APPARATUS AND METHOD FOR SECURE ROUTER DEVICE

Abstract

Method, systems, and devices for providing a multi-function router. A router may receive and forward data packets at a physical network interface. The router may also run a virtualized server or router using a logical network interface mapped statically or dynamically to the physical network interface.

Claims

1. A device comprising: a processor configured to run a first virtual machine, wherein the first virtual machine is configured to establish a first IP security (IPSEC) Virtual Private Network (VPN) and receive data, apply a first encryption to the data thereby generating one-layer encrypted data, and send the one-layer encrypted data to a first set of ports; and the processor is further configured to run a second virtual machine, wherein the second virtual machine is configured to establish a second IPSEC VPN and receive the one-layer encrypted data at the first set of ports, apply a second encryption to the one-layer encrypted data thereby generating two-layer encrypted data, and send the two-layer encrypted data to a second set of ports.

2. The device of claim 1, wherein the processor is further configured to run Router Firmware Virtualization Infrastructure (RFVI) for the first virtual machine or the second virtual machine.

3. The device of claim 1, wherein the device sends the two-layer encrypted data connected over the internet to a remote second device via the second set of ports.

4. The device of claim 1, wherein the device receives the data from an external source, or an internal source, wherein the external source comprises a computer, a laptop, a tablet, a cell phone, a cellular base station, wherein the internal source includes a keyboard of the device, a USB port of the device, or a network port of the device.

5. The device of claim 1, wherein the device comprises a set of physical ports mapped to a set of logical ports, wherein the mapping is static or dynamic.

6. The device of claim 1, wherein the first virtual machine or the second virtual machine implements a virtual server, router, or switch to control the sending and receiving of any data.

7. The device of claim 1, wherein the device is a laptop, a computer, a smartphone, or a tablet.

8. The device of claim 1, wherein a set of physical ports includes the first set of ports, wherein a set of logical ports includes the second set of ports.

9. The device of claim 1, wherein the first set of ports include a wired connection and the second set of ports include a wireless connection.

10. The device of claim 1, wherein the device is a component of an apparatus, wherein the apparatus is a laptop, a computer, a smartphone, or a tablet.

11. A method implemented by a device, the method comprising: establishing, by a first virtual machine running on the device, a first IP security (IPSEC) Virtual Private Network (VPN) and receive data; applying, by the first virtual machine running on the device, a first encryption to the data thereby generating one-layer encrypted data; sending, by the first virtual machine running on the device, the one-layer encrypted data to a first set of ports; establishing, by a second virtual machine running on the device, a second IPSEC VPN and receive the one-layer encrypted data at the first set of ports, applying, by the second virtual machine running on the device, a second encryption to the one-layer encrypted data thereby generating two-layer encrypted data, and sending, by the second virtual machine running on the device, the two-layer encrypted data to a second set of ports.

12. The method of claim 11, wherein the processor is further configured to run Router Firmware Virtualization Infrastructure (RFVI) for the first virtual machine or the second virtual machine.

13. The method of claim 11, wherein the device sends the two-layer encrypted data connected over the internet to a remote second device via the second set of ports.

14. The method of claim 11, wherein the device receives the data from an external source, or an internal source, wherein the external source comprises a computer, a laptop, a tablet, a cell phone, a cellular base station, wherein the internal source includes a keyboard of the device, a USB port of the device, or a network port of the device.

15. The method of claim 11, wherein the device comprises a set of physical ports mapped to a set of logical ports, wherein the mapping is static or dynamic.

16. The method of claim 11, wherein the first virtual machine or the second virtual machine implements a virtual server, router, or switch to control the sending and receiving of any data.

17. The method of claim 11, wherein the device is a laptop, a computer, a smartphone, or a tablet.

18. The method of claim 11, wherein a set of physical ports includes the first set of ports, wherein a set of logical ports includes the second set of ports.

19. The method of claim 11, wherein the first set of ports include a wired connection and the second set of ports include a wireless connection.

20. The method of claim 11, wherein the device is a component of an apparatus, wherein the apparatus is a laptop, a computer, a smartphone, or a tablet.

Description

BRIEF DESCRIPTION OF THE DRAWINGS

[0005] FIG. 1 shows an example of the hardware of a router device;

[0006] FIG. 2 shows a high level diagram of an example router configuration;

[0007] FIG. 3 shows a high level diagram of an example router configuration;

[0008] FIG. 4 shows a high level diagram of an example router configuration; and

[0009] FIG. 5 shows a high level diagram of an example router configuration.

DETAILED DESCRIPTION OF THE PREFERRED EMBODIMENT(S)

[0010] The present application is written with various examples, embodiments, scenarios, and situations that are meant to present non-limiting exemplary descriptions of the present application. Further, it is envisioned that any of the examples, embodiments, scenarios, or situations may be used separately, combined, or in any possible configuration as may be possible despite the description herein.

