1. Field of the Invention
The present invention relates generally to computer networks and more specifically, to virtual private networks.
2. Description of the Related Art
Computer networking is a widespread and constantly expanding approach to the sharing of data and software among users with a common interest in such resources. Virtually every business, governmental, or other organization with more than a very few computers has those computers networked so that individual workstations can share the resources of one or more common processors or servers. Within a single building or a relatively small geographic area, the network computers can be connected through some form of Local Area Network (LAN).
There is an increasing need for remote access capability between computers and computer networks over larger and larger geographic areas. It is essential for companies with branch offices to have the capability to share computer resources between offices. As more and more employees do substantial work from home, or as they travel away from company offices, there is a need to provide them with access to the company""s computer network with minimal inconvenience while still providing security for data access and transfer. Companies may be in partnership with other companies where there is a desire to share at least some computer resources. It may be expensive, difficult, and perhaps even impossible to network such far-flung computers using traditional approaches.
One solution to the problem of interconnecting remote computers is the use of owned or leased telecommunications lines dedicated to the sole use of a single company to service its remote computing sites. This technique, called a Wide Area Network (WAN), can be expensive depending upon how far and how extensively the lines need to run, and is wasteful of resources since the telecommunications lines may have relatively limited use or, correlatively, substantial unused capacity. In addition, there may be considerable organizational overhead associated with the establishment, expansion, maintenance, and administration of the WAN.
The concept of a virtual private network (VPN) has been developed to satisfy the need for lower cost, efficient networking of dispersed computers. A virtual private network is a private data network that makes use of the public telecommunications infrastructure, maintaining privacy through the use of a tunneling protocol and security procedure. VPNs extend the corporate network out to distant offices, home workers, salespeople, and business partners. VPNs use worldwide IP network services, including thee Internet service provider""s backbones. Remote users can make a local Internet call instead of dialing in at long distance rates. Alternatively, other types of public network connections can be used, such as a frame relay.
One of the keys to a VPN system is its ability to xe2x80x9ctunnelxe2x80x9d through public telecommunications lines so that data or applications are passed only between authorized users. Tunnels are virtual point-to-point connections that offer authentication, encryption, and access control between tunnel endpoints. Tunnels can exist at several protocol layers. Also called xe2x80x9cencapsulation,xe2x80x9d tunneling or xe2x80x9cIP Tunnelingxe2x80x9d encloses one type of data packet into the packet of another protocol, usually TCP/IP. With VPN tunneling, before encapsulation takes place, the packets are encrypted so the data is unreadable to outsiders. The encapsulated packets travel through the internet until they reach their intended destination, then they are separated and returned to their original format. Authentication technology is employed to make sure the client has authorization to contact the server.
VPNs may be either hardware or software based. A hardware based system consists of a dedicated processor running any of a number of commercially available or proprietary VPN software packages that perform the necessary VPN functions, such as encryption/decryption and authentication. Hardware based systems are most appropriate for larger firms because they offer tighter security, and the ability to handle larger volumes of traffic with a dedicated VPN processor. To process even larger volumes of traffic, with greater speed, scalability, redundancy, and reliability, large VPN users can employ multiple VPN devices.
The present invention provides a VPN network flow switch and a method of operation thereof for connecting two or more VPN devices on one side of a virtual private network (VPN) to the authorized servers or users at that network site. A similar clustering arrangement is provided on the other side of the VPN. The clustered VPN devices share a single IP address, without requiring translation of the IP address, and providing bi-directional clustering. The clustering unit, by operating transparently at the ISO layers 2 and 3, enables cross-platform clustering of VPN devices. This means the VPN devices within any single cluster can come from any manufacturer of such hardware or software.
The VPN device clustering system typically includes a plurality of clustering units for redundancy to avoid difficulties that arise with a single point of failure. For example, two clustering units may be used in an active-passive high-availability configuration.
The clustering system operates on outgoing data packets before they go through the transmitting VPN device. Similarly, the clustering system operates on incoming data packets after processing by the VPN device. Thus, the VPN device clustering system operates in a manner that is independent of the VPN hardware and software. The clustering system can therefore operate with any VPN hardware or sofware configuration without affecting the VPN authentication, security, or xe2x80x9ctunnelingxe2x80x9d functions.
In some embodiments, the VPN network flow switch, in addition to routing of the packets, performs load balancing and fault tolerance functions. In these embodiments, a processor of the VPN network flow switch periodically executes a load balancing routine to determine the relative workload of each of the VPN devices. When the VPN network flow switch receives a packet destined to the cluster of VPN devices, the packet is routed to the VPN device with an optimal workload, so as to ensure that the workload is evenly distributed among the VPN devices. In addition, if a failure of a VPN device is detected, a packet addressed to that VPN device is re-routed to a different VPN device by re-writing the Data Link Layer (MAC) destination address of the packet. Since the VPN network flow switch continuously monitors the status of the VPN devices, no lengthy time delay is introduced in point-to-point communications when a VPN device is disabled.
Since the cluster IP header is not modified, the VPN network flow switch of the present invention operates on packets encoded according to any VPN protocol. In addition, the VPN network flow switch can handle re-routing, load balancing and fault tolerance of encrypted packets transparently to users on both sides of the VPN.