CA2260709A1 - Method of using static maps in a virtual private network - Google Patents
Publication number: CA2260709A1
Authority: CA (Canada)
Legal status: Abandoned (status as listed by Google Patents; an assumption, not a legal conclusion)
Classifications
- H04L12/4641: Virtual LANs, VLANs, e.g. virtual private networks [VPN]
- H04L41/122: Discovery or management of network topologies of virtualised topologies, e.g. software-defined networks [SDN] or network function virtualisation [NFV]
- H04L63/0272: Virtual private networks (network architectures or protocols for network security)
Abstract
A method and system for providing routing information for use in virtual private networks is disclosed. The method supports a variety of different secure network topologies. According to the method a static map is generated including information on each static gateway and resources accessible therethrough. The map also contains security information for accessing and authenticating a gateway.
Description
Doc No. 79-5 CA Patent
METHOD OF USING STATIC MAPS IN A VIRTUAL PRIVATE NETWORK
Field of the Invention This invention relates generally to communications networks and more particularly to a virtual private network (VPN).
Background of the Invention Computer security is fast becoming an important issue. With the proliferation of computers and computer networks into all aspects of business and daily life (financial, medical, education, government, and communications), the concern over secure file access is growing. One method of providing security from unauthorized access to files is to implement encryption and cipher techniques. These techniques convert data into other corresponding data forms in a fashion that is reversible. Once encrypted, the data is unintelligible unless first decrypted. DES, triple-DES and CAST were, at the time of filing, the encryption techniques believed to provide sufficient security for computer communications and files; single DES has since been shown to be breakable by exhaustive key search and is no longer considered adequate.
Historically, secure networks were achieved by preventing access to data within the network by those outside the network. Networks were formed of a number of computers interconnected by cables. No access to the network was permitted save through the use of one of the interconnected computers. In order to use these computers, it was necessary to be physically located within a building housing the network.
With the proliferation of modems, it became clear that remote access is a powerful tool. In order to provide remote access to network data, dial-up servers were maintained in communication with a public communication network such as a phone network. An individual wishing access to the network connects to the dial-up server with a computer equipped with a modem or another appropriate communication device, logs into the network, and is then provided access to the network. In this fashion, network data is only communicated over communication channels within the physical network and over dedicated dial-up connections. This was commonly viewed as less secure than the physically isolated computer network, but due to its advantages became commonplace.
With the proliferation of the Internet and Internet-based communications, a need has arisen to provide secure communications via an unsecured public network.
Encryption is commonly used to provide this security. For example, PGP (pretty good privacy) is an available encryption software product which implements a private-public key encryption system. Files are encrypted prior to transmission and then decrypted upon reception. The communicated file is secured by the encryption and is as secure as the encryption process used. For occasional file transfers, PGP and similar software products are excellent. Unfortunately, they are not well suited to network access via the public network.
In order to provide secure virtual private networks (SVPNs), the IPSEC (Internet Protocol Security) protocol suite was developed. IPSEC is a set of industry-standard extensions to the Internet Protocol (IP) that add security services. The suite contains protocols for an authentication header (AH) assuring data integrity and origin authentication, an encapsulating security payload (ESP) format ensuring data privacy (and, optionally, integrity), and a key management and exchange system (IKE). These industry-standard protocols allow for development and implementation of SVPNs.
Unfortunately, many commonly available network features are not available using these protocols alone. Also, flexibility is often compromised to ensure security. It would be advantageous to provide a high degree of flexibility, a broad range of network features, and a high level of security.
Object of the Invention It is an object of this invention to provide an SVPN having increased flexibility and increased features over those currently available using the IPSEC protocol suite. In particular it is an object of the invention to provide a method of managing routing and resource availability using pseudo-static information.
Summary of the Invention In accordance with the invention there is provided a method of routing first data within a secure virtual private network comprising the steps of:
storing static map data, the static map data indicative of a plurality of static gateways and resources accessible through the static gateways, the static map data comprising security information for use in authenticating a gateway from the plurality of static gateways;
selecting a resource to which to direct the first data;
determining from the static map data a gateway for accessing the selected resource;
establishing a connection with the determined gateway and authenticating the gateway;
and, transmitting the first data to the gateway for provision to the selected resource.
In an embodiment, authentication of the gateway is performed using certification data.
In accordance with another embodiment of the invention there is provided a method of routing first data within a secure virtual private network comprising the steps of:
storing static map data, the static map data indicative of a static gateway and at least a resource accessible through the static gateway, the static map data stored on a workstation remote from the gateway;
determining a destination resource from the at least a resource, the first data for provision to the destination resource from the workstation;
determining from the stored static map data a first static gateway through which to access the destination resource;
establishing a connection between the workstation and the first static gateway;
transmitting the first data to the first static gateway for provision to the resource.
In accordance with the invention there is also provided a method of routing first data within a secure virtual private network comprising the steps of:
storing a static map, the static map comprising gateway data and resource data, the gateway data including gateway routing data, gateway connection data, gateway security data, and gateway authentication data, the resource data related to a gateway and comprising resource routing data;
storing the static map on a workstation remote to a gateway for which gateway data is stored in the static map;
selecting one of a gateway and a resource to which to direct the first data;
determining from the static map data routing data, connection data, and security data for a gateway related to the selected one of a gateway and resource, wherein a gateway is related to itself;
using the determined routing data, connection data, and security data for the gateway, establishing a connection with the gateway and authenticating the gateway with which a connection is established; and, transmitting the first data to the gateway.
In accordance with the invention a static map is formed by the following steps:
receiving data from each gateway forming part of a secure virtual private network the data including gateway address, resources accessible through the gateway, and gateway authentication data;
collating the received data to form a static map; and, storing the static map within non-volatile memory.
Preferably, a system queries each gateway to determine sub-nets and resources accessible therethrough. Further, the data compiled automatically into the static map preferably includes security data such as a gateway identifier, whether or not a gateway supports tunneling and data relating to securing a communication session with the gateway from which the data is received.
In accordance with the invention there is provided a system for providing secure remote access via a wide area network to a private network, the system comprising:
a first adapter for communicating with a network, the first adapter for providing data to the network;
a virtual adapter for concurrent execution with the first adapter, the virtual adapter having a routing address; and, an intermediate adapter for intercepting data directed to the virtual adapter and for securing the data and redirecting it to the first adapter for transmission via the network.
In accordance with the invention there is provided a system for providing secure remote access via a wide area network to a private network, the system comprising:
a first adapter for communicating with a network;
a virtual adapter for concurrent execution with the first adapter, for communicating with the first adapter, the virtual adapter for providing data to the first adapter, the data secured for transmission via the wide area network to the private network.
It is advantageous according to the invention that a single communication session by the adapter provides for communication with both the private network and the public network, and wherein communication with systems other than those forming part of the private network is performed independent of the private network.
In an embodiment the virtual adapter comprises a data securer for securing the data. For example the data securer comprises an encryptor for using encryption as a means for securing the data. In an embodiment the step of preparing the second data is performed by the virtual adapter.
Brief Description of the Drawings An exemplary embodiment of the invention will now be discussed in conjunction with the attached drawings in which:
Fig. 1 is a simplified schematic diagram of an SVPN;
Fig. 2 is a simplified flow diagram of a method of tunneling from a secured workstation through an unsecured communication channel to another secured workstation;
Fig. 3 is a schematic diagram of a network comprising three sub-networks and an unsecured communication medium between two of the sub-networks;
Fig. 4 is a simplified block diagram of a prior art communication system;
Fig. 5a is a simplified block diagram of a prior art communication system for communicating with the Internet;
Fig. 5b is a simplified block diagram of a prior art communication system for communicating with a private network and thereby forming part of a secure virtual private network;
Fig. 6 is a simplified data flow diagram of communication with the Internet from a remote workstation forming part of a secure virtual private network;
Figs. 7a and 7b are simplified block diagrams of systems according to the invention for providing communication from a remote workstation forming part of a secure virtual private network with the Internet other than via the secure private network while connected to the secure virtual private network; and, Figs. 8a and 8b are simplified flow diagrams of the systems of Figs. 7a and 7b respectively.
Detailed Description Commonly when a user logs into a network, the user is provided access to the network according to established rules. For users physically located within a secure environment, these access restrictions prevent dissemination of sensitive information. For example, access to human resource data is often restricted. For users physically located outside the secure environment, these access restrictions prevent hacking -illegal access - from presenting a significant threat to data integrity and security.
Referring to Fig. 1, a secured virtual private network (SVPN) is shown. An unsecured communication medium 1 in the form of the Internet forms a communication backbone for the network and allows for communication between different geographical locations. In communication with the unsecured communication medium 1 are a variety of unsecured and secured systems (not shown). The VPN operates across this communication medium, providing communication through the medium 1 and transparent network operations. A secured VPN (SVPN) uses data obfuscation such as encryption to secure data communicated via an unsecure network. A secured network 3 is separated from the unsecured communication medium by a gateway 5. The gateway 5 acts to secure communications with other gateways and with workstations 7a provided with appropriate software. Workstations 7b located within secured networks 3 communicate with the secured network absent gateway security since they lie within the secure private network. Of course, when communication is with a workstation or resource outside the sub-network to which the workstations 7b are connected, then gateway security is required. The secured network also comprises a file server 7c and peripheral devices 7d.
Often, a VPN comprises several sub-networks each located remotely one from another. VPNs are often provided with management systems. In order to maintain a complex secured virtual private network comprising a plurality of sub-networks, information relating to each sub-network is required. The information is then used to determine routing for messages and for data. For example, a security gateway to which a request is to be directed in order to reach a desired destination is determined. Further, the information is indicative of information provided by the gateway for use in authentication of the gateway. This information, as described below, is used to prevent spoofing pretending to be a particular gateway in order to capture secure information.
Typically, a remote workstation is set up to communicate with a single gateway. A user of the workstation accesses resources available via that one gateway. When access to a resource that is not available through the gateway is desired, the user contacts a system administrator to determine information in the form of a gateway address and so forth for a gateway through which to access the desired resource. Then the user changes their settings to access that gateway and gains access to the resource. Once the resource is no longer needed, the user resets the settings (changes the destination gateway back to the original destination gateway) and continues using the network as before. Such a system is difficult to use and, because system administrators are not always available to answer questions, inconvenient. Often, a user requires training or detailed instructions to access different resources. The result is often that the different resources are not used or that users become frustrated with the network.
In accordance with the invention, a static network map is maintained. The static map comprises information relating to static nodes within the network. The information generally includes gateways and resources accessible through them. The use of a map of static nodes such as the static map is advantageous. An obvious advantage to the use of static maps is a presence of routing information on a workstation. The routing information allows for automated routing of data to a resource transparent to a user of the workstation. Further, selection of a resource from a list of resources is possible. Thus, a user can select a resource and send data thereto without ever understanding which gateway is accessed or what addresses and security were required.
Since the static map information is stored at each of several remote workstations, it is optionally secured. Of course, network topology is often not confidential and, therefore, the static map information is often unsecured. Optionally, the static map is updated unbeknownst to a user of the workstation. This allows substantial alterations to a physical private network without substantially affecting a user's access thereto.
Alternatively, the static map is updated by a user of a workstation.
Preferably, security information is stored within the static map. The security information reduces a likelihood of spoofing. Spoofing occurs when a system in communication with a wide area network such as the Internet pretends to be a network gateway. When a connection is formed with that system, all information sent to the "gateway" becomes accessible to that system. In order to prevent spoofing, a static map preferably contains security information. Security information includes information for verifying a gateway connection.
For example, an identifier is provided associated with each gateway. When a communication is initiated with the gateway, certified data is provided from the gateway to the workstation. The identifier is included within the information or, alternatively, is indicative of the authenticity of the certificate. Once the certificate is received, the workstation verifies the authenticity of the certificate/identifier in order to ensure that the connection is with the true gateway. Thus, spoofing is prevented. Evidently, absent a static map, prevention of spoofing adds further information for a user to enter in order to access a different gateway.
Should gateway security be breached, the gateway identifier is changed and the static map is updated. Remote users are notified that a new static map exists; once they follow directions to load it, all connections to the network are again verified against the new identifier. Since the static map is generated at the physical network, copying the static map to the correct location on a workstation is all that is required in order to update it. A utility to automate this task is easily implemented. Because the map carries the identifiers a workstation trusts, the channel used to distribute it must itself be trustworthy: an attacker able to substitute a map could point workstations at a spoofed gateway. Of course, the static map can be generated in any of a number of ways and at any of a number of locations including remote locations. It is preferred that it is generated automatically. This is possible by automatically querying all gateways in the SVPN for their configuration and generating a snapshot, in the form of the static map file, of all gateways.
The static map also comprises connection related information. For example, if a gateway supports tunneling, this may be stored within the static map. If a gateway supports a particular form of encryption or data integrity checking, this may also be stored in the static map.
Thus, the use of static maps greatly enhances network flexibility. New sections of network are more easily accessible as are network resources in general.
Alterations to security are easily implemented, changes to gateway information are easily implemented, and so forth. The static map forms an easily distributable routing and security information map for a virtual private network. Of course, the use of static maps for improved routing is also possible.
In an embodiment, a static map is created of network resources. The static map contains a list of resources and for each resource an associated gateway, an associated method of communication such as tunneling, and a distinguishing name. The static map is stored on a workstation. The distinguishing name is indicative of information provided to the workstation system to authenticate the gateway. In this way, the gateway is authenticated by the workstation and the workstation is authenticated by the gateway to ensure that both nodes are the correct network nodes.
Upon issuing a request, a requesting system searches the static map to determine a destination gateway. Communication therewith is initiated via the associated communication method and information is received from the gateway. When the information is as indicated by the static map and is authenticated, the communication of the request proceeds. When the authentication fails, the security of the communication is questionable.
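The following is an added example, not code from the patent, showing the whole cycle described in the summary and in the paragraphs above: the data each gateway reports is collated into a static map, the map is serialized into the form that is copied to workstations, a workstation looks up the gateway for a resource, and the gateway's certificate is checked against the identifier in the map before any data is sent. The field names, the JSON layout, the use of a SHA-256 certificate fingerprint as the "identifier", and the two sample gateways are all assumptions made for illustration.

```python
# Added example (not from the patent). Field names, JSON layout and the
# sample gateways are assumptions; the certificate bytes are constructed.
import hashlib
import hmac
import ipaddress
import json
from dataclasses import dataclass


@dataclass
class GatewayEntry:
    name: str
    address: str             # address of the gateway on the public network
    subnets: list            # resources (sub-nets) reachable behind this gateway
    cert_fingerprint: str    # gateway identifier: SHA-256 of its certificate
    tunneling: bool          # whether the gateway supports tunnel mode


def fingerprint(cert_der: bytes) -> str:
    """Gateway identifier stored in the map: SHA-256 over the certificate bytes."""
    return hashlib.sha256(cert_der).hexdigest()


def build_static_map(gateway_reports: list) -> dict:
    """Collate what each gateway reported into a map keyed by gateway name."""
    static_map = {}
    for report in gateway_reports:
        static_map[report["name"]] = GatewayEntry(
            name=report["name"],
            address=report["address"],
            subnets=[ipaddress.ip_network(s) for s in report["subnets"]],
            cert_fingerprint=fingerprint(report["cert_der"]),
            tunneling=bool(report["tunneling"]),
        )
    return static_map


def serialize(static_map: dict) -> str:
    """Distributable form of the map: the file that is copied to each workstation."""
    return json.dumps(
        {
            name: {
                "address": g.address,
                "subnets": [str(s) for s in g.subnets],
                "cert_fingerprint": g.cert_fingerprint,
                "tunneling": g.tunneling,
            }
            for name, g in static_map.items()
        },
        sort_keys=True,
    )


def load(serialized: str) -> dict:
    """Parse a distributed map back into GatewayEntry objects on the workstation."""
    return {
        name: GatewayEntry(
            name=name,
            address=d["address"],
            subnets=[ipaddress.ip_network(s) for s in d["subnets"]],
            cert_fingerprint=d["cert_fingerprint"],
            tunneling=d["tunneling"],
        )
        for name, d in json.loads(serialized).items()
    }


def gateway_for(static_map: dict, resource_ip: str):
    """Return the gateway whose sub-nets contain the resource, or None."""
    ip = ipaddress.ip_address(resource_ip)
    for g in static_map.values():
        if any(ip in net for net in g.subnets):
            return g
    return None


def authenticate_gateway(entry: GatewayEntry, presented_cert_der: bytes) -> bool:
    """Compare the certificate the peer presents with the identifier in the map."""
    return hmac.compare_digest(fingerprint(presented_cert_der), entry.cert_fingerprint)


def route(static_map: dict, resource_ip: str, presented_cert_der: bytes):
    """Decide where and how to send data for resource_ip; refuse an unverified gateway."""
    entry = gateway_for(static_map, resource_ip)
    if entry is None:
        raise LookupError(f"no gateway in the static map reaches {resource_ip}")
    if not authenticate_gateway(entry, presented_cert_der):
        raise PermissionError(f"gateway {entry.name} at {entry.address} failed authentication")
    return entry.address, "tunnel" if entry.tunneling else "transport"


# Constructed sample data: stand-ins for the certificates two gateways would present.
GATEWAY_A_CERT = b"constructed-certificate-bytes-for-gateway-A"
GATEWAY_B_CERT = b"constructed-certificate-bytes-for-gateway-B"
GATEWAY_REPORTS = [
    {"name": "gw-A", "address": "198.51.100.1", "subnets": ["10.1.0.0/16"],
     "cert_der": GATEWAY_A_CERT, "tunneling": True},
    {"name": "gw-B", "address": "203.0.113.1", "subnets": ["10.2.0.0/16", "10.3.0.0/24"],
     "cert_der": GATEWAY_B_CERT, "tunneling": False},
]
# Round-trip through the distributable form, exactly as a workstation would load it.
STATIC_MAP = load(serialize(build_static_map(GATEWAY_REPORTS)))
```

A request for 10.2.5.9 resolves to gw-B in transport mode; the same request answered by a peer presenting gw-A's certificate is refused, which is the spoofing case the text describes. A resource outside every listed sub-net is refused as well rather than being sent to a default gateway.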
Referring to Fig. 2, another embodiment of the invention is shown. When a request is for transmission from gateway 74 to resource 72, the static map indicates for resource 72 that gateway 74 should transmit the message using tunneling to gateway 76. Gateway 74 and gateway 76 initiate communication and authenticate each other. The message is then secured through encryption and transmitted to the gateway 76 via the Internet. At the gateway 76, the message is decrypted and transmitted over the network. In this fashion, a static map presents a point-to-point map of communication over an unsecured medium. All resources behind gateway 76 are listed in the static map as requiring a transmission to gateway 76 using tunneling and so forth. The complexity of the network beyond gateway 76 is of little concern to the sub-network C.
In another embodiment, in order to maintain a complex virtual network comprising a plurality of sub-networks, information relating to each sub-network is required. The information is then used to route information efficiently throughout the virtual network and to locate resources. In an embodiment of the invention, a data file is created for storing a "current" state of a network. The file is updated on a regular basis and contains information relating to static resources connected to the virtual network. The file comprises a static map of the network. The use of such a static map significantly improves performance over polling of resources or transmission of multiple requests by improving communication efficiency and response times. When a change in resources or active workstations is noted within a sub-net, a new static map for that sub-net is stored and is then transmitted for storage in the file. Changes are reflected by new configurations on the VPN gateway. Alternatively, an administrator updates the static map at intervals or upon a change to the network.
Referring to Fig. 3, an SVPN is shown comprising three separate corporate networks A, B, and C. When a request from workstation 71 in network C is intended for resource 72 in Network B, a common approach to fulfilling this request is to disconnect from network A and connect via the Internet to network B; however, a static map of the network indicates that resource 72 is available in the current network configuration by transmitting a request to network A. From network A the request is transmitted to network B and therein resource 72 is located. Should network B be provided with a gateway (shown as 73) to the Internet, an alternative route exists for the request. The use of static maps allows the system to determine a variety of routing choices to take in the event of network failure at a gateway or at another network node. Also, static maps permit selection of a most secure path for routing a request to a resource.
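As an added example (not part of the patent) of the route selection just described for Fig. 3, the block below models the three networks, rates each gateway-to-gateway link by the security level of its connection policy, and picks the path whose weakest link is strongest, falling back to the direct link through gateway 73 when network A's gateway is down. The topology, the numeric security levels and the resource placement are constructed for illustration; the patent does not specify how "most secure" is scored.

```python
# Added example (not from the patent). Topology, link security levels and
# the resource location are constructed for illustration.
import heapq

# Constructed static map of which network each resource lives in.
RESOURCES = {"resource-72": "B"}

# Constructed links between networks, rated by the security level of the
# gateway-to-gateway connection they stand for (higher is stronger). C reaches B
# through A, or directly over the Internet via gateway 73 under a weaker policy.
LINKS = {
    ("C", "A"): 3,
    ("A", "B"): 3,
    ("C", "B"): 1,
}


def build_graph(links: dict, down: frozenset) -> dict:
    """Undirected adjacency list, leaving out networks whose gateway is down."""
    graph = {}
    for (a, b), level in links.items():
        if a in down or b in down:
            continue
        graph.setdefault(a, []).append((b, level))
        graph.setdefault(b, []).append((a, level))
    return graph


def most_secure_path(links: dict, src: str, dst: str, down=frozenset()):
    """Bottleneck (widest) path: the route whose weakest link is as strong as possible.

    Returns (path, level); (None, None) when dst is unreachable.
    """
    graph = build_graph(links, down)
    best = {src: float("inf")}   # strongest bottleneck found so far per network
    prev = {}
    heap = [(-float("inf"), src)]
    while heap:
        neg_width, node = heapq.heappop(heap)
        width = -neg_width
        if width < best.get(node, float("-inf")):
            continue  # stale heap entry
        if node == dst:
            break
        for nxt, level in graph.get(node, []):
            bottleneck = min(width, level)
            if bottleneck > best.get(nxt, float("-inf")):
                best[nxt] = bottleneck
                prev[nxt] = node
                heapq.heappush(heap, (-bottleneck, nxt))
    if dst not in best:
        return None, None
    path = [dst]
    while path[-1] != src:
        path.append(prev[path[-1]])
    return path[::-1], best[dst]


def route_request(resource: str, from_network: str, down=frozenset()):
    """Locate the resource in the static map and choose the route for the request."""
    target = RESOURCES.get(resource)
    if target is None:
        raise LookupError(f"{resource} is not in the static map")
    return most_secure_path(LINKS, from_network, target, down)
```

With every gateway up, the request from C for resource 72 goes C, A, B at level 3 even though the direct link is one hop shorter; with A's gateway marked down it takes the direct link at level 1, and the caller can see from the returned level that the fallback path is weaker. Removing the direct link as well leaves the resource unreachable, which is reported rather than guessed.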
These and other advantages are significant over the prior art.
Security of management systems is essential to maintain network security and flexibility of management systems provides enhanced usability and improved turn-around times for problem correction. Often, increased flexibility results in decreased security.
Alternatively, increased flexibility results in reduced performance and increased resource utilisation.
Connection security policies in an SVPN are based on a node pair forming a connection. This requires a significant allocation of resources because, as the number of potential nodes increases, the number of connection security policies in the most general case is n^2 - n. For ten nodes, this results in 90 security level settings, one for each possible source/destination node pair. When 100 nodes exist, this number jumps to 9900. It is preferable to reduce the number of security level settings in order to facilitate network management, reduce memory requirements, and enhance usability of an SVPN. In an embodiment of the invention, a method of determining a security policy based on a particular host and a flexible security system for providing a negotiation between nodes via the host to determine desired connection security policies is implemented. A host is provided with a security level and a plurality of policies for enforcing the security level. Each node seeking to connect to another node via the host provides a certificate, which is authenticated, and the node is authorized. The nodes then "negotiate" a security level through implementation of the host security level and policies. For example, ISAKMP is flexible enough to permit negotiation of security levels and is used for this purpose. The host based security levels are less flexible than connection based security levels, but host based security levels are easier to administer.
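The host-based scheme above, as an added example that is not the patent's code and does not model ISAKMP itself: the host authenticates each node's certificate against a trusted list, then selects, from its own ordered policy list, the strongest policy both nodes offer, refusing anything below the host's minimum level so that two nodes cannot negotiate each other down. The policy names, levels, node names and certificate bytes are constructed for illustration.

```python
# Added example (not from the patent). Policy names, levels, node names and
# certificate bytes are constructed; ISAKMP itself is not modelled.
import hashlib
import hmac


def pair_policy_count(n: int) -> int:
    """Connection-based policies: one per ordered source/destination pair, n^2 - n."""
    return n * n - n


def host_policy_count(n: int) -> int:
    """Host-based policies: one per node admitted by the host."""
    return n


# Constructed host configuration: policies ordered strongest first.
HOST_POLICIES = [
    {"name": "esp-aes256-sha256", "level": 3},
    {"name": "esp-aes128-sha1", "level": 2},
    {"name": "esp-des-md5", "level": 1},
]
HOST_MIN_LEVEL = 2

# Constructed trusted node certificates, held by the host as SHA-256 fingerprints.
NODE_CERTS = {
    "node-1": b"constructed-certificate-bytes-for-node-1",
    "node-2": b"constructed-certificate-bytes-for-node-2",
}
TRUSTED = {name: hashlib.sha256(cert).hexdigest() for name, cert in NODE_CERTS.items()}


def authenticate_node(node_id: str, presented_cert: bytes) -> bool:
    """Accept the node only if the presented certificate matches its trusted fingerprint."""
    expected = TRUSTED.get(node_id)
    if expected is None:
        return False
    return hmac.compare_digest(hashlib.sha256(presented_cert).hexdigest(), expected)


def negotiate(host_policies: list, host_min_level: int, offer_a: set, offer_b: set):
    """Strongest host policy both nodes offer that meets the host minimum, else None."""
    for policy in host_policies:
        if policy["level"] < host_min_level:
            break          # list is ordered strongest first, so nothing below is acceptable
        if policy["name"] in offer_a and policy["name"] in offer_b:
            return policy["name"]
    return None


def connect_via_host(node_a: str, cert_a: bytes, offer_a: set,
                     node_b: str, cert_b: bytes, offer_b: set) -> str:
    """Authenticate both nodes, then negotiate under the host's policy; never fall back."""
    for node_id, cert in ((node_a, cert_a), (node_b, cert_b)):
        if not authenticate_node(node_id, cert):
            raise PermissionError(f"{node_id} failed certificate authentication")
    chosen = negotiate(HOST_POLICIES, HOST_MIN_LEVEL, offer_a, offer_b)
    if chosen is None:
        raise ValueError("no common policy meets the host's minimum security level")
    return chosen
```

Two nodes offering {aes128-sha1, des-md5} and {aes256-sha256, aes128-sha1} settle on esp-aes128-sha1. Two nodes that both offer only esp-des-md5 are refused, because the host's minimum is enforced before any common policy is accepted; and a node presenting the wrong certificate is rejected before negotiation begins. The policy-count helpers reproduce the 90 and 9900 figures in the text against the n policies of the host-based scheme.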
A common concern in network security applications is physical intrusion. A person gaining physical access to a network cable or to a gateway circuit board has access to significant amounts of information. Within the network cable, information is encoded to prevent access. Within each computer, the authorized user can view information only for that workstation. Commonly in the gateway, a significant amount of unsecured data exists. Opening a gateway and physically probing electrical connections provides access to data transmitted across each connection. According to the invention, all sensitive keying data stored within a gateway system is encrypted with a special Master Key. Therefore, only data in transit is discernable when a gateway system is breached unless the master encryption key is found. The master key is cleared when the gateway system case is compromised. This secures data from physical access attempts.
Another common problem encountered in the use of SVPN systems is that of security concerns for mobile users. For example, when using a cellular modem, an individual may desire increased security. When dialing up an ISP that is identical to that used by the company, performance may be the most significant concern. When using a slow system, performance is critical. When using a very fast state-of-the-art system, security is more important. According to an embodiment of the invention, a profile is created containing data relating to a security level, a network adapter, tunneling information, and so forth. When accessing the SVPN, a profile is selected and those settings are used. Optionally, profile authentication occurs to ensure that a desired level of security is achieved for the SVPN and that network security is not compromised. The profile is evaluated in dependence upon a series of criteria including communication medium, location of the mobile user, identity of the mobile user, and desired level of security for the profile. In another embodiment, a profile is flexible. For example, a country of origin of a communication, the communication medium, and an identity of the mobile user are determined and an appropriate set of policies is used.
Referring to Fig. 4, a simplified block diagram of a portion of a wide area network is shown. An application is executed on a computer. Computer software applications are well known and serve many varied functions. An example of such an application is an email application.
When the application has data for transmission via the wide area network to another workstation or server in communication with the wide area network, the application provides the data to a virtual adapter in execution on the same computer. The virtual adapter processes the data for transmission via the wide area network.
For example, protocol related formatting is performed. Optionally, other processing such as compression of data is also performed. The processed data is then provided to the physical adapter. Though the following description refers to a virtual adapter for performing these operations, it is also possible to intercept data directed toward the virtual adapter, process the intercepted data and redirect it. Thus the virtual adapter does not perform any actual processing of the data, but is used for routing the data; the routing of the data is then used to intercept it.
The adapter comprises a physical and a logical portion. The logical portion includes a device driver and so forth. The adapter is in communication via a communication medium with another system. When the communication medium is a wide area network (WAN) in the form of an Internet network, the other computer system is commonly an Internet Service Provider (ISP). Communication media are well known and are not important to the present invention. The adapters communicate according to a common set of rules or protocols. Some common protocols include error detection and correction codes in the form of parity, encryption standards, PPP protocol, and so forth.
The physical communication is transparent to the user of an application.
A virtual adapter receiving the data verifies that data transmission is without error. The data is then decoded and provided to a user level on the other system. In this way, a point to point communication is shown.
Referring to Figs. 5a and 5b, simplified block diagrams of prior art implementations of virtual communication adapters are shown. The communication adapters are both for execution on a same computer. Because of the way the adapters function, only one adapter is executable at any given time. Thus, a user communicates using a system according to the block diagram of Fig. 5a or Fig. 5b but not both. When communication with a wide area network such as the Internet is performed, the adapter of Fig. 5b is used. A system in execution of such an adapter provides Internet browsing, email, and other Internet access. Security is that provided by the Internet software tools in execution and by the virtual adapter. Many virtual adapters provide no security. When communication with the private network is performed, a secure virtual private network is created. All communicated data is secured prior to transmission to a secure gateway of the private network. There the data is decoded and transmitted to its destination. Such a connection provides access to private network data, applications, and internal mail. It also provides connections to the Internet but only via the gateway. Thus to communicate with the Internet, a data flow diagram such as that shown in Fig. 6 is required.
Referring to Fig. 6, a very complicated diagram results when an Internet request is transmitted when connected to an SVPN. The request is secured because it isn't distinguished from other SVPN data. It is then transmitted via the WAN to the gateway.
The gateway decodes the data and then routes it to its destination. Often, firewalls implement security protocols to prevent security breaches of the private network. When the request and the requested data are not perceived as a security threat, the requested data is received by the gateway and secured for transmission back to the workstation.
Alternatively, a user of the workstation can disconnect themselves from the SVPN and connect to the WAN with the virtual adapter of Fig. 5b in order to access the Internet.
Another prior art adapter system comprises two adapters in concurrent execution wherein a "virtual" adapter directs data output therefrom back up to a user level of the system. There it is redirected to the adapter through a plurality of system levels. Such a system is inefficient in its use of system resources and, since the virtual adapter returns processed data to the user level, is not a true implementation of a virtual adapter.
Clearly, none of these solutions is optimal. In one, the gateway must handle all Internet requests twice and the firewall provides security even though the workstation is not within the private network. In another, the user of a workstation must disconnect and reconnect numerous times during the course of a same session at the workstation. In yet another, system resources are inefficiently allocated and data integrity is not guaranteed since, at a user level within the system, the data is accessible to interception and modification.
Referring to Figs. 7a and 7b, block diagrams of systems according to the invention are shown. In Fig. 7a, a system for providing secure remote access via a wide area network to a private network is shown. The system comprises an adapter and a virtual adapter in concurrent execution. The virtual adapter acts as a destination for routing. Data routed to the virtual adapter is intercepted by the intermediate adapter and processed. The data is then rerouted to the adapter for communication via the wide area network.
The adapter in the form of a WAN adapter is for communicating information via the wide area network. This information is typically in the form of Internet requests and responses. Thus, any commonly available Internet software such as world wide web browsers, email software, gopher software, video conferencing software, etc. is useful while connected to the Internet.
The virtual adapter in the form of an SVPN virtual adapter is a destination for secured information for transmission via the wide area network to the private network. In essence, the virtual adapter address is used to direct data for similar processing as with a prior art SVPN adapter. The data is processed with a data securer in the form of an encryptor for obfuscating the data. Typically, data is obfuscated through encryption as is commonly known in the art. When a user wishes to transmit information to or receive information from the private network, an application in the form of an internal mail system, a database, or an operating system of the workstation provides data routed to the virtual adapter. The data is intercepted and secured and packaged for transmission to a gateway via the wide area network. Once it is secured and packaged, it is provided to the adapter for communicating it to the gateway.
Referring to Fig. 7b, a system for providing secure remote access via a wide area network to a private network is shown. The system comprises a virtual adapter and an adapter. The adapters execute concurrently on the system. According to the embodiment of Fig. 7b, only the adapter in the form of a WAN virtual adapter has associated hardware. The virtual adapter in the form of an SVPN virtual adapter communicates with applications in execution on the system and with the adapter.
The adapter is for communicating information for transmission via the wide area network. The information may be secured information received from the virtual adapter or it may be unsecured information received from an application. The virtual adapter is for communicating secured information with the adapter for transmission via the wide area network to the private network. Thus the adapter transmits all information to the network and processes information received and for transmission based on the wide area network protocol. The virtual adapter acts as a translator for securing information and for processing the data to ensure data integrity.
Referring to Figs. 8a and 8b, simplified flow diagrams of methods for each of the systems of Figs. 7a and 7b are shown.
In Fig. 8a, another method for secure remote access via a wide area network to a private network is shown. Data is provided from an application for communication to another system via a public network in the form of a wide area network. The data is one of data for communication via the secure virtual private network or for communication in an unsecured fashion. When the data is unsecured data, it is provided to an adapter which processes the data and provides it for transmission. Of course, secure data in the form of encrypted messages or files may also be provided to the adapter. The adapter is selected based on a designated destination for the data and not whether or not it is secured. When the data is for transmission in a secure fashion, the data is routed to a virtual adapter. The data is intercepted by a process for securing the data and then provided to the adapter.
Optionally further processing occurs such as address translation. When the virtual adapter and the adapter are in concurrent execution on the workstation, Internet access and SVPN access are possible simultaneously without the drawbacks of routing all Internet requests via the SVPN.
In Fig. 8b, a method for secure remote access via a wide area network to a private network is shown. Data is provided from an application for communication to another system via a public network in the form of a wide area network. The data is one of data for communication via the secure virtual private network or for communication in an unsecured fashion. When the data is unsecured data, it is provided to an adapter, which processes the data and provides it for transmission. Of course, secure data in the form of encrypted messages or files may also be provided to the adapter. The adapter is selected based on a designated destination for the data and not whether or not it is secured. When the data is for being transmitted in a secure fashion, the data is provided to a virtual adapter for securing the data, processing the data, and providing the data to the adapter for communication to a gateway of a secure private network. When the virtual adapter and the adapter are in concurrent execution on the workstation, Internet access and SVPN access are possible simultaneously without the drawbacks of routing all Internet requests via the SVPN.
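As an added illustration of the concurrent-adapter arrangement of Figs. 7 and 8 (example code, not code from the patent or from any product), the following Python models selection between a WAN adapter and an SVPN virtual adapter by designated destination, interception and securing of data routed to the virtual adapter, and the gateway-side decode; the 10.0.0.0/8 private range, the gateway address, the packet framing and the HMAC-based stand-in cipher are constructed assumptions.

```python
"""Concurrent WAN adapter and SVPN virtual adapter, selected by destination.

Added example; not code from the patent or from any product. The private
address range, the gateway address, the packet framing and the stand-in
cipher are all constructed assumptions.
"""
import hashlib
import hmac
import ipaddress
import struct

PRIVATE_NETWORK = ipaddress.ip_network("10.0.0.0/8")   # constructed private network
GATEWAY_ADDRESS = "198.51.100.5"                        # constructed SVPN gateway
TAG_LEN = 32                                            # bytes of HMAC-SHA256 tag


class WanAdapter:
    """The adapter with hardware behind it: whatever it is handed goes out as-is."""

    def __init__(self):
        self.sent = []                                  # (destination, bytes) pairs

    def transmit(self, dst, payload):
        self.sent.append((dst, payload))


def _keystream(key, nonce, length):
    """Stand-in for the encryptor: HMAC-SHA256 in counter mode, so the example
    needs no third-party package. A deployment would use a vetted AEAD."""
    out = b""
    for counter in range(0, length, 32):
        out += hmac.new(key, nonce + struct.pack("!I", counter), hashlib.sha256).digest()
    return out[:length]


class SvpnVirtualAdapter:
    """Routing destination for private-network data. Data routed here is
    intercepted, secured and re-addressed to the gateway via the WAN adapter."""

    def __init__(self, wan, key):
        self.wan, self.key, self.seq = wan, key, 0

    def secure(self, inner_dst, payload):
        """Frame = nonce | keystream-masked (private dst, payload) | tag."""
        nonce = struct.pack("!Q", self.seq)             # never reused within a session
        self.seq += 1
        inner = ipaddress.IPv4Address(inner_dst).packed + payload
        masked = bytes(a ^ b for a, b in zip(inner, _keystream(self.key, nonce, len(inner))))
        body = nonce + masked
        return body + hmac.new(self.key, body, hashlib.sha256).digest()

    def transmit(self, dst, payload):
        self.wan.transmit(GATEWAY_ADDRESS, self.secure(dst, payload))


def gateway_decode(key, packet):
    """Gateway side: verify the tag, strip the keystream and recover the private
    destination and the data. Returns None when the tag does not verify, so a
    tampered packet or one secured under another key is dropped."""
    body, tag = packet[:-TAG_LEN], packet[-TAG_LEN:]
    if not hmac.compare_digest(hmac.new(key, body, hashlib.sha256).digest(), tag):
        return None
    nonce, masked = body[:8], body[8:]
    inner = bytes(a ^ b for a, b in zip(masked, _keystream(key, nonce, len(masked))))
    return str(ipaddress.IPv4Address(inner[:4])), inner[4:]


def select_adapter(dst, wan, vpn):
    """The adapter is chosen by the designated destination, not by whether the
    data is already secured: private addresses go to the virtual adapter,
    everything else goes straight to the WAN adapter."""
    return vpn if ipaddress.ip_address(dst) in PRIVATE_NETWORK else wan


def send(dst, payload, wan, vpn):
    adapter = select_adapter(dst, wan, vpn)
    adapter.transmit(dst, payload)
    return adapter


def demo():
    """Internal mail to the private network and a web request to the Internet
    leave the workstation in one session, with only the former via the gateway.
    Returns what went on the wire, with the gateway-bound packet decoded."""
    key = b"constructed session key"
    wan = WanAdapter()
    vpn = SvpnVirtualAdapter(wan, key)
    send("10.1.2.3", b"MAIL FROM: user@corp.example", wan, vpn)   # private -> gateway
    send("203.0.113.7", b"GET / HTTP/1.0", wan, vpn)              # Internet -> direct
    return [(dst, gateway_decode(key, data) if dst == GATEWAY_ADDRESS else data)
            for dst, data in wan.sent]


if __name__ == "__main__":
    for entry in demo():
        print(entry)
```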
Though the method of using static maps according to the invention is described with reference to use on workstations disposed remotely from a gateway, it is also applicable to use by gateways. The gateways use static map data to route data within the secure virtual private network, for example when a gateway is routing data to a resource within another portion of the secure virtual private network via a different gateway.
Numerous other embodiments may be envisaged without departing from the spirit and scope of the invention.
storing static map data, the static map data indicative of a plurality of static gateways and resources accessible through the static gateways, the static map data comprising security information for use in authenticating a gateway from the plurality of static gateways;
selecting a resource to which to direct the first data;
determining from the static map data a gateway for accessing the selected resource;
establishing a connection with the determined gateway and authenticating the gateway;
and, transmitting the first data to the gateway for provision to the selected resource.
In an embodiment, authentication of the gateway is performed using certification data.
In accordance with another embodiment of the invention there is provided a method of routing first data within a secure virtual private network comprising the steps of:
storing static map data, the static map data indicative of a static gateway and at least a resource accessible through the static gateway, the static map data stored on a workstation remote from the gateway;
determining a destination resource from the at least a resource, the first data for provision to the destination resource from the workstation;
determining from the stored static map data a first static gateway through which to access the destination resource;
establishing a connection between the workstation and the first static gateway;
transmitting the first data to the first static gateway for provision to the resource.
In accordance with the invention there is also provided a method of routing first data within a secure virtual private network comprising the steps of:
storing a static map, the static map comprising gateway data and resource data, the gateway data including gateway routing data, gateway connection data, gateway security data, and gateway authentication data, the resource data related to a gateway and comprising resource routing data;
storing the static map on a workstation remote to a gateway for which gateway data is stored in the static map;
selecting one of a gateway and a resource to which to direct the first data;
determining from the static map data routing data, connection data, and security data for a gateway related to the selected one of a gateway and resource, wherein a gateway is related to itself;
using the determined routing data, connection data, and security data for the gateway, establishing a connection with the gateway and authenticating the gateway with which a connection is established; and, transmitting the first data to the gateway.
In accordance with the invention a static map is formed by the following steps:
receiving data from each gateway forming part of a secure virtual private network the data including gateway address, resources accessible through the gateway, and gateway authentication data;
collating the received data to form a static map; and, storing the static map within non-volatile memory.
Preferably, a system queries each gateway to determine sub-nets and resources accessible therethrough. Further, the data compiled automatically into the static map preferably includes security data such as a gateway identifier, whether or not a gateway supports tunneling and data relating to securing a communication session with the gateway from which the data is received.
In accordance with the invention there is provided a system for providing secure remote access via a wide area network to a private network, the system comprising:
a first adapter for communicating with a network, the first adapter for providing data to the network;
a virtual adapter for concurrent execution with the first adapter, the virtual adapter having a routing address; and, an intermediate adapter for intercepting data directed to the virtual adapter and for securing the data and redirecting it to the first adapter for transmission via the network.
In accordance with the invention there is provided a system for providing secure remote access via a wide area network to a private network, the system comprising:
a first adapter for communicating with a network;
a virtual adapter for concurrent execution with the first adapter, for communicating with the first adapter, the virtual adapter for providing data to the first adapter, the information secured for transmission via the wide area network to the private network.
It is advantageous according to the invention that a single communication session by the adapter provides for communication with both the private network and the public network, and wherein communication with systems other than those forming part of the private network is performed independent of the private network.
In an embodiment the virtual adapter comprises a data securer for securing the data. For example the data securer comprises an encryptor for using encryption as a means for securing the data. In an embodiment the step of preparing the second data is performed by the virtual adapter.
Brief Description of the Drawings
An exemplary embodiment of the invention will now be discussed in conjunction with the attached drawings in which:
Fig. 1 is a simplified schematic diagram of an SVPN;
Fig. 2 is a simplified flow diagram of a method of tunneling from a secured workstation through an unsecured communication channel to another secured workstation;
Fig. 3 is a schematic diagram of a network comprising three sub-networks and an unsecured communication medium between two of the sub-networks;
Fig. 4 is a simplified block diagram of a prior art communication system;
Fig. 5a is a simplified block diagram of a prior art communication system for communicating with the Internet;
Fig. 5b is a simplified block diagram of a prior art communication system for communicating with a private network and thereby forming part of a secure virtual private network;
Fig. 6 is a simplified data flow diagram of communication with the Internet from a remote workstation forming part of a secure virtual private network;
Figs. 7a and 7b are simplified block diagrams of systems according to the invention for providing communication from a remote workstation forming part of a secure virtual private network with the Internet other than via the secure private network while connected to the secure virtual private network; and,
Figs. 8a and 8b are simplified flow diagrams of the systems of Figs. 7a and 7b respectively.
Detailed Description
Commonly when a user logs into a network, the user is provided access to the network according to established rules. For users physically located within a secure environment, these access restrictions prevent dissemination of sensitive information. For example, access to human resource data is often restricted. For users physically located outside the secure environment, these access restrictions prevent hacking - illegal access - from presenting a significant threat to data integrity and security.
Referring to Fig. 1, a secured virtual private network (SVPN) is shown. An unsecured communication medium 1 in the form of the Internet forms a communication backbone for the network and allows for communication between different geographical locations. In communication with the unsecured communication medium 1 are a variety of unsecured and secured systems (not shown). The VPN operates across this communication medium providing communication through the medium 1 and transparent network operations. A secured VPN, or SVPN, uses data obfuscation such as encryption to secure data communicated via an unsecure network. A secured network 3 is separated from the unsecured communication medium by a gateway 5. The gateway 5 acts to secure communications with other gateways and with workstations 7a provided with appropriate software. Workstations 7b located within secured networks 3 communicate with the secured network absent gateway security since they lie within the secure private network. Of course, when communication is with a workstation or resource outside the sub-network to which the workstations 7b are connected, then gateway security is required. The secured network also comprises a file server 7c and peripheral devices 7d.
Often, a VPN comprises several sub-networks each located remotely one from another. VPNs are often provided with management systems. In order to maintain a complex secured virtual private network comprising a plurality of sub-networks, information relating to each sub-network is required. The information is then used to determine routing for messages and for data. For example, a security gateway to which a request is to be directed in order to reach a desired destination is determined. Further, the information is indicative of information provided by the gateway for use in authentication of the gateway. This information, as described below, is used to prevent spoofing - pretending to be a particular gateway in order to capture secure information.
Typically, a remote workstation is set up to communicate with a single gateway.
A user of the workstation accesses resources available via that one gateway.
When access to a resource that is not available through the gateway is desired, the user contacts a system administrator to determine information in the form of a gateway address and so forth for a gateway through which to access the desired resource. Then the user changes their settings to access that gateway and gains access to the resource. Once the resource is no longer needed, the user resets the settings - changes the destination gateway back to the original destination gateway - and continues using the network as before.
Such a system is difficult to use and, because system administrators are not always available to answer questions, inconvenient. Often, a user requires training or detailed instructions to access different resources. The result is often that the different resources are not used or that users become frustrated with the network.
In accordance with the invention, a static network map is maintained. The static map comprises information relating to static nodes within the network. The information generally includes gateways and resources accessible through them. The use of a map of static nodes such as the static map is advantageous. An obvious advantage to the use of static maps is a presence of routing information on a workstation. The routing information allows for automated routing of data to a resource transparent to a user of the workstation. Further, selection of a resource from a list of resources is possible. Thus, a user can select a resource and send data thereto without ever understanding which gateway is accessed or what addresses and security were required.
Since the static map information is stored at each of several remote workstations, it is optionally secured. Of course, network topology is often not confidential and, therefore, the static map information is often unsecured. Optionally, the static map is updated unbeknownst to a user of the workstation. This allows substantial alterations to a physical private network without substantially affecting a user's access thereto.
Alternatively, the static map is updated by a user of a workstation.
Preferably, security information is stored within the static map. The security information reduces a likelihood of spoofing. Spoofing occurs when a system in communication with a wide area network such as the Internet pretends to be a network gateway. When a connection is formed with that system, all information sent to the "gateway" becomes accessible to that system. In order to prevent spoofing, a static map preferably contains security information. Security information includes information for verifying a gateway connection.
For example, an identifier is provided associated with each gateway. When a communication is initiated with the gateway, certified data is provided from the gateway to the workstation. The identifier is included within the information or, alternatively, is indicative of the authenticity of the certificate. Once the certificate is received, the workstation verifies the authenticity of the certificate/identifier in order to ensure that the connection is with the true gateway. Thus, spoofing is prevented. Evidently, absent a static map, prevention of spoofing adds further information for a user to enter in order to access a different gateway.
Should gateway security be breached, the gateway identifier is changed and the static map is updated. By notifying remote users that a new static map exists, network security is ensured. Users follow directions to load the new static map and then all connections to the network are again secure and verified. Since the static map is generated at the physical network, copying of the static map to a correct location on a workstation is all that is required in order to update it. A utility to automate this task is easily implemented. Of course, the static map can be generated in any of a number of ways and at any of a number of locations including remote locations. It is preferred that it is generated automatically. This is possible by automatically querying all gateways in the SVPN for their configuration and generating a snapshot in the form of the static map file of all gateways.
The static map also comprises connection related information. For example, if a gateway supports tunneling, this may be stored within the static map. If a gateway supports a particular form of encryption or data integrity checking, this may also be stored in the static map.
Thus, the use of static maps greatly enhances network flexibility. New sections of network are more easily accessible as are network resources in general.
Alterations to security are easily implemented, changes to gateway information are easily implemented, and so forth. The static map forms an easily distributable routing and security information map for a virtual private network. Of course, the use of static maps for improved routing is also possible.
In an embodiment, a static map is created of network resources. The static map contains a list of resources and for each resource an associated gateway, an associated method of communication such as tunneling, and a distinguishing name. The static map is stored on a workstation. The distinguishing name is indicative of information provided to the workstation system to authenticate the gateway. In this way, the gateway is authenticated by the workstation and the workstation is authenticated by the gateway to ensure that both nodes are the correct network nodes.
Upon issuing a request, a requesting system searches the static map to determine a destination gateway. Communication therewith is initiated via the associated communication method and information is received from the gateway. When the information is as indicated by the static map and is authenticated, the communication of the request proceeds. When the authentication fails, the security of the communication is questionable.
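As an added illustration (example code, not code from the patent or from any product) of collating gateway reports into a static map, looking up the gateway for a resource, authenticating the gateway against the recorded identifier, falling back to an alternative gateway as in the Fig. 3 discussion, and changing the identifier after a breach, the following Python uses a SHA-256 certificate fingerprint as the gateway identifier; the record layout and every sample value are constructed.

```python
"""Static map: build, look up, authenticate the gateway, fall back, rekey.

Added example; not code from the patent or from any product. The record
layout, the use of a SHA-256 certificate fingerprint as the gateway
identifier and all sample values are constructed assumptions.
"""
import hashlib
from dataclasses import dataclass


@dataclass(frozen=True)
class GatewayEntry:
    name: str
    address: str
    identifier: str            # fingerprint the gateway's certificate must match
    supports_tunneling: bool


def fingerprint(cert_der: bytes) -> str:
    return hashlib.sha256(cert_der).hexdigest()


def build_static_map(reports):
    """Collate what each gateway reported (address, reachable resources,
    certificate) into the map: gateways by name and, per resource, the
    ordered list of gateway names that reach it (first is preferred)."""
    gateways, resources = {}, {}
    for r in reports:
        gateways[r["name"]] = GatewayEntry(
            r["name"], r["address"], fingerprint(r["cert"]), r["tunneling"])
        for res in r["resources"]:
            resources.setdefault(res, []).append(r["name"])
    return {"gateways": gateways, "resources": resources}


def authenticate_gateway(entry: GatewayEntry, presented_cert: bytes) -> bool:
    """Workstation-side check: the certificate the peer presents must match the
    identifier recorded in the static map; otherwise the peer is treated as a
    spoofed gateway and nothing is sent to it."""
    return fingerprint(presented_cert) == entry.identifier


def route_request(static_map, resource, connect):
    """Try the map's gateways for `resource` in order. `connect(entry)` returns
    the certificate bytes the peer presented, or None when the connection
    failed. Returns the authenticated gateway (or None) and the rejected
    attempts with the reason for each."""
    attempts = []
    for name in static_map["resources"].get(resource, []):
        entry = static_map["gateways"][name]
        cert = connect(entry)
        if cert is None:
            attempts.append((name, "unreachable"))
        elif not authenticate_gateway(entry, cert):
            attempts.append((name, "authentication failed"))
        else:
            return entry, attempts
    return None, attempts


def rekey_gateway(static_map, name, new_cert):
    """After a gateway compromise the identifier changes; once the new map is
    distributed, the old certificate no longer authenticates."""
    old = static_map["gateways"][name]
    static_map["gateways"][name] = GatewayEntry(
        old.name, old.address, fingerprint(new_cert), old.supports_tunneling)
    return static_map


# Constructed sample modelled on Fig. 3: resource 72 in network B is reachable
# via network A's gateway (preferred) or directly via gateway 73 in network B.
CERT_A = b"constructed certificate for gateway-A"
CERT_73 = b"constructed certificate for gateway-73"
SAMPLE_MAP = build_static_map([
    {"name": "gateway-A", "address": "192.0.2.10", "cert": CERT_A,
     "tunneling": True, "resources": ["resource-72"]},
    {"name": "gateway-73", "address": "198.51.100.73", "cert": CERT_73,
     "tunneling": True, "resources": ["resource-72"]},
])


def demo():
    """Gateway A is down; gateway 73 answers with its recorded certificate."""
    presented = {"gateway-A": None, "gateway-73": CERT_73}
    gw, attempts = route_request(SAMPLE_MAP, "resource-72",
                                 lambda e: presented[e.name])
    return (gw.name if gw else None), attempts


def demo_spoof():
    """A host answering at gateway A's address presents a certificate that does
    not match the map, so it is skipped and gateway 73 is used instead."""
    presented = {"gateway-A": b"constructed certificate of an impostor",
                 "gateway-73": CERT_73}
    gw, attempts = route_request(SAMPLE_MAP, "resource-72",
                                 lambda e: presented[e.name])
    return (gw.name if gw else None), attempts


if __name__ == "__main__":
    print(demo())
    print(demo_spoof())
```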
Referring to Fig. 2, another embodiment of the invention is shown. When a request is for transmission from gateway 74 to resource 72, the static map indicates for resource 72 that gateway 74 should transmit the message using tunneling to gateway 76.
Gateway 74 and gateway 76 initiate communication and authenticate each other.
The message is then secured through encryption and transmitted to the gateway 76 via the Internet. At the gateway 76, the message is decrypted and transmitted over the network.
In this fashion, a static map presents a point to point map of communication over an unsecured medium. All resources behind gateway 76 are listed in the static map as requiring a transmission to gateway 76 using tunneling and so forth. The complexity of the network beyond gateway 76 is of little concern to the sub-network C.
In another embodiment, in order to maintain a complex virtual network comprising a plurality of sub-networks, information relating to each sub-network is required. The information is then used to route information efficiently throughout the virtual network and to locate resources. In an embodiment of the invention, a data file is created for storing a "current" state of a network. The file is updated on a regular basis and contains information relating to static resources connected to the virtual network. The file comprises a static map of the network. The use of such a static map significantly improves performance over polling of resources or transmission of multiple requests by improving communication efficiency and response times. When a change in resources or active workstations is noted within a sub-net, a new static map for that sub-net is stored and is then transmitted for storage in the file. Changes are reflected by new configurations on the VPN gateway. Alternatively, an administrator updates the static map at intervals or upon a change to the network.
Referring to Fig. 3, an SVPN is shown comprising three separate corporate networks A, B, and C. When a request from workstation 71 in network C is intended for resource 72 in Network B, a common approach to fulfilling this request is to disconnect from network A and connect via the Internet to network B; however, a static map of the network indicates that resource 72 is available in the current network configuration by transmitting a request to network A. From network A the request is transmitted to network B and therein resource 72 is located. Should network B be provided with a gateway (shown as 73) to the Internet, an alternative route exists for the request. The use of static maps allows the system to determine a variety of routing choices to take in the event of network failure at a gateway or at another network node. Also, static maps permit selection of a most secure path for routing a request to a resource.
These and other advantages are significant over the prior art.
Security of management systems is essential to maintain network security and flexibility of management systems provides enhanced usability and improved turn-around times for problem correction. Often, increased flexibility results in decreased security.
Alternatively, increased flexibility results in reduced performance and increased resource utilisation.
Doc No. 79-5 CA Patent Connection security policies in an SVPN are based on a node pair forming a connection. This requires a significant allocation of resources because as the number of potential nodes increases, the number of connection security policies in the most general case is n2-n. For ten possible node connections, this results in 90 security level settings for each possible source/destination node pair. When 100 possible node connections exist, this number jumps to 9900. It is preferable to reduce the number of security level settings in order to facilitate network management, reduce memory requirements, and enhance usability of an SVPN. In an embodiment of the invention, a method of determining a security policy based on a particular host and a flexible security system for providing a negotiation between nodes via the host to determine desired connection security policies is implemented. A host is provided with a security level and a plurality of policies for enforcing the security level. Each node seeking to connect to another node via the host provides a certificate, which is authenticated, and the node is authorized. The nodes then "negotiate" a security level through implementation of the host security level and policies. For example, ISAKMP is flexible enough to permit negotiation of security levels and is used for this purpose. The host based security levels are less flexible than connection based security levels, but host based security levels are easier to administer.
A common concern in network security applications is physical intrusion. A person gaining physical access to a network cable or to a gateway circuit board has access to significant amounts of information. Within the network cable, information is encoded to prevent access. Within each computer, the authorized user can view information only for that workstation. Commonly in the gateway, a significant amount of unsecured data exists. Opening a gateway and physically probing electrical connections provides access to data transmitted across each connection. According to the invention, all sensitive keying data stored within a gateway system is encrypted with a special Master Key. Therefore, only data in transit is discernable when a gateway system is breached, unless the master encryption key is found. The master key is cleared when the gateway system case is compromised. This secures stored data from physical access attempts.
Another common problem encountered in the use of SVPN systems is that of security concerns for mobile users. For example, when using a cellular modem, an individual may desire increased security. When dialing up an ISP that is identical to that used by the company, performance may be the most significant concern. When using a slow system, performance is critical. When using a very fast state-of-the-art system, security is more important. According to an embodiment of the invention, a profile is created containing data relating to a security level, a network adapter, tunneling information, and so forth. When accessing the SVPN, a profile is selected and those settings are used. Optionally, profile authentication occurs to ensure that a desired level of security is achieved for the SVPN and that network security is not compromised. The profile is evaluated in dependence upon a series of criteria including communication medium, location of the mobile user, identity of the mobile user, and desired level of security for the profile. In another embodiment, a profile is flexible. For example, a country of origin of a communication, the communication medium, and an identity of the mobile user are determined and an appropriate set of policies is used.
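The profile evaluation just described, as an added example in Python rather than anything from the patent: a profile carries a security level, an adapter and a tunneling flag; the context supplies the medium, country of origin, user identity and link speed; `authenticate_profile` rejects a profile that would weaken the SVPN in that context, and `choose_profile` prefers performance on a slow link and protection on a fast one. The policy rules, level scale, adapter-to-medium mapping, home countries, privileged users and sample profiles are all assumptions made for the example.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Profile:
    name: str
    security_level: int   # 1 = performance, 3 = strongest protection (hypothetical scale)
    adapter: str          # network adapter the profile is built for
    tunneling: bool       # whether the profile tunnels traffic to the SVPN gateway


@dataclass(frozen=True)
class Context:
    medium: str           # how the user is connected right now
    country: str          # country of origin of the communication
    user: str             # identity of the mobile user
    fast_link: bool       # slow link: performance matters; fast link: security matters


# Which adapter each communication medium needs (assumption).
ADAPTER_FOR_MEDIUM = {"cellular": "cellular-modem", "dialup-corporate-isp": "modem",
                      "dialup-other-isp": "modem", "broadband": "ethernet"}
HOME_COUNTRIES = {"CA", "US"}
PRIVILEGED_USERS = {"admin"}


def required_level(ctx: Context) -> int:
    """Hypothetical policy: the minimum security level the SVPN accepts for this context."""
    level = 1
    if ctx.medium == "cellular":
        level = max(level, 3)      # radio link: assume it can be intercepted
    elif ctx.medium == "dialup-other-isp":
        level = max(level, 2)      # a third-party ISP, not the company's own
    if ctx.country not in HOME_COUNTRIES:
        level = max(level, 3)
    if ctx.user in PRIVILEGED_USERS:
        level = max(level, 2)
    return level


def authenticate_profile(profile: Profile, ctx: Context) -> list:
    """Profile authentication: the reasons this profile must not be used in this context."""
    problems = []
    if profile.adapter != ADAPTER_FOR_MEDIUM[ctx.medium]:
        problems.append(f"adapter {profile.adapter} does not match medium {ctx.medium}")
    needed = required_level(ctx)
    if profile.security_level < needed:
        problems.append(f"level {profile.security_level} below required {needed}")
    if ctx.country not in HOME_COUNTRIES and not profile.tunneling:
        problems.append("tunneling required for communications from outside home countries")
    return problems


def choose_profile(profiles: list, ctx: Context) -> Profile:
    """Among profiles that pass authentication, prefer performance on a slow link and
    protection on a fast one."""
    usable = [p for p in profiles if not authenticate_profile(p, ctx)]
    if not usable:
        raise ValueError(f"no profile satisfies policy for {ctx}")
    if ctx.fast_link:
        return max(usable, key=lambda p: p.security_level)
    return min(usable, key=lambda p: p.security_level)


# Constructed sample profiles.
PROFILES = [
    Profile("perf-dialup", 1, "modem", False),
    Profile("std-lan", 2, "ethernet", True),
    Profile("secure-modem", 3, "modem", True),
    Profile("secure-cellular", 3, "cellular-modem", True),
]
```

A cellular user is forced onto the level-3 cellular profile; an ordinary user dialing the corporate ISP on a slow line gets the performance profile; the same call by an administrator gets the secure modem profile; and a broadband connection from outside the home countries is refused because no level-3 ethernet profile exists.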
Referring to Fig. 4 a simplified block diagram of a portion of a wide area network is shown. An application is executed on a computer. Computer software applications are well known and serve many varied functions. An example of such an application is an email application.
When the application has data for transmission via the wide area network to another workstation or server in communication with the wide area network, the application provides the data to a virtual adapter in execution on the same computer. The virtual adapter processes the data for transmission via the wide area network.
For example, protocol related formatting is performed. Optionally, other processing such as compression of data is also performed. The processed data is then provided to the physical adapter. Though the following description refers to a virtual adapter for performing these operations, it is also possible to intercept data directed toward the virtual adapter, process the intercepted data and redirect it. In that case the virtual adapter does not perform any actual processing of the data, but is used for routing the data; the routing of the data is then used to intercept it.
The adapter comprises a physical and a logical portion. The logical portion includes a device driver and so forth. The adapter is in communication via a communication medium with another system. When the communication medium is a wide area network (WAN) in the form of an Internet network, the other computer system is commonly an Internet Service Provider (ISP). Communication media are well known and are not important to the present invention. The adapters communicate according to a common set of rules or protocols. Some common protocols include error detection and correction codes in the form of parity, encryption standards, PPP protocol, and so forth.
The physical communication is transparent to the user of an application.
A virtual adapter receiving the data verifies that data transmission is without error. The data is then decoded and provided to a user level on the other system. In this way, a point to point communication is shown.
Referring to Figs. 5a and 5b, simplified block diagrams of prior art implementations of virtual communication adapters are shown. The communication adapters are both for execution on a same computer. Because of the way the adapters function, only one adapter is executable at any given time. Thus, a user communicates using a system according to the block diagram of Fig. 5a or Fig. 5b but not both. When communication with a wide area network such as the Internet is performed, the adapter of Fig. 5b is used. A system in execution of such an adapter provides Internet browsing, email, and other Internet access. Security is that provided by the Internet software tools in execution and by the virtual adapter. Many virtual adapters provide no security. When communication with the private network is performed, a secure virtual private network is created. All communicated data is secured prior to transmission to a secure gateway of the private network. There the data is decoded and transmitted to its destination. Such a connection provides access to private network data, applications, and internal mail. It also provides connections to the Internet, but only via the gateway. Thus to communicate with the Internet, a data flow such as that shown in Fig. 6 is required.
Referring to Fig. 6, a very complicated diagram results when an Internet request is transmitted when connected to an SVPN. The request is secured because it isn't distinguished from other SVPN data. It is then transmitted via the WAN to the gateway.
The gateway decodes the data and then, routes it to its destination. Often, firewalls implement security protocols to prevent security breaches of the private network. When the request and the requested data are not perceived as a security threat, the requested data is received by the gateway and secured for transmission back to the workstation.
Alternatively, a user of the workstation can disconnect from the SVPN and connect to the WAN with the virtual adapter of Fig. 5b in order to access the Internet.
Another prior art adapter system comprises two adapters in concurrent execution wherein a "virtual" adapter directs data output therefrom back up to a user level of the system. There it is redirected to the adapter through a plurality of system levels. Such a system is inefficient in its use of system resources and, since the virtual adapter returns processed data to the user level, is not a true implementation of a virtual adapter.
Clearly, none of these solutions is optimal. In one, the gateway must handle all Internet requests twice and the firewall provides security even though the workstation is not within the private network. In another, the user of a workstation must disconnect and reconnect numerous times during the course of a same session at the workstation. In yet another, system resources are inefficiently allocated and data integrity is not guaranteed, since at a user level within the system the data is accessible to interception and modification.
Referring to Figs. 7a and 7b, block diagrams of systems according to the invention are shown. In Fig. 7a, a system for providing secure remote access via a wide area network to a private network is shown. The system comprises an adapter and a virtual adapter in concurrent execution. The virtual adapter acts as a destination for routing. Data routed to the virtual adapter is intercepted by the intermediate adapter and processed. The data is then rerouted to the adapter for communication via the wide area network.
The adapter in the form of a WAN adapter is for communicating information via the wide area network. This information is typically in the form of Internet requests and responses. Thus, any commonly available Internet software, such as world wide web browsers, email software, gopher software, or video conferencing software, remains usable while connected to the Internet.
The virtual adapter in the form of an SVPN virtual adapter is a destination for secured information for transmission via the wide area network to the private network. In essence, the virtual adapter address is used to direct data for similar processing as with a prior art SVPN adapter. The data is processed with a data securer in the form of an encryptor for obfuscating the data. Typically, data is obfuscated through encryption as is commonly known in the art. When a user wishes to transmit information to or receive information from the private network, an application in the form of an internal mail system, a database, or an operating system of the workstation provides data routed to the virtual adapter. The data is intercepted and secured and packaged for transmission to a gateway via the wide area network. Once it is secured and packaged, it is provided to the adapter for communicating it to the gateway.
Referring to Fig. 7b, a system for providing secure remote access via a wide area network to a private network is shown. The system comprises a virtual adapter and an adapter. The adapters execute concurrently on the system. According to the embodiment of Fig. 7b, only the adapter, in the form of a WAN adapter, has associated hardware. The virtual adapter, in the form of an SVPN virtual adapter, communicates with applications in execution on the system and with the adapter.
The adapter is for communicating information for transmission via the wide area network. The information may be secured information received from the virtual adapter or it may be unsecured information received from an application. The virtual adapter is for communicating secured information with the adapter for transmission via the wide area network to the private network. Thus the adapter transmits all information to the network and processes information received and for transmission based on the wide area network protocol. The virtual adapter acts as a translator for securing information and for processing the data to ensure data integrity.
Referring to Figs. 8a and 8b, simplified flow diagrams of methods for each of the systems of Figs. 7a and 7b are shown.
In Fig. 8a, a method for secure remote access via a wide area network to a private network is shown. Data is provided from an application for communication to another system via a public network in the form of a wide area network. The data is either data for communication via the secure virtual private network or data for communication in an unsecured fashion. When the data is unsecured data, it is provided to an adapter which processes the data and provides it for transmission. Of course, secure data in the form of encrypted messages or files may also be provided to the adapter. The adapter is selected based on a designated destination for the data and not on whether or not it is secured. When the data is for transmission in a secure fashion, the data is routed to a virtual adapter. The data is intercepted by a process for securing the data and then provided to the adapter.
Optionally, further processing such as address translation occurs. When the virtual adapter and the adapter are in concurrent execution on the workstation, Internet access and SVPN access are possible simultaneously without the drawbacks of routing all Internet requests via the SVPN.
In Fig. 8b, a method for secure remote access via a wide area network to a private network is shown. Data is provided from an application for communication to another system via a public network in the form of a wide area network. The data is either data for communication via the secure virtual private network or data for communication in an unsecured fashion. When the data is unsecured data, it is provided to an adapter, which processes the data and provides it for transmission. Of course, secure data in the form of encrypted messages or files may also be provided to the adapter. The adapter is selected based on a designated destination for the data and not on whether or not it is secured. When the data is to be transmitted in a secure fashion, the data is provided to a virtual adapter for securing the data, processing the data, and providing the data to the adapter for communication to a gateway of a secure private network. When the virtual adapter and the adapter are in concurrent execution on the workstation, Internet access and SVPN access are possible simultaneously without the drawbacks of routing all Internet requests via the SVPN.
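The following Python is added here and is not part of the patent. It puts two of the mechanisms described on this page into one runnable model: the workstation of Figs. 7a and 8a, whose WAN adapter and SVPN virtual adapter run concurrently and where the adapter is chosen by destination rather than by whether the payload is already secured, and the gateway side of the earlier physical-intrusion passage, where stored keying data is sealed under a master key held only in memory and that master key is cleared when the case is opened. The HMAC-SHA256 keystream with a tag is a stand-in for a real AEAD (a production system would use AES-GCM); the addresses, private prefix, key record name and frame layout are assumptions made for the example.

```python
import hashlib
import hmac
import secrets

# Data securer: HMAC-SHA256 keystream plus tag, a stand-in for a real AEAD such as AES-GCM.
def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    out, counter = b"", 0
    while len(out) < length:
        out += hmac.new(key, nonce + counter.to_bytes(4, "big"), hashlib.sha256).digest()
        counter += 1
    return out[:length]

def seal(key: bytes, plaintext: bytes) -> bytes:
    """Return nonce || ciphertext || tag; the tag covers nonce and ciphertext."""
    nonce = secrets.token_bytes(16)
    ct = bytes(p ^ k for p, k in zip(plaintext, _keystream(key, nonce, len(plaintext))))
    return nonce + ct + hmac.new(key, b"tag" + nonce + ct, hashlib.sha256).digest()

def unseal(key: bytes, blob: bytes) -> bytes:
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    if not hmac.compare_digest(tag, hmac.new(key, b"tag" + nonce + ct, hashlib.sha256).digest()):
        raise ValueError("integrity check failed")  # altered in transit, or wrong key
    return bytes(c ^ k for c, k in zip(ct, _keystream(key, nonce, len(ct))))

class MasterKeyStore:
    """Gateway key store: every stored key is sealed under a master key held only in RAM."""
    def __init__(self):
        self._master = bytearray(secrets.token_bytes(32))  # bytearray so it can be overwritten
        self.records = {}  # name -> sealed key; this is what sits on the gateway's disk/flash

    def store(self, name: str, key: bytes) -> None:
        self.records[name] = seal(bytes(self._master), key)

    def load(self, name: str) -> bytes:
        if not any(self._master):
            raise RuntimeError("master key has been zeroized")
        return unseal(bytes(self._master), self.records[name])

    def case_opened(self) -> None:
        """Tamper response: clear the master key; the sealed records are then unrecoverable."""
        for i in range(len(self._master)):
            self._master[i] = 0

class Gateway:
    def __init__(self, keystore: MasterKeyStore):
        self.keystore = keystore

    def receive(self, frame) -> tuple:
        kind, _gateway_addr, blob = frame
        inner = unseal(self.keystore.load("session:ws1"), blob)  # session key unsealed at use
        dst, payload = inner.split(b"\x00", 1)
        return dst.decode(), payload

class WanAdapter:
    """The physical adapter: transmits every frame it is handed, secured or not."""
    def __init__(self):
        self.wire = []  # frames as they appear on the WAN
    def transmit(self, frame) -> None:
        self.wire.append(frame)

class SvpnVirtualAdapter:
    """Routing destination for private-network traffic: data sent here is intercepted,
    sealed for the gateway and re-routed to the WAN adapter."""
    def __init__(self, adapter: WanAdapter, session_key: bytes, gateway_addr: str):
        self.adapter, self.session_key, self.gateway_addr = adapter, session_key, gateway_addr
    def send(self, dst: str, payload: bytes) -> None:
        inner = dst.encode() + b"\x00" + payload  # the real destination travels inside the seal
        self.adapter.transmit(("svpn", self.gateway_addr, seal(self.session_key, inner)))

class Workstation:
    def __init__(self, private_prefix: str, adapter: WanAdapter, vadapter: SvpnVirtualAdapter):
        self.private_prefix, self.adapter, self.vadapter = private_prefix, adapter, vadapter
    def send(self, dst: str, payload: bytes) -> None:
        # The adapter is selected by destination, not by whether the payload is already secured.
        if dst.startswith(self.private_prefix):
            self.vadapter.send(dst, payload)
        else:
            self.adapter.transmit(("wan", dst, payload))

def run_demo() -> dict:
    keystore = MasterKeyStore()
    session_key = secrets.token_bytes(32)
    keystore.store("session:ws1", session_key)  # the gateway's copy, sealed at rest
    adapter = WanAdapter()
    ws = Workstation("10.", adapter, SvpnVirtualAdapter(adapter, session_key, "gw.example"))
    ws.send("10.1.2.3", b"GET /mail")  # private destination: via the virtual adapter
    ws.send("203.0.113.5", b"GET /")  # public destination: straight out the WAN adapter
    delivered = Gateway(keystore).receive(adapter.wire[0])
    keystore.case_opened()
    try:
        keystore.load("session:ws1")
        after_tamper = "readable"
    except RuntimeError:
        after_tamper = "zeroized"
    return {"kinds": [f[0] for f in adapter.wire], "delivered": delivered,
            "cleartext_on_wire": b"GET /mail" in adapter.wire[0][2], "after_tamper": after_tamper}
```

Both requests leave through the one WAN adapter, but only the private one is sealed; the gateway recovers the original destination and payload by unsealing its stored session key at the moment of use, and once the case-open event has zeroized the master key that stored key can no longer be recovered, which is the property the passage on physical intrusion relies on.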
Though the method of using static maps according to the invention is described with reference to use on workstations disposed remotely from a gateway, it is also applicable to use by gateways. The gateways use static map data to route data within the secure virtual private network, for example when a gateway routes data to a resource within another portion of the secure virtual private network via another, different gateway.
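As an added example (not the patent's own code), the following Python builds a static map of the kind the claims below describe, from data each gateway reports about itself (the collating step of claim 20), and then routes to a resource the way claim 1 lays out: choose the gateway from the map, connect, authenticate the gateway against the security information stored in the map, and transmit. It also covers the two points made for Fig. 3, preferring the most secure usable path and falling back to an alternative path when a gateway has failed. The gateway names, addresses, certificates, security levels and the JSON form used for non-volatile storage are constructed for the example; pinning a SHA-256 fingerprint of the gateway certificate is one way to realise the claimed authentication data and is an assumption.

```python
import hashlib
import hmac
import json
from dataclasses import dataclass, asdict


@dataclass(frozen=True)
class GatewayEntry:
    name: str
    address: str              # gateway routing data
    cert_fingerprint: str     # gateway authentication data: SHA-256 of the gateway's certificate
    supports_tunneling: bool  # gateway connection data
    security_level: int       # gateway security data (hypothetical 1..3 scale)


class StaticMap:
    def __init__(self):
        self.gateways = {}    # name -> GatewayEntry
        self.resources = {}   # resource -> list of paths; a path is a tuple of gateway names

    def add_gateway(self, gw: GatewayEntry) -> None:
        self.gateways[gw.name] = gw

    def add_path(self, resource: str, path) -> None:
        self.resources.setdefault(resource, []).append(tuple(path))

    def path_security(self, path) -> int:
        return min(self.gateways[name].security_level for name in path)

    def select_path(self, resource: str, failed=frozenset()) -> tuple:
        """Most secure path avoiding failed gateways; among equals, the fewest hops."""
        usable = [p for p in self.resources.get(resource, []) if not set(p) & set(failed)]
        if not usable:
            raise LookupError(f"no usable path to resource {resource}")
        return max(usable, key=lambda p: (self.path_security(p), -len(p)))

    def authenticate_gateway(self, name: str, presented_cert: bytes) -> bool:
        """Compare the certificate presented at connection time with the pinned fingerprint."""
        got = hashlib.sha256(presented_cert).hexdigest()
        return hmac.compare_digest(self.gateways[name].cert_fingerprint, got)

    def to_json(self) -> str:
        """Serialized form for non-volatile storage."""
        return json.dumps({"gateways": [asdict(g) for g in self.gateways.values()],
                           "resources": {r: [list(p) for p in ps] for r, ps in self.resources.items()}},
                          sort_keys=True)

    @classmethod
    def from_json(cls, text: str) -> "StaticMap":
        raw, m = json.loads(text), cls()
        for g in raw["gateways"]:
            m.add_gateway(GatewayEntry(**g))
        for resource, paths in raw["resources"].items():
            for p in paths:
                m.add_path(resource, p)
        return m


def collate(announcements) -> StaticMap:
    """Build the map from what each gateway reports about itself (claim 20 style)."""
    m = StaticMap()
    for a in announcements:
        m.add_gateway(GatewayEntry(a["name"], a["address"], hashlib.sha256(a["cert"]).hexdigest(),
                                   a["tunneling"], a["security_level"]))
        for resource, path in a["reachable"]:
            m.add_path(resource, path)
    return m


def route(static_map: StaticMap, resource: str, presented_certs: dict, failed=frozenset()) -> dict:
    """Claim 1 steps: pick the gateway from the map, connect, authenticate it, then transmit."""
    path = static_map.select_path(resource, failed)
    gw = static_map.gateways[path[0]]
    if not static_map.authenticate_gateway(gw.name, presented_certs.get(gw.name, b"")):
        raise PermissionError(f"gateway {gw.name} at {gw.address} failed authentication")
    return {"path": path, "gateway": gw.address,
            "connection": "tunnel" if gw.supports_tunneling else "direct"}


# Constructed sample: the Fig. 3 topology. Resource 72 sits in network B and is reachable
# either through gateway A and then B, or directly through B's Internet gateway 73.
SAMPLE_CERTS = {"A": b"cert-of-gateway-A", "B": b"cert-of-gateway-B", "73": b"cert-of-gateway-73"}
SAMPLE_ANNOUNCEMENTS = [
    {"name": "A", "address": "198.51.100.1", "cert": SAMPLE_CERTS["A"], "tunneling": True,
     "security_level": 3, "reachable": [("72", ["A", "B"])]},
    {"name": "B", "address": "10.20.0.1", "cert": SAMPLE_CERTS["B"], "tunneling": True,
     "security_level": 3, "reachable": []},
    {"name": "73", "address": "198.51.100.73", "cert": SAMPLE_CERTS["73"], "tunneling": False,
     "security_level": 2, "reachable": [("72", ["73"])]},
]
```

With both paths available the workstation goes through A because that path's weakest gateway is still level 3; with A marked failed it falls back to the level-2 Internet gateway 73; a gateway that presents a certificate other than the pinned one is refused before any data is sent; and the map survives a round trip through its stored form.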
Numerous other embodiments may be envisaged without departing from the spirit and scope of the invention.
Claims (23)
1. A method of routing first data within a secure virtual private network comprising the steps of:
storing static map data, the static map data indicative of a plurality of static gateways and resources accessible through the static gateways, the static map data comprising security information for use in authenticating a gateway from the plurality of static gateways;
selecting a resource to which to direct the first data;
determining from the static map data a gateway for accessing the selected resource;
establishing a connection with the determined gateway and authenticating the gateway;
and, transmitting the first data to the gateway for provision to the selected resource.
2. A method as defined in claim 1 wherein the step of storing the static map data is performed automatically.
3. A method as defined in claim 1 wherein the step of establishing a connection with the determined gateway and authenticating the gateway comprises the steps of:
establishing a secure connection with the determined gateway, receiving certification data from the gateway, the verified data for use in authenticating the gateway; and, authenticating the gateway based on the certification data and the security information.
4. A method as defined in claim 3 comprising the step of:
automatically, storing the static map data, the static map data comprising gateway data and resource data, the gateway data including gateway routing data and gateway authentication data, and the resource data related to a gateway and comprising resource routing data.
5. A method as defined in claim 4 wherein the step of storing the static map data comprises storing the static map data on a workstation remote to a gateway for which gateway data is stored within the static map data.
6. A method as defined in claim 5 wherein the gateway data comprises gateway connection data for a gateway, the gateway connection data indicative of a method of communicating securely with the gateway.
7. A method as defined in claim 6 wherein the gateway connection data for a gateway includes data indicative of whether the gateway supports tunneling.
8. A method as defined in claim 5 wherein the gateway data comprises gateway security and connection data for a gateway, the step of establishing a connection with the gateway and authenticating the gateway with which a connection is established comprising the steps of establishing a secure connection with the determined gateway, the connection of a type indicated by the gateway connection and security data and secured in accordance therewith.
9. A method of routing first data within a secure virtual private network comprising the steps of:
storing static map data, the static map data indicative of a static gateway and at least a resource accessible through the static gateway, the static map data stored on a workstation remote from the gateway;
determining a destination resource from the at least a resource, the first data for provision to the destination resource from the workstation;
determining from the stored static map data a first static gateway through which to access the destination resource;
establishing a connection between the workstation and the first static gateway;
transmitting the first data to the first static gateway for provision to the resource.
10. A method as defined in claim 9 wherein the static map data comprises security information for use in authenticating a gateway from the gateways, and wherein the step of establishing a connection comprises the step of authenticating the first static gateway.
11. A method as defined in claim 10 wherein the step of storing the static map data comprises the step of:
storing the static map data, the static map data comprising gateway and resource data indicative of a static gateway and at least a resource accessible through the static gateway, the gateway data including gateway routing data and gateway authentication data, and the resource data related to a gateway and comprising resource routing data.
12. A method as defined in claim 11 wherein the step of storing the static map data is performed automatically.
13. A method as defined in claim 11 wherein the step of storing the static map data comprises storing the static map data on a workstation remote to a gateway for which gateway data is stored within the static map data.
14. A method as defined in claim 13 wherein the gateway data comprises gateway connection data for a gateway, the gateway connection data indicative of a method of communicating securely with the gateway.
15. A method as defined in claim 13 wherein the gateway data comprises gateway security data for a gateway, the gateway security data indicative of a security access procedure for accessing the gateway securely.
16. A method as defined in claim 13 wherein the gateway data comprises gateway security and connection data for a gateway, the step of establishing a connection with the gateway and authenticating the gateway with which a connection is established comprising the step of:
establishing a secure connection with the determined gateway, the connection of a type indicated by the gateway connection and security data and secured in accordance therewith.
17. A method of routing first data within a secure virtual private network comprising the steps of:
storing a static map, the static map comprising gateway data and resource data, the gateway data including gateway routing data, gateway connection data, gateway security data, and gateway authentication data, the resource data related to a gateway and comprising resource routing data;
storing the static map on a workstation remote to a gateway for which gateway data is stored in the static map;
selecting one of a gateway and a resource to which to direct the first data;
determining from the static map data routing data, connection data, and security data for a gateway related to the selected one of a gateway and resource, wherein a gateway is related to itself;
using the determined routing data, connection data, and security data for the gateway, establishing a connection with the gateway and authenticating the gateway with which a connection is established; and, transmitting the first data to the gateway.
18. A method as defined in claim 17 wherein the step of establishing a connection with the gateway and authenticating the gateway with which a connection is established comprises the steps of establishing a secure connection with the determined gateway, receiving certification data from the gateway, the verified data for use in authenticating the gateway, and authenticating the gateway based on the certification data and the security information.
19. A method as defined in claim 18 wherein the step of storing the static map data is performed automatically.
20. A method of routing first data comprising the steps of:
receiving data from each gateway forming part of a secure virtual private network, the data including gateway address, resources accessible through the gateway, and gateway authentication data;
collating the received data to form a static map; and, storing the static map within non-volatile memory.
21. A method as defined in claim 20 comprising the steps of providing queries to gateways within the secure virtual private network.
22. A method as defined in claim 20 wherein the gateway authentication data includes a gateway identifier.
23. A method as defined in claim 22 wherein the data includes data relating to securing a communication session with the gateway from which the data is received.
Priority Applications (1)
| Application Number | Priority Date | Filing Date | Title |
|---|---|---|---|
| CA002260709A CA2260709A1 (en) | 1998-02-04 | 1999-02-04 | Method of using static maps in a virtual private network |
Applications Claiming Priority (3)
| Application Number | Priority Date | Filing Date | Title |
|---|---|---|---|
| CA2,228,687 | 1998-02-04 | ||
| CA002228687A CA2228687A1 (en) | 1998-02-04 | 1998-02-04 | Secured virtual private networks |
| CA002260709A CA2260709A1 (en) | 1998-02-04 | 1999-02-04 | Method of using static maps in a virtual private network |
Publications (1)
| Publication Number | Publication Date |
|---|---|
| CA2260709A1 true CA2260709A1 (en) | 1999-08-04 |
Family
ID=29585074
Family Applications (1)
| Application Number | Title | Priority Date | Filing Date |
|---|---|---|---|
| CA002260709A Abandoned CA2260709A1 (en) | 1998-02-04 | 1999-02-04 | Method of using static maps in a virtual private network |
Country Status (1)
| Country | Link |
|---|---|
| CA (1) | CA2260709A1 (en) |
- 1999-02-04: CA CA002260709A patent/CA2260709A1/en not_active Abandoned
Similar Documents
| Publication | Publication Date | Title |
|---|---|---|
| US6529513B1 (en) | Method of using static maps in a virtual private network | |
| US6804777B2 (en) | System and method for application-level virtual private network | |
| Blaze et al. | Trust management for IPsec | |
| US7660980B2 (en) | Establishing secure TCP/IP communications using embedded IDs | |
| US8332464B2 (en) | System and method for remote network access | |
| KR101076848B1 (en) | Reducing network configuration complexity with transparent virtual private networks | |
| US7099957B2 (en) | Domain name system resolution | |
| US6981143B2 (en) | System and method for providing connection orientation based access authentication | |
| US7197550B2 (en) | Automated configuration of a virtual private network | |
| US6807181B1 (en) | Context based control data | |
| US20030191963A1 (en) | Method and system for securely scanning network traffic | |
| US20030217148A1 (en) | Method and apparatus for LAN authentication on switch | |
| CN100525304C (en) | Network system, internal server, terminal device, storage medium and packet relay method | |
| WO2004107646A1 (en) | System and method for application-level virtual private network | |
| CA2437548A1 (en) | Apparatus and method for providing secure network communication | |
| US20050060534A1 (en) | Using a random host to tunnel to a remote application | |
| EP4323898B1 (en) | Computer-implemented methods and systems for establishing and/or controlling network connectivity | |
| GB2317539A (en) | Firewall for interent access | |
| JP2005515700A (en) | Methods and devices for providing secure connections in mobile computing environments and other intermittent computing environments | |
| US20150381387A1 (en) | System and Method for Facilitating Communication between Multiple Networks | |
| Kamens | Retrofitting Network Security to Third-Party Applications-The SecureBase Experience. | |
| CA2260709A1 (en) | Method of using static maps in a virtual private network | |
| US6983332B1 (en) | Port-bundle host-key mechanism | |
| US20250240175A1 (en) | Methods and systems for implementing secure communication channels between systems over a network | |
| Xu et al. | Celestial security management system |
Legal Events
| Date | Code | Title | Description |
|---|---|---|---|
| | FZDE | Discontinued | Effective date: 20040204 |