SECURE NETWORK ARCHITECTURE

US 20100037311A1
Filed: 11/20/2007
Published: 02/11/2010
Est. Priority Date: 11/20/2006
Status: Active Grant

First Claim

Patent Images

1. A star-connected network having a number of peripheral nodes and a central control arrangement;

whereineach peripheral node is restricted in terms of which types of direct communications it can set up across the network to being able to set up direct communications to the central control arrangement using a respective encrypted connection but not being able to set up communications directly with any other of the peripheral nodes unless at least it or the respective target peripheral node has received explicit authorization from the central control arrangement to establish or complete the direct communication; and

whereinthe central control arrangement comprises;

means for establishing an encrypted connection with each peripheral node;

means for exchanging control packets with two or more peripheral nodesusing two or more respective encrypted connections in order to set up an authorised connection between two peripheral nodes;

a database storing security policy information specifying what connections between peripheral nodes are allowable; and

authorisation means for authorising connections which are allowable according to the stored security policy information using the control packet exchanging means.

View all claims

1 Assignment

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

The present invention provides a star-connected network (C1-C4, P1-P8) having a number of peripheral nodes (P1-P8) and a central control arrangement (C1-C4). Each peripheral node has means for restricting communications across the network to the central control arrangement using a respective encrypted connection unless the peripheral node has received explicit authorisation from the control arrangement to set up a direct connection with another peripheral node. The central control arrangement comprises: means for establishing an encrypted connection with each peripheral node; means for exchanging control packets with two or more peripheral nodes using two or more respective encrypted connections in order to set up an authorised connection between two peripheral nodes; a database storing security policy information specifying what connections between peripheral nodes are allowable; and authorisation means for authorising connections which are allowable according to the stored security policy information using the control packet exchanging means.

196 Citations

13 Claims

1. A star-connected network having a number of peripheral nodes and a central control arrangement;
- whereineach peripheral node is restricted in terms of which types of direct communications it can set up across the network to being able to set up direct communications to the central control arrangement using a respective encrypted connection but not being able to set up communications directly with any other of the peripheral nodes unless at least it or the respective target peripheral node has received explicit authorization from the central control arrangement to establish or complete the direct communication; and
  
  whereinthe central control arrangement comprises;
  
  means for establishing an encrypted connection with each peripheral node;
  
  means for exchanging control packets with two or more peripheral nodesusing two or more respective encrypted connections in order to set up an authorised connection between two peripheral nodes;
  
  a database storing security policy information specifying what connections between peripheral nodes are allowable; and
  
  authorisation means for authorising connections which are allowable according to the stored security policy information using the control packet exchanging means.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9)
- - 2. A network according to claim 1, wherein the functionality of the central control arrangement is distributed between a plurality of central control server nodes.
  - 3. A network according to claim 1, wherein the means for establishing encrypted connections with each peripheral node comprises a virtual private network server which is configured to receive all packets via a firewall which will drop all packets unless they are either directed to or originating from the central control arrangement or they associated with an explicitly authorised connection between two peripheral nodes where the direct authorised connection goes via the vitual private network server.
  - 4. A network according to claim 3, wherein the central control arrangement includes an attack detection module which is operable to analyse connection attempts which fail to be authorised and to attempt to detect any patterns in such failed attempts.
  - 5. A network according to claim 1 wherein each peripheral node comprises authentication information securely stored in a tamper-resistant hardware module for authentication for establishing an encrypted connection with the central control or with a peripheral node after explicit authorisation from the central control arrangement.
  - 6. A network according to claim 4, wherein the central control arrangement includes is a security policy engine comprising a high level engine for returning a permit or deny decision in response to a client identifier and a number of session parameters provided by a context handler having received an indication of establishment of a virtual private network corresponding to the identified client, the context handler processing the returned decisions into corresponding updated rules.
  - 7. A network according to claim 6, wherein the session parameters include:
    - origin and destination network addresses and port numbers.
  - 8. A network according to claim 7 wherein the session parameters further include an application identifier identifying the application or the type of application wishing to initiate the connection.
  - 9. A network according to claim 1 wherein the star connected network is implemented on one or more interconnected packet switched mesh networks using virtual local area networks to support the encrypted connections.

10. A central control arrangement for a star-connected network having a number of peripheral nodes;
- the central control arrangement comprising;
  
  means for establishing an encrypted connection with each peripheral node;
  
  means for exchanging control packets with two or more peripheral nodes using two or more respective encrypted connections in order to set up an authorised connection between two peripheral nodes;
  
  a database storing security policy information specifying what connections between peripheral nodes are allowable; and
  
  authorisation means for authorising connections which are allowable according to the stored security policy information using the control packet exchanging means.

11. A method of operating a star-connected network having a number of peripheral nodes and a central control arrangement;
- the method comprising;
  
  restricting communications across the network to communications between the central control arrangement and a peripheral node using a respective encrypted connection unless the peripheral node has received explicit authorisation to establish another connection from the central control arrangement;
  
  establishing an encrypted connection between two or more peripheral nodes and the central control arrangement;
  
  exchanging control packets with two or more peripheral nodes using two or more respective encrypted connections in order to set up an authorised connection between both or two of the peripheral nodes;
  
  storing security policy information specifying what connections between peripheral nodes are allowable; and
  
  authorising connections which are allowable according to the stored security policy information and transmitting corresponding authorisation messages from the central control arrangement to the respective peripheral nodes.
- View Dependent Claims (12, 13)
- - 12. A suite of computer programs for carrying out the method of claim 11.
  - 13. Tangible data storage means storing one or more of the computer programs of claim 12.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
British Telecommunications PLC (BT Group PLC)
Original Assignee
British Telecommunications PLC (BT Group PLC)
Inventors
Littlefair, Bryan, Martin, Thomas, Rutherford, Christopher, Kallath, Dinesh, He, Liwen

Granted Patent

US 8,544,081 B2
Time in Patent Office

Days
Field of Search
US Class Current

726/15
CPC Class Codes

H04L 63/0209   Architectural arrangements,...

H04L 63/0272   Virtual private networks

H04L 63/20   for managing network securi...

SECURE NETWORK ARCHITECTURE

First Claim

1 Assignment

0 Petitions

Accused Products

Abstract

196 Citations

13 Claims

Specification

Solutions

Use Cases

Quick Links

SECURE NETWORK ARCHITECTURE

First Claim

1 Assignment

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

196 Citations

13 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links