Persistent data communication sessions across WAN

Instead of specifying actual transport layer IP addresses as a basis for a secure tunnel's security association, an approach described herein specifies virtual addresses. Then suitable network appliances intercept and modify packets in order to map between the virtual addresses and actual addresses. The virtual addresses satisfy IPsec or another authentication procedure that checks packets using the security association. The actual addresses are used by transport layer protocols. This overlay approach permits a session to failover from one network connection to another without requiring restoration of the session in a newly created secure tunnel after one of the network interfaces becomes unavailable, thereby obsoleting the security association based in part on the IP address of the now unavailable interface. This innovative approach also allows the use of parallel paths and the use of one-to-many or many-to-one path topologies, which would otherwise not be permitted.

10,965,649, Abstract

Flatnet failover control

Failover controllers help maintain user-perceived continuous connectivity for users of a geographically dispersed flat network when part of that network becomes unavailable, even though flat network packets are not WAN-routable. One such controller has local and remote flat network ports, at least one WAN port, and failover capability to WAN(s) utilizing encapsulation when the flat network is partially or fully unavailable. The failover procedure uses a packet origin table built automatically from incoming packets and from double-tunneled ARP requests. A monitor indicates whether the flat network is fully available (up) or not fully available (down). Controller software updates the packet origin table, and directs packets between ports depending on flatnet status, the packet origin table's content, and any packet handling enhancements such as load balancing, affinity enforcement, quality of service maintenance, packet traffic shaping, packet policy application, firewall operation, reverse firewall operation, encryption/decryption, and/or compression/decompression.

10,164,822, Abstract

VoIP multiline failover

Tools and techniques are provided to provide Voice-over-IP (VoIP) communications. On receiving a user request to initiate a telephonic connection from a local site, at which the user is using a VoIP telecommunication device which has no link failover functionality, a system establishes over wide area network links at least two tunnels between a controller at the local site and another controller. Then the system transmits VoIP traffic over at least one of the tunnels from the controller at the local site to the other controller. The system also detects failure of the primary tunnel during the call and performs failover by changing a data path during the call to transmit packets over at least one non-failed tunnel.

8,995,252, Abstract

Flatnet failover control

Failover controllers help maintain user-perceived continuous connectivity for users of a geographically dispersed flat network when part of that network becomes unavailable, even though flat network packets are not WAN-routable. One such controller has local and remote flat network ports, at least one WAN port, and failover capability to WAN(s) utilizing encapsulation when the flat network is partially or fully unavailable. The failover procedure uses a packet origin table built automatically from incoming packets and from double-tunneled ARP requests. A monitor indicates whether the flat network is fully available (up) or not fully available (down). Controller software updates the packet origin table, and directs packets between ports depending on flatnet status, the packet origin table's content, and any packet handling enhancements such as load balancing, affinity enforcement, quality of service maintenance, packet traffic shaping, packet policy application, firewall operation, reverse firewall operation, encryption/decryption, and/or compression/decompression.

8,780,811, Abstract

VPN secure sessions with dynamic IP addresses

To help maintain secure and convenient connectivity for users when IP addresses change, devices connected between sites by using multiple virtual private network security associations update one another when the security association IP addresses change. The device whose WAN interface IP address changed transmits an address change notification message to the other device over a WAN interface whose IP address did not change. The message indicates which IP address(es) changed and new value(s) to use. The devices can then continue the same secure virtual private network session (from a user point of view above the security association level) by using the new value(s) for the changed IP address(es). Use of the new value for the changed IP address is transparent to (unseen by) VPN applications that are running in the LANs. IPSec sessions and load balancing may be provided.

8,356,346, Abstract

Domain name resolution making IP address selections in response to connection status when multiple connections are present

Methods, configured storage media, and systems are provided for resolving domain names into IP addresses in a path-sensitive manner, namely, a manner that may consider information about a link to a server and/or information about routers and other path components. The IP addresses given in response to domain name resolution requests are selected to provide increased reliability and/or dynamic load-balancing over paths.

