1. Patent Search
  2. Details

MOBILE OVERLAY VIRTUAL ENTERPRISE NETWORK AND VIRTUAL INTERNET FOR ENTERPRISES

20210288907 · 2021-09-16

    Inventors

    Cpc classification

    International classification

    Abstract

    A number of embodiments can comprise a system. The system can comprise an application and one or more software nodes under control of the application, wherein the application is configured to perform: instructing a software node of the one or more software nodes to route data to a target node of the one or more software nodes; analyzing, using a routing engine, associated paths through the one or more software nodes to the target node, wherein the associated paths comprise at least one path traversing both a mobile enterprise network and a virtual enterprise network; selecting one or more candidate next hop nodes of the one or more software nodes based on the analyzing the associated paths; causing the data to be routed to at least one of the one or more candidate next hop nodes, as selected; and repeating the analyzing, the selecting, and the causing until the data reaches a destination. Other embodiments are disclosed here.

    Claims

    1. A system comprising: an application; and one or more software nodes under control of the application, wherein the application is configured to perform: instructing a software node of the one or more software nodes to route data to a target node of the one or more software nodes; analyzing, using a routing engine, associated paths through the one or more software nodes to the target node, wherein the associated paths comprise at least one path traversing both a mobile enterprise network and a virtual enterprise network; selecting one or more candidate next hop nodes of the one or more software nodes based on the analyzing the associated paths; causing the data to be routed to at least one of the one or more candidate next hop nodes, as selected; and repeating the analyzing, the selecting, and the causing until the data reaches a destination.

    2. The system of claim 1, wherein: the routing engine comprises another software node of the one or more software nodes; and the another software node is different from the software node and the target node

    3. The system of claim 1, wherein analyzing, using the routing engine comprises: analyzing, using the routing engine, the associated paths and a real time status of at least one node of the one or more software nodes.

    4. The system of claim 1, wherein the mobile enterprise network comprises a mobile overlay virtual enterprise (MOVE) network.

    5. The system of claim 1, wherein the virtual enterprise network comprises a virtual internet for enterprise (VINE) network.

    6. The system of claim 1, wherein software nodes of the one or more software nodes are connected as traditional networked nodes, as peer-to-peer mesh nodes, or as any combination thereof.

    7. The system of claim 1, wherein the application comprises at least one of: an enterprise application; a software as a service (SaaS); a platform as a service (PaaS); an internet of things (IoT); a cognitive computing application; an artificial intelligence (AI) application; a virtual reality application; an augmented reality application; a gaming application; or an entertainment application.

    8. The system of claim 1, wherein the one or more software nodes are located in a public cloud, in a private cloud, in an Internet, or on end user devices.

    9. The system of claim 1, wherein: the one or more software nodes comprise gateways or session border controllers.

    10. The system of claim 1, wherein the associated paths through the one or more software nodes to the target node are set by one or more triggers.

    11. A method performed by an application using one or more software nodes under control of the application comprising: instructing a software node of the one or more software nodes to route data to a target node of the one or more software nodes; analyzing, using a routing engine, associated paths through the one or more software nodes to the target node, wherein the associated paths comprise at least one path traversing both a mobile enterprise network and a virtual enterprise network; selecting one or more candidate next hop nodes of the one or more software nodes based on the analyzing the associated paths; causing the data to be routed to at least one of the one or more candidate next hop nodes, as selected; and repeating the analyzing, the selecting, and the causing until the data reaches a destination.

    12. The method of claim 11, wherein: the routing engine comprises another software node of the one or more software nodes; and the another software node is different from the software node and the target node

    13. The method of claim 11, wherein analyzing, using the routing engine comprises: analyzing, using the routing engine, the associated paths and a real time status of at least one node of the one or more software nodes.

    14. The method of claim 11, wherein the mobile enterprise network comprises mobile an overlay virtual enterprise (MOVE) network.

    15. The method of claim 11, wherein the virtual enterprise network comprises a virtual internet for enterprise (VINE) network.

    16. The method of claim 11, wherein software nodes of the one or more software nodes are connected as traditional networked nodes, as peer-to-peer mesh nodes, or as any combination thereof.

