
Virtual private network having automatic reachability updating

A virtual private network with automatic update technology, applied in the field of virtual private networks, addresses the accidental release of vital information from within an organization, the increased risks that accompany the flexibility and efficiencies provided by computers and computer networks, and inappropriate use of the LAN, WAN, Internet, or extranet.

Publication Date: 2005-06-23 (Inactive)
Inventors: IYER SHANKER V +3
Cites: 8; Cited by: 284

AI Technical Summary

Benefits of technology

[0007] The present invention is directed to a unified policy management system allowing the efficient configuration, management, and updating of VPNs extending over remote sites separated by the Internet. The system allows each endpoint in a VPN tunnel to aggregate and abstract out the reachability information of the networks associated with each endpoint. This information is then shared with all the other tunnel endpoints in the same VPN. Furthermore, the system provides a hierarchical organization of VPNs facilitating the creation of fully-meshed VPNs. In addition, access control rules may be defined for a VPN to allow users to have fine grain control over the traffic flowing through the VPN.
[0008] According to one embodiment of the invention, a computer network includes a first edge device coupled to a first private network and a second edge device coupled to a second private network. The first and second edge devices preferably act as VPN tunnel endpoints allowing secure communication between the first and second private networks. In addition, the first edge device is configured to create a first table with information of member networks reachable through the first edge device, and the second edge device is configured to create a second table with information of member networks reachable through the second edge device. The first and second edge devices share their membership information with each other, allowing the creation of VPNs whose member lists are dynamically compiled.
[0009] In one particular aspect of the invention, the communication between the first and second private networks is managed according to a security policy associated with the member networks. The security policy is defined for a security policy group, referred to as a VPN cloud, providing hierarchical organization of the group. The VPN cloud includes member networks (hosts), users allowed to access the member networks, and a rule controlling access to the member networks. The hierarchical organization provided by the VPN clouds thus allows the network administrator to create fully meshed VPNs. The network administrator need no longer manually configure each possible connection in the VPN, but need only create a VPN cloud and specify the sites, users, and rules to be associated with the VPN. Each connection is then configured based on the configuration specified for the VPN cloud. The hierarchical organization thus facilitates the setup of a VPN with a large number of sites.
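The mechanism described in [0007] to [0009] (each endpoint summarizes the networks behind it, announces that summary to every other endpoint, and a VPN cloud turns a membership list into a full mesh with access rules) can be modelled in a few dozen lines. The following is an added example written for this page; it is not code from the patent or from any product, and every class, method and address in it (EdgeDevice, VpnCloud, Rule, the three sample sites, the two user groups) is a constructed assumption chosen for illustration.

```python
"""Hypothetical model of reachability sharing and VPN-cloud policy (added example)."""
from dataclasses import dataclass, field
from ipaddress import IPv4Address, IPv4Network, collapse_addresses, ip_address, ip_network
from itertools import combinations
from typing import Dict, List, Optional, Set, Tuple


@dataclass
class EdgeDevice:
    """A VPN tunnel endpoint fronting one private site (assumed name/shape)."""
    name: str
    local_networks: List[IPv4Network]
    # Reachability table learned from peers: peer name -> member networks
    table: Dict[str, List[IPv4Network]] = field(default_factory=dict)

    def add_network(self, cidr: str) -> None:
        """Attach another local subnet; peers see it on the next exchange."""
        self.local_networks.append(ip_network(cidr))

    def aggregate(self) -> List[IPv4Network]:
        """Abstract out local reachability: collapse adjacent or overlapping
        prefixes into the smallest equivalent set of summary routes."""
        return list(collapse_addresses(self.local_networks))

    def learn(self, peer: str, networks: List[IPv4Network]) -> None:
        """Replace the stored entry for a peer with its latest announcement."""
        self.table[peer] = list(networks)

    def next_hop(self, dst: str) -> Optional[str]:
        """Longest-prefix match across learned tables; None if unreachable."""
        target = ip_address(dst)
        best: Optional[Tuple[int, str]] = None
        for peer, nets in self.table.items():
            for net in nets:
                if target in net and (best is None or net.prefixlen > best[0]):
                    best = (net.prefixlen, peer)
        return best[1] if best else None


@dataclass(frozen=True)
class Rule:
    """One access-control rule attached to a VPN cloud (first match wins)."""
    user: str            # user group, or "*" for any member user
    dst: IPv4Network     # destination member network
    proto: str           # "tcp", "udp" or "*"
    port: int            # 0 matches any port
    action: str          # "allow" or "deny"

    def matches(self, user: str, dst: IPv4Address, proto: str, port: int) -> bool:
        return ((self.user == "*" or self.user == user)
                and dst in self.dst
                and self.proto in ("*", proto)
                and self.port in (0, port))


@dataclass
class VpnCloud:
    """Security policy group: member sites, permitted users and rules."""
    name: str
    sites: List[EdgeDevice]
    users: Set[str]
    rules: List[Rule]

    def mesh(self) -> List[Tuple[str, str]]:
        """Full mesh derived from membership; no per-pair configuration."""
        return [(a.name, b.name) for a, b in combinations(self.sites, 2)]

    def exchange_reachability(self) -> None:
        """Each endpoint announces its summary and every other endpoint records
        it. Re-running this after a site changes is the automatic update step."""
        for src in self.sites:
            summary = src.aggregate()
            for dst in self.sites:
                if dst is not src:
                    dst.learn(src.name, summary)

    def check(self, user: str, dst: str, proto: str, port: int) -> str:
        """Evaluate cloud rules for a flow; users outside the cloud and
        flows matching no rule are denied by default."""
        if user not in self.users:
            return "deny"
        target = ip_address(dst)
        for rule in self.rules:
            if rule.matches(user, target, proto, port):
                return rule.action
        return "deny"


def build_demo() -> VpnCloud:
    """Constructed sample topology: three sites, two user groups, two rules."""
    hq = EdgeDevice("hq", [ip_network("10.1.0.0/24"), ip_network("10.1.1.0/24")])
    branch = EdgeDevice("branch", [ip_network("10.2.0.0/24")])
    remote = EdgeDevice("remote", [ip_network("192.168.5.0/24")])
    rules = [
        Rule("finance", ip_network("10.1.0.0/23"), "tcp", 443, "allow"),
        Rule("*", ip_network("10.2.0.0/24"), "*", 0, "allow"),
    ]
    cloud = VpnCloud("corp", [hq, branch, remote], {"eng", "finance"}, rules)
    cloud.exchange_reachability()
    return cloud


if __name__ == "__main__":
    cloud = build_demo()
    hq, branch, _ = cloud.sites
    print("tunnels:", cloud.mesh())
    print("branch learned from hq:", branch.table["hq"])
    print("10.1.1.7 reached via", branch.next_hop("10.1.1.7"))
    hq.add_network("10.1.2.0/24")          # headquarters grows a subnet
    cloud.exchange_reachability()          # one exchange updates all peers
    print("after update:", branch.table["hq"])
    print(cloud.check("finance", "10.1.0.5", "tcp", 443),
          cloud.check("eng", "10.1.0.5", "tcp", 443))
```

Two points the code makes concrete: the summary an endpoint announces is a collapsed prefix list rather than a copy of its routing table, so the two adjacent /24s at headquarters travel as one /23, and the rule set is evaluated per flow with a default deny, so membership in the cloud alone grants nothing until a rule permits it.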

Problems solved by technology

However, the flexibility and efficiencies provided by such computers and computer networks come with increasing risks, including security breaches from outside the corporation, accidental release of vital information from within it, and inappropriate use of the LAN, WAN, Internet, or extranet.
Furthermore, as an organization grows and spreads across multiple locations, the number of devices it maintains also multiplies, and with it the expenditure and effort needed to configure, manage, and monitor those devices.
In fact, there are many obstacles and challenges in adopting such an approach.
One of these challenges is devising a scheme for efficient configuration, management, and updating of VPNs extending over remote sites separated by the Internet.
Encrypting or otherwise tunneling traffic between many sites that have potentially different dynamic routing protocols over an IPSec tunnel can therefore be problematic.
It may also be problematic to set up a fully meshed VPN where every site has full connectivity to every other site if there are a large number of sites.
Furthermore, VPN definitions are typically an association of source and destination network addresses that allow unrestricted access between the networks in the VPN, and providing fine grained access control to such traffic may be difficult.




Embodiment Construction

[0042] I. Unified Policy Management System Architecture

[0043] FIG. 1 is a schematic block diagram of an exemplary unified policy management system according to one embodiment of the invention. As illustrated in FIG. 1, private local networks 102, 104, and 106 are all coupled to a public network such as the Internet 108 via respective routers (generally identified at 110) and Internet Service Providers (ISPs) (not shown). Also coupled to the public Internet 108 via the ISPs are web surfers 112, dial-up network users 114, servers providing unauthorized web sites 116, email spammers 118 sending out unsolicited junk email, and remote VPN clients 140 seeking access to the private local networks 102.

[0044] According to one example, local network 102 connects users and resources, such as workstations, servers, printers, and the like, at a first location of the organization, such as the organization's headquarters, and local network 104 connects users and resources at a second location of...


Abstract

A unified policy management system for an organization including a central policy server and remotely situated policy enforcers. A central database and policy enforcer databases storing policy settings are configured as LDAP databases adhering to a hierarchical object-oriented structure. Such structure allows the policy settings to be defined in an intuitive and extensible fashion. Changes in the policy settings made at the central policy server are automatically transferred to the policy enforcers for updating their respective databases. Each policy enforcer collects health and status information in a predefined log format and transmits it to the policy server for efficient monitoring by the policy server. For further efficiencies, the policy enforcement functionalities of the policy enforcers are effectively partitioned so as to be readily implemented in hardware. The system also provides for dynamically routed VPNs where VPN membership lists are automatically created and shared with the member policy enforcers. Updates to such membership lists are also automatically transferred to remote VPN clients. The system further provides for fine-grain access control of the traffic in the VPN by allowing definition of firewall rules within the VPN. In addition, the policy server and policy enforcers may be configured for high availability by maintaining a backup unit in addition to a primary unit. The backup unit becomes active upon failure of the primary unit.

Description

CROSS-REFERENCE TO RELATED APPLICATIONS

[0001] This application claims the benefit of U.S. provisional applications 60 / 138,849, 60 / 138,850, 60 / 139,033, 60 / 139,034, 60 / 139,035, 60 / 139,036, 60 / 139,038, 60 / 139,042, 60 / 139,043, 60 / 139,044, 60 / 139,047, 60 / 139,048, 60 / 139,049, 60 / 139,052, 60 / 139,053, all filed on Jun. 10, 1999, and U.S. provisional application 60 / 139,076, filed on Jun. 11, 1999, the contents of all of which are incorporated herein by reference.

FIELD OF THE INVENTION

[0002] The present invention relates to computer networks, and more particularly, to devices and methods for providing efficient configuration, management, and updating of virtual private networks extending over remote sites across the Internet.

BACKGROUND OF THE INVENTION

[0003] The growth and proliferation of computers and computer networks allow businesses to efficiently communicate with their own components as well as with their business partners, customers, and suppliers. However, the flexibility and effic...


Application Information

Patent Type & Authority: Applications (United States)
IPC(8): G06F21/00, G06F21/60, G06F21/62, H02H3/05, H04L12/46, H04L12/56
CPC: H04L12/4641, Y02B60/33, H04L41/0233, H04L41/0893, H04L41/22, H04L45/00, H04L45/22, H04L45/586, H04L47/10, H04L47/20, H04L47/2441, H04L47/41, H04L61/1523, H04L63/0227, H04L63/0263, H04L63/0272, H04L63/0442, H04L63/061, H04L63/08, H04L63/1425, H04L63/164, H04L63/20, H04L67/1095, H04L69/40, H04L69/329, H04L29/06, Y02D30/50, H04L61/4523, H04L41/40, H04L41/0894, H04L9/40
Inventors: IYER, SHANKER V.; IYER, MAHADEVAN; HUNT, WILLIAM; KALE, RAHUL P.
Owner: IYER SHANKER V