Electrical computers and digital processing systems: support – Multiple computer communication using cryptography – Protection at a particular protocol layer
Reexamination Certificate
1998-11-09
2004-03-02
Sheikh, Ayaz (Department: 2131)
Electrical computers and digital processing systems: support
Multiple computer communication using cryptography
Protection at a particular protocol layer
C709S245000, C709S249000
Reexamination Certificate
active
06701437
ABSTRACT:
FIELD OF THE INVENTION
The present invention relates to the field of data communications. More specifically, the present invention relates to a device for processing communications and a method of configuring such a device to selectively encrypt communications depending upon whether they are being passed between members of a virtual private network.
BACKGROUND
Organizations rely heavily upon their ability to communicate data electronically between their members, representatives, employees, etc. Such communications typically include electronic mail and some form of file sharing or file transfer. In a centralized, single site organization, these communications are most commonly facilitated by a local area network (LAN) installed and/or operated by the organization.
Preventing unauthorized access to data traversing an enterprise's single site LAN is relatively straightforward. As long as intelligent network management and adequate physical security are maintained, unauthorized access to the data passing across the LAN can be prevented. It is when the enterprise spans multiple sites that external security threats become a considerable problem.
For distributed enterprises wishing to communicate data electronically, several options exist but each has associated disadvantages. One option is to interconnect the various offices or sites with dedicated, or private, communication connections, often referred to as leased lines. This is a traditional method used by organizations to implement a wide area network (WAN). The disadvantages of implementing an enterprise-owned and controlled WAN are obvious: they are expensive, cumbersome and frequently underutilized if configured to handle the peak capacity requirements of the enterprise. The obvious advantage is that the lines are dedicated for use by the enterprise and are therefore reasonably secure from eavesdropping or tampering by other parties.
One alternative to using dedicated communication lines is to exchange data communications over the emerging public network space. For example, in recent years the Internet has evolved from a tool primarily used by scientists and academics into an efficient mechanism for global communications. The Internet provides electronic communication paths between millions of computers by interconnecting the various networks upon which those computers reside. It has become commonplace, even routine, for enterprises (including those in non-technical fields) to provide Internet access to at least some portion of the computers within the enterprises. For many organizations, Internet access facilitates communications with customers and potential business partners and promotes communications between geographically distributed members of the organization as well.
Distributed enterprises have discovered that the Internet is a convenient mechanism for enabling electronic communications between their geographically-separated members. For example, even remote sites within an enterprise can connect to the Internet through Internet Service Providers (ISPs). Once they have access to the Internet, the various members of the enterprise can communicate among the enterprise's distributed sites and with other Internet sites as well. A significant disadvantage of using this form of intra-enterprise communications is the general lack of security afforded to communications traversing public networks such as the Internet. The route by which a data communication travels from one point on the Internet to another point can vary on a per-packet basis, and is therefore essentially indeterminate. Furthermore, the data protocols for transmitting information over the constituent networks of the Internet are widely known, thus leaving electronic communications susceptible to interception and eavesdropping, the danger of which increases as packets are replicated at most intermediate hops. Of potentially greater concern is the fact that communications can be modified in transit or even initiated by or routed to an impostor. With these disconcerting risks, most enterprises are unwilling to subject their proprietary and confidential communications to the exposure of the public network space. For many organizations, therefore, it is common to not only have Internet access available at each site, but also to maintain existing dedicated communications paths for internal enterprise communications, with all of the attendant disadvantages described above.
To address the need for means of passing secure communications, “virtual private networks” (VPNs) have been developed. A VPN allows an organization to communicate securely across an underlying public network, such as the Internet, even with remote sites. Virtual private networks typically include one or more virtual private network units, sometimes known as VPN service units or VSUs. VPN service units translate or exchange data packets between the public network and the organization's private WAN or LAN. Virtual private network units may reside in a number of locations, such as within an ISP or telephone company network or on the WAN or LAN side of a routing apparatus that connects the enterprise's network to the Internet. Thus, VPN units in known forms of virtual private networks generally receive and process all data traffic passed between an enterprise site (whether local or remote) and the public network. Within one enterprise network, a VSU may serve multiple network segments.
To ensure secure data communications between members of a single VPN, which may comprise one or more VPN groups, a VPN unit operates according to a number of parameters. The parameters include various compression, encryption, decryption and authentication algorithms, as well as parameters concerning security associations and access control. Parameters in effect for one VPN may differ from those used in another VPN, and may also vary between different groups within each VPN.
As described above, known VPN units typically form part of the data path connecting an enterprise's private LAN to the public network over which secure data communications are to be passed. This mode of operation presents at least two problems, however. First, because it forms part of the path along which all inter-network traffic travels, such a VPN unit constitutes a single point of failure. In other words, if a VPN unit fails, all communications between the private and public networks connected to the unit are disrupted, not just the VPN traffic. As a second consequence of being part of the path for all data communications, those communications that need not be secured are still received and processed by the VPN unit, even though they are not VPN traffic. Therefore, current VPN unit configurations unavoidably delay all data communications, including those that are not being passed between members of a VPN.
An additional disadvantage to the current method of configuring VPNs and VPN units is that a VPN unit cannot be “hot-swapped.” In other words, an installed VPN unit cannot be replaced without disrupting all data communications between the private and public networks. Further, each individual VPN unit is presently capable of processing communications for only a single private network that is connected to a public network through the VPN unit. A separate VPN unit is thus generally required for each private network.
There is, therefore, a need in the art for a VPN unit that can be configured to operate as part of a virtual private network without receiving and processing all data communications passing between the interconnected public and private networks. There also exist requirements for a VPN unit that can be replaced without disrupting all data communications and a VPN unit capable of serving multiple private networks. Methods of operating VPN units such as these, and methods of operating a VPN comprising such VPN units are also needed.
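The following model illustrates the selective-processing idea that the background describes: a VPN unit that examines only traffic whose two endpoints are both members of the same VPN group, applies that group's security parameters to it, and lets all other traffic pass untouched, so that the unit is no longer a single point of failure for ordinary traffic. It is an added example and not the patent's own method or code; the group names, address ranges, keys and the use of an HMAC tag as the only modelled "authentication parameter" are constructed assumptions.

```python
"""Model of a VPN unit that processes only traffic between members of one VPN group.
Added illustration; not the patent's implementation. Configuration values are constructed."""
import hmac
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Optional


@dataclass
class VpnGroup:
    """One VPN group: its member networks and the parameters in effect for it.
    Only an authentication key and algorithm are modelled here; a real unit also
    negotiates encryption and compression parameters (assumption: HMAC stands in)."""
    name: str
    members: list          # list of ip_network objects
    auth_key: bytes
    auth_alg: str = "sha256"


@dataclass
class Packet:
    src: str
    dst: str
    payload: bytes
    protected: bool = False
    tag: bytes = b""
    group: Optional[str] = None


def find_group(src, dst, groups):
    """Return the group whose membership covers BOTH endpoints, else None.
    A packet with only one endpoint in a group is ordinary traffic."""
    s, d = ip_address(src), ip_address(dst)
    for g in groups:
        if any(s in n for n in g.members) and any(d in n for n in g.members):
            return g
    return None


def protect(packet, group):
    """Apply the group's authentication parameters (HMAC over the payload)."""
    tag = hmac.new(group.auth_key, packet.payload, group.auth_alg).digest()
    return Packet(packet.src, packet.dst, packet.payload, True, tag, group.name)


def forward(packet, groups, unit_available=True):
    """Selective data path. Non-VPN traffic bypasses the unit entirely (no delay,
    no processing). VPN traffic is handed to the unit; if the unit is down it is
    dropped (fail closed) rather than sent in the clear, while ordinary traffic
    keeps flowing, so the unit no longer takes the whole link down with it."""
    group = find_group(packet.src, packet.dst, groups)
    if group is None:
        return packet            # bypass: not VPN traffic
    if not unit_available:
        return None              # fail closed: never leak VPN traffic unprotected
    return protect(packet, group)


def verify(packet, groups):
    """Receiving side: recompute the tag under the same group's parameters."""
    group = find_group(packet.src, packet.dst, groups)
    if group is None or not packet.protected:
        return False
    expected = hmac.new(group.auth_key, packet.payload, group.auth_alg).digest()
    return hmac.compare_digest(expected, packet.tag)


# Constructed sample configuration: one unit serving two private networks / groups.
GROUPS = [
    VpnGroup("engineering", [ip_network("10.1.0.0/16"), ip_network("10.2.0.0/16")], b"eng-key"),
    VpnGroup("finance", [ip_network("10.3.0.0/24"), ip_network("192.168.50.0/24")], b"fin-key"),
]

if __name__ == "__main__":
    vpn = forward(Packet("10.1.5.5", "10.2.7.7", b"payroll"), GROUPS)
    plain = forward(Packet("10.1.5.5", "8.8.8.8", b"dns"), GROUPS)
    print("member-to-member:", vpn.protected, vpn.group)   # True engineering
    print("member-to-internet:", plain.protected)           # False (bypassed)
    print("unit down, plain still flows:", forward(plain, GROUPS, unit_available=False) is not None)
```

The design choice worth noting is the fail-closed branch: when the unit is unavailable, traffic between VPN members is dropped rather than forwarded unprotected, which is the property a defender wants from a device that is no longer on the path for everything else.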
SUMMARY
The present invention provides a virtual private network (VPN) unit for selectively processing secure communications for members of a virtual private network. One embodiment of th
Arrow Leslie J.
Hoke Mark R.
Park Vaughan & Fleming LLP
Revak Christopher
Sheikh Ayaz
VPNet Technologies, Inc.
Method and apparatus for processing communications in a...
Profile ID: LFUS-PAI-O-3242422