    17. The method of claim 11, wherein the application comprises at least one of: an enterprise application; a software as a service (SaaS); a platform as a service (PaaS); an internet of things (IoT); a cognitive computing application; an artificial intelligence (AI) application; a virtual reality application; an augmented reality application; a gaming application; or an entertainment application.

    18. The method of claim 11, wherein the one or more software nodes are located in a public cloud, in a private cloud, in an Internet, or on end user devices.

    19. The method of claim 11, wherein: the one or more software nodes comprise gateways or session border controllers.

    20. The method of claim 11, wherein the associated paths through the one or more software nodes to the target node are set by one or more triggers.

    Description

    BRIEF DESCRIPTION OF THE DRAWINGS

    [0054] FIG. 1 is block diagram illustrating an exemplary embodiment of a mobile overlay virtual network (MOVE) and an exemplary embodiment of a virtual internet for enterprises (VINE).

    [0055] FIG. 2 is block diagram illustrating another exemplary embodiment of the VINE and another exemplary embodiment of the MOVE.

    [0056] FIG. 3 is a flowchart illustrating the steps of a platform routing and session control method, according to an embodiment of the present invention.

    DETAILED DESCRIPTION

    [0057] Disclosed herein is a platform, network and network control plane that enable applications to determine, or at least influence, their own network paths. The application tells the switches and routers how and where to route its packets. The “where” may comprise a global overlay network, which includes endpoints, IP Back to Back User Agents (BBUAs), and management and control instance, that is managed according to the present invention. The global overlay network may be built on an existing endpoint and BBUA software. In one non-limiting embodiment, the global overlay network may be built on the endpoint and IP BBUA software disclosed in U.S. Pat. No. 9,071,607, the entire disclosure of which is incorporated herein by reference. Further, the network of the present invention can continually “negotiate” with the application to dynamically make changes. The present invention can allow application users (people and/or devices), the user's administrative domain (usually a business or organization) and provider (often an ASP), to enact policies and business logic, which control networks that they don't own or manage. The network and network control is essentially embedded inside the application, regardless of where the application is physically launched from. Therefore, applications and application managers can control any network from anywhere, according to their needs and goals, without owning or managing the network.

    [0058] FIGS. 1 and 2 illustrate exemplary embodiments of global overlay networks according to the present invention. One of the global overlay networks may comprise a mobile overlay virtual enterprise (MOVE) network and another global overlay network may comprise a virtual internet for enterprise (VINE). The MOVE network and the VINE are platforms built on any set of networks for enterprise security, policy control, compliance, performance and reliability network capabilities into applications and devices ubiquitously across any and all broadband access, campus LAN and WAN, as illustrated in FIGS. 1 and 2. The MOVE network travels with the applications and devices. The MOVE network has MOVE endpoints M11-M18, and a MOVE backbone M19 in FIG. 1 and MOVE endpoints M21-M25 and a MOVE backbone M26 in FIG. 2, which are software-embedded. The VINE provides enhanced internet performance and security to any application or browser over any internet access, with no software modifications. The MOVE network and the VINE share the same high capability internet-overlay platform that provides: [0059] 1) Better Quality of Experience (QoE) via dynamically optimized utilization of multiple parallel Internet Routes and TCP optimization. [0060] 2) Extremely robust security and network resilience as a Software Defined Perimeter (SDP) per the Cloud Security Alliance (CSA), creating highly secure and trusted end-to-end networks between any IP addressable entities that are highly resilient to network attacks. [0061] 3) On-demand, dynamically provisioned, “airgapped” networks. Enterprise-level management and control.

    [0062] The MOVE network and the VINE can be used for B2E (business-to-employee), B2B (business-to-business), and B2C (business-to-consumer) cloud-distributed communications amongst users, machines, and servers, to provide higher network performance, extreme levels of data-in-motion security, and enterprise-level control.

    [0063] In some embodiments, the MOVE network and the VINE can comprise an “embeddable enterprise network service” that enables a site-less enterprise-managed overlay VPN to be integrated within applications that require a “site-less” capability for enterprise network security and performance, unconstrained by the inflexibility of a site-level WAN or SD WAN that is bound to one or more physical networks. Such applications include without limitation:

    [0064] Enterprise-developed applications.

    [0065] 3rd parry ISVs.

    [0066] SaaS (e.g., CRM, sales force automation, office suites, HR, Finance, ERP, document management, CAD, ITaaS, etc.).

