METHODS AND APPARATUS FOR ESTABLISHING A DYNAMIC VIRTUAL PRIVATE NETWORK CONNECTION

US 20100125897A1
Filed: 11/20/2008
Published: 05/20/2010
Est. Priority Date: 11/20/2008
Status: Abandoned Application

First Claim

Patent Images

1. A method for managing VPN profiles external to a VPN client installed on an endpoint device, the method comprising:

monitoring a security compliance status of the endpoint device with at least one security policy stored on the endpoint device;

copying, in response to detecting a change in the security compliance status, at least one archived VPN profile from an encrypted datastore to a storage location accessible to the VPN client, wherein the at least one archived VPN profile comprises first connection information; and

configuring the VPN client to connect to a network using the first connection information in the at least one archived VPN profile.

View all claims

4 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

Methods and apparatus for managing a dynamic virtual private network (VPN) connection of an endpoint device using locally-stored encrypted VPN profiles. The endpoint device comprises a VPN client configured to establish a secure connection with a computer via a network, an encrypted datastore for storing the encrypted VPN profiles, and a security agent for monitoring a security compliance status of the endpoint device with a security policy stored on the endpoint device. In response to detecting a change in the security compliance status of the endpoint device, the security agent copies VPN profiles from the encrypted datastore to a storage location accessible to the VPN client. The VPN client is configured to use the copied VPN profiles to securely connect to the computer. Periodic update requests from the security agent to an administrative server enable updated VPN profiles or security policies to be downloaded and stored in the encrypted datastore.

133 Citations

23 Claims

1. A method for managing VPN profiles external to a VPN client installed on an endpoint device, the method comprising:
- monitoring a security compliance status of the endpoint device with at least one security policy stored on the endpoint device;
  
  copying, in response to detecting a change in the security compliance status, at least one archived VPN profile from an encrypted datastore to a storage location accessible to the VPN client, wherein the at least one archived VPN profile comprises first connection information; and
  
  configuring the VPN client to connect to a network using the first connection information in the at least one archived VPN profile.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9)
- - 2. The method of claim 1 further comprising:
    - establishing a first VPN connection with a computer over the network using the VPN client to provide access to a first portion of a secure network.
  - 3. The method of claim 2 further comprising:
    - detecting a change in the security compliance status of the endpoint device; and
      
      disconnecting the first VPN connection in response to detecting the change in the security compliance status.
  - 4. The method of claim 3 further comprising:
    - displaying an indication to a user of the endpoint device that the security compliance status of the endpoint device has changed.
  - 5. The method of claim 4, wherein detecting a change in the security compliance status of the endpoint device comprises detecting that the endpoint device is non-compliant with the at least one security policy.
  - 6. The method of claim 5 further comprising:
    - deleting the at least one archived VPN profile at the storage location accessible to the VPN client;
      
      copying at least one restricted profile from the VPN profiles in the encrypted datastore to the storage location accessible to the VPN client, wherein the at least one restricted profile comprises second connection information; and
      
      configuring the VPN client to connect to the network using the second connection information in the at least one restricted profile.
  - 7. The method of claim 6, further comprising:
    - establishing a second VPN connection with the computer over the network using the VPN client to provide access to a second portion of the secure network; and
      
      receiving information from the computer to modify at least one application on the endpoint device.
  - 8. The method of claim 4, wherein detecting a change in the security compliance status of the endpoint device comprises detecting that the endpoint device is compliant with the at least one security policy, the method further comprising displaying an indication of the security compliance status to a user of the endpoint device.
  - 9. The method of claim 8, further comprising:
    - deleting the at least one archived VPN profile at the storage location accessible to the VPN client;
      
      copying at least one regular profile from the VPN profiles in the encrypted datastore to the storage location accessible to the VPN client, wherein the at least one regular profile comprises third connection information;
      
      configuring the VPN client to connect to the network using the third connection information in the at least one regular profile; and
      
      establishing a second VPN connection over the network using the VPN client.

