Patent

System and method for secure mobile connectivity

22 Jun 2004
TL;DR: In this paper, the authors present a method and systems for securely connecting mobile nodes to an internal private network using IPsec based Virtual Private Network (VPN) technology, which employs a proxy home agent coupled to a home network associated with a mobile node that is located within a secure network, a home agent (HA) that is outside of the secure network and a VPN gateway to provide VPN services to a mobile device that changes its current address during the VPN session.
Abstract: The present invention discloses methods and systems for securely connecting mobile nodes to an internal private network using IPsec based Virtual Private Network (VPN) technology. The system employs a proxy home agent (PHA) coupled to a home network associated with a mobile node that is located within a secure network, a home agent (HA) that is located outside of the secure network, and a VPN gateway to provide VPN services to a mobile device that changes its current address during the VPN session. The HA and PHA are configured to provide Mobile IP Home Agent functionality through a distributed system.
Citations
Patent
20 Mar 2002
TL;DR: In this paper, the authors propose to give precedence to intra-VPN traffic over extra-VPN traffic on each customer's access link through access link prioritization or access link capacity allocation.
Abstract: A network architecture includes a communication network that supports one or more network-based Virtual Private Networks (VPNs). The communication network includes a plurality of boundary routers that are connected by access links to CPE edge routers belonging to the one or more VPNs. To prevent traffic from outside a customer's VPN (e.g., traffic from other VPNs or the Internet at large) from degrading the QoS provided to traffic from within the customer's VPN, the present invention gives precedence to intra-VPN traffic over extra-VPN traffic on each customer's access link through access link prioritization or access link capacity allocation, such that extra-VPN traffic cannot interfere with inter-VPN traffic. Granting precedence to intra-VPN traffic over extra-VPN traffic in this manner entails partitioning between intra-VPN and extra-VPN traffic on the physical access link using layer 2 multiplexing and configuration of routing protocols to achieve logical traffic separation between intra-VPN traffic and extra-VPN traffic at the VPN boundary routers and CPE edge routers. By configuring the access networks, the VPN boundary routers and CPE edge routers, and the routing protocols of the edge and boundary routers in this manner, the high-level service of DoS attack prevention is achieved.

177 citations

Patent
02 Jul 2004
TL;DR: In this paper, a mediating apparatus is provided on an IP network, and stores an access control list (ACL) retained in a VPN gateway unit, which is used for authentication between the VPN client unit and the VPN gateway unit and for encrypted communication therebetween.
Abstract: A mediating apparatus is provided on an IP network, and stores an access control list (ACL) retained in a VPN gateway unit. The mediating apparatus: receives a retrieval request from a VPN client unit; acquires a private IP address of a communication unit by reference to ACL; searches DNS to acquire therefrom an IP address of the VPN gateway unit; generates a common key that is used for authentication between the VPN client unit and the VPN gateway unit and for encrypted communication therebetween; sends the IP address of the VPN gateway unit, the private IP address of the communication unit, and the common key to the VPN client unit; and sends the IP address of the VPN client unit and the common key to the VPN gateway unit.

111 citations

Patent
28 Apr 2011
TL;DR: In this article, a distributed, multi-tenant Virtual Private Network (VPN) cloud system and methods for mobile security and user-based policy enforcement are presented, where plural mobile devices are configured to connect to one or more enforcement or processing nodes over VPN connections.
Abstract: The present disclosure provides distributed, multi-tenant Virtual Private Network (VPN) cloud systems and methods for mobile security and user-based policy enforcement. In an exemplary embodiment, plural mobile devices are configured to connect to one or more enforcement or processing nodes over VPN connections. The enforcement or processing nodes are configured to perform content filtering, policy enforcement, and the like on some or all of the traffic from the mobile devices. The present invention is described as multi-tenant as it can connect to plural clients across different companies with different policies in a single distributed system. Advantageously, the present invention allows smartphone and tablet users to protect themselves from mobile malware, without requiring a security application on the device. It allows administrators to seamlessly enforce policy for a user regardless of the device or network they are connecting to, as well as get granular visibility into the user's network behavior.

69 citations

Patent
16 Mar 2010
TL;DR: In this article, the authors propose to give precedence to intra-VPN traffic over extra-VPN traffic on each customer's access link through access link prioritization or access link capacity allocation.
Abstract: A network architecture in accordance with the present invention includes a communication network that supports one or more network-based Virtual Private Networks (VPNs). The communication network includes a plurality of boundary routers that are connected by access links to CPE edge routers belonging to the one or more VPNs. To prevent traffic from outside a customer's VPN (e.g., traffic from other VPNs or the Internet at large) from degrading the QoS provided to traffic from within the customer's VPN, the present invention gives precedence to intra-VPN traffic over extra-VPN traffic on each customer's access link through access link prioritization or access link capacity allocation, such that extra-VPN traffic cannot interfere with inter-VPN traffic. Granting precedence to intra-VPN traffic over extra-VPN traffic in this manner entails special configuration of network elements and protocols, including partitioning between intra-VPN and extra-VPN traffic on the physical access link using layer 2 multiplexing and the configuration of routing protocols to achieve logical traffic separation between intra-VPN traffic and extra-VPN traffic at the VPN boundary routers and CPE edge routers. By configuring the access networks, the VPN boundary routers and CPE edge routers, and the routing protocols of the edge and boundary routers in this manner, the high-level service of DoS attack prevention is achieved.