    [0067] B2C services (e.g., eCommerce, Finance, Healthcare, and etc self service, service desks, Points of Sale, Kiosks).

    [0068] laaS, PaaS and APaaS (e.g., AWS, Azure, Google, SalesForce, Softlayer, BlueMix, MBaaS platforms, etc.).

    [0069] IoT implementations (e.g., GE, Telit, PTC, Gemalto, numerous other platforms).

    [0070] Cloud storage (e.g., Box, Dropbox, Egnyte, etc.).

    [0071] cloud security (e.g., Zscaler, Bluecoat, Websense, Cisco Scansafe, etc.).

    [0072] UCaaS.

    [0073] API Service Provider platforms (e.g., Twilio, Kandy, Nexmo, Cisco Tropo, etc.).

    [0074] Entertainment sites.

    [0075] Collaboration platforms (e.g., Webex, Go to Meeting, SFB, etc.).

    [0076] Office application suites (e.g., Microsoft, IBM, Google).

    [0077] The MOVE network and the VINE, thus, add major new GTM channels for enterprise VPNs. For one example from just above, an ASP such as Microsoft Office365 for B2E or GE Predix for IoT, can integrate strong QoE, hyper-secure MOVE network into their application platform, where:

    [0078] The ASP can manage their multi-tenanted MOVE/VINE network as an integral part of their platform service

    [0079] The ASP can provide each enterprise tenant with autonomous control of their own ASP-bound VPN

    [0080] The tenant-level exposure may be fully integrated inside their overall platform management, it may be native white-labeled MOVE/VINE management, or it may be a hybrid.

    [0081] In some embodiments, the MOVE network and the VINE may be operative as a “un-network,” because they make the VPN part of an application or service instead of being a separate network that the application or service has to traverse. 59 The MOVE network and the VINE can operate transparently across a mix of LAN and WAN, private and public, physical and virtual, fixed and mobile networks and network functions that they traverse, as illustrated in FIGS. 1 and 2. The MOVE network and the VINE supplement and relieve the constraints of traditional fixed and Mobile Internet and enterprise WANs and SD WANs.

    [0082] In some embodiments, the MOVE network can comprise an enterprise VPN, which provides the enterprise with autonomous performance and compliance monitoring and control for sessions amongst any of the MOVE endpoints M11-M18 (FIG. 1) and M21-25 (FIG. 2), which are any mix of:

    [0083] Applications using the MOVE SDK.

    [0084] IoT Devices using the MOVE SDK or device driver.

    [0085] Stand-alone MOVE gateways (e.g., M14-M17 in FIG. and M21-M24 in FIG. 2).

    [0086] Public cloud instances of MOVE (MOVE gateway “cloud connect”).

    [0087] Private cloud instances of the MOVE network (e.g., M18 in FIG. 1 and M25 in FIG. 2).

    [0088] Multi-function gateways where a partner has integrated the MOVE network with their own network functions (e.g., Loadbalancers/ADCs, SIP gateways, MCUs, recorders, etc.).

    [0089] Internet “breakout” endpoints via the VINE, such as V11, V12, V21 and V22 as shown.

    [0090] 61 In some embodiments, the MOVE network can be implemented within a multitenant platform such as Office365 or GE Predix, but where the ASP has the ability to provide autonomous enterprise network management to each of their client enterprises, and where each enterprise can be enabled to operate to their own authentication, performance and compliance policy for Office365 or GE Predix communications.

    [0091] In some embodiments, as illustrated in FIGS. 1 and 2, the VINE may comprise a premium overlay shown, for example, as V11-12+V15-18, V21-22 and V25-28.

    [0092] The CE-to-PE connection may be over local underlay public internet access, encrypted such as with TLS or IP Sec or unencrypted. The VINE may require no software changes to the client application M13 or device M12 (FIG. 1). Similar to a CDN, the VINE can be integrated, via DNS Cname addressing. V19 (FIG. 1) and V29 (FIG. 2) may be controllers in the network, which provide full duplex internet session acceleration, hyper-security, and instrumentation, providing:

    [0093] Premium public internet for performant and highly secure web transactions.

    [0094] Optional QoS prioritized physical network routing:

    [0095] On the “backhaul” from the IP BBUAs to public and private cloud endpoints.

