A Secure Virtual Network Layer and Virtual Network Manager that Establishes a Comprehensive Business Reporting and Security Infrastructure as an Integral Part of the Network

US 20060248205A1
Filed: 05/09/2006
Published: 11/02/2006
Est. Priority Date: 10/25/2002
Status: Active Grant

First Claim

Patent Images

1. A method for establishing a secure virtual service network on any physical network comprising:

transmitting from a first computer to a third computer a request for a service located on a second network, wherein the first computer is located on a first network and operates as a gateway between the first network and a third network;

authenticating the request at the third computer;

determining at the third computer an authorization of a user at the first network to access a service located on the second network;

establishing a secure connection between the first computer and a second computer located on the second network, wherein the second computer operates as a gateway between the second network and the third network, after the successful authentication of said first computer by said third computer; and

providing a service to a user at said first network from said second network by way of said secure connection only if said third computer determines that said user is authorized to access said service.

View all claims

0 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

A Secure Service Network (SSN) in which at least two participants having a relationship are connected to a physical network by way of Secure Service Gateways and share information defined by one or more Service Definitions allowing for the creation of a secure Virtual Service Connection (VSC) between the participants in which the VSC is specific to the activity being performed and the participants provisioned for that activity. SSN enables the creation of a secure virtual network topology on any network transport that allows participants to exchange documents and transact business over the network real time, where all activity inherits a business and security infrastructure that is independent and in addition to the applications, devices, web services, users using the network.

93 Citations

View as Search Results

49 Claims

1. A method for establishing a secure virtual service network on any physical network comprising:
- transmitting from a first computer to a third computer a request for a service located on a second network, wherein the first computer is located on a first network and operates as a gateway between the first network and a third network;
  
  authenticating the request at the third computer;
  
  determining at the third computer an authorization of a user at the first network to access a service located on the second network;
  
  establishing a secure connection between the first computer and a second computer located on the second network, wherein the second computer operates as a gateway between the second network and the third network, after the successful authentication of said first computer by said third computer; and
  
  providing a service to a user at said first network from said second network by way of said secure connection only if said third computer determines that said user is authorized to access said service.

2. A method for establishing a secure virtual service network on any physical network comprising:
- transmitting from a first computer to a third computer a request for a service located on a second network, wherein the first computer is located on a first network and operates as a gateway between the first network and a third network;
  
  authenticating the request at the third computer;
  
  determining at a second computer an authorization of a user at said first network to access a service located on the second network, wherein the second computer is located on the second network and operates as a gateway between the second network and the third network third computer;
  
  establishing a secure connection between the first computer and the second computer after the successful authentication of said first computer by said third computer; and
  
  providing a service to a user at said first network from said second network by way of said secure connection only if said second computer determines that said user is authorized to access said service.

3. A method for establishing a secure virtual network on any physical network comprising:
- transmitting from a first computer to a third computer a request for a service located on a second network, wherein the first computer is located on a first network and operates as a gateway between the first network and a third network;
  
  authenticating the request at the third computer;
  
  determining at a second computer and at the third computer an authorization of a user at said first network to access a service located on the second network, wherein the second computer is located on the second network and operates as a gateway between the second network and the third network third computer;
  
  establishing a secure connection between the first computer and the second computer after the successful authentication of said first computer by said third computer; and
  
  providing a service to a user at said first network from said second network by way of said secure connection only if said second computer and said third computer determines that said user is authorized to access said service.

4. A method for the management and provisioning of a secure Virtual Service Network (VSN) topology on any physical network transport where the transport and any application or web service running over the transport is made secure through the implementation of integrated Authentication, Authorization, Encryption, Usage based billing, End to End Logging, Privacy, and Service Level Activity as a function of a connection on the network.
- View Dependent Claims (16, 17)
- - 16. A method of claim 4 where security enforcement allows service providers the ability to provision and manage access to their services independent of any other participant on the network.
  - 17. A method of claim 4 where SSL encryption is coupled to identity by way of a mutual authentication process using PKI and digital certificates.

