METHOD, SYSTEM AND APPARATUS PROVIDING SECURE INFRASTRUCTURE

US 20110231654A1
Filed: 03/15/2011
Published: 09/22/2011
Est. Priority Date: 03/16/2010
Status: Abandoned Application

First Claim

Patent Images

1. A method for generating an secure service layer upon non-secured network infrastructure, comprising:

receiving a service request associated with a desired IPSec service, the service request information including at least an identification of a secure network to be protected;

selecting at least one routing device including a boundary device for use as a Secure Gateway (SEG);

providing a secure networking service to terminate secure traffic from the secure network at a first portion of the boundary device;

providing a secure networking service to terminate tunneled public traffic from a non-secure network at a second portion of the boundary device;

creating an interface to appropriately group tunneled traffic and corresponding secure traffic to form secure network traffic paths, wherein each group is associated with a respective encapsulation identifier.

View all claims

4 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

Methods and apparatus for automatically providing secure network infrastructure over non-secure network infrastructure such as by automatically generating IPSec tunnels through non-secure networks, terminating the IPSec tunnels at a boundary device and creating appropriate services to bridge traffic between the IPSec tunnels and a secure network. Various embodiments provide rapid provisioning of secure network infrastructure, a Secure Gateway (SEG) embodiment adapted to particular customer requirements and various business methodologies.

35 Citations

View as Search Results

40 Claims

1. A method for generating an secure service layer upon non-secured network infrastructure, comprising:
- receiving a service request associated with a desired IPSec service, the service request information including at least an identification of a secure network to be protected;
  
  selecting at least one routing device including a boundary device for use as a Secure Gateway (SEG);
  
  providing a secure networking service to terminate secure traffic from the secure network at a first portion of the boundary device;
  
  providing a secure networking service to terminate tunneled public traffic from a non-secure network at a second portion of the boundary device;
  
  creating an interface to appropriately group tunneled traffic and corresponding secure traffic to form secure network traffic paths, wherein each group is associated with a respective encapsulation identifier.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13, 14, 15, 16, 17, 18, 19, 20, 21, 22, 23, 24, 25, 26, 27, 28, 29, 30, 31, 32, 33, 34, 35, 36, 37)
- - 2. The method of claim 1, further comprising:
    - selecting one or more access points within the non-secure network authorized to access the secure network.
  - 3. The method of claim 2, wherein multiple access points within the non-secure network are authorized to access the secure network, the method further comprising:
    - associating each of the access points with an appropriate SEG; and
      
      configuring the secure networking service of each SEG to terminate tunneled public traffic from corresponding access points.
  - 4. The method of claim 1, wherein said secure networking service to terminate secure traffic from the secure network comprises a Level 3 Virtual Private Network (L3 VPN) service.
  - 5. The method of claim 1, wherein said secure networking service to terminate tunneled traffic from the non-secure network comprises one of a Level 3 Virtual Private Network (L3 VPN) service, a VPRN (Virtual Private Routed Network) service and a IES (Internet Enhanced Service) service.
  - 6. The method of claim 1, wherein said secure networking service to terminate secure traffic from the secure network enables communication between a terminated IPSec tunnel and a Level 2 (L2) VPN secure network.
  - 7. The method of claim 1, wherein said secure service layer comprises an IPSec infrastructure and said tunneled public traffic comprises IPSec tunneled traffic.
  - 8. The method of claim 1, wherein said selecting of said at least one routing device including a boundary device comprises:
    - identifying one or more routers proximate the secure network to be protected; and
      
      selecting one of said routers according one or more of the following criteria;
      
      cost, proximity to customer, proximity to service provider and utilization level.
  - 9. The method of claim 1, wherein said generated IPSec service layer comprises a service for securely connecting a plurality of users to said secured network, said method further comprising further comprising:
    - dividing said users into a plurality of groups; and
      
      directing traffic associated with each group to a respective access point.
  - 10. The method of claim 9, wherein said user groups are defined according to user location.
  - 11. The method of claim 10, further comprising aggregating traffic associated with a group of users at a switching element geographically proximate the group of users.
  - 12. The method of claim 11, wherein said aggregated traffic includes video services traffic, said aggregated traffic communicated between said geographically proximate switching element and a head-end of a video services provider.
  - 13. The method of claim 12, wherein said video services provider comprises one of a cable television system, a MSO, a telecommunications systems provider and a broadcast network.
  - 14. The method of claim 1, wherein said method is executed by a service creation engine (SCE) instantiated within a computer associated with a network service provider.
  - 15. The method of claim 1, wherein said method is executed by a service creation engine (SCE) instantiated within a network operations center (NOC) of a network service provider.
  - 16. The method of claim 14, wherein said request includes configuration information associated with a type of secure connection to be made through one or more identified access points.
  - 17. The method of claim 14, wherein the type of secure connection comprises an IPSec tunnel.
  - 18. The method of claim 14, wherein the secured network comprises at least one of a secure corporate network, a secure intranet, one or more portions of a single third party network, and one or more portions of multiple third party networks.
  - 19. The method of claim 14, wherein the request further includes identifying information associated with one or more access points in secure communication with the secured network.
  - 20. The method of claim 19, wherein each of said access points comprises at least one of a switching device, a router and a bridge between said secured network and said non-secured network.
  - 21. The method of claim 20, wherein said non-secured network comprises one of a core network and an access network.
  - 22. The method of claim 19, wherein said access point comprises a router including an IPSec boundary device operative to terminate IPSec traffic from said generated IPSec service layer at said secured network.
  - 23. The method of claim 19, wherein:
    - said generated IPSec layer supports secure traffic from between users accessing said non-secure network by routing traffic from each user to respective access points of said secured network via respective IPSec tunnels; and
      