    [0096] On the “fronthaul” from the edge endpoints to the IP BBUAs.

    [0097] “Internet breakout” to/from MOVE enterprise VPNs.

    [0098] Private application servers “cloud connect” via cloud-based MOVE Gateways providing managed, secure performance and compliance into all major public clouds and optionally private clouds.

    [0099] 63 Application and Device VPNs using TSL or IPsec tunnels over best effort internet are well-established today. The MOVE and the VINE provide a stronger value proposition for commercially-sensitive sessions where Quality of Experience is proportional to revenue and compliance must be rigorously managed. The MOVE network and the VINE provide:

    [0100] Better Quality of Experience:

    TABLE-US-00001 TLS or IP Sec over Internet MOVE and VINE over Internet Best Effort Backbone Dynamically Optimizing Backbone Single static backbone route Aggregating capacities over multiple subject to selected path's parallel backbone paths. capacity and route Deselecting poor performing paths and latency. rolling to better performers Optional QoS prioritized physical network routing On the “backhaul” from the IP BBUAs to public and private cloud endpoints On the “fronthaul” from the edge endpoints to the IP BBUAs

    [0101] Multi-factor hyper-security:

    TABLE-US-00002 TLS or Security IPsec over MOVE over VINE over Function Internet Internet Internet Software Not Applicable SDP as defined by SDP other than Defined Cloud Security the edge Perimeter Alliance endpoint to PE (SDP) PoP Data-in motion Single encrypted Flow fragments Single TLS security tunnel, single spread across tunnel for client route dynamically rolling endpoint to PE Tunnel multiple routes, each PoP. compromise = fragment encrypted PE to PE and data in two separate “air- PE to Cloud is compromise (eg gapped” tunnels. identical to “Heartbleed” Tunnel- compromise MOVE SSL flaw) extremely difficult Endpoint and only partial routings visible Endpoint routings Metadata masked exposed DDOS None High immunity. High immunity protection Rolls from congested routes, accepts traffic from authenticate d endpoints Man in Middle None? High Immunity High Immunity Protection OWASP Partial High Immunity High Immunity Top 10 assuming trusted assuming Protection endpoints trusted Endpoints ARP poisoning None High immunity High Immunity protection Rejects corrupted packets Data None Flow fragments can PE to PE and sovereignty be routed via PE to Cloud is management selected sovereignty identical to domains MOVE

    [0102] Enterprise Monitoring and Control:

    TABLE-US-00003 TLS or IP Sec over Internet MOVE and VINE over Internet Encrypted session Secured session Basic public internet Data sovereignty routing reporting and analytics Direct SDK or 5-Tuple policy control for QoE and Compliance Whitelist Flows Blacklist Flows Greylist Flows SDWAN-like reporting and analytics Hierarchical management rights ASP or MSP level management across enterprises nterprise-level management

    [0103] Various embodiments of the MOVE network, as illustrated in FIG. 1, can have one or more of the following uses, structures, and capabilities:

    [0104] Typical use cases: B2E, B2B, B2C, and IoT enterprise networking.

    [0105] Form Factors/Overlay Network Presentation:

    [0106] MOVE SDKs for integration of Enterprise Network into any application (Android, IoS, others):

    [0107] Direct application SDK.

    [0108] Embeddable SDK for integration into network-enabled SDK functions (eg UCaaS SDKs).

    [0109] MOVE device drivers for integration of Enterprise Network into any LINUX and

    [0110] Windows machines.

    [0111] MOVE Gateway for aggregation of local traffic sources onto the Enterprise Network.

    [0112] One common Virtual Backbone for both MOVE and VINE.

    [0113] Enterprise Overlay Network Application Policy Management:

    [0114] Prioritize and selectively route or block sessions to the overlay network:

    [0115] 5 Tuple resolution: source IP address/port number, destination IP address/port number and the protocol in use,

    [0116] Enterprise Overlay Network Monitoring and Analytics.

    [0117] Heirarchical multi-tenant management, monitoring and analytics to pass network management down the delivery chain:

    [0118] E.g., SaaS provider view=>MSP partner view=>Enterprise Customer view=>Enterprise Department view=>End User view.

    [0119] Transparent interoperability with all mobile broadband access, campus LAN, Data Center LAN, and WAN virtual and physical network functions:

    [0120] Enterprise Switches, routers, firewalls, DPIs, IP VPNs, SD WAN, etc.

