Method and apparatus for automatic configuration and management of a virtual private network

US 20050193103A1
Filed: 10/08/2003
Published: 09/01/2005
Est. Priority Date: 06/18/2002
Status: Abandoned Application

First Claim

Patent Images

1. A method and apparatus for automatic configuration and management of a virtual private network operating over a public data network or insecure private network including a plurality of virtual private network gateways or devices (“

clients”

) so that communications within the virtual private network are channeled through the virtual private network gateways or directly to client devices, with secure delivery of configuration information to devices capable of using that information to automatically configure their own virtual private network and subnetwork characteristics, or using insecure delivery but enabled by the presence of a separate security device, the method comprising;

centralized configuration of the characteristics and operational parameters of a virtual private network, assigning subnetwork connection parameters on a host system and the corresponding network and subnetwork connection parameters on one or more client systems, and verifying that conflicts do not exist between defined subnetworks used by various client networks or subnetworks, and reconfiguring one or more client networks or subnetworks based on the result of certain verification checks;

reconfiguring the carrier devices or other security devices among participants in a secure VPN connection, thus changing the characteristics of one or more associated sessions, and potentially with time-restricted access to the VPN;

reconfiguring the carrier devices or other security devices among participants in a secure VPN connection, with a specified time for the configuration parameters to take effect, or upon the occurrence of a an agreed-upon specific event, such as inability to reach a particular VPN node (such as the corporate node), perhaps because that node has specifically been reconfigured by some other process;

inclusion of general network services or “

points of interest”

(if any) available to VPN clients, such as printers, network storage devices, software programs, or other network-accessible functions which may be of interest or benefit to VPN clients, including but not limited to device addresses, names, configuration settings, access-control information, and other data necessary for the VPN client device to automatically configure the VPN client system so that it may access and use such devices and services;

View all claims

0 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

The present invention provides a method and apparatus for automatic configuration and management of a virtual private network operating over a public data network, and a method and apparatus for delivery of the configuration parameters to client interface equipment participating in the virtual private network. The system defines allowed connections between client and server gateway devices, and the parameters associated with the virtual private network. The system defines methods and apparatus for automatic startup, configuration, and shutdown of nodes of the resulting virtual private network based on factors such as the presence of a configuration carrier device. The present invention also describes a class of pseudo-interface mechanism that can hide the complexity of the underlying system from client devices incorporating the present invention, via a conventional network device interface.

434 Citations

9 Claims

1. A method and apparatus for automatic configuration and management of a virtual private network operating over a public data network or insecure private network including a plurality of virtual private network gateways or devices (“
- clients”
  
  ) so that communications within the virtual private network are channeled through the virtual private network gateways or directly to client devices, with secure delivery of configuration information to devices capable of using that information to automatically configure their own virtual private network and subnetwork characteristics, or using insecure delivery but enabled by the presence of a separate security device, the method comprising;
  
  centralized configuration of the characteristics and operational parameters of a virtual private network, assigning subnetwork connection parameters on a host system and the corresponding network and subnetwork connection parameters on one or more client systems, and verifying that conflicts do not exist between defined subnetworks used by various client networks or subnetworks, and reconfiguring one or more client networks or subnetworks based on the result of certain verification checks;
  
  reconfiguring the carrier devices or other security devices among participants in a secure VPN connection, thus changing the characteristics of one or more associated sessions, and potentially with time-restricted access to the VPN;
  
  reconfiguring the carrier devices or other security devices among participants in a secure VPN connection, with a specified time for the configuration parameters to take effect, or upon the occurrence of a an agreed-upon specific event, such as inability to reach a particular VPN node (such as the corporate node), perhaps because that node has specifically been reconfigured by some other process;
  
  inclusion of general network services or “
  
  points of interest”
  
  (if any) available to VPN clients, such as printers, network storage devices, software programs, or other network-accessible functions which may be of interest or benefit to VPN clients, including but not limited to device addresses, names, configuration settings, access-control information, and other data necessary for the VPN client device to automatically configure the VPN client system so that it may access and use such devices and services;
- View Dependent Claims (2, 3, 4, 5, 6)
- - 2. The method of claim 1, further comprising the steps of;
    - a method and apparatus for delivering virtual private network configuration and management information to one or more virtual private network gateways or devices, including client gateways and devices, corporate LAN gateway, or branch LAN gateways, providing for secure encrypted delivery of configuration and management information, or unsecured delivery of that same information in cases where security is not an issue, the method comprising;
      
      automatically selecting an appropriate set of configuration parameters, potentially based upon characteristics of the person or group which will use the parameters, and transmitting the configuration parameters to an encrypted key device via one or more of several possible physical interface, transmission, and programning methods, or;
      
      using reconfigurable logic devices, which are configured on the direct interpretation and translation of the encryption algorithm or the encrypted data provided by the centralized configuration management system, or;
      
      using reprogrammable logic devices which are embedded into pseudo-network cards or similar devices such as modems, which devices can then be used by client devices without further consideration of the fact that a secure and automatically configured VPN connection results from the use of the security device, or;
  - 3. The method of claim 1 and the apparatus of claim 2, further comprising the steps of:
    - use of the resulting programmed, encrypted or non-encrypted but keyed device with configuration information, which device is inserted into or attached to a client virtual private network gateway or direct access device, or which may be built into the device and enabled by the presence of an appropriate security device. Upon insertion, attachment, or detection, a daemon process on the VPN device to be configured detects the presence of the security device, retrieves the VPN and any other configuration information from the device or from other appropriate media, and uses that information to setup the VPN connection with the host system and other devices and points-of-interest, potentially including such connections between two or more VPN clients;
  - 4. The method and apparatus of claims 1 and 2, further comprising the steps of:
    - use of a default, encrypted and secure data channel to transmit VPN configuration information to one or more client VPN gateways or direct access devices, which devices are either known to the host configuration system, or can be determined to be valid potential members of the VPN through encryption schemes such as public-key and digital signature methods. The transmitted data is delivered to a daemon process, which configures the security device, whereupon the VPN then operates over a separate encrypted tunnel using the provided characteristics. The associated VPN may be restricted in various ways, including time restraints. Furthermore, the non-default configuration information may be caused to activate at a specific time in the future, or;
      
