Apparatus for implementing virtual private networks
Abstract
Protocols and architecture for secure virtual private networks. Intraenterprise data communications are supported in a secure manner over the Internet or other public network space with the implementation of secure virtual private networks. Members of a virtual private network group exchange data that may be compressed, encrypted and authenticated, if the exchange is between members of the group.
Claims (16)
1. An apparatus for providing secured data communications between members of a virtual private network group comprising:
input/output (I/O) circuitry for receiving and transmitting data packets between the members of said virtual private network group;
a system bus in communication with said I/O circuitry for conveying data between components of said system;
a compression engine in communication with said system bus for compressing outbound data packets and decompressing inbound data packets;
an encryption engine in communication with said system bus for encrypting outbound data packets and decrypting inbound data packets;
a central processing unit (CPU) in communication with said system bus for controlling the processing of data packets by said system, said CPU for determining which data packets are being sent between members of said virtual private network and for determining the data flow for said data packets in accordance with predetermined parameters for said virtual private network, wherein when said data packets are determined to not being sent between members of said virtual private network, the data flow for said data packets will be treated as ordinary internet traffic, and will not be processed by said compression engine and said encryption engine; and
a memory device in communication with said system bus for maintaining a list of members of said virtual private network and for storing said predetermined parameters.
a private I/O port for coupling said apparatus to a site's private network;
a public I/O port for coupling said apparatus to a public network space; and
I/O control logic in communication with said system bus and coupled to said private and public I/O ports for controlling data packet flow between said apparatus and said members of said virtual private network.
3. The apparatus of claim 2 wherein said CPU generates encapsulation headers for outbound data packets in accordance with a key management protocol.
4. The apparatus of claim 3 wherein said key management protocol comprises the Simple Key Management for Internet Protocol (SKIP).
5. The apparatus of claim 2 wherein said encryption engine comprises an application specific integrated circuit for performing DES encryption.
6. The apparatus of claim 2 wherein said encryption engine comprises an application specific integrated circuit for performing DES encryption or triple-DES encryption in accordance with said predetermined parameters.
7. The apparatus of claim 1 wherein said compression engine comprises an integrated circuit for performing LZW compression.
8. The apparatus of claim 1 wherein said memory comprises lookup tables for identifying all the virtual private network groups supported by said apparatus and the members of said group wherein said members are each identified by a network address and wherein a single network address may identify a member of multiple groups.
9. An apparatus for securely exchanging data packets between members of a virtual private network group comprising:
a first computer at a first site, said first computer having a first network address;
a first router associated with said first site for routing data packets originating from said first computer over a public network;
a first virtual private network unit disposed between said router and said public network, said first virtual private network unit for identifying virtual private network group data traffic and for securing said data traffic by manipulating said data traffic according to packet manipulation rules maintained by said virtual private network unit;
a second router associated with a second site for coupling said second site to the public network;
a second virtual private network unit disposed between said second router and the public network for intercepting network traffic destined for said second site, said second virtual private network unit for detecting virtual private network group traffic and for recovering original packet data; and
a second computer at said second site, said second computer having a second network address for receiving said packet data, wherein said first and second virtual private network units respectively comprise:
input/output (I/O) circuitry for receiving and transmitting data packets between the members of said virtual private network group;
a system bus in communication with said I/O circuitry for conveying data between components of said apparatus;
a compression engine in communication with said system bus for compressing outbound data packets and decompressing inbound data packets;
an encryption engine in communication with said system bus for encrypting outbound data packets and decrypting inbound data packets;
a central processing unit (CPU) in communication with said system bus for controlling the processing of data packets by said apparatus, said CPU for determining which data packets are being sent between members of said virtual private network and for determining the data flow for said data packets in accordance with predetermined parameters for said virtual private network, wherein when said data packets are determined to not being sent between members of said virtual private network, the data flow for said data packets will be treated as ordinary internet traffic, and will not be processed by said compression engine and said encryption engine; and
a memory device in communication with said system bus for maintaining a list of members of said virtual private network and for storing said predetermined parameters.
a private I/O port for coupling said apparatus to a site's private network;
a public I/O port for coupling said apparatus to a public network space; and
I/O control logic in communication with said system bus and coupled to said private and public I/O ports for controlling data packet flow between said apparatus and said members of said virtual private network.
11. The system of claim 10 wherein said CPU generates encapsulation headers for outbound data packets in accordance with a key management protocol.
12. The system of claim 11 wherein said key management protocol comprises the Simple Key Management for Internet Protocol (SKIP).
13. The system of claim 10 wherein said encryption engine comprises an application specific integrated circuit for performing DES encryption.
14. The system of claim 10 wherein said encryption engine comprises an application specific integrated circuit for performing DES encryption or triple-DES encryption in accordance with said predetermined parameters.
15. The system of claim 10 wherein said compression engine comprises an integrated circuit for performing LZW compression.
16. The system of claim 10 wherein said memory comprises lookup tables for identifying all the virtual private network groups supported by said apparatus and the members of said group wherein said members are each identified by a network address and wherein a single network address may identify a member of multiple groups.
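The data-flow rule of claims 1 and 9 (only packets whose source and destination are members of a common group are compressed, encrypted and encapsulated; everything else is forwarded as ordinary Internet traffic and never touches either engine) together with the lookup tables of claims 8 and 16 (groups keyed by network address, one address allowed in several groups), modelled as an added Python example written for this page. It is not code from the patent, from Sun's SKIP implementation or from any product. Assumptions made here: a hypothetical pre-shared per-group key stands in for the SKIP key management of claims 3, 4, 11 and 12; zlib (deflate) stands in for the LZW engine of claims 7 and 15; an HMAC-SHA256 keystream plus an HMAC tag stands in for the DES/3DES ASIC of claims 5, 6, 13 and 14 (DES is obsolete and the standard library has no DES); the 15-byte encapsulation header layout and the sample addresses are constructed for the example and are not the SKIP header.

```python
import hashlib
import hmac
import os
import struct
import zlib
from dataclasses import dataclass


@dataclass(frozen=True)
class GroupParams:
    """The claim's 'predetermined parameters' for one group.
    key is a hypothetical pre-shared group key (stand-in for SKIP)."""
    group_id: int
    key: bytes
    compress: bool = True


class MembershipTable:
    """Claim 8 / 16 lookup tables: group -> member addresses; an address may be in many groups."""

    def __init__(self) -> None:
        self._params: dict[int, GroupParams] = {}
        self._members: dict[int, frozenset[str]] = {}

    def add_group(self, params: GroupParams, members: list[str]) -> None:
        self._params[params.group_id] = params
        self._members[params.group_id] = frozenset(members)

    def params(self, group_id: int) -> GroupParams:
        return self._params[group_id]

    def common_groups(self, src: str, dst: str) -> list[int]:
        """Groups containing both endpoints; empty list means 'not VPN traffic'."""
        return sorted(g for g, m in self._members.items() if src in m and dst in m)


# Constructed encapsulation header for this example (NOT the SKIP header):
# group id, flags, 12-byte nonce.
HEADER = struct.Struct("!HB12s")
FLAG_COMPRESSED = 0x01
TAG_LEN = 16


def _subkey(key: bytes, label: bytes) -> bytes:
    """Separate encryption and MAC keys derived from the group key."""
    return hmac.new(key, label, hashlib.sha256).digest()


def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    """HMAC-SHA256 in counter mode; stand-in for the DES/3DES engine."""
    out, counter = bytearray(), 0
    while len(out) < length:
        out += hmac.new(key, nonce + counter.to_bytes(4, "big"), hashlib.sha256).digest()
        counter += 1
    return bytes(out[:length])


def _xor(key: bytes, nonce: bytes, data: bytes) -> bytes:
    return bytes(a ^ b for a, b in zip(data, _keystream(key, nonce, len(data))))


def _tag(key: bytes, data: bytes) -> bytes:
    return hmac.new(key, data, hashlib.sha256).digest()[:TAG_LEN]


class VpnUnit:
    """Claim 1 data flow: member-to-member packets are compressed, encrypted and
    encapsulated; all other packets bypass both engines as ordinary Internet traffic."""

    def __init__(self, table: MembershipTable) -> None:
        self.table = table

    def outbound(self, src: str, dst: str, payload: bytes) -> tuple[str, bytes]:
        groups = self.table.common_groups(src, dst)
        if not groups:
            return "plain", payload  # not between members: engines skipped
        p = self.table.params(groups[0])  # assumption: lowest shared group id wins
        body, flags = payload, 0
        if p.compress:
            body, flags = zlib.compress(payload), FLAG_COMPRESSED  # zlib stands in for LZW
        nonce = os.urandom(12)
        header = HEADER.pack(p.group_id, flags, nonce)
        ct = _xor(_subkey(p.key, b"enc"), nonce, body)
        return "vpn", header + ct + _tag(_subkey(p.key, b"mac"), header + ct)

    def inbound(self, src: str, dst: str, wire: bytes) -> tuple[str, bytes]:
        groups = self.table.common_groups(src, dst)
        if not groups:
            return "plain", wire
        # Fail closed: traffic between members is never accepted unauthenticated.
        if len(wire) < HEADER.size + TAG_LEN:
            raise ValueError("truncated VPN packet")
        header, ct, tag = wire[:HEADER.size], wire[HEADER.size:-TAG_LEN], wire[-TAG_LEN:]
        group_id, flags, nonce = HEADER.unpack(header)
        if group_id not in groups:
            raise ValueError("group id not shared by this src/dst pair")
        p = self.table.params(group_id)
        if not hmac.compare_digest(tag, _tag(_subkey(p.key, b"mac"), header + ct)):
            raise ValueError("authentication failed")
        body = _xor(_subkey(p.key, b"enc"), nonce, ct)
        return "vpn", zlib.decompress(body) if flags & FLAG_COMPRESSED else body


def build_demo_table() -> MembershipTable:
    """Constructed sample data: 10.0.0.1 is a member of both group 1 and group 2."""
    t = MembershipTable()
    t.add_group(GroupParams(1, b"group-1-preshared-key"), ["10.0.0.1", "10.0.1.1"])
    t.add_group(GroupParams(2, b"group-2-preshared-key", compress=False), ["10.0.0.1", "10.0.2.1"])
    return t


if __name__ == "__main__":
    unit = VpnUnit(build_demo_table())
    kind, wire = unit.outbound("10.0.0.1", "10.0.1.1", b"intra-enterprise payload")
    print(kind, unit.inbound("10.0.0.1", "10.0.1.1", wire))
    print(unit.outbound("10.0.0.1", "203.0.113.9", b"public web request"))
```

Two points a practitioner should take from the model. The bypass in claim 1 is a default-to-cleartext rule: any member address missing from the table silently leaves the site unprotected, so the membership table is security policy and changes to it deserve the same review and logging as firewall rules. And membership is keyed on network address, which anyone on the public side can forge, so the inbound path must never treat "both addresses are members" as proof that a packet is VPN traffic; here the unit rejects a packet that is truncated, carries a group id the pair does not share, or fails the tag check, rather than forwarding it as plaintext.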