Virtual private network with multiple tunnels associated...

Electrical computers and digital processing systems: support – Multiple computer communication using cryptography – Protection at a particular protocol layer

Reexamination Certificate


Details

C709S227000, C709S228000, C709S229000


active

06823462

ABSTRACT:

TECHNICAL FIELD
The present invention relates to the field of data communications, and more particularly to a virtual private network with multiple tunnels associated with a group of users where the server node in the virtual private network has a single tunnel definition and a single security policy for the multiple tunnels associated with the group.
BACKGROUND INFORMATION
Security is a significant concern in the communication between computer networks over a public network, e.g., between institutional intranets and the Internet. Public networks provide the capability for a large number of diverse users to establish communication links between each other. A series of servers and switching systems route packets of data between various users based upon addresses using communication protocols such as TCP/IP. Unfortunately, packets of data move between senders and recipients through various pathways that are unsecured, i.e., third parties may gain access to data sent between authorized senders and recipients.
One solution to secure the transfer of data between senders and recipients over a public network is through a virtual private network. A virtual private network (VPN) is an extension of an enterprise's private intranet across a public network such as the Internet, creating a secure private connection, commonly referred to as a “tunnel.” For example, virtual private networks may be established between an enterprise's private intranet and remote users, branch offices or business partners. The secure private connection, i.e., tunnel, is established between sites, commonly referred to as “nodes.” Once the tunnel is established, data may be transmitted between nodes without the risk of interception by unauthorized users through the use of encryption, e.g., preshared keys, public keys. A preshared key is a value that is used to authenticate the nodes of a tunnel. That is, the same preshared key must be possessed by the two nodes in order to create a tunnel between the nodes.
A virtual private network may be configured by having one node designated as the server node and a plurality of nodes designated as client nodes. Each client node is connected to the server node, establishing a plurality of tunnels between the client nodes and the server node. A tunnel definition defines the end points of a tunnel, thereby establishing the tunnel. A security policy describes the characteristics of protection for the transfer of information between the nodes defining the tunnel. Prior art virtual private networks create a security policy and a tunnel definition in the server node for each of the plurality of tunnels connected to the server node, resulting in a large number of security policies to be created and maintained for the many users of resources on a network.
It would therefore be desirable to develop a virtual private network where the server node has one security policy and one tunnel definition associated with a plurality of tunnels where the plurality of tunnels are associated with a group, i.e., group of users. It would further be desirable to allow the users to be identified by any specified name. It would further be desirable to allow a non-contiguous set of ID types to be defined as a group.
SUMMARY
The problems outlined above may at least in part be solved in some embodiments by configuring a group database in the server node where the group database comprises a group name and a list of members associated with the group name. Furthermore, a rules database in the server node is configured. The rules database associates the group name with a particular security policy. The server node then has a single security policy for each of the plurality of tunnels associated with the group name. Furthermore, a tunnel definition database in the server node is configured. In the tunnel definition database, the remote ID is defined as the group name. The server node then has a single tunnel definition for each of the plurality of tunnels associated with the group name.
In one embodiment, a method for allowing a server node in a virtual private network to have a single tunnel definition and a single security policy for a plurality of tunnels associated with a group name comprises the step of configuring a group database in the server node. The group database comprises the group name and a list of members associated with the group name. The method further comprises configuring a rules database in the server node. The rules database associates the group name with a particular security policy. The method further comprises configuring a tunnel definition database in the server node. In the tunnel definition database, the remote ID is defined as the group name.
In another embodiment of the present invention, the list of members associated with the group name comprises a non-contiguous list of ID types, e.g., Internet Key Exchange (IKE) defined ID types such as Internet Protocol addresses, User@ Fully Qualified Domain Name (FQDN), FQDN, and X.500 Distinguished Name. In another embodiment of the present invention, the members associated with the group name are identified by any specified name.
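The following is an added example, not code from the patent: a minimal Python model of the lookup the SUMMARY describes, in which a server keeps one group database (group name to members of mixed IKE ID types), one rules database (group name to security policy) and one tunnel definition whose remote ID is the group name. The ID type labels, policy string and sample peer identities are constructed for illustration.

```python
"""Model of the group-based tunnel/policy lookup described above.
One group database, one rules database and one tunnel definition
(remote ID == group name) cover every member of a group, whatever
its IKE ID type. Type labels and sample values are constructed."""
import ipaddress
import re

def ike_id_type(identity: str) -> str:
    """Classify a peer identity into one of the IKE ID types named in the text."""
    try:
        return f"IPV{ipaddress.ip_address(identity).version}_ADDR"
    except ValueError:
        pass
    if re.fullmatch(r"[A-Za-z]+=[^,=]+(,\s*[A-Za-z]+=[^,=]+)*", identity):
        return "DER_ASN1_DN"          # X.500 Distinguished Name (simplified match)
    if re.fullmatch(r"[^@\s]+@[^@\s]+\.[^@\s]+", identity):
        return "USER_FQDN"            # User@FQDN
    if re.fullmatch(r"([A-Za-z0-9-]+\.)+[A-Za-z]{2,}", identity):
        return "FQDN"
    raise ValueError(f"unrecognised IKE ID: {identity!r}")

class VpnServer:
    def __init__(self):
        self.groups = {}       # group name -> set of (id_type, identity)
        self.rules = {}        # group name -> security policy (one per group)
        self.tunnel_defs = {}  # remote ID == group name -> local endpoint

    def define_group(self, group, members, policy, local_endpoint):
        """One policy and one tunnel definition cover every member, whatever its ID type."""
        self.groups[group] = {(ike_id_type(m), m) for m in members}
        self.rules[group] = policy
        self.tunnel_defs[group] = local_endpoint

    def group_of(self, identity):
        try:
            entry = (ike_id_type(identity), identity)
        except ValueError:
            return None
        return next((g for g, members in self.groups.items() if entry in members), None)

    def resolve(self, identity):
        """Return (group, policy, local endpoint) for a peer, or None if it is in no group."""
        g = self.group_of(identity)
        if g is None:
            return None   # unknown peer: no tunnel definition applies, negotiation is refused
        return g, self.rules[g], self.tunnel_defs[g]

def policies_needed(server):
    """(server-side security policies, tunnels they cover): the saving the text claims."""
    return len(server.rules), sum(len(m) for m in server.groups.values())
```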
The foregoing has outlined rather broadly the features and technical advantages of the present invention in order that the detailed description of the invention that follows may be better understood. Additional features and advantages of the invention will be described hereinafter which form the subject of the claims of the invention.