7,877,510, Abstract

Selective encryption with parallel networks

Methods, devices, and systems for efficient secure parallel data transmission are disclosed. Data from a local source is divided, with one portion being encrypted and then sent over an open public network, and another portion being sent over a private network without any such supplemental encryption. The portions are thus transmitted at least partially in parallel over networks having different security characteristics, in a manner that helps compensate for the lower security of the open public network without imposing unnecessary encryption overhead on packets being sent over the more secure private network.

7,444,506, Abstract

Tools and techniques for directing packets over disparate networks

Methods, configured storage media, and systems are provided for communications using two or more disparate networks in parallel to provide load balancing across network connections, greater reliability, and/or increased security. It protects the tools and techniques for directing packets over multiple parallel disparate networks, based on address and other criteria. The invention helps companies who are utilizing point-to-point, frame relay or MPLS networks to achieve the highest level of reliability for Wide Area Network (WAN) connectivity by aggregating data lines from private networks with public Internet lines using VPNs and/or other Internet-based networks. The patent protects the methods used to allow frame relay, MPLS and/or point-to-point networks to co-exist with VPN and other Internet-based networks for redundancy and the ability to failover from one disparate network to the other transparently.

7,406,048, Abstract

Combining routers to increase concurrency and redundancy in external network access

A controller is provided for increasing bandwidth between a local area network ("LAN") and other networks by using multiple routers on the given LAN. Data packets are multiplexed between the routers using a novel variation on the standard SYN packet synchronization protocol, and other components. On receiving data destined for an external network, the controller or gateway computer will direct the data to the appropriate router. In addition to providing higher speed connections, the invention provides better fault tolerance in the form of redundant connections from the originating LAN to a wide area network such as the Internet.

7,269,143, Abstract

Tools and techniques for directing packets over disparate networks

Methods, configured storage media, and systems are provided for communications using two or more disparate networks in parallel to provide load balancing across network connections, greater reliability, and/or increased security. A controller provides access to two or more disparate networks in parallel, through direct or indirect network interfaces. When one attached network fails, the failure is sensed by the controller and traffic is routed through one or more other disparate networks. When all attached disparate networks are operating, one controller preferably balances the load between them.

6,775,235, Abstract

Combining routers to increase concurrency and redundancy in external network access

Methods, configured storage media, and systems are provided for increasing bandwidth between a local area network ("LAN") and other networks by using multiple routers on the given LAN. Data packets are multiplexed between the routers using a novel variation on the standard SYN packet synchronization protocol, and other components. On receiving data destined for an external network, a controller or gateway computer will direct the data to the appropriate router. In addition to providing higher speed connections, the invention provides better fault tolerance in the form of redundant connections from the originating LAN to a wide area network such as the Internet.

6,493,341, Abstract

Combining routers to increase concurrency and redundancy in external network access

Methods, configured storage media, and systems are provided for increasing bandwidth between a local area network ("LAN") and other networks by using multiple routers on the given LAN. Data packets are multiplexed between the routers using a novel variation on the standard address resolution protocol, and other components. On receiving data destined for an external network, a controller or gateway computer will direct the data to the appropriate router. In addition to providing higher speed connections, the invention provides better fault tolerance in the form of redundant connections from the originating LAN to a wide area network such as the Internet.

6,295,276, Abstract

System and method for transmitting a user's data packets concurrently over different telephone lines between two computer networks

Methods and systems are provided for transmitting a user's data between two computer networks over physically separate telephone line connections which are allocated exclusively to the user. The user's data is placed in data packets, which are multiplexed onto the separate connections and sent concurrently to a de-multiplexer. The data packets contain a computer network address such as an Internet protocol address. A dynamic address and sequence table allows the de-multiplexer operation to restore the original order of the data after receiving the packets. The set of connections constitutes a virtual "fat pipe" connection through which the user's data is transmitted more rapidly. Additional users may be given their own dedicated "FatPipe" connections.

6,253,247, Abstract

Trademarks: 75241143 2236238 FATPIPE