    [0121] Carrier network MPLS, Ethernet, 3G, 4G and Internet.

    [0122] Cloud networks.

    [0123] Highest levels of data-in-motion security:

    [0124] Cloud Security Alliance Software Defined Perimeter:

    [0125] Rigorous isolation from unsecured network and high resilience to attacks.

    [0126] “Dynamic Spread Transport” of each session as many “fragment-flows” across numerous internet paths prevents man-in-the-middle monitoring.

    [0127] Separately secure encryption of each of two “airgapped” legs comprising each dynamically shifting fragment flow in a session.

    [0128] Detection and discard of corrupted packets.

    [0129] Providing High immunity to DDOS, Man in the Middle, and OWASP Top 10 attacks.

    [0130] Maximum available network bandwidth and performance:

    [0131] “Dynamic Spread Transport” load-balances and multiplexes multiple best available paths across the public internet backbone:

    [0132] Available bandwidth=sum of all the paths.

    [0133] Adaptive congestion and high latency avoidance.

    [0134] Dynamic Spread Transport load-balances and multiplexes across multiple WAN access networks as available to any WLAN/LAN campus or Public or Private Data Center:

    [0135] Available bandwidth=sum of all the access networks.

    [0136] Transport Protocol Optimization:

    [0137] TCP/IP proxy to eliminate TCP/1P sensitivity to WAN latency.

    [0138] MOVE and VINE Interop:

    [0139] MOVE policy management, monitoring and analytics encompass multipoint sessions that include a mix of VINE PoP public internet endpoints and MOVE enterprise network endpoints.

    [0140] Optional QoS Backhaul and QoS Fronthaul with preferred routing via COS-prioritized TCL Tzo WAN:

    [0141] Via Policy selection of preferred routing via QoS IP Back-2-Back Agents:

    [0142] Front Haul to Front Haul QoS for Peer to Peer with QoS.

    [0143] Front Haul to Back Haul QoS for Endpoint to MOVE Cloud.

    [0144] Backhaul QoS alone for QoS “cloud connect” paths:

    [0145] Best effort is only to the closest VINE PoP.

    [0146] Or any mix for multipoint connections.

    [0147] With transparent automated rollover to other available Internet Access if QoS IP Back2Back Agents are impaired.

    [0148] Various embodiments of the VINE, as illustrated in FIG. 2, can have one or more of the following uses, structures, and capabilities:

    [0149] Typical Use Cases: B2C, B2B, B2E public internet connections.

    [0150] Form Factors:

    [0151] Softwareless HTTP or HTTPS/TLS session access via URL.

    [0152] CDN-style DNS address resolution (CName) to a local VINE PoP.

    [0153] One common Virtual Backbone for both the MOVE and the VINE.

    [0154] Transparent internet transport with local PoP accesses across a High security, High Performance inter-PoP Virtual backbone sharing the capabilities of MOVE, above:

    [0155] A VINE PoP is a shared industrial scale MOVE gateway.

    [0156] VINE PoP-to-VINE POP for non-MOVE endpoints (including non-MOVE Clouds).

    [0157] VINE PoP-to-MOVE Cloud using a Move Gateway Cloud Connect.

    [0158] Self-service monitoring, analytics and management of the end to end internet flows.

    [0159] MOVE and VINE Interop:

    [0160] MOVE policy management, monitoring and analytics encompass multipoint sessions that include a mix VINE PoP public internet endpoints and MOVE enterprise network endpoints.

    [0161] 66 In various embodiments, the MOVE/VINE Cloud Connect M18, M25/V14, V24 and Cloud Exchange can have the following use, structure, and capabilities:

    [0162] Use Case: Integrates MOVE/VINE network security, performance, and resilience directly into private and public clouds

    [0163] Cloud Connect=singular cloud connection using a private or dedicated cloud gateway instance

    [0164] Cloud Exchange=on-demand connection to any of many pre-connected clouds via a multi-tenant cloud gateway instance

    [0165] Reduces dependency on less flexible, more costly physical MPLS VPN-based cloud connect

    [0166] Form Factor:

    [0167] VNF (virtual network function) MOVE Gateways for Public and Private Cloud connections to MOVE enterprise WANs and VINE public internet.