25. A method for incorporating geo-spatial and time data into a virtual network connection to effect strong security on a mixed user/application network where the security components effected includes one or more of:
- Authentication;
  
  Authorization;
  
  Encryption;
  
  Non-Repudiation.

26. A method for incorporating geo-spatial and time data into a virtual network connection to effect strong security and business reporting where business reporting includes one or more of the following:
- payload size;
  
  billing by location;
  
  response time.

31. A method for the creation and management of infrastructure VSCs allowing the creation of a virtual network topology using any physical network connection wherein the infrastructure VSCs include one or more of the following services on the network that are specific to the provisioning of the service to one or more participants:
- Access Control List service for authorization verification of a request for a service;
  
  Certificate Revocation List for the digital certificate status and revocation;
  
  Logging service for the consistent logging of network activity across all network participants but specific to each and every VSC and the participants it is provisioned to;
  
  Discovery service for the identification of available services specific to a participant or activity on the Virtual Network Topology;
  
  Geo-Spatial correlation service for establishing a spatial reference for activities on a Virtual Network Topology;
  
  A Certificate Generation service allowing the creation of a digital certificate for use by one or more participants on the network;
  
  Certificate signing service for supporting registration and PKI lifecycle management associated with users and nodes on a Virtual Network Topology;
  
  SSG node generation service for the creation of a Software Package that can be downloaded and registered to a Virtual Network Topology;
  
  User Authentication service allowing the validation of a credential presented by a user/device on a Virtual Network Topology and a service repository service that allows for the management of service definition in a repository on the network.

33. A method for the creation, management, and provisioning of a secure virtual network topology where the default security model is “
- deny all—
  
  explicitly grant”
  
  for all virtual network communications where, at a minimum, the following is enforced as a function of a connection;
  
  transport encryption;
  
  mutual authentication of all parties to a connection;
  
  service specific authorization and;
  
  end to end logging inclusive of correlation IDs for all service activity.
- View Dependent Claims (5, 6, 7, 8, 9, 10, 11, 12, 13, 14, 15, 18, 19, 20, 21, 22, 23, 24, 27, 28, 29, 30, 32, 36, 37, 48)
- - 5. A method of claims 4, or 33 or 34 where transport encryption is accomplished independent of payload encryption
  - 6. A method of claim 5 where payload encryption is accomplished by way of recipient specific encryption comprising digital certificates using a Public Key Infrastructure.
  - 7. A method of claim 5 where transport encryption is the result of a mutually authentication process using embedded PKI for the establishment of identity for the negotiation of a function and participant specific dedicated encrypted network connection.
  - 8. A method of claims 4 or 33 or 34 where authentication is accomplished by way of the management and provisioning of digital certificates.
  - 9. A method of claim 8 where mutual authentication is accomplished for all virtual network connections using a Certificate Authority and PKI.
  - 10. A method of claim 8 or 9 where additional authentication is accomplished by way of one or more authentication services exposed on the network where information is validated against one or more credential repositories.
  - 11. A method of claims 4 or 33 or 34 or 35 where each service is provisioned in its own isolated and participant specific virtual network connection so as to maintain complete privacy for all network activity specific to the participants in that activity.
  - 12. A method of claims 4 or 33 or 34 where transitive security, control, privacy, and reporting is managed and maintained for service connections as defined by predetermined relationship and control models.
  - 13. A method of claims 4 or 33 or 34 where authorization is accomplished by way of identities extracted from PKI and digital certificates for local and/or central authorization control and enforcement.
  - 14. A method of claims 4 or 33 or 34 where identities are extracted from third party systems through service definitions on the network and for the purpose of Access Control List (ACL) enforcement for services provided on the network.
  - 15. A method of claims 4 or 33 or 34 where authorization is centrally enforced, locally enforced, or enforced in a two stage process where local ACL enforcement can only further restrict accesses granted by a central ACL but can not grant access not also present in a central ACL.
  - 18. A method of claims 4 or 33 or 34 where Virtual Network participant roles are one of Service Provider, Service Requestor, administrator, or any combination thereof.
  - 19. A method of claims 4 or 33 where Quality of Service (QOS) can be implemented, managed, and reported on specific to a service and the provisioning of a service to one or more participants on the solution of the invention.
  - 20. A method of claim 19 where QOS can be accomplished on a mixed physical network including multi-carrier and private network implementations where QOS definitions across two or more physical networks may be different.
  - 21. A method of claims 4 or 33 where information is extracted from any Virtual Service Connection and provisioning in a manner that allows for end to end logging, reporting, SLA management, and billing independent of the application or web service attached to the Virtual Service Network.
  - 22. A method of claims 4 or 33 or 34 or 35 where governance, reporting and management is effected in one of the following process models:
    - Strong Central Governance and Management;
      