56 citations

Patent
25 Feb 2005
TL;DR: In this article, the authors proposed a scheme to arrange data transmission for a mobile node in a telecommunications system comprising a secure network and an insecure network, where the VPN node and the home agent are configured to allocate the same IP address as an internal IP address and as a home address.
Abstract: The present invention relates to arranging data transmission for a mobile node in a telecommunications system comprising a secure network and an insecure network. A connection to a secure network for a mobile node may be arranged by a home agent if the mobile node is accessing the secure network directly or via a third network other than the insecure network, or a connection to the secure network may be arranged by a VPN node if the mobile node is accessing the secure network via the insecure network. According to a first aspect of the invention, the VPN node and the home agent are configured to allocate the same IP address as an internal IP address and as a home address.

50 citations

References
Patent
23 Oct 2003
TL;DR: In this paper, an exemplary system and method for using a network access system, such as a virtual private network (VPN), are provided, where a user device may have a user session with a home agent, and a terminating security gateway may be in communication with the initiating security gateway via a tunnel.
Abstract: An exemplary system and method for using a network access system, such as a virtual private network (VPN), are provided. A user device may have a user session with a home agent. Additionally, an initiating security gateway may be in communication with the home agent, and a terminating security gateway may be in communication with the initiating security gateway via a tunnel (e.g., Internet Protocol in Internet Protocol (IP-in-IP) or Internet Protocol security (IPsec) tunnel). Further, a virtual local area network (VLAN) tag associated with the user session may map to a selector operable in a security policy database. The selector may be used to find a security policy defining an IPsec procedure, and the security policy may be applied to the tunnel. Also, the initiating security gateway may also include a Quality of Service (QoS) module that determines QoS markings for a packet traveling along the tunnel.

161 citations

Patent
05 Apr 2002
TL;DR: In this paper, the authors present a method to transfer data between a mobile host device and a source node via a number of independent data networks while maintaining a secure connection, where the security policy operated by the mobile host includes a primary security policy and a dynamic secondary security policy that selectively apply specified transformations to certain packets in the data transfer.
Abstract: The invention discloses a method transferring packets between a mobile host device (100) and a source node via a number of independent data networks while maintaining a secure connection. The independent networks may include, for example, the Internet (120), localized Access Zones (110,140), a Corporate Intranets, a Home Network (130) etc. Problems may occur, for example, when the mobile node is using a co-located care-of address, in which case both IP-in-IP and IPsec tunneling transformations are performed, and the current IPsec and IP-in-IP implementations cannot perform the required tunneling operations on the mobile host. This is because the IP-in-IP and IPsec tunneling when the IP-in-IP tunnel is not the outermost transformation. In an embodiment of the invention, the security policy operated by the mobile host includes a primary security policy and a dynamic secondary security policy that selectively apply specified transformations to certain packets in the data transfer.

81 citations

Patent
13 May 2002
TL;DR: A system for updating classification chains, including but not limited to firewall ACLs, can include a network device having a plurality of interfaces to receive and transmit packets of data, a forwarding element to apply classification rules to the packets, and a packet classification chain that resides at least temporarily on the network device.
Abstract: A system for updating classification chains, including but not limited to firewall ACLs, can include a network device having a plurality of interfaces to receive and transmit packets of data, a forwarding element to apply classification rules to the packets, and a packet classification chain that resides at least temporarily on the network device, wherein the chain includes classification rules, an associated action, and an update field to trigger insertion or deletion of the rule.

65 citations

Patent
19 Dec 2002
TL;DR: In this paper, the authors proposed a secure network path through an inner and outer firewall pair between a mobile node on a foreign network and a corresponding node on the home network, where the mobile IP proxy acts as a surrogate home agent to the mobile node, and acts as surrogate mobile node to a home agent residing on a home network.
Abstract: Systems and methods provide a secure network path through an inner and outer firewall pair between a mobile node on a foreign network and a corresponding node on a home network. One aspect of the systems and methods includes providing a mobile IP proxy between the mobile node and a VPN gateway inside the firewalls. The mobile IP proxy acts as a surrogate home agent to the mobile node, and acts as a surrogate mobile node to a home agent residing on the home network.

61 citations

Patent
Franck Le, Stefano Faccin
09 Nov 2001
TL;DR: In this article, a method for providing location privacy for a terminal node (MN) in communication with a communication partner node (CN) in a communication network system comprising at least a first communication network (HN, VN), wherein a respective node communicating via said communication network systems is identified by its permanent network address (MN_PA) and addressable by a temporary network address(MN_CoA), at least one server entity (LPS), a plurality of agent entities (LPA1,..., LPAn), wherein each of said at least LPS
Abstract: The present invention concerns a method for providing location privacy for a terminal node (MN) in communication with a communication partner node (CN) in a communication network system comprising at least a first communication network (HN, VN), wherein a respective node (MN) communicating via said communication network system is identified by its permanent network address (MN_PA) and addressable by a temporary network address (MN_CoA), at least one server entity (LPS), a plurality of agent entities (LPA1, . . . , LPAn), wherein each of said at least one server entities (LPS) maintains a record of said plurality of agent entities (LPA1, . . . , LPAn) and their respective location within the network system, said method comprising the steps of: requesting (S41), by said terminal node (MN), said at least one server entity (LPS) for location privacy, selecting (S42), at said at least one server entity (LPS), a specific one of said plurality of agent entities (LPA1, . . . , LPAn), based on data maintained in said record of said server entity and said temporary network address of said requesting terminal node, and communicating (S46) messages between said terminal node (MN) and said communication partner node (CN) via said selected one (LPA) of said agent entities. The present invention also concerns corresponding network systems, server entities, agent entities and terminal nodes.

33 citations