Protecting network devices by a firewall

US 9,628,444 B1
Filed: 02/25/2016
Issued: 04/18/2017
Est. Priority Date: 02/08/2016
Status: Active Grant

First Claim

Patent Images

1. A computer-implemented method, comprising:

in response to a request from a client device, establishing, by a first computer system implementing a first gateway to a private network, a first network tunnel between the client device and the first gateway, wherein the private network comprises one or more network devices;

receiving, by the first computer system, from the client device, a client access list indicating those of the network devices in the private network that are allowed to communicate with the client device; and

starting, for the first network tunnel, a separate firewall service with a separate set of firewall rules on the first computer system for selectively blocking and allowing network traffic between the client device and the one or more network devices in the private network, wherein each of the firewall rules is derived from the client access list.

View all claims

4 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

Systems and methods provide for scaling and management of a gateway. In one embodiment, a method includes: in response to a request from a client device, establishing, by a computer system implementing a gateway to a private network, a network tunnel between the client device and the gateway; and after establishing the network tunnel, starting a separate firewall service with a separate set of firewall rules on the computer system for selectively blocking and allowing network traffic between the client device and one or more network devices in the private network.

100 Citations

View as Search Results

20 Claims

1. A computer-implemented method, comprising:
- in response to a request from a client device, establishing, by a first computer system implementing a first gateway to a private network, a first network tunnel between the client device and the first gateway, wherein the private network comprises one or more network devices;
  
  receiving, by the first computer system, from the client device, a client access list indicating those of the network devices in the private network that are allowed to communicate with the client device; and
  
  starting, for the first network tunnel, a separate firewall service with a separate set of firewall rules on the first computer system for selectively blocking and allowing network traffic between the client device and the one or more network devices in the private network, wherein each of the firewall rules is derived from the client access list.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10)
- - 2. The method of claim 1, wherein the separate firewall service is a stateful firewall comprising a state listing for keeping track of states of network connections between the client device and the network devices in the private network.
  - 3. The method of claim 2, further comprising synchronizing by the first computer system, the state listing with the client device.
  - 4. The method of claim 3, further comprising making, by the first computer system, the state listing unalterable by the client device.
  - 5. The method of claim 3, further comprising, in response to a failure of the first network tunnel, implementing, by a second computer system, a second gateway to the private network, the implementing comprising:
    - receiving from the client device a second request to establish a second network tunnel between the client device and the second gateway;
      
      receiving from the client device the state listing;
      
      establishing the second network tunnel between the client device and the second gateway;
      
      after establishing the second network tunnel, starting a second separate firewall service with the separate set of firewall rules on the second computer system for selectively blocking and allowing network traffic between the client device and the one or more network devices in the private network; and
      
      restoring the state of the separate firewall service within the second separate firewall service using the state listing.
  - 6. The method of claim 5, further comprising:
    - in response to the failure of the first network tunnel, receiving, by the second computer system, from the client device, the client access list; and
      
      determining, by the second computer system, from the client access list, firewall rules for the second separate firewall service.
  - 7. The method of claim 1, wherein:
    - the first computer system comprises a plurality of processor cores;
      
      the first computer system is configured to run a process on each processor core; and
      
      the starting the separate firewall service further comprises starting, by the process, a new processing thread for providing the separate firewall service on one of the plurality of processor cores.
  - 8. The method of claim 7, wherein the starting the separate firewall service further comprises selecting one of the plurality of processor cores and thereby the process for running the separate firewall service, and the method further comprising, after starting the separate firewall service, passing payload data from the first network tunnel to the new processing thread.
  - 9. The method of claim 7, further comprising:
    - encrypting, by the new processing thread, payload data for the client device; and
      
      decrypting payload data from the client device.
  - 10. The method of claim 9, wherein the plurality of processor cores comprises hardware acceleration for performing at least one of the encrypting or decrypting.

11. A system, comprising:
- at least one processor core, each core configured to run a process; and
  
  memory storing instructions configured to instruct the at least one processor core to;
  
  in response to a request from a client device, establish a network tunnel between the client device and a gateway to a private network, wherein the private network comprises one or more network devices;
  
  receive from the client device, a client access list indicating those of the network devices in the private network that are allowed to communicate with the client device; and
  
  start, for the network tunnel, a separate firewall service with a separate set of firewall rules for selectively blocking and allowing network traffic between the client device and the one or more network devices in the private network, wherein each of the firewall rules is derived from the client access list.
- View Dependent Claims (12, 13, 14, 15)
- - 12. The system of claim 11, wherein the starting the separate firewall service further comprises starting, by a first process of a first core of the plurality of processor cores, a new processing thread for providing the separate firewall service on a second core of the plurality of processor cores.
  - 13. The system of claim 12, wherein the second core runs the separate firewall service.
  - 14. The system of claim 13, wherein the instructions are further configured to instruct the at least one processor core to, after starting the separate firewall service, pass payload data from the network tunnel to the new processing thread.
  - 15. The system of claim 11, further comprising memory storing the separate set of firewall rules.

16. A non-transitory computer readable storage medium storing computer-readable instructions, which when executed, cause a first computer system to:
- in response to a request from a client device, establish a first network tunnel between the client device and a first gateway;
  
  receive, by the first computer system, from the client device, a client access list; and
  
  start, for the first network tunnel, a separate firewall service with a separate set of firewall rules on the first computer system for selectively blocking and allowing network traffic between the client device and one or more network devices in a private network, wherein each of the firewall rules is derived from the client access list.
- View Dependent Claims (17, 18, 19, 20)
- - 17. The storage medium of claim 16, wherein the instructions further cause the first computer system to, in response to a failure of the first network tunnel, cause the implementation by a second computer system of a second gateway to the private network, the implementation to establish a second network tunnel between the client device and the second gateway, the implementation further to start a second separate firewall service with the separate set of firewall rules.
  - 18. The storage medium of claim 17, wherein the instructions further cause the first computer system to:
    - in response to the failure of the first network tunnel, cause providing of the client access list to the second computer system.
  - 19. The storage medium of claim 16, wherein the separate firewall service is a stateful firewall comprising a state listing for keeping track of states of network connections between the client device and the network devices.
  - 20. The storage medium of claim 16, wherein the instructions further cause the first computer system to encrypt payload data for the client device.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Cryptzone North America Inc. (Cryptzone Group AB)
Original Assignee
Cryptzone North America Inc. (Cryptzone Group AB)
Inventors
Cellerier, Thomas Bruno Emmanuel, Valianos, Kosmas, Weber, Tom Viljo, Glazemakers, Kurt, Allansson, Per Johan
Primary Examiner(s)
Revak, Christopher

Application Number

US15/053,422
Time in Patent Office

418 Days
Field of Search

None
US Class Current
CPC Class Codes

H04L 63/0227   Filtering policies mail mes...

H04L 63/0236   Filtering by address, proto...

H04L 63/0272   Virtual private networks

Protecting network devices by a firewall

First Claim

4 Assignments

0 Petitions

Accused Products

Abstract

100 Citations

20 Claims

Specification

Solutions

Use Cases

Quick Links

Protecting network devices by a firewall

First Claim

4 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

100 Citations

20 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links