10. A computer-readable medium encoded with a series of instructions that when executed by a endpoint device perform a method of updating VPN profiles stored on an endpoint device, the method comprising:
- transmitting a profile update request from a security agent on the endpoint device to a profile server, the profile update request comprising authentication information including at least one set of security credentials;
  
  receiving, in response to the profile update request, a VPN profile file comprising a plurality of VPN profiles;
  
  parsing the VPN profile file to extract the plurality of VPN profiles; and
  
  storing the plurality of VPN profiles in an encrypted datastore on the endpoint device.
- View Dependent Claims (11, 12, 13)
- - 11. The computer-readable medium of claim 10, wherein the VPN profile file is an XML file, and parsing the VPN profile file comprises parsing the XML file.
  - 12. The computer-readable medium of claim 10, further comprising:
    - monitoring a security compliance status of the endpoint device with at least one security policy stored on the endpoint device;
      
      copying, in response to detecting a change in the security compliance status, at least one of the plurality of VPN profiles from the encrypted datastore to a storage location accessible to the VPN client, wherein the at least one of the plurality of VPN profiles comprises connection information; and
      
      configuring the VPN client to connect to a network using the connection information.
  - 13. The computer-readable medium of claim 12, further comprising:
    - establishing a VPN connection with a computer over the network using the VPN client.

14. A method for providing an updated VPN profile file from a profile server to an endpoint device, the method comprising:
- receiving a profile update request from a security agent on the endpoint device, the profile update request comprising authentication information including at least one set of security credentials;
  
  searching the profile server for the updated VPN profile file based at least in part on the authentication information; and
  
  transmitting, if found, the updated VPN profile file to the client on the endpoint device.
- View Dependent Claims (15, 16, 17)
- - 15. The method of claim 14, wherein the profile server is an authenticated file server, the method further comprising:
    - transmitting an error message to the security agent if the profile server determines that the authentication information is not valid.
  - 16. The method of claim 14, wherein the VPN profile file is an XML file comprising a plurality of VPN profiles.
  - 17. The method of claim 14, wherein the updated profile file comprises at least one new VPN profile.

18. An apparatus for monitoring a compliance of a endpoint device with at least one security policy, the endpoint device comprising:
- a VPN client configured to establish a secure connection with a computer via a network;
  
  an encrypted datastore for storing archived VPN profiles, wherein at least one of the archived VPN profiles comprises connection information used by the VPN client to establish the secure connection; and
  
  a security agent for monitoring the compliance of the endpoint device with the at least one security policy, wherein the security agent copies at least one VPN profile from the archived VPN profiles in the encrypted datastore to a storage location accessible to the VPN client, wherein the at least one VPN profile is copied based at least in part on the compliance of the endpoint device with the at least one security policy.
- View Dependent Claims (19, 20, 21, 22, 23)
- - 19. The apparatus of claim 18, wherein the archived VPN profiles comprises at least one regular profile, the at least one regular profile permitting the VPN client to establish an unrestricted VPN connection to the computer over the network, and at least one restricted profile, the at least one restricted profile permitting the VPN client to establish a restricted connection to the computer over the network.
  - 20. The apparatus of claim 19, wherein the security agent is configured to copy the at least one regular profile from the encrypted datastore to the storage location accessible to the VPN client when the endpoint device is in compliance with the at least one security policy.
  - 21. The apparatus of claim 19, wherein the security agent is configured to copy the at least one restricted profile from the encrypted datastore to the storage location accessible to the VPN client when the end user device is not in compliance with the at least one security policy.
  - 22. The apparatus of claim 18, wherein the security agent comprises a copy facility for copying the at least one VPN profile from the archived VPN profiles in the encrypted datastore to a storage location accessible to the VPN client.
  - 23. The apparatus of claim 18, wherein the security agent comprises an update facility for transmitting a profile update request to a profile server, wherein the profile update request comprises authentication information including at least one set of security credentials.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
International Business Machines Corporation
Original Assignee
International Business Machines Corporation
Inventors
Jain, Rahul, Hope, Ryan

Application Number

US12/274,623
Publication Number

US 20100125897A1
Time in Patent Office

Days
Field of Search
US Class Current

726/7
CPC Class Codes

H04L 63/0272 Virtual private networks

H04L 63/20 for managing network securi...

METHODS AND APPARATUS FOR ESTABLISHING A DYNAMIC VIRTUAL PRIVATE NETWORK CONNECTION

First Claim

4 Assignments

0 Petitions

Accused Products

Abstract

133 Citations

23 Claims

Specification

Solutions

Use Cases

Quick Links

METHODS AND APPARATUS FOR ESTABLISHING A DYNAMIC VIRTUAL PRIVATE NETWORK CONNECTION

First Claim

4 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

133 Citations

23 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links