Embodiments of the present disclosure relate to network system, and more particularly, to a secure private networking system and methods of using the private networking system.
Today, if Machine-to-Machine (M2M) and Internet of Things (IoT) customers want secure mobile terminated access to remote cellular modems, these customers are required to purchase hardware and Virtual Private Networking (VPN) licenses, and lease T1 lines or MPLS circuits along with specialized software to access these modems on the cellular carrier's network.
These dedicated communications links 20 may be one or more T1 lines or MPLS circuits, typically acquired or leased from a communications carrier. In other embodiments, the communication links 20 may be metro-Ethernet connections, Multi-Protocol Label Switching (MPLS), or another high-speed connection. The communications carrier may be a telephone or communications company, such as AT&T or Verizon, among others.
Within the carrier network 30, a private customer subnet 40 may be established. Remote users and machines connect to the customer enterprise network 10 through the use of specialized networking software, such as virtual private networks (VPNs). These VPNs may be terminated on the carrier network 30.
Typically, to implement this architecture, the customer is required to invest in additional hardware, such as routers 11, to connect to BGP AS (Border Gateway Protocol—Autonomous Systems) routers 31 in the carrier network 30. The customer is also required to obtain VPN licenses and to lease the communications links 20. Additionally, it often requires dedicated labor, in the form of consultants, for the customer to attain the desired architecture. Finally, it may take many months to deploy this architecture.
The current method is complex, slow, and costly. Therefore, it would be beneficial if there were a system for creating a private network without the associated costs and complexities and with the speed to match the business needs of the end customer.
An architecture for the creation of a private network for a customer, suitable for use for machine to machine communications and the Internet of Things, is disclosed. The system includes a private networking system, which includes routers for connection to a carrier core network, and VPN servers, capable of securely connecting to a customer's enterprise network, along with firewalls to generate SSL and IPsec tunnels. The private networking system also includes security appliances and a controller to configure and operate the system. Through use of this private networking system, customers may quickly and easily create private networks for their enterprises with a much less expensive operating cost paradigm.
For a better understanding of the present disclosure, reference is made to the accompanying drawings, which are incorporated herein by reference and in which:
As described above, typically, a customer needs to invest in networking infrastructure, such as routers, ASAs (Adaptive Security Appliances), and servers, to implement a private network. In addition, the carrier needs to deploy that private network in their carrier network.
The present disclosure describes a system which dramatically simplifies the deployment of a private network.
However, unlike the prior art, the communications links from the carrier network 30 do not reach the customer enterprise network 10. Rather, these communication links 120 are used to connect to routers 141, such as BGP routers, disposed within the private networking system 140. Thus, rather than installing communication links to the customer enterprise network 10, the communication links 120 are established between the carrier network 30 and the private networking system 140. As stated above, communication between the carrier network 30 and the routers 141, travelling over communication link 120, is encrypted using a first tunnel, such as GRE/IPSec. Also included in the private networking system 140 are one or more VPN servers 142. These VPN servers 142 are used to provide secure connections to the customer enterprise network 10. In certain embodiments, these secure connections are created using other types of equipment, such as firewalls. In other words, a secure connection between the private networking system 140 and the customer enterprise network 10 is created. The particular apparatus used to create this secure connection is an implementation choice. Thus, the VPN servers 142 are used to create a second tunnel between the private networking system 140 and the customer enterprise network 10. Again, the term “VPN server” is used to denote any appliance that is capable of creating a secure connection, such as a VPN, between the private networking system 140 and the customer enterprise network 10. Further, the private networking system 140 may include one or more security appliances. In certain embodiments, the private networking system 140 is installed in the carrier network 30, although other embodiments are also possible. For example, the private networking system 140 may be disposed at any physical location and accessible via the cloud.
Thus, an authorized device may send a communication using the carrier network 30. Based on the IP address of the authorized device and the APN, that communication is sent to a specific gateway 32 (see
Thus, the private networking system 140 performs several functions. First, it terminates the first tunnel, which is created in the carrier network 30. Second, it validates the sending device to ensure that it is authorized to access a particular customer enterprise network 10. Third, it creates a secure connection, or second tunnel, between the private networking system 140 and each customer enterprise network 10.
The private networking system 140 may also perform other functions. For example, the private networking system 140 may also track statistics for each device that is part of a particular customer enterprise network 10. For example, one such statistic is usage, such as the amount of data used. The private networking system 140 may also limit, prioritize or block certain activities. For example, the customer may wish to deprioritize or block certain activities on its network, such as video or movie playback, iTunes backup or other applications. Further, a customer may wish to limit its total data usage and its peak data usage. This may be done through the use of various policy decisions, which prioritize or deprioritize certain applications, users, and devices.
The carrier network 30 is also in communication with the private networking system 140, which connects to the customer enterprise network 10 via communication links 230. In certain embodiments, VPN tunnels, also referred to as second tunnels, are created over these communication links 230. These tunnels may use, for example, IPSec or SSL, to create the required level of security. Of course, other security protocols may be used to create the communication between the private networking system 140 and the customer enterprise network 10. The communication links 230 may not be dedicated lines, such as is illustrated in
Although not shown in
The architecture illustrated in
Stated differently, the private networking system 140 creates the connection to the carrier network 30 on behalf of many customers. The private networking system 140 also reserves a large number of IP addresses, which may be private static IP addresses, and these are then divided among the various customers. In other words, traffic for all customers serviced by the private networking system 140 travels to routers 141 in first tunnels, which may be GRE/IPSec tunnels. Based on the APN and IP address of the sending device, the router 141 determines the appropriate customer enterprise network 10 that the sending device is part of. A second tunnel is then created between the private networking system 140 and the customer enterprise network 10. The private networking system 140 can support a plurality of different customers. The private networking system 140 can also implement, in the control logic 144, policy that is unique to each of those customers.
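As an added illustration (not part of this disclosure, and not code from any product it describes), the following Python shows how the classification just described could be implemented in control logic: traffic arriving over the first tunnel carries an APN and a source IP address; the system looks up the tenant whose reserved private block contains that address under that APN, refuses traffic from devices that are not provisioned for the tenant, and otherwise names the second tunnel the traffic should be forwarded into. Tenant names, APNs, address blocks and tunnel identifiers below are constructed sample values.

```python
"""Tenant lookup for a multi-customer private networking system.

Added example; all tenants, APNs, prefixes and device addresses are
constructed for illustration and are not taken from the disclosure.
"""
import ipaddress
from dataclasses import dataclass
from typing import Dict, List, Optional, Set, Tuple


@dataclass(frozen=True)
class Tenant:
    name: str
    apn: str                          # APN the tenant's devices attach through
    prefix: ipaddress.IPv4Network     # private static block reserved for the tenant
    tunnel: str                       # identifier of the second (customer-side) tunnel


class TenantTable:
    """Maps (APN, source IP) to a tenant and checks device authorization."""

    def __init__(self) -> None:
        self._tenants: List[Tenant] = []
        self._authorized: Dict[str, Set[ipaddress.IPv4Address]] = {}

    def add(self, tenant: Tenant, devices: List[str]) -> None:
        self._tenants.append(tenant)
        # Only explicitly provisioned device addresses are allowed to send;
        # an address inside the block that was never assigned is still refused.
        self._authorized[tenant.name] = {ipaddress.ip_address(d) for d in devices}

    def classify(self, apn: str, src_ip: str) -> Tuple[Optional[Tenant], str]:
        """Return (tenant, reason); tenant is None when the packet must be dropped."""
        ip = ipaddress.ip_address(src_ip)
        matches = [t for t in self._tenants if t.apn == apn and ip in t.prefix]
        if not matches:
            # Either the APN is unknown or the address lies outside every block
            # reserved under that APN, so no customer network can claim it.
            return None, "no tenant for apn/prefix"
        # Longest-prefix match: a more specific block (e.g. a lab sub-range)
        # wins over the tenant's larger block.
        tenant = max(matches, key=lambda t: t.prefix.prefixlen)
        if ip not in self._authorized[tenant.name]:
            return None, "device not provisioned for tenant"
        return tenant, "ok"


# Constructed sample table (hypothetical customers).
TABLE = TenantTable()
TABLE.add(Tenant("acme", "m2m.acme.example",
                 ipaddress.ip_network("10.10.0.0/16"), "ipsec-acme"),
          ["10.10.1.7", "10.10.1.8"])
TABLE.add(Tenant("acme-lab", "m2m.acme.example",
                 ipaddress.ip_network("10.10.5.0/24"), "ssl-acme-lab"),
          ["10.10.5.3"])
TABLE.add(Tenant("globex", "iot.globex.example",
                 ipaddress.ip_network("10.20.0.0/16"), "ipsec-globex"),
          ["10.20.0.9"])


def route_packet(apn: str, src_ip: str) -> str:
    """Name the second tunnel for a packet, or 'drop:<reason>' if it is refused."""
    tenant, reason = TABLE.classify(apn, src_ip)
    if tenant is None:
        return "drop:" + reason
    return tenant.tunnel


if __name__ == "__main__":
    for apn, ip in [("m2m.acme.example", "10.10.1.7"),
                    ("m2m.acme.example", "10.10.5.3"),
                    ("m2m.acme.example", "10.10.5.4"),
                    ("iot.globex.example", "10.10.1.7")]:
        print(apn, ip, "->", route_packet(apn, ip))
```

The APN is checked together with the address rather than the address alone: an address that is valid inside one customer's block is still refused when it arrives under another customer's APN, which is the property that keeps one tenant's traffic from being forwarded into another tenant's second tunnel.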
Having defined a basic architecture which allows simplified creation of a customer private network, this architecture may be customized to incorporate various features.
For example,
The unique architecture described herein allows for a direct connection from the private networking system 140 to a device 211 located on the internet, such as for example, an enterprise's update or maintenance server. The dotted lines in
This solution is enabled by the unique cloud architecture which allows the customer to deploy this device 211 (i.e. an update or maintenance server) on either side of its firewall and allow an external device 241 to gain access to this device 211 without entering the enterprise's secure environment.
This provides the customer with the ability to direct the external device 241 to either side of the firewall and/or to the customer's update servers, if available. In other words, in one embodiment, the update server (i.e. device 211) is located within the customer's enterprise network 10. In this scenario, the external device 241 must use secure tunnels to access the update server. In a second embodiment, the update server is located outside the customer's enterprise network 10. In this embodiment, the external device 241 may access the update server (i.e. device 211) without the need for the same level of security since it never enters the customer's secure environment.
In operation, the external device 241 wakes up and polls the device 211, such as an update server. This session is only initiated by the external device 241. The external device 241 uses an IP address provisioned (data-filled) on the device 241 as the address of the device 211.
Referring now to
This unique architecture allows for dual secure tunnels to devices when deployed in a cellular network.
This type of deployment may be utilized when an IPsec tunnel is chosen to service the secure data transfer needs while the SSL tunnel is used to dial into a device to check individual devices and their operation. The dotted line in
IT groups may use this method when they do not wish to support a secure tunnel from smartphones and tablets back through the enterprise prior to creating the tunnel to the device.
Thus, the present architecture may be used to support both SSL and IPSec tunnels between devices and the private networking system 140. Referring again to
This type of deployment may be utilized when an IPsec tunnel is chosen to terminate to a set of network or cloud based routers 300 that will initiate an MPLS circuit to the customer enterprise network 10. This may be utilized when the customer IT group only allows MPLS terminations. In this embodiment, the VPN servers 142 create a secure second tunnel to the network or cloud based routers 300. The network or cloud based routers 300 then initiate a MPLS circuit to the customer enterprise network 10. Thus, the present architecture allows the second tunnels, which are created by the VPN servers in the private networking system 140, to be terminated at a variety of different destinations and devices.
This type of deployment is utilized when an IPsec tunnel is chosen to service the secure data transfer needs to a cloud based server 400 hosted by a third party that provides hosting services for enterprises' IT services. The hosting cloud service will allow dial-in to the server 400 from the customer enterprise network 10, or the data will be transferred to the customer enterprise network 10 using a separate method. Thus, as also shown in
This embodiment allows enterprises to offer WiFi services, such as hot spots, while maintaining some amount of control over the data usage and visited websites. As an example, a library may offer free WiFi services. To limit the amount of data that patrons use, the library may implement a set of policies in the private networking system 140 that restrict data usage, such as by prohibiting certain activities, like HD video playback. The library may also implement policies that prohibit patrons from accessing certain websites, which the library has determined to be inappropriate. Of course, other embodiments are also possible.
Thus, in this embodiment, the private networking system 140 is not providing a pathway to a customer enterprise network. Rather, the private networking system 140 is used to implement a set of policies for a customer. Multiple customers may utilize this embodiment, each with its own set of policies.
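The per-customer policy function described here, and earlier in the discussion of usage tracking and of limiting, prioritizing or blocking activities, can be shown as a small policy engine. The following Python is an added example, not code from this disclosure or from any product it describes: each customer has its own policy (blocked applications, deprioritized applications, blocked domains, a total data cap and a peak per-minute limit), the engine records usage per customer, and each flow receives a verdict of allow, deprioritize or block. The choice to deprioritize rather than block when the peak limit is exceeded is an assumption of this example, as are all customer names, domains and byte counts.

```python
"""Per-customer policy enforcement for a private networking system.

Added example; the policies, customers, domains and traffic events are
constructed for illustration and are not taken from the disclosure.
"""
from collections import defaultdict
from dataclasses import dataclass
from typing import Dict, FrozenSet, List, Optional, Tuple


@dataclass(frozen=True)
class Policy:
    blocked_apps: FrozenSet[str]         # activities the customer prohibits outright
    deprioritized_apps: FrozenSet[str]   # activities carried at lower priority
    blocked_domains: FrozenSet[str]      # domains (and their subdomains) that are refused
    monthly_cap_bytes: int               # total data usage limit
    peak_bytes_per_minute: int           # peak usage limit per customer


class PolicyEngine:
    """Applies one Policy per customer and tracks that customer's usage."""

    def __init__(self, policies: Dict[str, Policy]) -> None:
        self.policies = policies
        self.month_usage: Dict[str, int] = defaultdict(int)
        self.minute_usage: Dict[Tuple[str, int], int] = defaultdict(int)

    @staticmethod
    def _domain_blocked(domain: Optional[str], blocked: FrozenSet[str]) -> bool:
        if domain is None:
            return False
        return any(domain == d or domain.endswith("." + d) for d in blocked)

    def decide(self, customer: str, app: str, domain: Optional[str],
               nbytes: int, ts_seconds: int) -> str:
        """Return 'allow', 'deprioritize:<why>' or 'block:<why>' for one flow.

        Blocked flows consume no quota; allowed and deprioritized flows do.
        """
        pol = self.policies[customer]
        if self._domain_blocked(domain, pol.blocked_domains):
            return "block:domain"
        if app in pol.blocked_apps:
            return "block:app"
        if self.month_usage[customer] + nbytes > pol.monthly_cap_bytes:
            return "block:cap"
        minute = ts_seconds // 60
        if self.minute_usage[(customer, minute)] + nbytes > pol.peak_bytes_per_minute:
            verdict = "deprioritize:peak"      # assumption: peak overage is deprioritized
        elif app in pol.deprioritized_apps:
            verdict = "deprioritize:app"
        else:
            verdict = "allow"
        self.month_usage[customer] += nbytes
        self.minute_usage[(customer, minute)] += nbytes
        return verdict


# Constructed sample policy for a hypothetical library hot spot.
POLICIES = {
    "library": Policy(
        blocked_apps=frozenset({"hd-video"}),
        deprioritized_apps=frozenset({"itunes-backup"}),
        blocked_domains=frozenset({"example-blocked.test"}),
        monthly_cap_bytes=10_000_000,
        peak_bytes_per_minute=1_000_000,
    )
}

# Constructed flow records: (customer, app, domain, bytes, timestamp seconds).
SAMPLE_FLOWS = [
    ("library", "web", "catalog.example.test", 50_000, 0),
    ("library", "hd-video", "video.example.test", 500_000, 5),
    ("library", "itunes-backup", None, 200_000, 10),
    ("library", "web", "evil.example-blocked.test", 1_000, 20),
    ("library", "web", "big.example.test", 900_000, 30),
    ("library", "web", "big.example.test", 9_000_000, 120),
]


def run_sample() -> Tuple[List[str], int]:
    """Run the sample flows; return the verdicts and the library's recorded usage."""
    engine = PolicyEngine(POLICIES)
    verdicts = [engine.decide(*flow) for flow in SAMPLE_FLOWS]
    return verdicts, engine.month_usage["library"]


if __name__ == "__main__":
    for flow, verdict in zip(SAMPLE_FLOWS, run_sample()[0]):
        print(flow, "->", verdict)
```

Because the policy table is keyed by customer, the same engine serves several customers at once, each with its own rules and its own usage counters, which is the multi-customer arrangement the text describes.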
In certain embodiments, the first carrier network 30 and the second carrier network 530 may be from different providers, such as AT&T, Verizon, Sprint, T-Mobile, etc. Thus, the first carrier network 30 may be from a first provider, while the second carrier network 530 may be from a second provider.
In other embodiments, the first carrier network and the second carrier network may be from the same provider. For example, the second subnet 540 may be designated to a gateway 532 having a different APN than the first subnet 40. In one example, the first carrier network 30, first subnet 40, the APN and gateway 32 are provided directly by a carrier. The second gateway 530, the second subnet 540 and the second APN are provided by a partner of that carrier, which is authorized to utilize the core network of the carrier.
Thus, the private networking system is able to connect to various carrier networks, as well as to various customer enterprise networks. By being disposed between the carrier networks and the customer enterprise networks, the private networking system is also able to offer a plurality of features and benefits. Further, the private networking system offers ease and convenience that were not previously available to customers wishing to implement private subnets.
The present disclosure is not to be limited in scope by the specific embodiments described herein. Indeed, other various embodiments of and modifications to the present disclosure, in addition to those described herein, will be apparent to those of ordinary skill in the art from the foregoing description and accompanying drawings. Thus, such other embodiments and modifications are intended to fall within the scope of the present disclosure. Furthermore, although the present disclosure has been described herein in the context of a particular implementation in a particular environment for a particular purpose, those of ordinary skill in the art will recognize that its usefulness is not limited thereto and that the present disclosure may be beneficially implemented in any number of environments for any number of purposes. Accordingly, the claims set forth below should be construed in view of the full breadth and spirit of the present disclosure as described herein.
This application claims priority of U.S. Provisional Patent Application 62/160,964, filed May 13, 2015, the disclosure of which is incorporated by reference in its entirety.
U.S. patent documents cited:

Number | Name | Date | Kind |
---|---|---|---|
6339595 | Rekhter et al. | Jan 2002 | B1 |
7634230 | Ji et al. | Dec 2009 | B2 |
7810149 | Islam et al. | Oct 2010 | B2 |
7826381 | Kastuar et al. | Nov 2010 | B1 |
7849217 | Meier | Dec 2010 | B2 |
7882247 | Sturniolo et al. | Feb 2011 | B2 |
8316152 | Geltner et al. | Nov 2012 | B2 |
8837318 | Anthony et al. | Sep 2014 | B2 |
8855012 | Suri | Oct 2014 | B1 |
8918503 | Luna | Dec 2014 | B2 |
8934414 | Luna | Jan 2015 | B2 |
8953446 | Wang et al. | Feb 2015 | B1 |
8976963 | Islam et al. | Mar 2015 | B2 |
9014023 | Anthony et al. | Apr 2015 | B2 |
9059941 | Oweis et al. | Jun 2015 | B1 |
9179447 | Holm et al. | Nov 2015 | B2 |
9198021 | Tomici et al. | Nov 2015 | B2 |
9621460 | Mehta et al. | Apr 2017 | B2 |
9973489 | Barton | May 2018 | B2 |
20020099826 | Summers | Jul 2002 | A1 |
20040037260 | Kakemizu et al. | Feb 2004 | A1 |
20040208175 | McCabe | Oct 2004 | A1 |
20050089015 | Tsuge et al. | Apr 2005 | A1 |
20050237982 | Pankajakshan | Oct 2005 | A1 |
20050249218 | Biggs | Nov 2005 | A1 |
20080037498 | Narayanan | Feb 2008 | A1 |
20080101366 | Venkitaraman | May 2008 | A1 |
20100033573 | Malinovski | Feb 2010 | A1 |
20100097981 | Kant | Apr 2010 | A1 |
20100111049 | Siegel | May 2010 | A1 |
20100296414 | Vohra et al. | Nov 2010 | A1 |
20100318918 | Mahmoodshahi | Dec 2010 | A1 |
20120002813 | Wei | Jan 2012 | A1 |
20120005476 | Wei | Jan 2012 | A1 |
20120005477 | Wei | Jan 2012 | A1 |
20120005746 | Wei | Jan 2012 | A1 |
20120246325 | Pancorbo Marcos | Sep 2012 | A1 |
20120250516 | Aggarwal et al. | Oct 2012 | A1 |
20130054763 | Van der Merwe | Feb 2013 | A1 |
20130238816 | Skog | Sep 2013 | A1 |
20140165134 | Goldschlag | Jun 2014 | A1 |
20140269564 | Tie et al. | Sep 2014 | A1 |
20140286237 | Bhalla | Sep 2014 | A1 |
20140317276 | Tie et al. | Oct 2014 | A1 |
20140359704 | Chen | Dec 2014 | A1 |
20140364159 | Murray et al. | Dec 2014 | A1 |
20150098334 | Luna | Apr 2015 | A1 |
20150128205 | Mahaffey et al. | May 2015 | A1 |
20150163213 | Chen | Jun 2015 | A1 |
20150188949 | Mahaffey | Jul 2015 | A1 |
20150195270 | Chen | Jul 2015 | A1 |
20150249642 | Burns et al. | Sep 2015 | A1 |
20150249672 | Burns | Sep 2015 | A1 |
20150263886 | Wang et al. | Sep 2015 | A1 |
20150288678 | Chen | Oct 2015 | A1 |
20150365278 | Chakrabarti | Dec 2015 | A1 |
20160006815 | Dong | Jan 2016 | A1 |
20160006837 | Reynolds | Jan 2016 | A1 |
20160007193 | Zhang | Jan 2016 | A1 |
20160014154 | Huang | Jan 2016 | A1 |
20160066186 | Kim | Mar 2016 | A1 |
20160087933 | Johnson | Mar 2016 | A1 |
20160164728 | Chakrabarti | Jun 2016 | A1 |
20160278147 | Adrangi | Sep 2016 | A1 |
20160352682 | Chang et al. | Dec 2016 | A1 |
20160380823 | Shen et al. | Dec 2016 | A1 |
20170019750 | Palanisamy | Jan 2017 | A1 |
20180152541 | Mathison | May 2018 | A1 |
20180220285 | Nicholson et al. | Aug 2018 | A1 |
Foreign patent documents cited:

Number | Date | Country |
---|---|---|
2879344 | Jun 2015 | EP |
2012178055 | Dec 2012 | WO |
2014064232 | May 2014 | WO |
Other references cited:

Entry |
---|
Office action dated Jan. 22, 2019 in co-pending U.S. Appl. No. 15/936,929. |
Notice of allowance dated Aug. 6, 2019 in co-pending U.S. Appl. No. 15/936,929. |
Related U.S. publication:

Number | Date | Country |
---|---|---|
20160337784 A1 | Nov 2016 | US |
Priority application:

Number | Date | Country |
---|---|---|
62160964 | May 2015 | US |