Embodiments of the inventive subject matter generally relate to the field of communication networks and, more particularly, to a cloud computing controlled gateway for communication networks.
Local area networks (LANs), such as home or office networks, typically include a router (or gateway) that connects the LAN to a wide area network (WAN) and routes packets between the two networks. Various network devices in the LAN can access and download information from the Internet via the router, and the router can manage the various packet streams from the different network devices accessing the Internet (and other outbound network traffic). The router of the LAN can also provide various security features, such as a firewall, to restrict inbound network traffic and prevent unauthorized or malicious attempts to remotely access the LAN.
Various embodiments are disclosed for implementing a cloud computing controlled router for a LAN. In one embodiment, a secure communication link is established between a router of a LAN and a remote computer system to proxy communications between one or more network devices of the LAN and the remote computer system. Network traffic associated with the secure communication link between the router and the remote computer system is detected at the router. It is determined whether the network traffic received at the router is inbound network traffic or outbound network traffic. If it is determined that the network traffic is inbound network traffic received via the secure communication link from an application running in the remote computer system and destined for the one or more network devices of the LAN, the inbound network traffic is forwarded from the router directly to the one or more network devices on the LAN. If it is determined that the network traffic is outbound network traffic received from the one or more network devices of the LAN and destined for the application running in the remote computer system, the outbound network traffic is forwarded to the application running in the remote computer system via the secure communication link.
The present embodiments may be better understood, and numerous objects, features, and advantages made apparent to those skilled in the art by referencing the accompanying drawings.
The description that follows includes exemplary systems, methods, techniques, instruction sequences and computer program products that embody techniques of the present inventive subject matter. However, it is understood that the described embodiments may be practiced without these specific details. For instance, although examples refer to utilizing the cloud computing controlled routers in home local area networks (LANs), in other examples the cloud computing controlled routers can be used in any suitable type of network, such as an office network, a multi-dwelling network, a university network, etc. In other instances, well-known instruction instances, protocols, structures and techniques have not been shown in detail in order not to obfuscate the description.
Currently, various web-based applications and services exist that take advantage of the network connected home. In network connected homes, various devices such as security cameras, digital thermostats, digital video recorder (DVR) boxes, refrigerators, home lighting, etc. are connected to the home LAN along with notebook computers, desktop computers, mobile phones, etc. However, for the web-based applications and services to communicate with the LAN devices, a corresponding LAN-based application or dedicated LAN-based hardware device is typically needed on the LAN. For example, a LAN-based software program may need to be running on a machine (e.g., PC) that is always on, or a dedicated hardware device may need to be added to the LAN that is always on and runs the LAN-based software program. Furthermore, each web-based application and service may need its own corresponding LAN-based application. For example, a web-based service for remotely controlling and viewing video from security cameras typically needs its own LAN-based application running on a LAN computer system that is always on, and a web-based service for remotely controlling a digital thermostat typically needs a separate LAN-based application running locally in the LAN. Therefore, the more network connected devices are added to the LAN, the more LAN-based applications are needed in the LAN for communicating with the corresponding web-based services, which can increase the cost of the network connected devices and/or the cost of setting up and maintaining the LAN. Also, each LAN-based application typically queries the associated device(s) on the local LAN and sends the information via a router (or gateway) to the corresponding web-based service. However, the web-based service usually needs to receive a communication from the LAN-based application first (via the router) in order to send information to the associated devices on the LAN.
In other words, the router of the LAN typically does not allow inbound communications from the web-based service on a WAN (e.g., for directly querying the local devices on the LAN) without the router first having sent outbound communications from the LAN-based application to the web-based service on the WAN.
In some implementations, a router (or gateway) in a LAN may implement a cloud computing based proxy that allows web-based applications and services to directly communicate with the local network devices on the LAN via the router without needing LAN-based software programs locally on the LAN that are associated with the web-based applications and services. The cloud computing based proxy on the router can also allow the web-based applications and services to directly communicate with the local network devices on the LAN (i.e., inbound communications) via the router without having to first receive outbound communications from the LAN devices, as will be further described below with reference to
In some embodiments, the router 110 includes a processor 115 and a cloud connected proxy unit 112 configured to establish a secure connection (also referred to as a secure communication link) with web-based applications and services (e.g., implemented in the cloud 150, 160 and/or 170) to allow the web-based services to directly access and communicate with the local network devices 102 in the LAN 100 via the router 110. The cloud connected proxy unit 112 may allow inbound communications via the secure connection without the need to host various corresponding LAN-based applications on the LAN 100 and without having to first send outbound communications to the web-based services, as will be further described below. In some implementations, the processor 115 and the cloud connected proxy unit 112 may be implemented in a network interface card (or module) of the router 110. In one example, the processor 115 and the cloud connected proxy unit 112 may be implemented in one or more integrated circuits (ICs) in the network interface card (e.g., in a system-on-a-chip (SoC)). In other implementations, the router 110 may include a plurality of network interface cards and circuit boards (e.g., a motherboard), and the plurality of network interface cards and circuit boards may implement the cloud connected proxy unit 112 and the processor 115 in a distributed fashion. Although not shown in
In some implementations, instead of locally hosting and managing applications (and, in some cases, dedicated hardware devices) in the LAN that are associated with the corresponding web-based services (e.g., LAN security cameras and the corresponding web-based monitoring service), the cloud connected proxy unit 112 of the router 110 allows the applications for the web-based services to be remotely hosted on a cloud computing network (e.g., the cloud 150) via the Internet 120. As shown in
Furthermore, by eliminating the need for a LAN-based software program (and, in some cases, a dedicated hardware device) associated with the web-based service, the cost and complexity of the LAN and of the network devices of the LAN can be reduced. For example, instead of developing LAN-based applications that run in the LAN 100 for querying the LAN devices 102 and for communicating with the web-based service via the router 110, device manufacturers and/or service providers can develop web-based applications (e.g., application 151 that runs in the cloud 150) that can communicate directly with the LAN devices 102 via the cloud connected proxy unit 112 of the router 110. For example, a manufacturer of LAN security cameras can develop web-based applications associated with the web-based monitoring service it provides customers, instead of developing LAN-based applications for the LAN security cameras that need to be run locally in a LAN computer system. In addition to reducing the overall cost and complexity of the LAN and LAN devices, utilizing web-based applications improves the ease of use (and further reduces cost) for customers and the service provider (and/or device manufacturer) by reducing or eliminating software updates on the LAN side and performing most or all of the software updates at the cloud side without affecting the LAN devices.
In some implementations, the user of the LAN devices can provide credentials (e.g., username and password) to the cloud connected proxy unit 112 of the router 110, and the proxy unit 112 can then establish the secure connection with the cloud 150. Because the proxy unit 112 initiates the secure connection from inside the LAN 100, the connection solves the firewall and NAT issues associated with inbound communications at the router 110 without any inbound port having to be opened or forwarded. This allows the web-based application to send inbound communications (e.g., commands, content, etc.) directly to any of the associated LAN devices via the router 110 at any time using the secure connection, and without first needing to receive outbound communications from the LAN devices. Because the secure connection deliberately admits cloud-originated traffic into the LAN 100, access to the LAN devices reachable through it rests on the secrecy of those credentials and on how the cloud 150 authenticates the applications it allows to use the connection. As described above, the cloud connected proxy unit 112 also operates as a proxy for communications sent via the secure connection, so that applications running in the cloud 150 appear to the LAN devices to be running on the router 110. For example, all inbound packets (e.g., IP packets) received from the web-based application via the cloud-based secure connection would be proxied directly to the associated LAN devices 102 on the LAN 100 through this connection. Also, the outbound packets received from LAN devices 102 destined for the web-based application would be proxied via the router 110 to the web-based application running on one or more servers of the cloud 150.
In some implementations, the web-based application associated with the web-based service can be stored and executed in a cloud computing network managed by the designer and/or developer of the routers with the cloud connected proxy (and/or their business partners). For example, the server 155 of the cloud 150 shown in
In one example, a security camera manufacturer and service provider can develop web-based applications associated with the web-based monitoring services it provides customers. The web-based monitoring applications and services can allow customers to communicate directly with the LAN security cameras via the cloud connected proxy unit of each of the corresponding routers in the different LANs of the WAN 140 (e.g., proxy unit 112 of router 110). When a user logs in to a website or otherwise accesses the web-based monitoring service, the web-based application associated with the web-based service can send commands and other communications directly to the LAN security cameras via the router 110 using a secure connection that is established between the cloud connected proxy unit 112 of the router 110 and the cloud computing network that hosts the web-based application. In one example, the user can log in to a website hosted in the server network managed by the designer and/or developer of the router 110 (e.g., the cloud computing network 150). In another example, the user can log in to a website hosted by a different server network (e.g., the cloud computing network 160) that is managed by the service provider (and/or LAN device developer), and the cloud 160 can communicate with the cloud 150 that has established the secure connection with the router 110, as was described above. The user can view video from the security cameras and control the security cameras remotely (e.g., turn on or off the cameras, receive security alerts, move the cameras, switch between video from different cameras, etc.). Furthermore, as described above, the web-based application can send the inbound communications to the router 110 of the LAN 100 any time without having to first receive an outbound communication (or without continuously receiving multiple outbound communications) from the LAN devices via the router 110.
In some implementations, the cloud computing network that hosts the web-based application that interfaces with the router 110 (e.g., the cloud 150 managed by the router designer/developer) may implement an Application Programming Interface (API) to allow third party application developers to write applications that talk to the cloud 150. As long as the owner of the router 110 provides these third party applications with the credentials to establish the secure connection at the cloud 150 with the router 110, the third party applications can directly access the LAN devices via the secure connection between the cloud 150 and the cloud connected proxy unit 112 of the router 110. Since those credentials grant a third party application the same direct reach into the LAN 100 as the owner's own applications, the owner is extending the trust placed in the secure connection to each third party application so credentialed. This way, third party developers can write applications that appear to be running on the router 110 of the user's LAN 100, even though the applications are running in the cloud 150 or in the third party cloud 160. In some implementations, the cloud 150 may also implement a Java® Virtual Machine (JVM) and the Android™ environment to allow third party developers to write Android applications. Users can then "download" the third party applications from their LANs and run them on their cloud connected gateway accounts associated with the cloud 150. In other words, instead of downloading the applications to a LAN device or to the router, the user can gain access or subscribe to use the application via their cloud connected gateway account. Similarly as was described above, the cloud 150 can proxy all IP traffic through the routers (e.g., router 110 of LAN 100), so it appears that the applications are running on the router 110, even though the applications are running in the cloud 150 without being subject to the CPU or memory limitations of the router 110. It may also appear to the users of the LAN that the third party applications are running on their routers/LAN.
It is noted that in other implementations the cloud 150 may also implement other types of operating system environments to allow third party developers to write applications for other mobile operating systems in addition to Android.
At block 404, it is determined whether network traffic associated with the secure communication link is detected at the router 110. In one implementation, the cloud connected proxy unit 112 detects network traffic received at the router 110 that is associated with the secure communication link between the router 110 and the cloud 150. For example, in order to detect network traffic associated with the secure communication link, the cloud connected proxy unit 112 detects packets associated with the network addresses (source and/or destination network addresses) and port numbers of the LAN devices and of the corresponding web-based application associated with the web-based service (and/or other packet header information). If the cloud connected proxy unit 112 does not detect network traffic associated with the secure communication link, the flow loops back to block 404 to continue monitoring the network traffic received at the router. If the cloud connected proxy unit 112 detects network traffic associated with the secure communication link (e.g., based on the network addresses, port numbers, etc.), the flow continues to block 406.
At block 406, it is determined whether the network traffic associated with the secure communication link that is detected at the router is inbound network traffic or outbound network traffic with respect to the LAN 100. In one implementation, the cloud connected proxy unit 112 determines whether the detected network traffic is inbound or outbound network traffic based, at least in part, on the source and destination network addresses and port numbers associated with the received packets. For example, if the cloud connected proxy unit 112 detects packets with the IP address of one or more of the servers of the cloud 150 that run the web-based application (or an Internet socket address comprising the IP address and a port number associated with communications between the web-based application running in the cloud 150 and the router 110 (and/or the corresponding LAN devices)), the cloud connected proxy unit 112 determines the network traffic is inbound network traffic with respect to the LAN 100. As described above, the router 110 can also detect other packet header information in the network packets to detect inbound communications, e.g., the network address of the LAN devices as the destination address and/or device identifiers associated with the LAN devices. If the router 110 determines the network traffic is inbound network traffic, the flow continues at block 408. In one embodiment, if the cloud connected proxy unit 112 detects (1) packets with the source network address of the LAN devices, (2) the destination address as the IP address of one or more of the servers of the cloud 150 that run the web-based application, and/or (3) other relevant information in the packets (e.g., port number), the cloud connected proxy unit 112 determines the network traffic is outbound network traffic with respect to the LAN 100. If the router 110 determines the network traffic is outbound network traffic, the flow continues at block 410.
At block 408, if inbound network traffic associated with the secure communication link is detected at the router 110, the inbound network traffic received from the web-based application associated with the web-based service is forwarded directly to the corresponding LAN devices. In one implementation, the cloud connected proxy unit 112 can operate as a proxy to forward the inbound network traffic (e.g., commands, content, etc.) directly to the corresponding LAN devices (e.g., the LAN devices that implement the web-based service). For example, if the inbound network traffic includes commands from a web-based service for remotely monitoring security cameras, the cloud connected proxy unit 112 can forward the commands directly to the security cameras in the LAN, instead of first sending the commands to a local monitoring application being executed in a computer or a dedicated hardware device in the LAN, which then sends the commands to the security cameras. Furthermore, as described above, by serving as a proxy to the inbound network traffic associated with secure communication link, the cloud connected proxy unit 112 can allow the web-based application to directly communicate with any of the LAN devices at any time via the router 110 without the web-based application on the WAN side having to first receive outgoing communications from the LAN devices (via the router 110). While operating as a proxy for the inbound communications, the cloud connected proxy unit 112 can establish the secure communication link to solve any firewall and network address translation (NAT) issues (and/or other security issues) associated with inbound communications at the router 110. The web-based application can send any types of inbound packets to the LAN 100 via the secure communication link (e.g., IP packets, non-IP packets, broadcast packets, multicast, etc.). 
After the inbound traffic is forwarded to the corresponding LAN device(s), the flow loops back to block 404 to continue monitoring the network traffic received at the router 110.
At block 410, if outbound network traffic associated with the secure communication link is detected at the router 110, the outbound network traffic received from the LAN devices is forwarded directly to the web-based application associated with the web-based service. In one implementation, the cloud connected proxy unit 112 can operate as a proxy to forward the outbound network traffic directly to the web-based application running in the corresponding remote network (e.g., the cloud 150). In one implementation, the cloud connected proxy unit 112 can also keep track of the listeners on the WAN side, such as the different web-based applications running on the cloud 150 that are associated with various web-based services (e.g., security camera monitoring, temperature control, DVR control, etc.). When the cloud connected proxy unit 112 receives outbound communications from one or more of the LAN devices, the cloud connected proxy unit 112 can determine if there is a listener associated with the outbound communications. In other words, the cloud connected proxy unit 112 can determine whether one of the available web-based applications on the WAN side is associated with the outbound network traffic. For example, if the outbound network traffic is associated with the LAN security cameras and the web-based service for remote monitoring of the security cameras, the cloud connected proxy unit 112 can detect that the outbound network traffic is from the LAN security cameras and determine if there is an associated web-based application on the WAN side with an established secure communication link to the router 110. If the cloud connected proxy unit 112 identifies a web-based application associated with the outbound communications, the cloud connected proxy unit 112 proxies the communications to the WAN side (e.g., to the corresponding application on the cloud 150).
The cloud connected proxy unit 112 may drop the outbound packets if it does not identify a listener in the WAN side (i.e., it does not detect a secure communication link with a corresponding web-based application, detects the web-based application is down, etc.). The network devices can send any types of outbound packets to the cloud 150 via the secure communication link, for example, IP packets, non-IP packets, broadcast packets, etc. After the outbound traffic is forwarded to the corresponding web-based application associated with the web-based service, the flow loops back to block 404 to continue monitoring the network traffic received at the router 110.
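The detect, classify and forward flow of blocks 404 through 410, together with the proxy behaviour described above for the secure connection, as an added example that is not code from the patent: a small Python model of the cloud connected proxy unit. The packet layout, the addresses, the listener registry with a per-application set of associated LAN devices and the via_secure_link flag are assumptions made here for illustration. The last two encode a check the page does not state but a practitioner would want: a packet is accepted as inbound only if it actually arrived over the authenticated link (a cloud server's address in the IP header alone can be forged) and only for the LAN devices the application is associated with, so one web-based application cannot be used to reach another service's devices.

```python
"""Added example, not code from the patent: a minimal model of the cloud
connected proxy unit's detect / classify / forward loop (blocks 404-410).
Packet layout, addresses, and the Listener registry are assumptions."""
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Set, Tuple

Sock = Tuple[str, int]  # (IP address, port), i.e. an Internet socket address


@dataclass(frozen=True)
class Packet:
    src: Sock
    dst: Sock
    via_secure_link: bool   # did it arrive over the authenticated link to the cloud?
    payload: bytes = b""


@dataclass
class Listener:
    """A web-based application on the WAN side (the 'listener' of block 410)."""
    name: str
    sock: Sock          # socket address the application uses toward the router
    devices: Set[str]   # LAN device addresses this application is associated with
    up: bool = True     # False once its link is gone or the application is down


@dataclass
class CloudConnectedProxyUnit:
    lan_prefix: str                                        # assumed LAN, e.g. "192.168.1."
    listeners: Dict[Sock, Listener] = field(default_factory=dict)
    to_lan: List[Packet] = field(default_factory=list)                # stand-in LAN port
    to_wan: List[Tuple[str, Packet]] = field(default_factory=list)    # (listener, packet)
    dropped: List[Tuple[str, Packet]] = field(default_factory=list)   # (reason, packet)

    def register_listener(self, listener: Listener) -> None:
        """Record a web-based application that has an established secure link."""
        self.listeners[listener.sock] = listener

    def _is_lan(self, ip: str) -> bool:
        return ip.startswith(self.lan_prefix)

    def _listener_for_device(self, ip: str) -> Optional[Listener]:
        return next((l for l in self.listeners.values() if ip in l.devices), None)

    def classify(self, pkt: Packet) -> str:
        """Blocks 404/406: 'inbound', 'outbound', or 'unrelated' to any secure link."""
        if pkt.src in self.listeners and self._is_lan(pkt.dst[0]):
            return "inbound"
        if self._is_lan(pkt.src[0]) and (
            pkt.dst in self.listeners or self._listener_for_device(pkt.src[0])
        ):
            return "outbound"
        return "unrelated"  # ordinary traffic; the router's normal path handles it

    def handle(self, pkt: Packet) -> str:
        """One pass through the flow; returns the action taken."""
        kind = self.classify(pkt)
        if kind == "unrelated":
            return "ignored"
        if kind == "inbound":
            # Check added in this example: a cloud server's address in the IP header
            # can be forged, so only packets that really arrived on the secure link
            # are accepted as inbound from the web-based application.
            if not pkt.via_secure_link:
                self.dropped.append(("inbound-off-link", pkt))
                return "dropped"
            listener = self.listeners[pkt.src]
            if not listener.up or pkt.dst[0] not in listener.devices:
                self.dropped.append(("inbound-not-associated", pkt))
                return "dropped"
            self.to_lan.append(pkt)                  # block 408: straight to the device
            return "forwarded-to-lan"
        listener = self.listeners.get(pkt.dst) or self._listener_for_device(pkt.src[0])
        if listener is None or not listener.up:
            self.dropped.append(("no-listener", pkt))  # block 410: no listener, drop
            return "dropped"
        self.to_wan.append((listener.name, pkt))     # block 410: proxy to the cloud
        return "forwarded-to-wan"


def demo() -> List[str]:
    """Run constructed sample traffic through the unit; returns the actions taken."""
    unit = CloudConnectedProxyUnit(lan_prefix="192.168.1.")
    cam = ("203.0.113.10", 8443)    # assumed cloud server running the camera app
    therm = ("203.0.113.11", 8443)  # assumed cloud server running the thermostat app
    unit.register_listener(Listener("camera-monitor", cam, {"192.168.1.20", "192.168.1.21"}))
    unit.register_listener(Listener("thermostat", therm, {"192.168.1.30"}, up=False))
    traffic = [  # constructed packets
        Packet(cam, ("192.168.1.20", 554), True, b"PLAY"),       # inbound command
        Packet(cam, ("192.168.1.20", 554), False, b"PLAY"),      # same header, off-link
        Packet(cam, ("192.168.1.30", 80), True, b"SET 72F"),     # camera app -> thermostat
        Packet(("192.168.1.21", 554), cam, False, b"frame"),     # outbound video
        Packet(("192.168.1.30", 80), therm, False, b"temp=70"),  # listener is down
        Packet(("192.168.1.50", 51000), ("198.51.100.5", 443), False, b"GET /"),  # plain web
    ]
    return [unit.handle(p) for p in traffic]


if __name__ == "__main__":
    for action in demo():
        print(action)
```

The classification follows block 406 in using socket addresses on both ends, and the drop in the outbound branch is the no-listener case of block 410. The two extra conditions in the inbound branch are the reason the model carries the via_secure_link flag and the per-listener device set: in a real gateway the flag would be the fact that the packet was read from the tunnel interface rather than the WAN interface, and the device set would be populated when the owner associates a service with particular LAN devices.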
It should be understood that
As will be appreciated by one skilled in the art, aspects of the present inventive subject matter may be embodied as a system, method, or computer program product. Accordingly, aspects of the present inventive subject matter may take the form of an entirely hardware embodiment, a software embodiment (including firmware, resident software, micro-code, etc.) or an embodiment combining software and hardware aspects that may all generally be referred to herein as a “circuit,” “module” or “system.” Furthermore, aspects of the present inventive subject matter may take the form of a computer program product embodied in one or more computer readable medium(s) having computer readable program code embodied thereon.
Any combination of one or more computer readable medium(s) may be utilized. The computer readable medium may be a nontransitory computer readable signal medium or computer readable storage medium. A computer readable storage medium may be, for example, but not limited to, an electronic, magnetic, optical, electromagnetic, infrared, or semiconductor system, apparatus, or device, or any suitable combination of the foregoing. More specific examples (a non-exhaustive list) of the computer readable storage medium would include the following: an electrical connection having one or more wires, a portable computer diskette, a hard disk, a random access memory (RAM), a read-only memory (ROM), an erasable programmable read-only memory (EPROM or Flash memory), an optical fiber, a portable compact disc read-only memory (CD-ROM), an optical storage device, a magnetic storage device, or any suitable combination of the foregoing. In the context of this document, a computer readable storage medium may be any tangible medium that can contain, or store a program for use by or in connection with an instruction execution system, apparatus, or device.
Program code embodied on a computer readable medium may be transmitted using any appropriate medium, including but not limited to wireless, wireline, optical fiber cable, RF, etc., or any suitable combination of the foregoing.
Computer program code for carrying out operations for aspects of the present inventive subject matter may be written in any combination of one or more programming languages, including an object oriented programming language such as Java, Smalltalk, C++ or the like and conventional procedural programming languages, such as the “C” programming language or similar programming languages. The program code may execute entirely on the user's computer, partly on the user's computer, as a stand-alone software package, partly on the user's computer and partly on a remote computer or entirely on the remote computer or server. In the latter scenario, the remote computer may be connected to the user's computer through any type of network, including a local area network (LAN) or a wide area network (WAN), or the connection may be made to an external computer (for example, through the Internet using an Internet Service Provider).
Aspects of the present inventive subject matter are described with reference to flowchart illustrations and/or block diagrams of methods, apparatus (systems) and computer program products according to embodiments of the inventive subject matter. It will be understood that each block of the flowchart illustrations and/or block diagrams, and combinations of blocks in the flowchart illustrations and/or block diagrams, can be implemented by computer program instructions. These computer program instructions may be provided to a processor of a general purpose computer, special purpose computer, or other programmable data processing apparatus to produce a machine, such that the instructions, which execute via the processor of the computer or other programmable data processing apparatus, create means for implementing the functions/acts specified in the flowchart and/or block diagram block or blocks.
These computer program instructions may also be stored in a computer readable medium that can direct a computer, other programmable data processing apparatus, or other devices to function in a particular manner, such that the instructions stored in the computer readable medium produce an article of manufacture including instructions which implement the function/act specified in the flowchart and/or block diagram block or blocks.
The computer program instructions may also be loaded onto a computer, other programmable data processing apparatus, or other devices to cause a series of operational steps to be performed on the computer, other programmable apparatus or other devices to produce a computer implemented process such that the instructions which execute on the computer or other programmable apparatus provide processes for implementing the functions/acts specified in the flowchart and/or block diagram block or blocks.
Any one of these functionalities may be partially (or entirely) implemented in hardware and/or on the processor unit 502. For example, the functionality may be implemented with one or more application specific integrated circuits, one or more system-on-a-chip (SoC), or other type of integrated circuit(s), in logic implemented in the processor unit 502, in a co-processor on a peripheral device or card, in a distributed fashion between the processor 514 (and memory) implemented within the network interface 508 and the processor unit 502 (and memory unit 506), etc. Further, realizations may include fewer or additional components not illustrated in
While the embodiments are described with reference to various implementations and exploitations, it will be understood that these embodiments are illustrative and that the scope of the inventive subject matter is not limited to them. In general, techniques for implementing a cloud computing controlled router with a cloud connected proxy for a communication network as described herein may be implemented with facilities consistent with any hardware system or hardware systems. Many variations, modifications, additions, and improvements are possible.
Plural instances may be provided for components, operations or structures described herein as a single instance. Finally, boundaries between various components, operations and data stores are somewhat arbitrary, and particular operations are illustrated in the context of specific illustrative configurations. Other allocations of functionality are envisioned and may fall within the scope of the inventive subject matter. In general, structures and functionality presented as separate components in the exemplary configurations may be implemented as a combined structure or component. Similarly, structures and functionality presented as a single component may be implemented as separate components. These and other variations, modifications, additions, and improvements may fall within the scope of the inventive subject matter.
This application claims the priority benefit of U.S. Provisional Application Ser. No. 61/584,628 filed on Jan. 9, 2012.
Number | Date | Country
---|---|---
61584628 | Jan 2012 | US