    [0168] Optional QoS on the backhaul leg from the IP Back to Back Agents to the cloud and also on the Fronthaul from edge endpoints to the Agents.

    [0169] Cloud Connect: Private gateways for private or dedicated instances in public and private cloud

    [0170] Cloud Exchange: Pre-configured autoscaling multitenant gateways in AWS, Azure/O365, Force.com/SalesForce and other public clouds 67 The MOVE network can be implemented as an endpoint software, which establishes spread-transport flows across a global public internet “spread-transport” backbone, and dynamically spreads each session across multiple public internet pathways similar to how spread-spectrum radios dynamically spread radio links across multiple radio frequencies. The MOVE endpoints M11-M18 (FIG. 1) and M21-M25 (FIG. 2) collaborate to break up/reassemble each flow into multiple fragment-flows that are dynamically load-balanced across highly dispersed public internet pathways:

    [0171] Each of many spread-transport fragment-flow pathways is through a core PoP “IP back-to-back agent” (similar to a SIP Back to Back User Agent):

    [0172] The Cloud Security Alliance Software Defined Periphery (SDP) encompasses a similar “air gapped” transport, but has typically be implemented without spread-transport back2back agents.

    [0173] Each spread-transport fragment-flow pathway is comprised of two independently encrypted separately initiated back to back IP paths, masking the actual endpoint pair members from each other.

    [0174] Spread-transport is extremely secure:

    [0175] Each session is broken into multiple fragment-flows, dynamically routed across independent internet routes:

    [0176] Even data-in-motion metadata is un-monitorable.

    [0177] Each fragment-flow half-path is individually securely encrypted.

    [0178] Corrupted packets are identified and quarantined

    [0179] Providing ARP poisoning immunity.

    [0180] Interception of an entire multi-fragment flow is not possible at any point in the network other than an endpoint, including by Tata Communications. This protects from even meta-data or flow-behavior monitoring:

    [0181] Even interception of one encrypted fragment is highly improbable because the fragment flows dynamically hop across different internet pathways.

    [0182] The IP Back-to-Back agent moves IP address surfaces into the cloud onto a non-impacting attack target.

    [0183] Performance is provided via dynamic load-balancing to utilize the available capacity across the cumulative pathways that the session fragment-flows are spread across:

    [0184] The virtual internet path is not limited by the capacity and other impairments of any one internet path.

    [0185] Performance may be further enhanced via QoS-prioritized physical network routing of fragments on either or both of

    [0186] The backhaul path between cloud endpoints and the IP back to back agents

    [0187] The fronthaul path between edge endpoints and the IP back to back agents

    [0188] Reliability is provided by the same dynamic load balancing:

    [0189] Underperforming internet pathways will be automatically identified and taken out of route:

    [0190] Providing inherent immunity to volumetric DDOS attacks.

    [0191] The following Table, summarizes the uses of the present invention:

