CROSS-REFERENCE TO RELATED APPLICATIONS
This patent application is a divisional of U.S. application Ser. No. 16/045,555, filed Jul. 25, 2018, entitled PRIVACY NETWORK SYSTEM, the disclosure of which is hereby incorporated by reference in its entirety for all purposes.
BACKGROUND INFORMATION
Use of computing devices to consume various web-based or Internet-based services, such as email, has become ubiquitous. Some Internet-based services, such as social media, boast subscriber numbers exceeding a billion users. For this reason, very many people have become dependent upon the use of publicly available network services.
However, with such ubiquitous and public use comes a significant trade-off. More and more, users are expressing discomfort with how much personal information is being collected, stored, and shared by the providers of many network services. The number of instances of data breaches involving network service providers is ever increasing in both frequency and severity. These data breaches expose users of those services to the disclosure of personal information.
For example, one provider of a free email service may boast in excess of a billion users. Because that provider houses the email accounts for so many users, it may be under constant attack by hackers with malicious intent. Users of that provider's service trust it to employ good security procedures. But even the best security may eventually fail under constant siege.
Some argue that the solution to constant attack is for the provider to employ better security. However, an even better solution is to avoid using that provider altogether. In other words, if one's email was never stored by the provider, then whether the provider's security measures are breached becomes irrelevant.
More and more, individuals realize a need to privatize their personal data. An adequate system that enables an individual to privatize certain network services that would otherwise be vulnerable to large-scale cyber-attacks has eluded those skilled in the art, until now.
SUMMARY OF EMBODIMENTS
This disclosure is generally directed to a privacy network having a secure server that provides one or more network services. Generally stated, the secure server is deployed in a secure environment behind a privacy barrier. The secure server is configured to interact with a service host on a public network outside the privacy barrier. The service host facilitates routing information from the public network through the privacy barrier to the secure server.
BRIEF DESCRIPTION OF THE DRAWINGS
FIG. 1 is a conceptual overview of a network environment in which is deployed a privacy system in accordance with this disclosure.
FIG. 2 is a functional block diagram of a preferred embodiment of a secure server deployed in a secure location.
FIG. 3 is a conceptual illustration of the operation of a secure private tunnel, in accordance with embodiments of the disclosure.
FIG. 4 is a functional block diagram of a preferred embodiment of a service host in accordance with this disclosure.
FIG. 5 is a conceptual illustration of an interaction between a domain manager, in accordance with this disclosure, and a domain name server.
FIG. 6 is a conceptual flow diagram of a preferred method of provisioning a domain name for a secure server by a privacy system, in accordance with this disclosure.
FIG. 7 is a conceptual flow diagram of a preferred method for initializing a secure server for use in a privacy system, in accordance with this disclosure.
FIG. 8 is a functional block diagram of an illustrative computing device that may be used in implementations of this disclosure.
DETAILED DESCRIPTION
This disclosure teaches a system for deploying a secure server that provides one or more network services. Generally stated, a secure server is deployed in a secure environment behind a privacy barrier. The secure server is configured to interact with a service host on a public network outside the privacy barrier. The service host facilitates routing information from the public network through the privacy barrier to the secure server.
Various embodiments are described more fully below with reference to the accompanying drawings, which form a part hereof, and which show specific exemplary implementations for practicing this disclosure. However, other embodiments may be implemented in many different forms and should not be construed as limited to the embodiments set forth herein; rather, these embodiments are provided so that this disclosure will satisfy formal statutory requirements. Embodiments may be practiced as methods, systems, or devices. Accordingly, embodiments may take the form of a hardware implementation, an entirely software implementation, or an implementation combining software and hardware aspects. The following detailed description is, therefore, not to be taken in a limiting sense.
The logical operations of the various embodiments are implemented (1) as a sequence of computer implemented steps running on a computing system and/or (2) as interconnected machine modules within the computing system. The implementation is a matter of choice dependent on various considerations, such as performance requirements of the computing system implementing the embodiment. Accordingly, the logical operations making up the embodiments described herein may be referred to alternatively as operations, steps or modules.
Turning now to the drawings, FIG. 1 is a conceptual overview of a network environment 100 in which is deployed a privacy system in accordance with this disclosure. The network environment 100 generally includes networking components and facilities to enable disparate computing systems to communicate and interoperate. Individual components of the network environment 100 communicate over a publicly accessible wide area network (public network 110), sometimes referred to as a “cloud” or the Internet.
The privacy system is generally embodied in two components—a secure server 120 and a service host 140—that communicate with each other and other computing devices over the public network 110.
The secure server 120 is deployed in a secure location 111 that has a private network 112. The private network 112 is typically isolated from the public network 110 by a privacy boundary 113, such as a network address translation (NAT) gateway (e.g., a router). The secure server 120 connects through the privacy boundary over the public network 110 to the service host 140.
In accordance with this disclosure, the secure server 120 makes available a “network service” that is hosted from within the secure location 111. For the purpose of this disclosure, the term “network service” means any computer-to-computer communication over a network for the purpose of providing information, resources, functionality, or applications resident on one computer (a server or host) to another computer (a client). In some instances, the same computer may be both the host of one network service and a client of another network service. It should further be noted that, in some instances, a network service may still be offered from a host computer to a client computer even if the host and client are performing some manner of collaborative or distributed computing. One particular embodiment of a secure server 120 is illustrated in FIG. 2 and described below.
The service host 140 is a specially configured computing system accessible over the public network 110. The service host 140 provides routing services to the secure server 120 so that requests for the network service may be routed to the secure server 120 through the privacy boundary 113. In most embodiments, the service host 140 accomplishes such routing by acting as an endpoint for a secure tunnel from the secure server 120 through the privacy boundary 113 to the service host 140. One particular embodiment of a service host 140 is illustrated in FIG. 4 and described below.
In addition to the components of the privacy system, many other components are depicted in the network environment of FIG. 1. For instance, a personal computer 160 is shown that may be connected to the public network 110. The personal computer 160 is merely representative of any computing device that may be used to access the public network 110. For example, the personal computer 160 may be a laptop or desktop computer connected to the public network 110. Alternatively, the personal computer 160 may be a mobile device, such as a cellular telephone or tablet computer having data access to the public network, perhaps via an intermediate cellular network. The personal computer 160 is merely representative of any manner of computing device that communicates over the public network 110 with other computing devices.
The personal computer 160 of the preferred embodiment is configured to take advantage of one or more network services offered over the public network 110. For example, the personal computer 160 may include browser software for visiting web pages served up by a web server over the public network 110. Similarly, the personal computer 160 may include email client software for sending and receiving email through an email server 165 connected to the public network 110. Still further, the personal computer 160 may include file synchronization software that operates to synchronize data files on the personal computer with a file hosting server connected to the public network 110. Yet even further, the personal computer 160 may include file transfer software that enables non-synchronized file transfer to any manner of resource server connected to the public network 110.
An email server 165 is shown which provides email services to various users. The email server may implement one or more communications protocols that are common in the industry, such as the Simple Mail Transfer Protocol (SMTP), Internet Message Access Protocol (IMAP), Post Office Protocol (POP), Messaging Application Programming Interface (MAPI), Exchange ActiveSync (EAS), or the like.
A Domain Name System (DNS) server 170 operates in the network environment 100 to provide domain name resolution services. As is known in the industry, particular sites on the Internet are generally identified by domain names but are accessed by computing systems using Internet Protocol (IP) addresses. Domain names provide a simple, human-readable mechanism for identifying a site or location on the Internet. However, at the machine level, communication between any two components over the Internet occurs using numeric addresses. The DNS server 170 includes mappings of domain names to IP addresses. In this way, any component that seeks to address another component over the Internet by domain name makes a call to a DNS server (e.g., DNS server 170) to resolve that domain name to its corresponding IP address. The corresponding IP address may then be used to route IP packets to the particular component having that IP address. DNS servers are well known in the art.
In operation, various computing devices communicate over the public network 110 to exchange data. For instance, the personal computer 160 may communicate with the email server 165 over the public network 110 to check an email account. Similarly, the email server 165 may communicate with the DNS server 170 to resolve domain names associated with other email servers, for instance, to deliver email.
FIG. 2 is a functional block diagram of a preferred embodiment of a secure server 220 deployed in a secure location 211. The secure location 211 may be any physical location at which a user exercises a sufficient amount of control that access to the secure location 211 is limited. Very common examples of the secure location 211 include the user's house, apartment, or workplace. Many other examples will become apparent to those skilled in the art in view of this disclosure. The secure location 211 represents any area where the user has an expectation of privacy.
In many embodiments, a private network 212 is implemented within the secure location 211. The private network may be a wired network (e.g., Ethernet), a wireless network (e.g., WiFi), or some combination of wired and wireless networks. Computing devices within the secure location 211 communicate with each other over the private network 212. Because the private network 212 is within the secure location 211, computing devices connected to the private network 212 may enjoy a heightened level of trust with each other. Likewise, because access to the private network 212 is somewhat controlled, the user may have a lower fear of security breaches than for computing devices deployed on the public network 110.
The private network of this disclosure also includes a gateway 213 between the private network 212 and the public network 110. The gateway 213 could also take the form of, or be incorporated into, another network component, such as a router or perhaps a modem (e.g., a DSL or cable modem). Although such a gateway may provide many services, most relevant to this discussion is Network Address Translation (NAT).
Generally stated, NAT involves the gateway 213 handling network traffic between any computing device on the private network 212 and any computing device on the public network 110. In essence, the gateway 213 assigns a private IP address to each computing device on the private network 212. The gateway 213 also has a public IP address on the public network 110. Network traffic initiated by a computing device on the private network 212, such as personal computer 260, to another computing device on the public network 110, such as email server 165, is routed by the gateway 213.
In other words, network traffic initiated by, for example, the personal computer 260 and intended for the email server 165 is presented to the gateway 213 for delivery. The gateway 213 forwards that network traffic to the email server 165 using the gateway's public IP address as the originating IP address. The email server 165 then responds to the gateway 213 using the gateway's public IP address. The gateway 213 maintains state information which it may then use to route the response from the email server 165 back to the personal computer 260. However, the email server 165 is not made aware of the personal computer's IP address on the private network 212.
By performing NAT, the gateway 213 isolates network traffic on the private network 212 from network traffic on the public network 110. Typically, computing devices on the public network 110 may not discover private IP addresses for any computing devices on the private network 212; rather, only the gateway 213 has a publicly addressable IP address. The only network traffic that may be sent directly to a computing device on the private network 212 is in response to a network session initiated from within the private network 212. There are exceptions to this rule, but those exceptions are atypical and difficult for a layperson to implement.
NAT acts as an effective bar to inbound unsolicited network traffic. For this reason, NAT is a very effective security measure. Generally speaking, malicious elements cannot target computing devices on the private network 212 unless those computing devices initiate a network session with those malicious elements. However, absent the teachings of this disclosure, NAT also operates to prevent a computing device on the private network from offering a network service on the public network 110, where unsolicited inbound network traffic would be expected.
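The NAT behaviour described in the preceding paragraphs, as an added example that is not part of the patent text: a small Python model of the gateway's translation table, in which a private host's outbound session creates a mapping and only that peer's replies on that mapping are forwarded back in. Addresses, the port numbering and the peer-matching rule are constructed for the example; real gateways differ in port selection, timeouts and how strictly the remote peer is matched.

```python
"""Simplified model of a NAT gateway's state table (added illustration, not
the patent's code). Addresses use the RFC 5737 documentation ranges and
RFC 1918 private space; all values are constructed."""
from dataclasses import dataclass, field
from typing import Optional, Tuple

Endpoint = Tuple[str, int]  # (IP address, port)


@dataclass
class NatGateway:
    """One public IP in front of a private network.

    The table is keyed by the translated public port. Each entry records the
    private endpoint that opened the session and the public peer it was opened
    to, so only that peer's traffic on that port is forwarded inward."""
    public_ip: str
    next_port: int = 40000
    table: dict = field(default_factory=dict)  # public_port -> (private, remote)

    def outbound(self, private: Endpoint, remote: Endpoint) -> Endpoint:
        """A private host starts a session. Returns the source endpoint the
        remote peer sees: the gateway's public IP and a translated port."""
        for port, (priv, rem) in self.table.items():
            if priv == private and rem == remote:
                return (self.public_ip, port)  # reuse the existing mapping
        port = self.next_port
        self.next_port += 1
        self.table[port] = (private, remote)
        return (self.public_ip, port)

    def inbound(self, src: Endpoint, dst_port: int) -> Optional[Endpoint]:
        """A packet arrives from the public side addressed to the gateway.
        It is forwarded only if it belongs to a session the private side opened
        to exactly that peer; anything else is dropped (returns None)."""
        entry = self.table.get(dst_port)
        if entry is None:
            return None  # unsolicited: no session behind this port
        private, remote = entry
        if src != remote:
            return None  # port is in use, but not by this peer
        return private


def demo() -> dict:
    """The scenario in the text: a PC behind the gateway contacts a mail
    server, then an outside host tries to reach the private network."""
    gw = NatGateway(public_ip="203.0.113.10")
    pc = ("192.168.1.20", 51000)        # personal computer on the private net
    mail = ("198.51.100.25", 25)        # email server on the public net
    outsider = ("198.51.100.99", 4444)  # constructed unsolicited sender

    seen_by_mail = gw.outbound(pc, mail)                 # what the mail server sees
    reply = gw.inbound(mail, seen_by_mail[1])            # reply is mapped back to the PC
    unsolicited = gw.inbound(outsider, 25)               # no session on that port
    wrong_peer = gw.inbound(outsider, seen_by_mail[1])   # right port, wrong peer
    return {
        "seen_by_mail": seen_by_mail,
        "reply_delivered_to": reply,
        "unsolicited": unsolicited,
        "wrong_peer": wrong_peer,
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

The last two results in `demo()` are the property the text relies on: with no mapping, there is nowhere for an inbound packet to go, which is exactly why a server behind the gateway cannot be reached until something inside opens a session outward.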
Another common feature of gateways that renders it difficult to host a server within the private network 212 is dynamic IP addressing. Generally stated, IP addresses assigned to network hardware can be either dynamic or static. Static IP addresses do not change over time, so network services hosted at those IP addresses can be reliably located by consumers of those network services (e.g., email clients, email servers, file synchronization software, or the like). However, if a network service server has an IP address that changes over time, as is the case with dynamic IP addresses, that server cannot be reliably located from session to session. Dynamic IP addresses are the norm with non-commercial and personal private networks. In this particular embodiment, the gateway 213 has a dynamic public IP address that changes over time.
Also illustrated in FIG. 2 is a secure server 220. The secure server 220 is a special purpose computing device configured to host and serve some network service, such as an email service, a file hosting or synchronization service, a music streaming service, or the like.
The secure server 220 may include a number of components which cooperate to provide the network service. In one specific embodiment, the secure server 220 includes a communication module 221, a communication handler 222 with configuration data 223, an authenticator module 224, a server component 225, and a data store 226.
The communication module 221 of the secure server 220 enables bidirectional network communication between the secure server 220 and other computing devices over a network. The communication module may be configured to communicate using any appropriate network protocol, such as Ethernet, 802.11, or the like. The communication module may include a wired connection, a wireless connection, or both. The communication module 221 is configured to establish and maintain an ordinary communication link between the secure server 220 and other computing devices through the private network 212.
The server component 225 operates to host and serve the network service specific to the secure server 220. For example, if the secure server 220 is configured as a web server, the server component 225 may be web server software, such as Apache or the like. Alternatively, if the secure server 220 is configured as an email server, the server component may be email hosting software, such as Postfix or the like. In yet another alternative, if the secure server 220 is configured as a file synchronization server, the server component may be a file synchronization host, such as ownCloud or the like. Many other examples of types of services that may be provided by the server component will be apparent to those skilled in the art.
The data store 226 represents a storage location in which may be stored data that is served by the server component 225. For instance, if the server component 225 provides an email service, the data store 226 may contain email messages and configuration data.
Authentication for the secure server 220 may be performed by an authentication component 224. It will be appreciated that access to data hosted by the secure server 220 may be protected by various access restriction mechanisms, such as user ID/password pairs. More sophisticated access restriction mechanisms may also be employed. The authentication component 224 is configured to authenticate access to data on the secure server 220.
In accordance with this disclosure, the communication handler 222 is specially configured to enable access to the secure server 220 from the public network 110 in cooperation with a service host. For instance, the communication handler 222 may include special purpose components that initiate or establish a secure link, such as a virtual private network (VPN), over an otherwise ordinary network connection, such as a TCP or UDP connection. In one specific embodiment, the communication handler 222 includes a VPN client that is configured, via configuration data 223, to initiate a VPN tunnel between the secure server 220 and a remote service host over an ordinary communication link established by the communication module 221. As will be appreciated by those skilled in the art, a VPN tunnel operates to functionally connect two different networks (or computing devices) in such a manner that one network (or computing device) operates as if it were in fact connected directly to the other network.
By way of illustration, and turning briefly to FIG. 3, a first (local) network environment (private network 312) is shown connected to a second (remote) network (public network 310) over an ordinary communication link (represented as “network connection 301”). In this example, network traffic from the private network 312 to the public network 310 is referred to as “outbound” traffic. Conversely, network traffic from the public network 310 to the private network 312 is referred to as “inbound” traffic.
A gateway 313 is used to negotiate traffic between the private network 312 and the public network 310. Outbound traffic may generally flow freely from the private network to the public network through the gateway 313, but unsolicited inbound traffic is prevented by the gateway 313. As noted above, a number of mechanisms operate either individually or in combination to stop inbound traffic, such as NAT or a firewall. In addition, the IP address of the gateway 313 on the public network 310 may change from time to time, rendering it difficult to reliably locate the private network 312, such as with a domain name.
A VPN client 310 within the first network establishes an end-to-end communication link, called a tunnel 311, between the VPN client and a VPN server 315 (sometimes referred to as a Remote Access Server or RAS) on the public network 310. The tunnel 311 is established over an existing ordinary communication link 301, such as an ordinary Internet connection. The VPN client 310 and VPN server 315 cooperate to essentially create a persistent connection between the VPN client 310 and the VPN server 315 that simulates a direct network connection. In other words, while connected, the VPN client 310 is functionally just another node on the same network as the VPN server 315.
In addition, because the tunnel 311 is insulated from the ordinary communication link, and because the VPN client 310 initiates the tunnel 311 from within the private network 312, the tunnel 311 overcomes the limitations imposed by both NAT and firewalls. In other words, network traffic (e.g., VPN traffic) intended for the VPN client 310 may be routed to the VPN server 315 rather than the gateway 313. The VPN server 315 then reroutes that VPN traffic to the VPN client 310 over the tunnel 311 rather than through the ordinary communication link 301. In this way, the gateway 313 does not interfere with unsolicited inbound traffic (e.g., VPN traffic). In addition, the IP address of the gateway 313 can freely change without impacting traffic flowing from the VPN server 315 to the VPN client 310.
Returning now briefly to FIG. 2, the communication handler 222 of the preferred embodiment of the secure server 220 implements a VPN client which is configured, via configuration data 223, to establish a VPN tunnel through the gateway 213 to a VPN server hosted by a remote service host. Because the communication handler 222 initiates the tunnel connection from within the private network 212, the gateway 213 does not block traffic on that connection. In addition, once the tunnel is established, the secure server 220 is in effect just another node on the same network as the remote service host, e.g., the public network 110.
FIG. 4 is a functional block diagram of a preferred embodiment of a service host 440 in accordance with this disclosure. The service host 440 may execute in a virtual computing system or in an actual dedicated computing device. In addition, the functions of the service host 440 may be implemented on a single computing system or be distributed over multiple computing systems, such as for redundancy, load balancing, localization, or the like.
In one preferred embodiment, the service host 440 includes a communication component 410 and at least a portal component 435. The communication component 410 is configured to provide ordinary network connectivity, such as by establishing a TCP or UDP connection with other computing devices over an Ethernet communication link, or the like. In the preferred embodiment, the communication component 410 connects the service host 440 to a public network 110, such as the Internet. In addition, the communication component 410 of the preferred embodiment has a static IP address on the public network 110, which does not change unpredictably. For that reason, the service host 440 may be reliably accessed by other computing devices over time.
In the preferred embodiment, the portal component 435 is configured to provide a routing service for a secure server operating within a private network (e.g., secure server 220). The portal component 435 of the preferred embodiment includes a VPN server 436, a routing engine 461, and routing tables 462. The VPN server 436 is a component that provides an endpoint for a VPN tunnel that may be established by a remote VPN client (e.g., VPN client 310). By acting as the endpoint of a VPN tunnel, the VPN server 436 may operate to effectively couple the remote VPN client (e.g., VPN client 310) to the same network (e.g., the public network 110) to which the service host 440 is connected.
The service host 440 may service multiple customers, each customer hosting its own secure server. Therefore, the VPN server 436 may host a different VPN tunnel for each subscribed customer. The result may be multiple simultaneously hosted VPN tunnels. To address that situation, the portal 435 may include a routing engine 461 that maintains routing tables 462. The routing engine 461 may direct network traffic to particular VPN tunnels established by each of the different VPN clients. In one embodiment, the routing tables 462 include information that maps customers to current VPN tunnels. In that way, persistent configuration information for each customer can be easily mapped to the current instance of a VPN tunnel associated with that customer.
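An added illustration (not code from the patent) of the routing engine 461 and routing tables 462 just described: the service host keeps a persistent mapping from customer to the static IP it assigned, and a volatile mapping from customer to whichever tunnel is currently up, so a reconnect replaces the old tunnel, a late "down" notice for an old tunnel cannot knock out the new one, and inbound traffic for a customer whose server is offline is dropped rather than misrouted. Class and field names, tunnel ids and all addresses are assumptions of this example.

```python
"""Model of the service host's routing engine and routing tables (added
example, not the patent's own code). Customer names, tunnel ids and
addresses are constructed."""
from dataclasses import dataclass
from typing import Dict, Optional


@dataclass(frozen=True)
class Tunnel:
    """One live VPN tunnel: an opaque instance id plus the tunnel-side address
    the secure server's VPN client was given (assumed 10.8.0.0/24 here)."""
    tunnel_id: str
    inner_addr: str


class RoutingEngine:
    def __init__(self) -> None:
        # persistent: customer -> static public IP assigned at provisioning
        self.assigned_ip: Dict[str, str] = {}
        # derived reverse index: public IP -> customer (used on the hot path)
        self._ip_owner: Dict[str, str] = {}
        # volatile: customer -> current tunnel (absent while disconnected)
        self.tunnels: Dict[str, Tunnel] = {}

    def assign_static_ip(self, customer: str, public_ip: str) -> None:
        """Bind a public IP to a customer; refuse to hand one IP to two customers."""
        owner = self._ip_owner.get(public_ip)
        if owner is not None and owner != customer:
            raise ValueError(f"{public_ip} already assigned to {owner!r}")
        self.assigned_ip[customer] = public_ip
        self._ip_owner[public_ip] = customer

    def tunnel_up(self, customer: str, tunnel: Tunnel) -> None:
        """The VPN server reports a new tunnel for a customer; it replaces any
        stale entry from a previous connection."""
        if customer not in self.assigned_ip:
            raise KeyError(f"unknown customer {customer!r}")
        self.tunnels[customer] = tunnel

    def tunnel_down(self, customer: str, tunnel_id: str) -> None:
        """Drop the entry only if the tunnel that went down is the current one;
        a late notice for an old tunnel must not remove the newer one."""
        current = self.tunnels.get(customer)
        if current is not None and current.tunnel_id == tunnel_id:
            del self.tunnels[customer]

    def route(self, dst_ip: str) -> Optional[Tunnel]:
        """Inbound packet addressed to one of the host's public IPs: return the
        tunnel to send it down, or None if it should be dropped."""
        customer = self._ip_owner.get(dst_ip)
        if customer is None:
            return None  # not a customer IP: nothing to route
        return self.tunnels.get(customer)  # None while that server is offline


def demo() -> dict:
    eng = RoutingEngine()
    eng.assign_static_ip("alice", "203.0.113.50")
    eng.assign_static_ip("bob", "203.0.113.51")
    t1 = Tunnel("tun-0001", "10.8.0.2")
    eng.tunnel_up("alice", t1)
    first = eng.route("203.0.113.50")
    t2 = Tunnel("tun-0002", "10.8.0.7")      # alice's server reconnected
    eng.tunnel_up("alice", t2)
    eng.tunnel_down("alice", "tun-0001")     # late notice for the old tunnel
    after_reconnect = eng.route("203.0.113.50")
    bob_offline = eng.route("203.0.113.51")  # bob never connected
    not_a_customer = eng.route("203.0.113.99")
    return {
        "first": first,
        "after_reconnect": after_reconnect,
        "bob_offline": bob_offline,
        "not_a_customer": not_a_customer,
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

Keeping the customer-to-IP binding separate from the customer-to-tunnel binding is what lets the persistent configuration survive every reconnect, which is the point the text makes about mapping persistent information to the current tunnel instance.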
In various embodiments, the service host 440 may also include a management component 432 with an admin manager 433 and a domain manager 434. In one preferred embodiment, the admin manager 433 may provide a user interface to enable a user to administer several features or functions of the service host 440. For instance, the admin manager 433 may allow a customer to access account information about the customer's account, such as perhaps domain information, billing information, contact information, options for service features, options pertaining to any service the remote secure server may offer, and the like. The admin manager 433 may be implemented as a web-based admin dashboard, it may expose an Application Programming Interface (API) to enable administrative management from a remote device, or the like.
The management component 432 of a preferred embodiment may further include a domain manager 434. In one implementation, the domain manager 434 is configured to create or alter domain name records for certain domain names. For instance, if a new customer of the service host 440 desires a domain name to be used in association with the customer's particular secure server, the domain manager 434 may acquire such a domain name on behalf of the customer as part of a provisioning process or function. Alternatively, if the new customer has an existing domain name that the customer desires to use with a new secure server, the domain manager 434 may alter domain name records associated with the existing domain name to facilitate use of the existing domain name with the service host.
Turning now briefly to FIG. 5, it will be appreciated by those skilled in the art that the domain manager 434 may be configured to interact with a DNS server (frequently referred to as a “name server”). As noted above, a DNS server is a repository of information about domain names. In many embodiments, the DNS server 501 implements the equivalent of a lookup table 511 that includes a mapping of domain names to their associated IP addresses. Through the use of a lookup module 513, other computing devices may query the DNS server 501 for IP addresses associated with a particular domain name.
In addition to the DNS lookup function, the DNS server 501 may also include a records manager 515 that is configured to administer DNS records 517 for one or more domains 519. As is known in the industry, a domain may have a number of associated DNS records. For example, a domain may have “A” records, which point the domain or a subdomain to a particular IP address; “CNAME” records, which specify alias domain names; “MX” records, which identify a mail server to handle email messages directed to the domain; and other types of DNS records. The records manager 515 is responsible for creating and/or editing each of the several DNS records 517 for each of the domains 519.
In one preferred embodiment, the domain manager 434 is configured to interact with one or both of the lookup module 513 and the records manager 515. For example, the domain manager may interact with the lookup module 513 for the purpose of identifying IP addresses for domain names, such as in response to HTTP queries. In another example, the domain manager may interact with the records manager 515 for the purpose of creating, altering, or perhaps deleting DNS records for one or more domains.
In one preferred embodiment, the domain manager 434 is configured to interact with the records manager 515 to create new DNS records for a domain associated with a secure server. For instance, if the secure server is an email server intended to be hosted by a user at the “example.com” domain, the domain manager 434 may interact with the records manager 515 to create an MX record indicating that email messages intended for the example.com domain should be handled by a server having, for example, the mail.example.com fully qualified domain name. In addition, the domain manager 434 may further cause the records manager 515 to create an A record that points the mail.example.com subdomain to a particular IP address at which the secure server can be found. Alternatively, the records manager 515 may modify existing DNS records to reflect the desired settings.
Returning now to FIG. 4, the management component 432 may be further configured to secure a new domain name for a customer. For instance, as part of an initial setup or provisioning process, the admin manager component 433 may prompt a customer with an option to use the customer's existing domain name, to use a domain name provided by the service host 440, or to secure a new domain name for use with a secure server. For those customers who choose to use an existing domain name (either the customer's or one provided by the service host 440), the domain manager 434 may perform operations as described in conjunction with FIG. 5 to create or edit existing DNS records. In situations where the customer desires to secure a new domain name, the management component 432 may programmatically interact with one or more domain name registrars to acquire a new domain name on behalf of the customer. At that point, the management component 432 may perform operations to create or edit DNS records 517 for the new domain name as just described in conjunction with FIG. 5.
Turning now to FIG. 6, a preferred method of provisioning a domain name for a secure server 620 by a privacy system is shown and will be described in conjunction with the components of FIG. 1. The provisioning process 600 may be performed by a privacy system including a secure server 620 and a service host 640 to establish a trust relationship between them. The secure server 620 may be configured to host a network service that benefits from access over a public network 110. However, the secure server 620 is deployed on a private network 612.
The provisioning process 600 begins when the secure server 620 is initialized at step 601. At this stage, the secure server 620 has not yet established a trust relationship with the service host 640. For example, the secure server 620 may be brand new and not yet put into service. In another example, the secure server 620 may have undergone a significant upgrade or restoration and require provisioning again.
At step 601, the secure server 620 is first started or otherwise put into service initially. Alternatively, the secure server 620 may provide an option for re-provisioning simply because the customer desires it. The secure server 620 begins by sending a communication to a service host to announce that the secure server 620 is ready for service. The secure server 620 may be pre-configured with contact information for the service host 640, or the secure server 620 may prompt the customer for that contact information.
Once the secure server 620 has announced itself to the service host, at step 602 the service host begins to build a profile for the secure server 620. For example, the service host 640 may assign a static IP address to the profile for the secure server 620.
At step 603, the service host 640 may prompt the secure server 620 for information to include in the profile. For instance, the service host 640 may prompt the secure server 620 for information about whether to use an existing domain name, to use a domain name controlled by the service host 640, or perhaps to acquire a new domain name. The service host 640 may additionally prompt the secure server 620 for account or billing specific information, such as, perhaps, a payment method should the customer be purchasing a premium service, or the like.
At step 604, the secure server 620 responds to the service host 640 with whatever information has been requested. For example, the secure server 620 may return domain information about whether to use an existing domain or to acquire a new domain. If an existing domain is to be used, the secure server 620 may provide credentials associated with a DNS management account for that domain. Alternatively, the secure server 620 may respond that a new domain name is desired and instruct the service host to acquire the new domain name.
If the secure server 620 indicates that a new domain name is desired, at step 605 the service host performs a set of operations to acquire a new domain name on behalf of the secure server 620. It should be appreciated that several interactions between the service host 640 and the secure server 620 may be necessary to complete the acquisition of the new domain name. For instance, the service host 640 may prompt the secure server 620 for contact information and payment information to complete the acquisition of the new domain name. In addition, the service host 640 may also interact with a third party, such as a domain name registrar 660, to acquire the new domain name.
If the secure server 620 indicates that an existing domain name is to be used, or after a new domain name has been acquired, at step 606 the service host 640 may perform several operations to make the domain name usable with the service. For instance, the service host may create new DNS records to point the domain name to the IP address associated with the secure server 620. In one specific example, if the secure server 620 provides email service, the service host 640 may create new MX records to indicate that the secure server 620 handles email messages for the domain name. In another example, if the secure server 620 is configured to provide file synchronization services, the service host 640 may create new A records to point other TCP traffic to the secure server 620. Many other alternatives will become apparent to those skilled in the art.
Atstep607, thesecure server620 and theservice host640 may exchange information sufficient to establish a secure connection, such as a VPN tunnel, between the two. For example, theservice host640 may transmit to the secure server620 (or vice versa) a secure code, such as a token or digital certificate or key, that may be used to establish a VPN tunnel between thesecure server620 and theservice host640.
As part of the provisioning process, theservice host640 writes information to the profile that describes thesecure server620. For example, the information obtained from thesecure server620 atstep604 may be stored in the profile. In addition, the domain name and a public IP address associated with that domain name may be stored in the profile. Still further, the secure code(s) exchanged atstep607 may be stored in the profile. Billing information, if applicable, may also be stored in the profile.
Once thesecure server620 and the service host have undergone theprovisioning process600, thesecure server620 is accessible from other computing devices using the domain name and IP address set up for thesecure server620. Accordingly, any network service offered by thesecure server620 is available over the public network.
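The DNS-record creation performed by the domain manager 434 (FIG. 4) and at step 606, together with the profile the service host writes at steps 602 through 607, as an added Python example that is not part of the patent or of any product it describes. The function names (provision, dns_records_for, validate_domain, verify_secure_code), the hostnames mail.<domain> and files.<domain>, the record layout, and the sample domains and addresses are assumptions constructed for this illustration. It goes beyond the text in one respect: the secure code handed to the secure server at step 607 is kept in the profile only as a hash, so that a copied profile store does not yield a working credential.

```python
import hashlib
import ipaddress
import re
import secrets
from typing import Dict, List, Tuple

# Constructed example. provision(), dns_records_for() and the profile layout
# are assumptions for this illustration, not the patent's own implementation.

# One hostname label per group, then a TLD; 253 characters overall.
DOMAIN_RE = re.compile(
    r"^(?=.{1,253}$)([a-z0-9](?:[a-z0-9-]{0,61}[a-z0-9])?\.)+[a-z]{2,63}$"
)
# RFC 1918 ranges are rejected explicitly; the documentation ranges used in the
# sample data (203.0.113.0/24, 198.51.100.0/24) are accepted so this runs offline.
RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def validate_domain(domain: str) -> str:
    """Normalise a customer-supplied domain name and reject malformed input.

    The service host writes this value into DNS records on the customer's
    behalf, so it must never accept something that is not a hostname."""
    name = domain.strip().rstrip(".").lower()
    if not DOMAIN_RE.match(name):
        raise ValueError(f"not a valid domain name: {domain!r}")
    return name


def dns_records_for(domain: str, public_ip: str, service: str) -> List[Dict]:
    """Build the DNS records that point `domain` at the secure server.

    `service` selects the records the text describes: an email server needs an
    MX record plus the A/AAAA record its target must resolve to; a file
    synchronization service needs an A/AAAA record for its hostname."""
    ip = ipaddress.ip_address(public_ip)
    if (ip.is_loopback or ip.is_link_local or ip.is_multicast or ip.is_unspecified
            or any(ip in net for net in RFC1918)):
        raise ValueError(f"{public_ip} is not a routable public address")
    rtype = "A" if ip.version == 4 else "AAAA"
    if service == "email":
        host = f"mail.{domain}"
        return [
            {"name": host, "type": rtype, "value": str(ip), "ttl": 300},
            {"name": domain, "type": "MX", "value": host, "priority": 10, "ttl": 300},
        ]
    if service == "filesync":
        host = f"files.{domain}"
        return [{"name": host, "type": rtype, "value": str(ip), "ttl": 300}]
    raise ValueError(f"unknown service kind: {service}")


def provision(secure_server_id: str, domain: str, public_ip: str, service: str) -> Tuple[Dict, str]:
    """Service-host side of steps 602 to 607: returns the profile the host
    stores and the one-time secure code handed to the secure server for the
    later VPN setup. Only a SHA-256 digest of the code is kept in the profile."""
    name = validate_domain(domain)
    code = secrets.token_urlsafe(32)
    profile = {
        "secure_server_id": secure_server_id,
        "domain": name,
        "public_ip": str(ipaddress.ip_address(public_ip)),
        "service": service,
        "dns_records": dns_records_for(name, public_ip, service),
        "secure_code_sha256": hashlib.sha256(code.encode()).hexdigest(),
    }
    return profile, code


def verify_secure_code(profile: Dict, presented: str) -> bool:
    """Check a code presented by the secure server against the stored digest,
    using a constant-time comparison."""
    digest = hashlib.sha256(presented.encode()).hexdigest()
    return secrets.compare_digest(digest, profile["secure_code_sha256"])


if __name__ == "__main__":
    profile, code = provision("srv-001", "Example.COM.", "203.0.113.10", "email")
    for rec in profile["dns_records"]:
        print(rec)
    print("code verifies:", verify_secure_code(profile, code))
```

The domain check matters because the service host acts on the customer's input with registrar and DNS credentials; the record set is returned as data so it can be reviewed or logged before anything is pushed to a DNS provider.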
Turning now to FIG. 7, a preferred method 700 for initializing a secure server 720 for use in a privacy system is shown and will be described in conjunction with the components of FIG. 1. The method 700 begins when the secure server 720 is being put into use, such as when it is being powered on. In accordance with this embodiment, the secure server 720 is a computing device configured to provide a network service to other computing devices connected to a public network 710.
At step 701, the secure server 720 acquires an IP address so that it may communicate with other computing devices on a private network. As is known in the industry, the secure server may implement a Dynamic Host Configuration Protocol (DHCP) client that requests a dynamic IP address from a DHCP server that is responsible for administering dynamic IP addresses on the private network 712. To do so, the secure server 720 initiates a communication with a local gateway 713 to request an IP address.
At step 702, the local gateway 713, which may implement a DHCP server, responds to the secure server request by returning a dynamic IP address to the secure server 720. The dynamic IP address enables the secure server 720 to communicate with other computing devices on the private network 712.
It will be appreciated that both steps 701 and 702 may be avoided if the secure server 720 is pre-configured with a static IP address on the private network 712 rather than a dynamic IP address. In such embodiment, the secure server 720 may, but need not, omit the DHCP client, and the local gateway 713 may, but need not, omit the DHCP server.
At step 703, the secure server 720 initializes a secure connection to a service host 740. In one preferred embodiment, the secure server 720 may implement a VPN client that initializes a VPN tunnel to the service host 740. In many embodiments, the local gateway 713 isolates the private network 712 from the public network 710 through NAT. Accordingly, the secure server 720 initializes the connection to the service host 740 by first communicating with the local gateway 713.
At step 704, the local gateway 713 passes the secure server's connection request to the service host 740. The connection request may include data sufficient to authenticate the secure server 720 to the service host 740.
At step 705, in response to the secure server request, the service host 740 accepts the VPN tunnel and returns confirmation of that acceptance to the local gateway 713, which in turn returns that confirmation to the secure server 720 at step 706.
At this point, the VPN tunnel has been established. The service host 740 may then associate the endpoint of the VPN tunnel with a public IP address. In this way, network traffic targeted at the public IP address may be routed directly to the secure server 720 over the VPN tunnel.
A third party 760 may direct communications to the secure server 720 using a domain name which resolves to the public IP address provided by the service host 740. Accordingly, messages targeted at the domain name go to the IP address identified by the service host 740. The service host 740, in turn, routes the traffic directed to that domain name or IP address to the secure server 720.
Because the secure server 720 and the service host 740 are connected by a VPN tunnel, the local gateway 713 does not block traffic from the service host 740 to the secure server 720. In this way, the NAT feature of the local gateway 713 does not prevent inbound traffic directed to the secure server 720 from random computing devices on the public network 110.
To illustrate the point, at step 707 the third party 760 issues a communication directed to the secure server 720. For example, the secure server 720 may implement an email service. In such a case, the third party 760 may issue a request to check an email account, for example. Alternatively, the third party 760 may transmit an intent to deliver an email message either to the secure server 720 or using the secure server 720 as an outbound email server. Because of the VPN tunnel between the service host 740 and the secure server 720, the communication from the third party 760 is routed directly to the secure server 720. The service host 740 merely operates as another "hop" in the network traffic.
At step 708, the secure server may then issue a response message directly to the third party 760. In one example, the secure server 720 may implement an email server. In such a case, the third party 760 may be another email server attempting to deliver email messages to or retrieve email messages from the secure server 720. In another example, the secure server 720 may implement a file synchronization service. In such a case, the third party 760 may be a remote user of the file synchronization service connecting to the secure server 720 to send or receive data file changes, or the like.
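The FIG. 7 flow from step 703 to step 708 as an added Python model that is neither the patent's nor any product's code: a NAT gateway that admits only inbound packets belonging to a connection the private side opened, a service host that authenticates the tunnel request against the profile and binds a public IP address to the accepted tunnel, and a third-party message that reaches the secure server only through that tunnel. The class and method names (LocalGateway, ServiceHost, bring_up, deliver_from_third_party), the message strings and the address 203.0.113.10 are constructed for the illustration; checking the presented secure code against a stored hash is one way of realising the "data sufficient to authenticate" of step 704, not the patent's stated mechanism.

```python
import hashlib
import hmac
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Set, Tuple

# Constructed example of the FIG. 7 flow; names, messages and addresses are
# assumptions for this illustration, not the patent's implementation.


@dataclass
class LocalGateway:
    """The local gateway 713 acting as a NAT: it forwards connections opened
    from the private network and admits an inbound packet only when it belongs
    to one of those connections. Unsolicited inbound packets are dropped."""
    sessions: Set[Tuple[str, str]] = field(default_factory=set)

    def open_outbound(self, private_host: str, remote: str) -> None:
        self.sessions.add((private_host, remote))

    def admit_inbound(self, private_host: str, remote: str) -> bool:
        return (private_host, remote) in self.sessions


@dataclass
class ServiceHost:
    """The service host 740: terminates VPN tunnels and binds each accepted
    tunnel to a public IP address, the one the customer's domain resolves to."""
    addr: str = "service-host"
    # server id -> SHA-256 hex digest of the secure code written to the profile
    profiles: Dict[str, str] = field(default_factory=dict)
    free_public_ips: List[str] = field(default_factory=lambda: ["203.0.113.10"])
    tunnels: Dict[str, str] = field(default_factory=dict)  # public IP -> server id

    def register(self, server_id: str, secure_code: str) -> None:
        """Profile write from provisioning (step 607): keep only a hash of the code."""
        self.profiles[server_id] = hashlib.sha256(secure_code.encode()).hexdigest()

    def accept_tunnel(self, server_id: str, presented_code: str) -> Optional[str]:
        """Step 705: authenticate the request against the profile, then bind a
        public IP to the tunnel endpoint and return it. Returns None, with no
        IP consumed, when the server is unknown or the code does not match."""
        stored = self.profiles.get(server_id)
        if stored is None or not self.free_public_ips:
            return None
        digest = hashlib.sha256(presented_code.encode()).hexdigest()
        if not hmac.compare_digest(digest, stored):   # constant-time compare
            return None
        public_ip = self.free_public_ips.pop(0)
        self.tunnels[public_ip] = server_id
        return public_ip

    def route_inbound(self, dst_ip: str, payload: str) -> Optional[Tuple[str, str]]:
        """Step 707 at the host: traffic for a bound public IP is handed down
        the tunnel to the owning secure server; anything else is dropped."""
        server_id = self.tunnels.get(dst_ip)
        return None if server_id is None else (server_id, payload)


def bring_up(gateway: LocalGateway, host: ServiceHost, server_id: str, code: str) -> Optional[str]:
    """Steps 703 to 706 from the secure server's side: open the connection out
    through the gateway, present the secure code, and learn the public IP."""
    gateway.open_outbound(server_id, host.addr)            # steps 703 and 704
    public_ip = host.accept_tunnel(server_id, code)        # step 705
    if public_ip is None:                                   # tunnel refused, so
        gateway.sessions.discard((server_id, host.addr))    # nothing stays open
    return public_ip                                        # step 706


def deliver_from_third_party(gateway: LocalGateway, host: ServiceHost,
                             dst_ip: str, payload: str) -> Optional[str]:
    """Steps 707 and 708 end to end: the service host forwards the third
    party's message over the tunnel, the gateway admits it because the tunnel
    was opened from inside, and the secure server's reply comes back."""
    routed = host.route_inbound(dst_ip, payload)
    if routed is None or not gateway.admit_inbound(routed[0], host.addr):
        return None
    server_id, message = routed
    return f"{server_id} handled: {message}"


if __name__ == "__main__":
    gw, host = LocalGateway(), ServiceHost()
    host.register("srv-001", "constructed-secure-code")
    print("direct inbound admitted:", gw.admit_inbound("srv-001", "198.51.100.5"))
    ip = bring_up(gw, host, "srv-001", "constructed-secure-code")
    print("public IP bound to tunnel:", ip)
    print(deliver_from_third_party(gw, host, ip, "SMTP MAIL FROM:<alice@example.net>"))
```

Two properties worth checking in any real deployment are visible in the model: a failed authentication leaves no half-open tunnel and consumes no public address, and the gateway's NAT state never needs an inbound rule, because every packet that reaches the secure server arrives inside the connection the secure server itself opened.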
As has been shown, the disclosure is directed to a privacy system in which a secure server provides a network service from behind a privacy boundary. The service host enables and facilitates public access to the secure server. The service host may perform one or more of a number of operations to accomplish this, such as securing domain names on behalf of customers, securing static, public IP addresses for use in providing network services, automating the process of setting up domain name records for one or more customer domains, hosting an endpoint for a secure tunnel from a customer's secure server, and establishing a route for traffic from external third parties to the customer's secure server.
Embodiments of the foregoing disclosure may be implemented using one or more computing devices. The computing devices in which embodiments are implemented may take one or more of several different configurations. For instance, physical computing hardware may be used as well as virtual computing environments. In addition, both fixed location and mobile devices may be used. Any combination of computing devices may be used to implement embodiments. However, once implemented, the embodiments of this disclosure transform the host computing device into a special purpose machine specially configured to accomplish the goals of this disclosure.
By way of example, FIG. 8 illustrates an example computing device 800. In some examples, components illustrated in FIG. 8 may be distributed across multiple computing devices. However, for the sake of example, the components are shown and described as part of one example computing device 800. The computing device 800 may be or include a mobile device (such as a mobile phone), desktop computer, laptop computer, email/messaging device, tablet computer, or similar device that may be configured to perform the functions described herein. Generally, the computing device 800 may be any type of computing device or transmitter that is configured to transmit data or receive data in accordance with methods and functions described herein.
The computing device 800 may include an interface 802, a wireless communication component 804, a cellular radio communication component 806, a global positioning system (GPS) receiver 808, sensor(s) 810, data storage 812, and processor(s) 814. Components illustrated in FIG. 8 may be linked together by a communication link 816. The computing device 800 may also include hardware to enable communication within the computing device 800 and between the computing device 800 and other computing devices (not shown), such as a server entity. The hardware may include transmitters, receivers, and antennas, for example.
The interface 802 may be configured to allow the computing device 800 to communicate with other computing devices (not shown), such as a server. Thus, the interface 802 may be configured to receive input data from one or more computing devices, and may also be configured to send output data to the one or more computing devices. The interface 802 may be configured to function according to a wired or wireless communication protocol. In some examples, the interface 802 may include buttons, a keyboard, a touchscreen, speaker(s) 818, microphone(s) 820, and/or any other elements for receiving inputs, as well as one or more displays, and/or any other elements for communicating outputs.
The wireless communication component 804 may be a communication interface that is configured to facilitate wireless data communication for the computing device 800 according to one or more wireless communication standards. For example, the wireless communication component 804 may include a Wi-Fi communication component that is configured to facilitate wireless data communication according to one or more IEEE 802.11 standards. As another example, the wireless communication component 804 may include a Bluetooth communication component that is configured to facilitate wireless data communication according to one or more Bluetooth standards. Other examples are also possible.
The cellular radio communication component 806 may be a communication interface that is configured to facilitate wireless communication (voice and/or data) with a cellular wireless base station to provide mobile connectivity to a network. The cellular radio communication component 806 may be configured to connect to a base station of a cell in which the computing device 800 is located, for example.
The GPS receiver 808 may be configured to estimate a location of the computing device 800 by precisely timing signals sent by GPS satellites.
The sensor(s) 810 may include one or more sensors, or may represent one or more sensors included within the computing device 800. Example sensors include an accelerometer, gyroscope, pedometer, light sensor, microphone, camera(s), infrared flash, barometer, magnetometer, Wi-Fi, near field communication (NFC), Bluetooth, projector, depth sensor, temperature sensor, or other location and/or context-aware sensors.
The data storage 812 may store program logic 822 that can be accessed and executed by the processor(s) 814. The data storage 812 may also store data collected by the sensor(s) 810, or data collected by any of the wireless communication component 804, the cellular radio communication component 806, and the GPS receiver 808.
The processor(s) 814 may be configured to receive data collected by any of sensor(s) 810 and perform any number of functions based on the data. As an example, the processor(s) 814 may be configured to determine one or more geographical location estimates of the computing device 800 using one or more location-determination components, such as the wireless communication component 804, the cellular radio communication component 806, or the GPS receiver 808. The processor(s) 814 may use a location-determination algorithm to determine a location of the computing device 800 based on a presence and/or location of one or more known wireless access points within a wireless range of the computing device 800. In one example, the wireless location component 804 may determine the identity of one or more wireless access points (e.g., a MAC address) and measure an intensity of signals received (e.g., received signal strength indication) from each of the one or more wireless access points. The received signal strength indication (RSSI) from each unique wireless access point may be used to determine a distance from each wireless access point. The distances may then be compared to a database that stores information regarding where each unique wireless access point is located. Based on the distance from each wireless access point, and the known location of each of the wireless access points, a location estimate of the computing device 800 may be determined.
In another instance, the processor(s) 814 may use a location-determination algorithm to determine a location of the computing device 800 based on nearby cellular base stations. For example, the cellular radio communication component 806 may be configured to identify a cell from which the computing device 800 is receiving, or last received, signal from a cellular network. The cellular radio communication component 806 may also be configured to measure a round trip time (RTT) to a base station providing the signal, and combine this information with the identified cell to determine a location estimate. In another example, the cellular communication component 806 may be configured to use observed time difference of arrival (OTDOA) from three or more base stations to estimate the location of the computing device 800.
In some implementations, the computing device 800 may include a device platform (not shown), which may be configured as a multi-layered Linux platform. The device platform may include different applications and an application framework, as well as various kernels, libraries, and runtime entities. In other examples, other formats or operating systems may operate the computing device 800 as well.
The communication link 816 is illustrated as a wired connection; however, wireless connections may also be used. For example, the communication link 816 may be a wired serial bus such as a universal serial bus or a parallel bus, or a wireless connection using, e.g., short-range wireless radio technology, or communication protocols described in IEEE 802.11 (including any IEEE 802.11 revisions), among other possibilities.
The computing device 800 may include more or fewer components. Further, example methods described herein may be performed individually by components of the computing device 800, or in combination by one or all of the components of the computing device 800.
Many other uses and alternatives of the disclosure will become apparent from the foregoing teachings. In this detailed description, numerous examples have been set forth to provide a thorough understanding of the described embodiments. On the other hand, some well-known features have not been described in detail in order to not obscure the description.
A person skilled in the art in view of this description, taken as a whole, will be able to implement various preferred embodiments. However, the specific preferred embodiments disclosed and illustrated herein are not to be considered in a limiting sense. Indeed, it should be readily apparent to those skilled in the art that what is described herein may be modified in numerous ways. Such ways can include equivalents to what is described herein. In addition, embodiments may be practiced in combination with other systems. The following claims define certain combinations and subcombinations of elements, features, steps, and/or functions, which are regarded as novel and non-obvious. Additional claims for other combinations and subcombinations may be presented in this or a related document.