      a method to use a separate, but individually defined secure, encrypted, default network connection to present potential clients to a VPN host system, to return encrypted VPN configuration and management information via that default secure network connection, to automatically configure the VPN client device using that configuration and management information, and to open a separate connection, circuit, or virtual circuit between the client VPN gateway or device, the VPN host and various resources, devices, and other points of interest available to the VPN host and other VPN clients, resources, and devices, when such access is allowed. An aspect of this mode of operation is that the individually defined secure connection is controlled by the host configuration manager by virtue of the fact that every keyed device includes a unique ID code that is known to the manager before any such connection attempt is made, even if the key device is otherwise unprogrammed;
      
      mechanisms for inclusion of multiple VPN configuration parameters sets within one or more configuration devices, and defining fail-over, fall-back, or event-driven changes to the VPN configuration using one of these secondary configuration parameter sets under specific circumstances.
  - 5. The methods and apparatus of claims 1 through 4, further comprising the steps of:
    - a method and apparatus for automatically configuring a virtual private network client gateway or device using the delivered virtual private network configuration and management information, allowing various client configuration strategies and operating modes such as configure-once, dynamic-configuration, time-delayed reconfiguration, and forced-deconfiguration;
      
      a method and apparatus for the host control and configuration system to automatically stop one or more virtual private network connections using one of several methodologies;
      
      a method for forcing deconfiguration of one or more virtual private network clients access key devices, from a control computer located elsewhere in the virtual private network, overriding the client configuration information and disabling the client virtual private network configuration, connection, access control, or other functions until and unless the affected key device, client gateway, or client direct access device is reconfigured or reprogrammed;
      
      a method for checking or challenging the validity of a connection from a control computer located elsewhere on the virtual private network;
      
      a method for conveying new configuration parameters to a participating device in a virtual private network, said new configuration parameters to take effect at some future time or in response to a specific event;
  - 6. The methods of claims 1 through 5, and the apparatus of claim 2, further comprising the steps of:
    - a method and apparatus for automatically starting or restarting one or more virtual private network connections using one of several connection methodologies, and based on the configuration information provided from the host configuration manager. An example of such use would be to start a VPN connection, without disturbing other potential ongoing network traffic through the client device, when a secure key device is attached to or inserted into the appropriate client gateway device or direct access device, or when the presence of an appropriate security device is detected;
      
      a method and apparatus for automatically stopping one or more virtual private network connections using one of several connection methodologies, and based on the disconnection or detachment of the configuration device, or the disappearance of an appropriate security device. An example of such use would be to stop all VPN traffic, but still allow other network traffic to the public network, whenever the key device is removed from the client gateway or direct access device or when a device such as a specific radio-frequency ID tag is not detected nearby;
      
      a method for maintaining and using the VPN configuration information even if the configuration key device is removed from the client gateway or direct access device, allowing the key device to be reused by other potential clients after it has been appropriately reprogrammed. A benefit of this mode of operation is that a key device can be reprogrammed over the course of days while the VPN is still allowed to function to the benefit of the client;

7. A method and apparatus using the previous methods and claims, defining a new topology of managed VPN network wherein there is no corporate LAN per-se, but rather, a single server which configures and manages all of the clients or branch LAN members of a VPN providing the concept of a Virtual Office, existing only within the Virtual Private Network, the connected client machines and subnetworks, and the Public Network (or insecure Private Network) cloud. When used in such a configuration, the VPN Control system becomes a Virtual Office Server, potentially providing company services such as web presence, email servers, related services, connections between distributed workers including individuals or groups of workers, and providing those workers with additional, private services of various types;

8. A method for configuration service provided by a trusted third-party, such as a certified service agency. Such services may be available anywhere, using established certification procedures. An example of such an operation might be a trusted security company with worldwide presence, who can challenge and verify potential VPN participants, certify their identity, and provide programming for the security device to be used in the VPN, thus simplifying access to new and remote employees, agents, representatives, or other personnel who may require access to a specific VPN.
- View Dependent Claims (9)
- - 9. A new type of pseudo-network interface card which card appears to a computer as a conventional network interface card of some bus type such as PCI, PCMCIA, or other common hardware-oriented connection, which device includes a completely separate VPN subsystem that is isolated from that bus interface, whether or not it employs the features and mechanisms of the prior claims and apparatus.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
John Drabik
Original Assignee
John Drabik
Inventors
Drabik, John

Application Number

US10/460,518
Publication Number

US 20050193103A1
Time in Patent Office

Days
Field of Search
US Class Current

709/221
CPC Class Codes

H04L 63/0272 Virtual private networks

Method and apparatus for automatic configuration and management of a virtual private network

First Claim

0 Assignments

0 Petitions

Accused Products

Abstract

434 Citations

9 Claims

Specification

Solutions

Use Cases

Quick Links

Method and apparatus for automatic configuration and management of a virtual private network

First Claim

0 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

434 Citations

9 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links