Multiplex communications – Pathfinding or routing – Switching a message which includes an address header
Reexamination Certificate
1999-02-04
2003-03-04
Ton, Dang (Department: 2666)
C370S395520, C370S911000, C379S093020, C709S225000, C709S226000, C709S227000, C713S152000
active
06529513
ABSTRACT:
FIELD OF THE INVENTION
This invention relates generally to communications networks and more particularly to a virtual private network (VPN).
BACKGROUND OF THE INVENTION
Computer security is fast becoming an important issue. With the proliferation of computers and computer networks into all aspects of business and daily life—financial, medical, education, government, and communications—the concern over secure file access is growing. One method of providing security from unauthorized access to files is by implementing encryption and cipher techniques. These techniques convert data into other corresponding data forms in a fashion that is reversible. Once encrypted, the data is unintelligible unless first decrypted. DES, triple-DES and CAST are known encryption techniques that are currently believed to provide sufficient security for computer communications and files.
Historically, secure networks were achieved by preventing access to data within the network by those outside the network. Networks were formed of a number of computers interconnected by cables. No access to the network was permitted save through the use of one of the interconnected computers. In order to use these computers, it was necessary to be physically located within a building housing the network.
With the proliferation of modems, it became clear that remote access is a powerful tool. In order to provide remote access to network data, dial-up servers were maintained in communication with a public communication network such as a phone network. An individual wishing access to the network connects to the dial-up server with a computer equipped with a modem or another appropriate communication device, logs into the network, and is then provided access to the network. In this fashion, network data is only communicated over communication channels within the physical network and over dedicated dial-up connections. This was commonly viewed as less secure than the physically isolated computer network, but due to its advantages it became commonplace.
With the proliferation of the Internet and Internet-based communications, a need has arisen to provide secure communications via an unsecured public network. Encryption is commonly used to provide this security. For example, PGP (pretty good privacy) is an available encryption software product which implements a private-public key encryption system. Files are encrypted prior to transmission and then decrypted upon reception. The communicated file is secured by the encryption and is as secure as the encryption process used. For occasional file transfers, PGP and similar software products are excellent. Unfortunately, they are not well suited to network access via the public network.
In order to provide secure virtual private networks (SVPNs), the IPSEC (Internet Protocol Security) protocol suite was developed. IPSEC is a set of industry-standard extensions to the Internet Protocol (IP) that add security services. The suite contains protocols for an authentication header (AH) assuring data integrity, an encapsulating security payload (ESP) format ensuring data privacy, and a key management and exchange system (IKE). These industry-standard protocols allow for development and implementation of SVPNs.
Unfortunately, many commonly available network features are not available using these protocols alone. Also, flexibility is often compromised to ensure security. It would be advantageous to provide a high degree of flexibility, a broad range of network features, and a high level of security.
OBJECT OF THE INVENTION
It is an object of this invention to provide an SVPN having increased flexibility and increased features over those currently available using the IPSEC protocol suite. In particular, it is an object of the invention to provide a method of managing routing and resource availability using pseudo-static information.
In a first aspect, a method of transmitting first data within a secure virtual private network is provided. The method includes the step of storing static map data, the static map data being indicative of static gateways and of resources accessible therethrough, the static map data also including security information for use in authenticating each of the static gateways. The method also includes the steps of selecting a resource to which to direct the first data and determining from the static map data a gateway for accessing the selected resource. The method further includes the step of establishing a communication with the determined gateway, where certification data is obtained from the determined gateway for use in authenticating the determined gateway. The method further includes the step of authenticating the determined gateway based on the certification data and the security information from the static map data for the determined gateway. The method further includes the step of transmitting the first data to the determined gateway for provision to the selected resource.
The step of storing the static map data may be performed automatically.
The method may further include the step of updating the stored static map data.
The security information of the static map data may further include gateway authentication data.
The static map data may further include gateway forwarding data for accessing the plurality of static gateways.
The static map data may further include resource forwarding data for accessing the resources accessible through the plurality of static gateways.
The step of storing the static map data may further include storing the static map data on a workstation remote to the static gateways for which gateway authentication data and gateway forwarding data is stored within the static map data.
The static map data may further include gateway communication data being indicative of a manner of communicating securely with each of the static gateways.
The gateway communication data for the static gateways may include data indicative of whether each of the plurality of static gateways supports tunneling.
The static map data may further include gateway security and communication data for the plurality of static gateways. The gateway security and communication data may be indicative of a security access procedure for accessing the plurality of static gateways securely and a manner of communicating securely with each of the plurality of static gateways. The communication established in the step of establishing the communication with the determined gateway and authenticating the determined gateway may be a secure communication and of a type indicated by the gateway security data and gateway communication data and secured in accordance therewith.
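The following is an added illustration of the first aspect and is not code from the patent or from the assignee. It models the static map as a Python dictionary whose gateway entries hold forwarding data, pinned security information, tunneling support and the reachable resources, and it assumes, as a constructed stand-in for the patent's "certification data", a SHA-256 fingerprint of the gateway's certificate; gateway names, addresses and certificate bytes are made up. The point it shows is the failure mode: a gateway whose presented certification data does not match the stored security information is never sent the data.

```python
import hashlib
import hmac

# Constructed certificates for two fictitious static gateways.
GW_A_CERT = b"-----CONSTRUCTED CERT gw-a-----"
GW_B_CERT = b"-----CONSTRUCTED CERT gw-b-----"


def fingerprint(cert_bytes: bytes) -> str:
    """Certification data, assumed here to be a SHA-256 digest of the certificate."""
    return hashlib.sha256(cert_bytes).hexdigest()


# Constructed static map: per gateway, forwarding data (address), security
# information (pinned fingerprint), communication data (tunneling) and resources.
STATIC_MAP = {
    "gw-a": {"address": "10.0.0.1", "fingerprint": fingerprint(GW_A_CERT),
             "tunneling": True, "resources": {"fileserver", "mail"}},
    "gw-b": {"address": "10.0.1.1", "fingerprint": fingerprint(GW_B_CERT),
             "tunneling": False, "resources": {"printer"}},
}


class GatewayAuthError(Exception):
    """Raised when a gateway's certification data does not match the static map."""


def select_gateway(static_map, resource):
    """Determine from the static map which static gateway reaches the resource."""
    for name, entry in static_map.items():
        if resource in entry["resources"]:
            return name
    raise KeyError(f"no static gateway provides {resource!r}")


def authenticate_gateway(entry, presented_cert):
    """Compare certification data obtained from the gateway with stored security info."""
    return hmac.compare_digest(fingerprint(presented_cert), entry["fingerprint"])


def transmit(static_map, resource, data, fetch_cert):
    """Select resource, determine gateway, authenticate it, then hand over the data.
    fetch_cert(name) stands in for obtaining certification data from the gateway."""
    name = select_gateway(static_map, resource)
    entry = static_map[name]
    if not authenticate_gateway(entry, fetch_cert(name)):
        raise GatewayAuthError(f"{name}: certification data does not match static map")
    mode = "tunnel" if entry["tunneling"] else "transport"  # gateway communication data
    return {"gateway": name, "address": entry["address"], "mode": mode, "payload": data}


def delivered_via(static_map, resource, data, fetch_cert):
    """Gateway name the data was delivered through, or None if authentication failed."""
    try:
        return transmit(static_map, resource, data, fetch_cert)["gateway"]
    except GatewayAuthError:
        return None


# Constructed gateway responses: all genuine, or gw-b presenting an unknown certificate.
GENUINE = {"gw-a": GW_A_CERT, "gw-b": GW_B_CERT}
IMPOSTOR = {"gw-a": GW_A_CERT, "gw-b": b"-----CONSTRUCTED CERT unknown-----"}
```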
In a second aspect, a method of transmitting first data within a secure virtual private network is provided. The method includes the step of storing static map data, the static map data indicative of at least one static gateway, each static gateway having at least one resource accessible therethrough, the static map data being indicative of every resource accessible through each static gateway and comprising security information for use in authenticating each static gateway, the static map data being stored on a workstation remote from each static gateway. The method also includes the step of selecting a destination resource from a set consisting of every resource accessible through each static gateway, the first data for provisioning to the selected destination resource from the workstation. The method further includes the step of selecting from the stored static map data one static gateway through which to access the selected destination resource. The method further includes the step of establishing a communication between the workstation and the selected static gateway and authenticating the selected static gateway. The method further includes the step of transmitting the first data to the selected static gateway for provisioning to the selected destination resource.
In a third aspect, a method of routing first data within a secure virtual private network is provided. The method includes the step of storing a static map, the static map comprising gateway data
Howard Brett
Kierstead Paul
Pereira Roy
Robison Andrew
Solymar Gabor
Alcatel Canada Inc.
Blake Cassels & Graydon LLP
Hom Shick
Macchione Alfred A.
Ton Dang
Method of using static maps in a virtual private network