      Central authentication and authorization management and enforcement;
      
      Distributed Governance with Central Certificate Management;
      
      Central authentication management and enforcement;
      
      Local authorization management and enforcement;
      
      Peer to Peer Distributed Governance;
      
      Local authentication management and enforcement;
      
      Local authorization management and enforcement;
      
      Hybrid Governance;
      
      Local and central authorization management and enforcement;
      
      Central authentication and local enforcement.
  - 23. A method of claims 4 or 33 or 34 where the VSN is comprised of a virtual network topology created through the implementation of one or more Virtual Service Connections over any physical network transport and specific to the participants in that service.
  - 24. A method of claims 4 or 33 or 34 that incorporates geo location and time data with a Virtual Service Connection to effect strong operational security for conducting business over a network where positional data is derived from any combination of the following:
    - GPS receivers;
      
      GPS remote transmitter stations;
      
      RFID tag in correlation to Services on the network Time Service on the network.
  - 27. A method of claims 4 or 33 and 34 where a PKI infrastructure is used to enforce elements of security that include any mix of authentication, encryption, authorization, where the PKI certificate generation, provisioning, distribution, signing and revocation are automated and integrated functions on the network.
  - 28. A method of claim 27 were a self enrollment process that includes strong authentication is effected by using PKI and a registration process where a software based SSG can be securely created, downloaded, registered and provisioned over a network connection.
  - 29. A method of claims 4 or 33 or 34 where a digital certificate can be portable and allows a user to self register from any device attached to the network that includes a browser and internet connection where the digital certificate is used as one factor for authentication and registration.
  - 30. A method of claims 4 or 33 or 34 where operational security is automated through decisioning based on the inclusion of geospatial, time, and integrated business reporting as a function of activity on one or more instances of SSN wherein the SSN is applied to (1) Military operations incorporating troop and threat positions as well as real time correlation between participants communicating over the network;
    - (2) Intelligence operations where collection activity and threat activity is correlated in real time to address security for networked participants;
      
      (3) Police;
      
      (4) 911;
      
      (5) Fire response;
      
      (6) communications where operational management of resources and participants can be used to effect security for networked participants (7) Transportation control to include air traffic control, commuter train, subway, and port management;
      
      (8) Medical resource management and reporting to effect resource allocation and response level classification;
      
      (9) Operational business reporting for global networked companies to include production, distribution, inventory management, payments management, and sales across the internet.
  - 32. A method of claims 4 or 33 or 34 where a secure private virtual network community is created in support of bill presentment where bill presenters:
    - Are Service providers on the network;
      
      Can create, provision and bill for services independent of any other participant on the network;
      
      Can establish broker relationships with other participants on the network;
      
      Can broker services from third parties as services on the network.
  - 36. A method of claims 4 or 33 or 34 or 35 comprising the creation of secure virtual network communities enabled through an SSN layered on top of a traditional network infrastructure.
  - 37. A method of claims 4 or 33 or 34 or 35 where management reporting includes one or more of the following specific to one or more users/activities provisioned on the network:
    - response times for VSCs on the network;
      
      payload size for activity on the network;
      
      service status codes for activity on the network;
      
      service and provisioning specific billing for all service activity on the network where reporting is private and specific to the participants provisioned to a service and independent of all other activity or participants on the network;
      
      transitive security reporting for the correlation of transitive service activity on the network in support of service brokering on the network.
  - 48. A method of claim 23 where a node (SSG) on the virtual network supported multiple concurrent VSCs as a function of services provisioned to the network.

