
Scalable and on-demand multi-tenant and multi region secure network

Patent number
US11888815B2
Publication date
2024-01-30
Applicant
CHECK POINT SSE SOLUTIONS LTD. (IL, Tel-Aviv)
Inventors
Amit Bareket; Sagi Gidali
IPC classification
H04L9/40; H04L45/02; H04L12/66; H04L61/5007
Technical field
network, private, or, virtual, ip, cloud, gateways, client, networks, more
Region: Tel-Aviv

Abstract

Provided herein are systems and methods for configuring a segmented cloud based network based on separate Internet Protocol (IP) segments, comprising receiving instructions to create one or more additional private virtual networks as respective additional segments in a multi-tenant multi-regional cloud based network segmented to a plurality of segments each mapped by a respective IP address range, calculating one or more non-conflicting new IP address ranges based on analysis of the IP address range of each of the segments, allocating a respective new IP address range to each additional segment, and automatically deploying one or more gateways. The gateways are configured to connect one or more client devices to the additional segment(s) by assigning each client device an IP address in the respective new IP address range and routing network packets between the client devices and the respective additional segment according to the mapping of the respective new IP address range.
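As an added example (not code from the patent or from Check Point), the range calculation the abstract describes: pick a new range for each additional segment that conflicts neither with the existing segments nor with the other new ranges, using Python's ipaddress module. The pool and the existing ranges are constructed values.

```python
# Added example, not code from the patent: carve new, non-conflicting IP ranges
# for additional segments out of a pool, given the ranges already mapped.
import ipaddress
from typing import Iterable, List, Optional

# Constructed values: the address pool tenant segments are carved from, and
# the ranges already mapped to existing segments.
POOL = ipaddress.ip_network("10.0.0.0/8")
EXISTING = [
    ipaddress.ip_network("10.0.0.0/16"),
    ipaddress.ip_network("10.1.0.0/16"),
    ipaddress.ip_network("10.2.128.0/17"),
]

def conflicts(candidate: ipaddress.IPv4Network, in_use: Iterable[ipaddress.IPv4Network]) -> bool:
    """True if the candidate range overlaps any range already in use."""
    return any(candidate.overlaps(seg) for seg in in_use)

def allocate_segment(prefix_len: int, in_use, pool=POOL) -> Optional[ipaddress.IPv4Network]:
    """Return the lowest /prefix_len block in the pool that conflicts with nothing in use."""
    if not pool.prefixlen <= prefix_len <= pool.max_prefixlen:
        raise ValueError(f"/{prefix_len} does not fit inside {pool}")
    for candidate in pool.subnets(new_prefix=prefix_len):
        if not conflicts(candidate, in_use):
            return candidate
    return None  # pool exhausted for this size

def allocate_segments(prefix_lens: Iterable[int], existing, pool=POOL) -> List[ipaddress.IPv4Network]:
    """Allocate one new range per requested size; each must not conflict with the
    existing segments nor with the ranges allocated earlier in this same call."""
    in_use, allocated = list(existing), []
    for plen in prefix_lens:
        seg = allocate_segment(plen, in_use, pool)
        if seg is None:
            raise RuntimeError(f"no free /{plen} left in {pool}")
        in_use.append(seg)
        allocated.append(seg)
    return allocated

def pairwise_disjoint(segments) -> bool:
    """Check the invariant the segmentation relies on: no two ranges overlap."""
    segs = list(segments)
    return all(not a.overlaps(b) for i, a in enumerate(segs) for b in segs[i + 1:])
```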

Description

RELATED APPLICATION

This application is a continuation of U.S. patent application Ser. No. 16/988,777 filed on Aug. 10, 2020.

FIELD AND BACKGROUND OF THE INVENTION

The present invention, in some embodiments thereof, relates to constructing a segmented multi-tenant multi-region cloud based network, and, more specifically, but not exclusively, to constructing a segmented multi-tenant multi-region cloud based network comprising multiple Internet Protocol (IP) address based private virtual networks to support Layer 3 (L3) up to Layer 7 (L7) networking infrastructure as a service for the private virtual networks.

With the rapid and overwhelming growth of cloud based services, platforms and infrastructures, as well as of employees working from home and outside the office, cloud networking is also gaining a constantly growing share in network deployment for a plurality of applications and infrastructures operated by a plurality of companies, organizations, institutions and/or the like.

Moreover, since cloud networking is offered as a service, for example, Network as a Service (NaaS) by several major information and technology companies, the cloud based networks have long become multi-tenant network environments in which multiple companies, organizations, institutions and/or the like may share the same platform to construct their own private, independent and isolated networks.

Constructing such multi-tenant networks in which each of the tenants may be allocated with private virtual networks that may be exclusively accessed and used by the respective tenant may naturally present major challenges in terms of privacy, security and/or the like.

SUMMARY OF THE INVENTION

權(quán)利要求

What is claimed is:

1. A system for applying security policies in a cloud based network segmented to a plurality of virtual private networks based on Internet Protocol (IP) segmentation, comprising:
at least one processor configured to:
receive at least one security policy defined for at least one of a plurality of private virtual networks of at least one multi-tenant multi-regional cloud based network constructed segmented to a plurality of segments each serving as a respective one of the plurality of private virtual networks, each of the plurality of segments is mapped by a respective IP address range which is a low layer IP address range and is non-conflicting with the low layer IP address range of any other of the plurality of segments;
deploy automatically at least one security engine configured to apply the at least one security policy for at least one of a plurality of client devices accessing the at least one private virtual network by:
intercepting at least one packet transmitted by the at least one client device which is assigned an IP address in the IP address range mapping the respective segment serving as the at least one virtual private network,
identifying the IP address of the at least one client device in the at least one intercepted packet, and
applying the at least one security policy according to the identified IP address.

2. The system of claim 1, wherein the at least one security engine is a firewall.

3. The system of claim 1, wherein the at least one security engine is instantiated in at least one gateway deployed to connect the at least one client device to the at least one private virtual network.

4. The system of claim 1, wherein the at least one client device is connected to the at least one private virtual network via at least one gateway configured to apply Layer 2 (L2) routing to route the network packets between the at least one client device and the respective segment.

5. The system of claim 1, wherein the at least one client device is connected to the at least one private virtual network via at least one gateway configured to apply Layer 3 (L3) routing to route the network packets between the at least one client device and the respective additional segment.

6. The system of claim 1, wherein at least one of the plurality of segments is further segmented to a plurality of subnets using Classless Inter-Domain Routing (CIDR).

7. The system of claim 1, wherein at least one of the plurality of segments is further segmented to a plurality of subnets using at least one firewall configured to route network traffic within the at least one segment according to at least one routing table.

8. The system of claim 1, wherein a plurality of gateways are deployed to provide connectivity to at least one of the plurality of segments for a plurality of client devices located at a plurality of geographical regions.

9. The system of claim 8, wherein each of the plurality of gateways is deployed in at least one respective edge server connected at an edge of the network in a respective one of the plurality of geographical regions in close network proximity to a respective access point providing network connectivity to the client devices located in the respective geographical region.

10. The system of claim 9, wherein the plurality of gateways providing connectivity to the at least one segment for client devices located in the plurality of geographical regions are interconnected via at least one site to site secure connection.

11. The system of claim 1, wherein the at least one processor is further configured to deploy automatically at least one additional gateway according to at least one predefined rule in response to a request received from at least one additional client device to connect to at least one of the plurality of segments.

12. The system of claim 11, wherein the at least one additional gateway is configured to connect the at least one additional client device to the at least one segment by assigning the at least one additional client device an IP address in the IP address range of the at least one segment and routing network packets between the at least one additional client device and the at least one segment according to the mapping of the IP address range allocated to the at least one segment.

13. The system of claim 11, wherein the at least one additional gateway is deployed in at least one of a plurality of geographical regions supported by the at least one cloud based network in which the at least one additional client device is located.

14. A computer implemented method of applying security policies in a cloud based network segmented to a plurality of virtual private networks based on Internet Protocol (IP) segmentation, comprising:
using at least one processor configured for:
receiving at least one security policy defined for at least one of a plurality of private virtual networks of at least one multi-tenant multi-regional cloud based network segmented to a plurality of segments each serving as a respective one of the plurality of private virtual networks, each of the plurality of segments is mapped by a respective IP address range which is a low layer IP address range and is non-conflicting with the low layer IP address range of any other of the plurality of segments;
deploying automatically at least one security engine configured to apply the at least one security policy for at least one of a plurality of client devices accessing the at least one private virtual network by:
intercepting at least one packet transmitted by the at least one client device which is assigned an IP address in the IP address range mapping the respective segment serving as the at least one virtual private network, and
identifying the IP address of the at least one client device in the at least one intercepted packet, and
applying the at least one security policy according to the identified IP address.

15. A computer program with a program code for applying security policies in a cloud based network segmented to a plurality of virtual private networks based on Internet Protocol (IP) segmentation, comprising a non-transitory medium storing thereon computer program instructions which, when executed by at least one hardware processor, cause the at least one hardware processor to:
receive at least one security policy defined for at least one of a plurality of private virtual networks of at least one multi-tenant multi-regional cloud based network segmented to a plurality of segments each serving as a respective one of the plurality of private virtual networks, each of the plurality of segments is mapped by a respective IP address range which is a low layer IP address range and is non-conflicting with the low layer IP address range of any other of the plurality of segments;
deploy automatically at least one security engine configured to apply the at least one security policy for at least one of a plurality of client devices accessing the at least one private virtual network by:
intercepting at least one packet transmitted by the at least one client device which is assigned an IP address in the IP address range mapping the respective segment serving as the at least one virtual private network, and
identifying the IP address of the at least one client device in the at least one intercepted packet, and
applying the at least one security policy according to the identified IP address.
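As an added example (not the patent's or Check Point's code), a minimal version of the security engine in claims 1, 14 and 15: it identifies the source IP of an intercepted packet, maps it to the segment whose non-conflicting range contains it, and applies that segment's policy. The segments, the shape of the policy (allowed destination ports plus an isolation flag) and the packets are constructed for the example.

```python
# Added example, not code from the patent: a security engine that maps an
# intercepted packet's source IP to its segment and applies that segment's policy.
import ipaddress
from dataclasses import dataclass
from typing import Any, Dict, List, Tuple

@dataclass(frozen=True)
class Segment:
    """One private virtual network: its IP range and the policy defined for it."""
    name: str
    cidr: ipaddress.IPv4Network
    allowed_ports: frozenset   # destination ports clients of this segment may reach
    isolated: bool = True      # deny packets whose destination lies outside the range

# Constructed multi-tenant layout (hypothetical values); the ranges do not overlap.
SEGMENTS = [
    Segment("tenant-a", ipaddress.ip_network("10.10.0.0/16"), frozenset({443})),
    Segment("tenant-b", ipaddress.ip_network("10.20.0.0/16"), frozenset({22, 443}), False),
]

def build_engine(segments: List[Segment]) -> List[Segment]:
    """Refuse overlapping ranges: they would make the source-IP lookup ambiguous."""
    for i, a in enumerate(segments):
        for b in segments[i + 1:]:
            if a.cidr.overlaps(b.cidr):
                raise ValueError(f"conflicting ranges: {a.name} vs {b.name}")
    return list(segments)

def apply_policy(packet: Dict[str, Any], segments: List[Segment]) -> Tuple[str, str]:
    """Inspect one intercepted packet (a constructed dict), identify the segment from
    the IP address the gateway assigned to the client, and return (action, reason)."""
    src, dst = ipaddress.ip_address(packet["src"]), ipaddress.ip_address(packet["dst"])
    seg = next((s for s in segments if src in s.cidr), None)
    if seg is None:
        return "deny", "source IP not assigned to any segment"
    if seg.isolated and dst not in seg.cidr:
        return "deny", f"{seg.name} is isolated; destination outside its range"
    if packet["dport"] not in seg.allowed_ports:
        return "deny", f"port {packet['dport']} not allowed in {seg.name}"
    return "allow", seg.name

# Constructed sample packets as seen by the gateway's security engine.
PACKETS = [
    {"src": "10.10.4.7", "dst": "10.10.9.1", "dport": 443},    # same segment, port allowed
    {"src": "10.10.4.7", "dst": "10.20.0.5", "dport": 443},    # leaves isolated tenant-a
    {"src": "10.20.1.2", "dst": "10.10.9.1", "dport": 22},     # tenant-b is not isolated
    {"src": "192.168.1.9", "dst": "10.10.9.1", "dport": 443},  # not in any segment
]

def decisions(packets=PACKETS, segments=SEGMENTS) -> List[str]:
    engine = build_engine(segments)
    return [apply_policy(p, engine)[0] for p in packets]
```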