Automated operation and security system for virtual private networks
10 Assignments; 0 Petitions
Abstract
A node device for providing secure communication services over a data network, such as the Internet or another public or private packet-switched network, to multiple computers that are coupled through the node device and multiple other node devices. The node device includes a network communication interface for coupling the node device to the data network. The node device includes a data storage containing cryptographic information, including information that is unique to the node device. The node device also includes a tunneling communication service, coupled to the network interface, that is configured to maintain an encrypted communication tunnel with each of multiple other node devices using the cryptographic information. For example, the encrypted communication tunnels may be implemented using the IPsec or PPTP protocols. The node device includes a routing database for holding routing data and a router coupled to the tunneling communication service and to the routing database. The router can pass communication from one communication tunnel to another. A centralized server can be used to control the node devices in a centralized manner, thereby reducing or eliminating on-site administration of node devices.
28 Claims
1. A node device for providing secure communication over a data network to computers coupled through the node device and a plurality of other node devices, comprising:
at least one network communication interface for coupling the node device to the data network;
at least one local communication interface for coupling the node device to a local network of computers;
a tunneling communication service coupled to the at least one network communication interface and configured to establish at least one cryptographically secured communication tunnel with at least one other node device;
automated means for dynamically updating and adapting to changes in the routing topology of the local network of computers and of the computers coupled through a plurality of other node devices that are reachable over the at least one cryptographically secured communication tunnel;
a routing database for holding dynamically updated routing data;
a router that uses routing database information obtained from the dynamically updated routing data to identify the at least one cryptographically secured communication tunnel or the at least one local communication interface over which to forward a data packet that has been received from a cryptographic communication tunnel or from a local communication interface; and
at least one cryptographic module for encrypting/decrypting data packets sent or received over the at least one cryptographically secured communication tunnel. (Dependent claims: 2, 3, 4, 5, 6, 7)
8. A node device for providing secure communication over a data network to computers coupled through the node device and a plurality of other node devices, comprising:
at least one network communication interface for coupling the node device to the data network;
at least one local communication interface for coupling the node device to a local network of computers;
a tunneling communication service coupled to the at least one network communication interface and configured to establish at least one cryptographically secured communication tunnel with at least one other node device;
means for segregating the at least one cryptographically secured communication tunnel and the at least one local communication interface into at least two separate VPNs such that each cryptographically secured communication tunnel and each local communication interface is a member of one of the separate VPNs;
automated means, on a VPN by VPN basis, for dynamically updating, and adapting to changes in the routing topology of the local network of computers and of the computers coupled through a plurality of other node devices that are reachable over the at least one cryptographically secured communication tunnel comprising each of the segregated VPNs;
forwarding means for receiving a data packet over a local communication interface belonging to a VPN that uses routing topology information corresponding only to said VPN and obtained from the automated means to identify the at least one cryptographically secured communication tunnel over which to forward the data packet;
forwarding means for receiving a data packet over a cryptographically secured communication tunnel belonging to a VPN that uses routing topology information corresponding only to said VPN and obtained from the automated means to identify the at least one local communication interface over which to forward the data packet; and
at least one cryptographic module for encrypting/decrypting data packets sent or received over the at least one cryptographically secured communication tunnel. (Dependent claims: 9, 10, 11, 12, 13, 14, 15, 16)
17. A method for providing secure communication over a data network to computers coupled through a node device and a plurality of other node devices, comprising:
coupling the node device to the data network via at least one network communication interface;
coupling the node device to a local network of computers via at least one local communication interface;
establishing at least one cryptographically secured communication tunnel between the node device and at least one other node device;
dynamically updating and adapting to changes in the routing topology of the local network of computers and of the computers coupled through a plurality of other node devices that are reachable over the at least one cryptographically secured communication tunnel;
maintaining dynamically updated routing data;
using routing database information obtained from the dynamically updated routing data to identify the at least one cryptographically secured communication tunnel or the at least one local communication interface over which to forward a data packet that has been received from a cryptographic communication tunnel or from a local communication interface; and
encrypting/decrypting data packets sent or received over the at least one cryptographically secured communication tunnel. (Dependent claims: 18, 19, 20)
21. A method for providing secure communication over a data network to computers coupled through a node device and a plurality of other node devices, comprising:
coupling the node device to the data network via at least one network communication interface;
coupling the node device to a local network of computers via at least one local communication interface;
establishing at least one cryptographically secured communication tunnel with at least one other node device;
segregating the at least one cryptographically secured communication tunnel and the at least one local communication interface into at least two separate VPNs such that each cryptographically secured communication tunnel and each local communication interface is a member of one of the separate VPNs;
dynamically updating and adapting to changes in the routing topology of the local network of computers and of the computers coupled through a plurality of other node devices that are reachable over the at least one cryptographically secured communication tunnel comprising each of the segregated VPNs, on a segregated VPN by VPN basis;
receiving a data packet over a local communication interface belonging to a VPN that uses routing topology information corresponding only to said VPN and identifying the at least one cryptographically secured communication tunnel over which to forward the data packet;
receiving a data packet over a cryptographically secured communication tunnel belonging to a VPN that uses routing topology information corresponding only to said VPN and identifying the at least one local communication interface over which to forward the data packet; and
encrypting/decrypting data packets sent or received over the at least one cryptographically secured communication tunnel. (Dependent claims: 22, 23, 24, 25, 26, 27, 28)
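The forwarding behaviour that claims 1, 8, 17 and 21 describe in words (a node with local interfaces and encrypted tunnels, a routing database fed by automated topology updates, and, in claims 8 and 21, per-VPN segregation so that a packet is routed only with the routing data of the VPN it arrived on) can be made concrete with a small model. The following Python is an added illustration written for this page; it is not code from the patent or from any product it covers. The class and function names, the two-VPN sample topology, and the overlapping 10.2.0.0/16 address range are all constructed for the example, and `CryptoModule` is a placeholder that only records whether a packet is in its encrypted-on-the-wire state rather than implementing IPsec or PPTP.

```python
"""Model of a VPN node device: per-VPN routing tables, tunnel and local
interfaces, and a forward() step that never consults another VPN's routes.
Added example, not the patent's own code; all names and addresses are constructed."""
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple
import ipaddress


@dataclass(frozen=True)
class Interface:
    name: str
    kind: str  # "local" or "tunnel"
    vpn: str   # the single VPN this interface is a member of (claim 8)


@dataclass
class Packet:
    dst: str
    payload: bytes
    encrypted: bool = False  # True while the packet is inside a tunnel


class CryptoModule:
    """Placeholder for the per-tunnel cryptographic module. A real device
    would run IPsec/PPTP here; this stub only flips the on-the-wire flag so the
    encrypt/decrypt steps of the forwarding path can be checked."""

    def encrypt(self, pkt: Packet) -> Packet:
        return Packet(pkt.dst, pkt.payload, encrypted=True)

    def decrypt(self, pkt: Packet) -> Packet:
        return Packet(pkt.dst, pkt.payload, encrypted=False)


class NodeDevice:
    def __init__(self) -> None:
        self.interfaces: Dict[str, Interface] = {}
        # Routing database: one table per VPN, each a list of (prefix, egress interface).
        self.routes: Dict[str, List[Tuple[ipaddress.IPv4Network, str]]] = {}
        self.crypto = CryptoModule()

    def add_interface(self, iface: Interface) -> None:
        self.interfaces[iface.name] = iface
        self.routes.setdefault(iface.vpn, [])

    def learn_route(self, vpn: str, prefix: str, out_iface: str) -> None:
        """Route update from the automated topology-tracking means. A route may
        only point at an interface that belongs to the same VPN."""
        iface = self.interfaces[out_iface]
        if iface.vpn != vpn:
            raise ValueError(f"{out_iface} is not a member of VPN {vpn}")
        net = ipaddress.ip_network(prefix)
        table = self.routes.setdefault(vpn, [])
        table[:] = [r for r in table if r[0] != net] + [(net, out_iface)]

    def withdraw_route(self, vpn: str, prefix: str) -> None:
        """Topology change: the prefix is no longer reachable in this VPN."""
        net = ipaddress.ip_network(prefix)
        self.routes[vpn] = [r for r in self.routes.get(vpn, []) if r[0] != net]

    def lookup(self, vpn: str, dst: str) -> Optional[str]:
        """Longest-prefix match, consulting only the table of the given VPN."""
        addr = ipaddress.ip_address(dst)
        best: Optional[Tuple[ipaddress.IPv4Network, str]] = None
        for net, out in self.routes.get(vpn, []):
            if addr in net and (best is None or net.prefixlen > best[0].prefixlen):
                best = (net, out)
        return best[1] if best else None

    def forward(self, in_iface: str, pkt: Packet) -> Tuple[str, Optional[str], bool]:
        """Forward one packet. Returns (action, egress interface, encrypted on wire).
        A packet with no route inside its own VPN is dropped, never routed via
        another VPN's table even if that table knows the destination."""
        ingress = self.interfaces[in_iface]
        if ingress.kind == "tunnel":
            pkt = self.crypto.decrypt(pkt)
        out = self.lookup(ingress.vpn, pkt.dst)
        if out is None:
            return ("drop", None, False)
        egress = self.interfaces[out]
        assert egress.vpn == ingress.vpn  # guaranteed by learn_route
        if egress.kind == "tunnel":
            pkt = self.crypto.encrypt(pkt)
        return ("forward", out, pkt.encrypted)


def build_demo() -> NodeDevice:
    """Constructed sample topology: VPNs A and B both use 10.2.0.0/16 behind
    different remote sites, so only per-VPN lookup keeps their traffic apart."""
    node = NodeDevice()
    for iface in (Interface("lan0", "local", "A"), Interface("tun0", "tunnel", "A"),
                  Interface("lan1", "local", "B"), Interface("tun1", "tunnel", "B")):
        node.add_interface(iface)
    node.learn_route("A", "10.1.0.0/16", "lan0")
    node.learn_route("A", "10.2.0.0/16", "tun0")
    node.learn_route("B", "192.168.5.0/24", "lan1")
    node.learn_route("B", "10.2.0.0/16", "tun1")
    return node


if __name__ == "__main__":
    node = build_demo()
    print(node.forward("lan0", Packet("10.2.3.4", b"a")))   # ('forward', 'tun0', True)
    print(node.forward("lan1", Packet("10.2.3.4", b"b")))   # ('forward', 'tun1', True)
    print(node.forward("lan0", Packet("192.168.5.9", b"c")))  # ('drop', None, False)
```

The point worth checking in any real implementation of this design is the one the `drop` branch makes visible: when VPN A loses its route to 10.2.0.0/16, the packet must be discarded, not matched against VPN B's identical prefix. The `ValueError` in `learn_route` is the corresponding control-plane check, rejecting a topology update that would bind a VPN's route to an interface owned by another VPN.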