34. A method for the creation, management, and provisioning of a secure virtual service connection (VSC) that includes the following as a function of a connection:
- service definition;
  
  mutual authentication of all parties to a connection;
  
  service specific authorization;
  
  transport encryption;
  
  end to end logging inclusive of correlation IDs for all service activity.

35. A method for the creation, management, and provisioning of a secure service definition where the service may be one or more of the following exposed through a VSC;
- (1) application proxied through an SSN;
  
  (2) a function in an application exposed through the SSN;
  
  (3) a web service exposed through the SSN; and
  
  (4) a streaming connection exposed through the SSN.

38. A method for the enablement and business reporting in support of federated security on a virtual network topology where predefined relationship and control models are supported and enforced by an SSN layered on top of a traditional network infrastructure.

39. A Global Gateway Computer located on a third network for managing the provisioning, reporting, and implementation of a secure virtual network topology for secure communications from a first network to a second network, said Global Gateway Computer Comprising:
- an input for receiving a request for a service from a first computer, wherein the first computer is located in the first network and operates as a gateway between the first network and the third network, and wherein the service is provided by the second network;
  
  a processor for authenticating the request and for determining if the first computer is authorized to use the service; and
  
  an output for transmitting a message to the first computer that facilitates the establishment of a peer to peer secure connection between the first computer and a second computer upon the successful authentication of the first computer and if the user is authorized to use the service, wherein the second computer is located on the second network and operates as a gateway between the second network and the third network.

40. A secure virtual network topology comprising:
- a first computer gateway to a third network, wherein the first computer gateway is located on a first network, a second computer gateway to the third network, wherein the second computer gateway is located on a second network, a global computer, wherein the global computer is located on the third network, a transmitter at said first computer gateway for transmitting a request to the global computer for a service that is provided by the second network, an input at said global computer for receiving the request, a processor at said global computer for authenticating the request and for making a determination that a requester is authorized to access the service, a peer to peer connection between the first computer gateway and the second computer gateway established after the authentication of the request by the global computer; and
  
  a second processor on said second network for providing the service to the requester upon the determination that the requester is authorized to access the service.

41. A secure virtual network topology comprising:
- a first computer gateway to a third network, wherein the first computer gateway is located on a first network, a second computer gateway to the third network, wherein the second computer gateway is located on a second network, a global computer, wherein the global computer is located on the third network, a transmitter at said first computer gateway for transmitting a request to the global computer for a service that is provided by the second network, an input at said global computer for receiving the request, a processor at said global computer gateway for authenticating the request;
  
  a peer to peer connection between the first computer gateway and the second computer gateway established after the authentication of the request by the global computer;
  
  a second processor at said second computer gateway for making a second determination that a requester is authorized to access the service, and a third processor on said second network for providing the service to the requester upon the determination by the second computer gateway that the requester is authorized to access the service.

42. A secure virtual network topology comprising:
- a first computer gateway to a third network, wherein the first computer gateway is located on a first network, a second computer gateway to the third network, wherein the second computer gateway is located on a second network, a global computer, wherein the global computer is located on the third network, a transmitter at said first computer gateway for transmitting a request to the global computer for a service that is provided by the second network, an input at said global computer for receiving the request, a processor at said global computer gateway for authenticating the request and for making a first determination that a requester is authorized to access the service;
  
  a peer to peer connection between the first computer gateway and the second computer gateway established after the authentication of the request by the global computer;
  
  a second processor at said second computer gateway for making a second determination that a requester is authorized to access the service, and a third processor on said second network for providing the service to the requester upon the determination by the second computer gateway and the global computer that the requester is authorized to access the service.

