersonation, e.g....

Propagating black hole shunts to remote routers with split tunnel and IPSec direct encapsulation

First Claim

1 Assignment

0 Petitions

Accused Products

Abstract

58 Citations

22 Claims

Specification

Solutions

Use Cases

Quick Links

Propagating black hole shunts to remote routers with split tunnel and IPSec direct encapsulation

First Claim

1 Assignment

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

58 Citations

22 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links