[0011] FIG. 1 shows an example router. The router 101 may have one or more hardware components such as one or more processors 102 and/or microcontrollers operatively connected to memory (e.g., storage mediums, hard drives, solid state drives, ROM, RAM, etc.) 103, 104 and a physical interface. The memory 103 may contain computer code that may be executed by the processor and utilize the hardware of the router 101. The physical interface may have one or more I/O ports 105 such as: a USB port (e.g. USB 1.0, 2.0, 3.0, 3.1, Type-C, etc.), a serial port (e.g. RS-232), parallel port, Small Computer Systems Interface port (SCSI), FireWire (i.e. IEEE 1394), Thunderbolt (e.g. Thunderbolt 1, 2, 3), Peripheral Component Interconnect (PCI), PCI express (PCIe), Coaxial port, network interface controller (NIC) (e.g. Ethernet RJ-45), modem port (i.e. telephone jack RJ-11), wireless card (e.g., WIFI IEEE 802.11 standards, Bluetooth, NFC, cell phone modem based on 3GPP standards, etc.), optical data port (laser, infrared, etc.), audio ports, display ports (e.g. HDMI, VGA, DisplayPort, etc.), and human interface ports (e.g. keyboard, mouse, PS/2, etc.). For example, a networking port may be an Ethernet port. There may be multiple iterations of one type of port, such as a set of networking ports which include at least two Ethernet ports. A set of networking ports may comprise a set of the same type or different types of ports.

[0012] FIG. 2 shows a high level diagram of an example router configuration. In one embodiment the router hardware 201 may run router firmware 202, software 203, operating systems (OS) 204, and/or applications. The router 201 may run firmware 202 that supports/enables/executes router firmware virtualization infrastructure (RFVI) 203 that creates one or more virtualized environments 204. The RFVI 203 may support/enable/execute one or more virtual machines 204 such as a virtualized guest operating system (OS), firmware, and/or software. The virtual machine 204 may be an operating system based on Microsoft Windows, Linux, Unix, MacOS, or the like. In one example the virtual machine 204 may be a software OS performing the role of a Domain Controller. In one example the RFVI 203 may be an application specific server. The operating system 204 may run software that performs specific functionalities and/or emulates the functionality of a specialized device, such as a virtual server or router. The router 201 and/or virtual server 204 may be connected to one or more logical or physical networks, such as the internet, and may assist in the management and/or forwarding of data packets within and/or between networks, and/or virtual machines, and or hardware.

[0013] FIG. 3 shows a high level diagram of an example router configuration. In one embodiment the one or more virtual machines 304 may have virtual interfaces, also known as logical interfaces 305, connected to the physical interfaces 306, as described herein. The RFVI 301 via the router firmware 302 may facilitate a connection between the logical interface 305 and the physical interface 306. The logical interface 305 may include a virtualized version of physical interface ports 306. Additionally/alternatively, the virtual machine logical interface 305 may connect with a host router firmware logical interface.

[0014] FIG. 4 shows a high level diagram of an example router configuration. In one embodiment the physical interface may be a Physical Network Interface (PNI) 406, which is a wired and/or wireless port such as those described herein. The logical interface may be a virtualized network interface, also known as a Logical Network Interface (LNI) 405, which may simulate a wired or wireless network port such as any of those described herein. The PNI 406 may be used by the RFVI 403 via the router firmware 402 to facilitate a connection to the LNI 405.

[0015] FIG. 5 shows a high level diagram of an example router configuration. In one embodiment the virtual machine 504 communicates with the PNI 506. The operating system of the virtual machine 504 may see a LNI 505 and treat is as a PNI 506 without knowing that it is virtualized. The RFVI 503 may also have a Logical Network Bridge (LNB) 507 that bridges one or more connections within the router 501. The RFVI 503 may be configured to have a static mapping of a specific LNI 505 to a specific PNI 506 and/or may have a dynamic mapping of one or more LNIs 505 to one or more PNIs 506. The routing of information from the ports of the PNI 506 and/or LNI 505 may happen simultaneously or near simultaneously.

[0016] The router 101 may implement directly and/or indirectly various levels of security. The router 101 may be used in a Commercial Solutions for Classified (CSfC) program as instituted by the National Security Agency (NSA). CSfC provides secure solutions leveraging layered encryption solutions to provide adequate protection of classified data. The router 101 may be used as, in conjunction with, or may assist with: IPsec Virtual Private Network (VPN) Gateway, IPsec VPN Gateway, WLAN Access System, Certificate Authority, IPSec VPN Client, Wireless Local Area Network (WLAN) Client, Session Initiation Protocol (SIP) Server, Mobile Platform, Mobile Device Management (MDM), Software Full Drive Encryption (SW FDE), Hardware Full Drive Encryption, VoIP Applications, Transport Layer Security (TLS) Software Applications; E-mail Clients; Internet Protocol Security (IPS), Traffic Filtering Firewall, Web Browsers, File Encryption, TLS Protected Servers, Session Border Controller, Authentication Server, Medium Access Control Security (MACSEC) Ethernet Encryption Devices, and/or Virtualized Servers.

[0017] In one embodiment the router 101 may run a first IPSEC VPN alongside a second virtualized IPSEC VPN thereby providing two functions in one device that reduces costs and increases efficiency of one device solution. In this embodiment the first IPSEC VPN may be mapped to a first set of networking ports of a PNI 105 of the router 101 and the second virtualized IPSEC VPN may be mapped to a second set of networking ports of the PNI 105 of the router 101.

[0018] In another embodiment a router 101 may host software to facilitate network access to an eNodeB (eNB) that results in two functionalities in one hardware solution in support of network access to an eNodeB.