Electrical computers and digital processing systems: support – Multiple computer communication using cryptography – Protection at a particular protocol layer
Reexamination Certificate
1999-10-28
2002-10-29
Lee, Thomas (Department: 2185)
Electrical computers and digital processing systems: support
Multiple computer communication using cryptography
Protection at a particular protocol layer
C713S162000, C713S150000, C709S223000, C709S229000
Reexamination Certificate
active
06473863
ABSTRACT:
TECHNICAL FIELD
The present invention relates in general to networked data processing systems, and in particular to virtual private network (VPN) systems and other network systems using tunneling or encapsulating methods.
BACKGROUND INFORMATION
A virtual private network (VPN) is an extension of a private intranet network across a public network, such as the Internet, creating a secure private connection. This effect is achieved through an encrypted private tunnel, as described below. A VPN securely conveys information across the Internet, connecting remote users, branch offices, and business partners into an extended corporate network.
Tunneling, or encapsulation, is a common technique in packet-switched networks. A packet from a first protocol is “wrapped” in a second packet from a second protocol. That is, a new header from a second protocol is attached to the first packet. The entire first packet becomes the payload of the second one. Tunneling is frequently used to carry traffic of one protocol over a network that does not support that protocol directly. For example, a Network Basic Input/Output System (NetBIOS) or Internetwork Packet Exchange (IPX) packet can be encapsulated in an Internet Protocol (IP) packet to carry it over a Transmission Control Protocol/Internet Protocol (TCP/IP) network. If the encapsulated first packet is encrypted, an intruder or hacker will have difficulty figuring out the true destination address of the first packet and the first packet's data contents.
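The encapsulation just described, as an added illustration that is not part of the patent text: an inner packet with its own source and destination is encrypted and authenticated, then becomes the payload of an outer packet whose header names only the two tunnel endpoints. The packet header layout, the addresses and the key are constructed for this example, and the cipher is an HMAC-SHA256 keystream with an HMAC tag standing in for a real tunnel cipher such as ESP with AES. An observer of the outer packet sees the tunnel endpoints and an opaque body; only a holder of the key recovers the inner destination.

```python
"""Tunnel encapsulation demo (constructed formats, not a real protocol)."""
import hashlib
import hmac
import ipaddress
import secrets
import struct
from typing import Tuple

# Simplified packet header: 4-byte src, 4-byte dst, 2-byte payload length.
# This is a constructed layout, not IP or IPX, chosen to keep the demo short.
HDR = struct.Struct("!4s4sH")


def build_packet(src: str, dst: str, payload: bytes) -> bytes:
    """Attach a header naming src and dst to a payload."""
    return HDR.pack(ipaddress.IPv4Address(src).packed,
                    ipaddress.IPv4Address(dst).packed, len(payload)) + payload


def parse_packet(pkt: bytes) -> Tuple[str, str, bytes]:
    """Split a packet into (src, dst, payload); reject truncated packets."""
    src, dst, n = HDR.unpack_from(pkt)
    body = pkt[HDR.size:HDR.size + n]
    if len(body) != n:
        raise ValueError("truncated packet")
    return str(ipaddress.IPv4Address(src)), str(ipaddress.IPv4Address(dst)), body


def _keystream(key: bytes, nonce: bytes, n: int) -> bytes:
    """HMAC-SHA256 in counter mode as a stand-in PRF for the tunnel cipher."""
    out = b""
    ctr = 0
    while len(out) < n:
        out += hmac.new(key, nonce + ctr.to_bytes(4, "big"), hashlib.sha256).digest()
        ctr += 1
    return out[:n]


def seal(key: bytes, plaintext: bytes) -> bytes:
    """Encrypt-then-MAC: nonce || ciphertext || tag."""
    nonce = secrets.token_bytes(16)
    ct = bytes(a ^ b for a, b in zip(plaintext, _keystream(key, nonce, len(plaintext))))
    tag = hmac.new(key, nonce + ct, hashlib.sha256).digest()
    return nonce + ct + tag


def open_sealed(key: bytes, blob: bytes) -> bytes:
    """Verify the tag before decrypting; a bad tag raises ValueError."""
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    expect = hmac.new(key, nonce + ct, hashlib.sha256).digest()
    if len(blob) < 48 or not hmac.compare_digest(expect, tag):
        raise ValueError("tunnel authentication failed")
    return bytes(a ^ b for a, b in zip(ct, _keystream(key, nonce, len(ct))))


def encapsulate(key: bytes, tunnel_src: str, tunnel_dst: str, inner: bytes) -> bytes:
    """The whole inner packet (header included) becomes the sealed outer payload."""
    return build_packet(tunnel_src, tunnel_dst, seal(key, inner))


def decapsulate(key: bytes, outer: bytes) -> bytes:
    """Strip the outer header and recover the inner packet at the far endpoint."""
    _, _, body = parse_packet(outer)
    return open_sealed(key, body)


def tunnel_accepts(key: bytes, outer: bytes) -> bool:
    """True if the outer packet authenticates under key (detection of tampering)."""
    try:
        decapsulate(key, outer)
        return True
    except ValueError:
        return False


def on_the_wire_view(outer: bytes) -> dict:
    """What a passive observer of the outer packet can read: endpoints and size only."""
    src, dst, body = parse_packet(outer)
    return {"visible_src": src, "visible_dst": dst, "opaque_bytes": len(body)}
```

Running it with an inner packet addressed 10.1.0.5 to 10.2.0.9 and a tunnel between 203.0.113.1 and 198.51.100.7 shows the outer header carrying only the tunnel endpoints; flipping any byte of the sealed body makes the receiving endpoint reject the packet rather than forward a corrupted inner datagram.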
The use of VPNs raises several security concerns beyond those that were present in traditional corporate intranet networks. A typical end-to-end data path might contain several machines not under the control of the corporation, for example, the Internet Service Provider (ISP) access computer, a dial-in segment, and the routers within the Internet. The path may also contain a security gateway, such as a firewall or router, that is located at the boundary between an internal segment and an external segment. The data path may also contain an internal segment which serves as a host or router, carrying a mix of intra-company and inter-company traffic. Commonly, the data path will include external segments, such as the Internet, which will carry traffic not only from the company network but also from other sources.
In this heterogeneous environment, there are many opportunities to eavesdrop, to change a datagram's contents, to mount denial-of-service (DoS) attacks, or to alter a datagram's destination address. Current encryption algorithms are not perfect, and even encrypted packets can be read given sufficient time. The use of a VPN within this environment gives a would-be intruder or hacker a fixed target to focus on, since the VPN's endpoints do not change, nor do its encryption methods and keys. The instant invention addresses the security concerns inherent in this system.
SUMMARY OF THE INVENTION
The instant invention is an apparatus and method for pre-negotiation and partial random generation of a secondary configuration of a VPN or other tunneled network, for use in case the security of the main VPN is compromised. Configuration features such as the source and destination addresses of the nodes, their encryption keys, and their encryption algorithms are typically exchanged in order to establish a main VPN or tunneled network. In the instant invention, a set of usable addresses and usable encryption methods, along with randomly generated keys, is exchanged between the nodes in anticipation of a compromise of the main VPN or tunneled network. The tunneled nodes are configured to take advantage of one of the possible secondary VPN networks represented by these secondary configurations, should a compromise or attempted compromise be detected on the main VPN.
A compromise of the VPN or tunneled network may be detected through any one of several means known in the art, such as an alert from the server. In the instant invention, the secondary configurations exchanged between the nodes can be used to automatically establish a second VPN or tunneled network as the use of the main VPN or tunneled network is abandoned or fed with false data.
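The pre-negotiation and failover scheme outlined in the summary above, as an added example that is not the patent's own code: two nodes establish a main tunnel and at the same time agree on an ordered list of secondary configurations, each with its own endpoint addresses, cipher suite and randomly generated key. When either node receives a compromise alert (the alert source is abstracted here; the patent only says it may come from any known means such as the server), both retire the active configuration and step to the same next spare, so no new negotiation has to cross the tunnel that is believed compromised. The address pools, cipher names and spare count are constructed for this example.

```python
"""Pre-negotiated secondary tunnel configurations with automatic failover (illustrative)."""
import secrets
from dataclasses import dataclass, field
from typing import List, Optional, Tuple


@dataclass(frozen=True)
class TunnelConfig:
    local_addr: str
    peer_addr: str
    cipher: str
    key: bytes


@dataclass
class TunnelNode:
    name: str
    addresses: List[str]       # addresses this node can use as a tunnel endpoint
    ciphers: List[str]         # supported cipher suites, in preference order
    active: Optional[TunnelConfig] = None
    spares: List[TunnelConfig] = field(default_factory=list)   # ordered secondaries
    retired: List[TunnelConfig] = field(default_factory=list)  # believed compromised


def negotiate(a: TunnelNode, b: TunnelNode, n_spares: int) -> None:
    """Set up the main tunnel plus n_spares secondaries on both nodes.

    The initiator (a) draws a fresh random key per configuration; in deployment
    the spare list would be carried over the main tunnel right after it comes up,
    so it is in place before any compromise. Both nodes end with the same ordered
    list, mirrored so that each node's local_addr is the other's peer_addr.
    """
    common = [c for c in a.ciphers if c in b.ciphers]
    if not common:
        raise ValueError("no common cipher suite")
    pairs: List[Tuple[TunnelConfig, TunnelConfig]] = []
    for i in range(1 + n_spares):
        # Rotate through both address pools and the common ciphers so each
        # secondary differs from the main tunnel in more than just its key.
        la = a.addresses[i % len(a.addresses)]
        lb = b.addresses[i % len(b.addresses)]
        cipher = common[i % len(common)]
        key = secrets.token_bytes(32)
        pairs.append((TunnelConfig(la, lb, cipher, key), TunnelConfig(lb, la, cipher, key)))
    a.active, b.active = pairs[0]
    a.spares = [ca for ca, _ in pairs[1:]]
    b.spares = [cb for _, cb in pairs[1:]]


def failover(node: TunnelNode) -> TunnelConfig:
    """Run on each node when a compromise of the active tunnel is detected.

    The active configuration is retired and the next pre-negotiated spare is
    activated. Because both nodes walk the same list in the same order, they
    converge on matching endpoints without talking over the compromised tunnel.
    """
    if node.active is None:
        raise RuntimeError(f"{node.name}: no active tunnel to fail over from")
    if not node.spares:
        raise RuntimeError(f"{node.name}: no secondary configurations left")
    node.retired.append(node.active)
    node.active = node.spares.pop(0)
    return node.active


def endpoints_match(a: TunnelNode, b: TunnelNode) -> bool:
    """True if both nodes currently describe the same tunnel from opposite ends."""
    if a.active is None or b.active is None:
        return False
    return (a.active.local_addr == b.active.peer_addr
            and a.active.peer_addr == b.active.local_addr
            and a.active.cipher == b.active.cipher
            and a.active.key == b.active.key)


def decoy_packet(node: TunnelNode, nbytes: int = 64) -> Tuple[TunnelConfig, bytes]:
    """Random filler for the most recently retired configuration.

    Keeping the abandoned endpoint emitting traffic lets an observer fixed on it
    see nothing change, which is the "fed with false data" option in the summary.
    """
    if not node.retired:
        raise RuntimeError(f"{node.name}: nothing has been retired yet")
    return node.retired[-1], secrets.token_bytes(nbytes)
```

The key property worth checking is that after a failover both nodes still agree on endpoints, cipher and key while none of those equal the retired tunnel's values; a second alert steps to the next spare, and once the list is exhausted the nodes must renegotiate rather than silently reuse a configuration.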
The foregoing outlines broadly the features and technical advantages of the present invention in order that the detailed description of the invention that follows may be better understood. Additional features and advantages of the invention will be described hereinafter which form the subject of the claims of the invention.
REFERENCES:
patent: 5825891 (1998-10-01), Levesque et al.
patent: 6092200 (2000-07-01), Muniyappa et al.
patent: 6175917 (2001-06-01), Arrow et al.
patent: 6243815 (2001-06-01), Antur et al.
Genty Denise Marie
McBrearty Gerald Francis
Mullen Shawn Patrick
Shieh Johnny Meng-Han
Unnikrishnan Ramachandran
Donoughue Timothy M.
Emile Volel
International Business Machines Corporation
Lee Thomas
Patel N C
Title: Automatic virtual private network internet snoop avoider