    TABLE-US-00004 WAN Manager Edge Cloud Comments Enterprise as “prime” B2E MOVE SDK enterprise - MOVE Gateway Sessions include developed apps fronting enterprise Edge to Cloud MOVE wrappers for off- private and public Edge to Edge (eg VoIP) the-shelf apps, eg SFB cloud apps Multiple Edges (eg MOVE drivers for PCs Connect dedicated collaboration) and user appliances instances Multiple Edges and Cloud VINE via Browser TL Cloud Exchange For Wrappers- MOVE Gateway for Site multi-tenant instances OEM from someone like aggregation OpenPeak Partner with MDM/MAM players B2C VINE via Browser T MOVE Sessions include MOVE SDK Gateway fronting Edge to Cloud enterprise - developed enterprise private and Edge to Edge (eg VoIP) apps public cloud apps Multiple Edges (eg Cloud collaboration) Connect Multiple Edges and Cloud Cloud Exchange B2B MOVE to SD WAN, NA Federated entities Federation MOVE to WAN or independently manage the MOVE to MOVE back to federated SD WANs, with back Gateway agreed policy control of ingress/egress via the GW IoT MOVE devices MOVE MOVE IOT aggregators Gateway fronting with local processing enterprise private and IoT LAN to MOVE public cloud apps Gateway Enterprise as a MOVE-integrated MOVE Gateway Enterprise Tenant Instance SaaS network SaaS client fronting SaaS will ideally be managed “tenant” Browser TLS to VINE provider fully integrated within the SaaS management Provisioning, authentication, policy, etc Additional reporting may be required SaaS/PaaS provider User Apps MOVE-integrated SaaS MOVE Gateway SaaS provider multi-tenant client fronting SaaS MOVE management Browser TLS to VINE provider Enterprise Tenant Instance will ideally be managed fully integrated within the SaaS management IoT MOVE-integrated Device MOVE Gateway SaaS/PaaS provider multi- MOVE-integrated IOT fronting SaaS/PaaS tenant MOVE management aggregator MOVE provider Enterprise Tenant Instance Gateway will ideally be managed fully integrated within the SaaS/PaaS management TCL UC Provider Edge MOVE NA Service Gateways fronting Infrastructure Network functions such as SBC and Load Balancers MOVE- Integrated Network Functions TCL VINE as an extension of NA Network IZO WAN Service MOVE/VINE Infrastructure integration with TCL CDN MOVE as an out-of-band management network Network MOVE integration within NA MOVE management will Function Physical and Virtual ideally be integrated within Providers Network Functions such the network function as SBC, ADC/Load management Candidates: balancers, and SD Sonus, Citrix Netscaler WAN edge devices (?) API Platform MOVE SDK embedded MOVE Gateway “Native” direct enterprise Services with other SDK fronting enterprise MOVE management Providers functions, eg WEB RTC private and public or cloud apps MOVE management MOVE Gateway integrate within the fronting SaaS or PaaS “parent” SDK function platform management Candidates: Twilio, Kandy, Cisco Tropo SD WAN MOVE Gateway back to MOVE Gateway SD WAN Cloud Connect Cloud Connect back with SD WAN edge fronting enterprise and Cloud Exchange and Cloud function private and public Requires coherent Exchange cloud apps orchestration and MOVE Gateway management across both fronting the SD WAN and MOVE SaaS or PaaS One SD WAN to MOVE platform (CE or PE) interconnect provides all MOVE Cloud Connects (including QoS fronthaul + backhaul option from PE to Cloud) SD WAN SD Each SD WAN maintains Exchange WAN1←.fwdarw.MOVE←.fwdarw. autonomous management, SD WAN2 including policy at the SD WAN exchange edge. MOVE Exchange edge policy is “standardized” and published to all.

    [0192] 69 In still further embodiments of the present invention, extended managed services with monitoring and management can be coherently integrated in the same multi-tier multi-tenant platforms that monitor and manage the MOVE network and the VINE. These may be peer services to the MOVE network and the VINE, or have the MOVE network and the VINE integrated within them.

    TABLE-US-00005 Integrated Candidate Managed technology Service Description providers Mobile Assured and Trusted MOVE edge Zimperium Device devices ZiAP SDK Protection MOVE and VINE only assure data-in- integrated with motion MOVE SDK Enterprise Compliance on the edge ZiPS full device requires protection Secured app and data-on- device (app developer responsibility) secured device secured data-in-motion Cloud Server Assured and Trusted Cloud Servers Cloud Passage Protection under and behind the Cloud MOVE Amazon cloud Gateway assurance MOVE and VINE only assure data-in- frameworks motion Etc Enterprise Compliance on the cloud- based server(s) requires Secured app and data-on-device (app developer responsibility) secured servers and other cloud infrastructure secured data-in-motion SIP Trunking Multimodal sessions over MOVE/VINE TCL Multimodal Video, voice, messaging, and shared TCL and others collaboration desktop services over MOVE/VINE services UC PaaS Unified Communications Platform-as-a- Kandy, Twilio, Service over MOVE/VINE others Distributed Secure data store behind MOVE/VINE Dispersive Cloud Technologies Storage Storage CASB Cloud Access Security Management Palerra, Skyhigh, with and behind MOVE/VINE Netskope, vArmour, etc