      for users having different access points to said secured network, traffic between said users is routed between said different access points via said secured network; and
      
      for users having a common access point to said secured network, traffic between said users is routed directly through said common access point.
  - 24. The method of claim 1, further comprising adapting the operation of one or more mobile services to according to said generated IPSec service layer to provision thereby the desired IPSec service.
  - 25. The method of claim 1, further comprising adapting the operation of one or more transport layer elements supporting paths associated with mobile services included within said generated IPSec service layer.
  - 26. The method of claim 1, wherein the service request is provided via data entered into a single form at a network operations center (NOC).
  - 27. The method of claim 26, wherein the service request is provided via data included within a single form by a customer, the method further comprising reviewing the service request to validate conformance with a service level agreement (SLA) associated with the customer.
  - 28. The method of claim 1, wherein said request is associated with a tunnel template including signaling parameters associated with tunneled traffic flow.
  - 29. The method of claim 28, wherein said tunnel template further includes policies related to tunneled traffic flow.
  - 30. The method of claim 29, wherein said policies include one or more of an associated between particular IP addresses and corresponding services.
  - 31. The method of claim 29, wherein said policies provide for fractional use of IPSec tunnels.
  - 32. The method of claim 1, further comprising:
    - determining whether any portions of mobile services within the generated IPSec service traverse a non-managed network; and
      
      forwarding, toward a manager of said non-managed network, a request to validate the generated IPSec service conveyed via mobile service portions associated with said non-managed network.
  - 33. The method of claim 1, further comprising forwarding, toward a manager of a non-managed network, a request to validate support for one or more mobile service portions within said generated IPSec service that traverse said non-managed network.
  - 34. The method of claim 33, further comprising:
    - in response to a message indicative of a lack of support by said non-managed network for a mobile service portion, forwarding toward said manager of said non-managed network a request to adapt a provisioning of said mobile service portion to provide support for said mobile service portion.
  - 35. The method of claim 1, wherein data correlating each path to its respective transport layer infrastructure is stored in a database initially generated during a discovery process.
  - 36. The method of claim 6, wherein said database is generated according to the steps of iteratively correlating path structure associated with underlying transport layer structure and storing the results of this correlation.
  - 37. The method of claim 1, wherein the non-secure network comprises an LTE network, the method further comprising:
    - identifying IES and VPRN services associated with the one or more identified access points, each mobile service comprising at least one path, each path supported by transport layer infrastructure within said non-secured network; and
      
      generating an IPSec service layer using one or more of said mobile services.

38. A computer readable medium including software instructions which, when executed by a processor, perform a method for generating a secure service layer upon non-secured network infrastructure, comprising:
- receiving a service request associated with a desired IPSec service, the service request information including at least an identification of a secure network to be protected;
  
  selecting at least one routing device including a boundary device for use as a Secure Gateway (SEG);
  
  providing a secure networking service to terminate secure traffic from the secure network at a first portion of the boundary device;
  
  providing a secure networking service to terminate tunneled public traffic from a non-secure network at a second portion of the boundary device;
  
  creating an interface to appropriately group tunneled traffic and corresponding terminated secure traffic to form secure network traffic paths, wherein each group is associated with a respective encapsulation identifier.

39. A computer program product, wherein a computer is operative to process software instructions which adapt the operation of the computer such that computer performs perform a method for generating a secure service layer upon non-secured network infrastructure, comprising:
- receiving a service request associated with a desired IPSec service, the service request information including at least an identification of a secure network to be protected;
  
  selecting at least one routing device including a boundary device for use as a Secure Gateway (SEG);
  
  providing a secure networking service to terminate secure traffic from the secure network at a first portion of the boundary device;
  
  providing a secure networking service to terminate tunneled public traffic from a non-secure network at a second portion of the boundary device;
  
  creating an interface to appropriately group tunneled traffic and corresponding secure traffic to form secure network traffic paths, wherein each group is associated with a respective encapsulation identifier.

40. A Secure Gateway (SEG), comprising:
- a first plurality of ports accepting traffic associated with a non-secure network;
  
  a second plurality of ports accepting traffic associated with a secure network; and
  
  a boundary device adapted to provide a secure networking service to terminate secure traffic from the secure network at a first portion, adapted to a secure networking service to terminate tunneled public traffic from the non-secure network at a second portion, and adapted to create an interface to appropriately group tunneled traffic and corresponding secure traffic to form secure network traffic paths, wherein each group is associated with a respective encapsulation identifier.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Alcatel-Lucent SA (Nokia Corporation)
Original Assignee
Alcatel-Lucent SA (Nokia Corporation)
Inventors
Balus, Paula N., Farook, Mohammad, Colla, Sergio, Calippe, Joël R., Somadder, Gurudas

Application Number

US13/047,859
Publication Number

US 20110231654A1
Time in Patent Office

Days
Field of Search
US Class Current

713/153
CPC Class Codes

H04L 12/5691   Access to open networks; In...

H04L 41/12   Discovery or management of ...

H04L 47/825   Involving tunnels, e.g. MPLS

H04L 63/164   at the network layer

METHOD, SYSTEM AND APPARATUS PROVIDING SECURE INFRASTRUCTURE

First Claim

4 Assignments

0 Petitions

Accused Products

Abstract

35 Citations

40 Claims

Specification

Use Cases

Quick Links

Others

METHOD, SYSTEM AND APPARATUS PROVIDING SECURE INFRASTRUCTURE

First Claim

4 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

35 Citations

40 Claims

Specification

Subscription Required

Use Cases

Quick Links

Others