43. A Secure Virtual Network Topology Apparatus comprised of components that include one or more Secure Service Gateways linked together by way of a physical network connection that is wired or wireless and operating in a proxy and/or and service mode including one or more of:
- an Optional Global Secure Service Gateway;
  
  Network Functions to include;
  
  Service Repository;
  
  VSC domain controller and administration model;
  
  Service Management, Provisioning, Billing and Reporting Console;
  
  one or more governance models;
  
  Network Infrastructure Services and Reporting; and
  
  participant and service provisioning specific reporting and billing.

44. A Secure Service Gateway comprised of one or more of the following:
- a security proxy with port level firewall;
  
  a service implementation; and
  
  an integration framework.

45. A Secure Virtual Network Topology Apparatus comprised of one or more of the following:
- A network of SSGs;
  
  one or more infrastructure and management services and functions used across SSGs in a network;
  
  a reporting and aggregation process for integration data from multiple SSGs in a network in a secure and auditable fashion;
  
  a VSC provisioning process where VSCs are provisioned across multiple SSGs connected on a network for use by specific network participants linked to one or more SSGs.

46. A SSG that can securely register as a new participant on an instance of an SSN where the registration and provisioning process is automated once the SSG is attached to a physical network connection that has access to an instance of an SSN.

47. A Virtual Network Topology Manager that includes management and service functions running on two or more physical devices that implement one or more of the following infrastructure services on a physical network in VSCs to facilitate the creation and management of business service VSCs on any physical network:
- (1) Access Control List service for authorization verification of a request for a service;
  
  (2) Certificate Revocation List for the digital certificate status and revocation;
  
  (3) Logging service for the consistent logging of network activity across all network participants but specific to each and every VSC and the participants it is provisioned to;
  
  (4) Discovery service for the identification of available services specific to a participant or activity on the Virtual Network Topology;
  
  (5) Geo-Spatial correlation service for establishing a spatial reference for activities on a Virtual Network Topology;
  
  (6) a Certificate Generation service allowing the creation of a digital certificate for use by one or more participants on the network;
  
  (7) Certificate signing service for supporting registration and PKI lifecycle management associated with users and nodes on a Virtual Network Topology; and
  
  (8) SSG node generation service for the creation of a Software Package that can be downloaded and registered to a Virtual Network Topology.

49. A device or software module that represents a node in a secure virtual network where that node supports multiple concurrent and separate secure connections wherein a connection comprises authentication, authorization, encryption for each connection that is specific to the provisioning of a connection to a participant on a virtual network and further including an operation of the node in one or more of the modes;
- (1) a single user gateway and (2) a gateway for multiple users.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Randall E. Orkis, William M. Randle
Original Assignee
Randall E. Orkis, William M. Randle
Inventors
Orkis, Randall E., Randle, William M.

Granted Patent

US 7,949,871 B2
Time in Patent Office

Days
Field of Search
US Class Current

709/229
CPC Class Codes

G06F 2221/2145   Inheriting rights or proper...

H04L 63/0272   Virtual private networks

H04L 63/0823   using certificates cryptogr...

H04L 63/0869   for achieving mutual authen...

H04L 63/166   at the transport layer

A Secure Virtual Network Layer and Virtual Network Manager that Establishes a Comprehensive Business Reporting and Security Infrastructure as an Integral Part of the Network

First Claim

0 Assignments

0 Petitions

Accused Products

Abstract

93 Citations

49 Claims

Specification

Use Cases

Quick Links

Others

A Secure Virtual Network Layer and Virtual Network Manager that Establishes a Comprehensive Business Reporting and Security Infrastructure as an Integral Part of the Network

First Claim

0 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

93 Citations

49 Claims

Specification

Subscription Required

Use Cases

Quick Links

Others