    [0193] The three part combination of Mobile Device Protection, MOVE/VINE data in motion protection, and Cloud Server protection provides a highly secure end-2-end platform for B2E, B2C IoT, and other business applications. 71 FIG. 3 is a flowchart illustrating the steps of a platform routing and session control method, according to an embodiment of the present invention. In block 100, the application, device or third party platform (hereinafter “application”) instructs one of the software nodes of the global overlay network of the present invention (e.g., a MOVE or a VINE endpoint) to initially route packets to a policy-defined target node of an underlying access network (by DNS name, IP address, or policy match). The underlying network comprises wire, and lower layer switches and routers, which transport the packets to the destination. The target node of the underlying network is selected according to the needs of the application and one or more various identities including, but not limited to user identities, application identities, thing (IoT) identities, and silicon/chip/hardware identities. The packets can be an entire application stream, parts of the stream, or packet by packet routing. At the target node, in block 110, an analysis is performed, which may consider one or more of the needs of the application (the policies, business needs and the like describe above) and the real time status of: 1) each candidate next hop node of the underlying network; 2) the path to each candidate next hop node of the underlying network; and 3) the paths from each candidate next hop node of the underlying network to other nodes in that network. This analysis may be made locally with another software node of the global overlay network (e.g., a MOVE or a VINE endpoint) associated with the initial target node, or alternatively, the software node may query a routing engine to perform the analysis to determine the next hop node. The software node and/or the routing engine contains one or more optimization algorithms to perform the analysis. In some embodiments, the software node and/or routing engine can also use machine learning to continuously make changes to preferred routes, networks to be traversed, preferred next hop, or any other of the parameters discussed above. In block 120, one of the candidate next hop nodes of the underlying network is selected by the software node, which best meets the needs of the application based on the analysis performed in block 110 or the routing engine selects one of the candidate next hop nodes of the underlying network, which best meets the needs of the application based on the analysis performed in block 110 in response to the query of the software node and communicates the selection to the software node. In block 130, the software node instructs the initial target node of the underlying network to forward the packets to the candidate next hop node selected in block 120. In block 140, the initial target node forwards the packets to the selected candidate next hop node. In block 150, the blocks 110-140 are repeated along the path until the “packets” reach their destination.

    [0194] In some embodiments, upon receipt of or the determination of the selected next hop node, the software node may forward the packets to another device and provide that device with the address of the selected next hop node (the new target node). In other embodiments, the software node managing and controlling the target node and any of the software nodes along the path may pass instructions to the application, directly or indirectly, including potentially providing the application with a replacement target node (a new DNS name or IP address to replace this target). The instructions may instruct the application to change its behavior for reasons, such as security, compliance or quality, or prompt the user for a decision. The software nodes of the network may also function as gateways, or insert gateways into the path, for example to do signaling or media interworking, or to encrypt/decrypt streams. The platform of the present invention has the capability to instantly and programmatically (no human involvement) deploy new software nodes (during the current application session) if necessary to meet the current or anticipated (according to machine learning or other algorithms) needs of the application or service. Each of the software network nodes of the global overlay network is acting according to instructions, identities, policies and feedback from the application, and the application managers, such that the application needs are determining the selected nodes of the underlying network, and the transport links between them. Whereas today's networks connect nodes according to the network's policies, the present invention connects applications and services according to their identities, policies and needs.

    [0195] The global overlay network is integrated with the platform and application technology described above. The software nodes of the global overlay network may be connected as traditional networked nodes, and/or as peer-to-peer mesh nodes, and/or combinations of both. Unlike public Internet nodes, they do not all need to have public addresses or use standard Internet protocols and methods. The software nodes of the global overlay network are agnostic to the underlying network technology and network ownership. The software nodes can be located in public cloud, private cloud and Internet backbone environments, and on end user devices as describe earlier (e.g., MOVE and VINE). The software nodes may be applications, VNFs, standalone devices running on commodity compute, purpose built appliances, or services embedded in network infrastructure such as gateways and session border controllers.

    [0196] Any and all of the above methodologies may be applied differently for different sets of data to be transmitted by the same application. For example, the same application may have different policies and requirements, and thus issue different instructions to the software nodes, for different types of data or for the same data transmitted at different times or to different recipients.

    [0197] While exemplary drawings and specific embodiments of the present disclosure have been described and illustrated, it is to be understood that that the scope of the invention as set forth in the claims is not to be limited to the particular embodiments discussed. Thus, the embodiments shall be regarded as illustrative rather than restrictive, and it should be understood that variations may be made in those embodiments by persons skilled in the art without departing from the scope of the invention as set forth in the claims that follow and their structural and functional equivalents.