Third party VPN certification

US 7,209,479 B2
Filed: 06/06/2001
Issued: 04/24/2007
Est. Priority Date: 01/18/2001
Status: Active Grant

First Claim

Patent Images

1. A method for creating a virtual private network (VPN) over a telecommunications network, comprising steps of:

sending a request from a first VPN device to an on-line database connected to the telecommunications network for obtaining a secure domain name address associated with a second VPN device;

sending a request from the first VPN device to the second VPN device for establishing a VPN between the first and second VPN devices, the request including a first signed certificate having at least one verified VPN parameter for the first VPN device;

receiving a reply at the first VPN device from the second VPN device, the reply including a second signed certificate having at least one verified VPN parameter for the second VPN device; and

establishing the VPN between the first and second VPN devices based on each verified VPN parameter for each of the first and second VPN devices.

View all claims

3 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

A virtual private network (VPN) over a telecommunications network is created by sending a request from a first VPN device to a second VPN device for establishing a VPN between the first and second VPN devices. The request includes a first signed certificate having a verified VPN parameter for the first VPN device. A reply is received at the first VPN device from the second VPN device that includes a second signed certificate having a verified VPN parameter for the second VPN device. The VPN is established between the first and second VPN devices based on each verified VPN parameter for each of the first and second VPN devices.

95 Citations

View as Search Results

66 Claims

1. A method for creating a virtual private network (VPN) over a telecommunications network, comprising steps of:
- sending a request from a first VPN device to an on-line database connected to the telecommunications network for obtaining a secure domain name address associated with a second VPN device;
  
  sending a request from the first VPN device to the second VPN device for establishing a VPN between the first and second VPN devices, the request including a first signed certificate having at least one verified VPN parameter for the first VPN device;
  
  receiving a reply at the first VPN device from the second VPN device, the reply including a second signed certificate having at least one verified VPN parameter for the second VPN device; and
  
  establishing the VPN between the first and second VPN devices based on each verified VPN parameter for each of the first and second VPN devices.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13, 14)
- - 2. The method according to claim 1, wherein the step of sending the request from the first VPN device to the second VPN device sends the request to the secure domain name address associated with the second VPN device.
  - 3. The method according to claim 1, wherein the step of sending the request from the first VPN device to the second VPN device for establishing the VPN further includes receiving a request for establishing the VPN from a client device that is associated with the first VPN device.
  - 4. The method according to claim 3, wherein the request received from the client device includes a destination designation for the VPN.
  - 5. The method according to claim 3, wherein the request received from the client device includes a source/destination designation for the VPN.
  - 6. The method according to claim 5, wherein the source/destination designation includes a wild card designation.
  - 7. The method according to claim 1, further comprising a step of verifying at the first VPN device the second signed certificate having at least one verified VPN parameter for the second VPN device.
  - 8. The method according to claim 7, wherein the step of verifying the second signed certificate includes a step of sending a request from the first VPN device to an on-line database for obtaining a public key associated with the second VPN device.
  - 9. The method according to claim 8, further comprising a step of verifying at the second VPN device the first signed certificate having at least one verified VPN parameter for the first VPN device.
  - 10. The method according to claim 9, wherein the step of verifying the first signed certificate includes a step of sending a request to an on-line database from the second VPN device for obtaining a public key associated with the first VPN device.
  - 11. The method according to claim 1, further comprising steps of:
    - determining at the second VPN device whether a policy rule prevents a VPN connection to the first VPN device; and
      
      sending the reply to the first VPN device from the second VPN device when no policy rule prevents a VPN connection to the first VPN device, and not sending the reply to the first VPN device when a policy rule prevents a VPN connection to the first VPN device.
  - 12. The method according to claim 1, wherein the telecommunications network is the Internet.
  - 13. The method according to claim 1, wherein the step of establishing the VPN between the first and second VPN devices establishes a standing VPN connection.
  - 14. The method according to claim 1, wherein the step of establishing the VPN between the first and second VPN devices establishes a VPN of opportunity.

15. A method for creating a virtual private network (VPN) over a telecommunications network, comprising steps of:
- sending a request from a first VPN device to an on-line database connected to the telecommunications network for obtaining a secure domain name address associated with a second VPN device;
  
  receiving a request from the first VPN device at the second VPN device for establishing a VPN between the first and second VPN devices, the request including a first signed certificate having at least one verified VPN parameter for the first VPN device;
  
  sending a reply to the first VPN device from the second VPN device, the reply including a second signed certificate having at least one verified VPN parameter for the second VPN device; and
  
  establishing the VPN between the first and second VPN devices based on each verified VPN parameter for each of the first and second VPN devices.
- View Dependent Claims (16, 17, 18, 19, 20, 21)
- - 16. The method according to claim 15, further comprising a step of verifying at the second VPN device the first signed certificate having at least one verified VPN parameter for the first VPN device.
  - 17. The method according to claim 16, wherein the step of verifying the first signed certificate includes a step of sending a request from the second VPN device to an on-line database for obtaining a public key associated with the first VPN device.
  - 18. The method according to claim 15, further comprising steps of:
    - determining at the second VPN device whether a policy rule prevents a VPN connection to the first VPN device; and
      
      sending the reply to the first VPN device from the second VPN device when no policy rule prevents a VPN connection to the first VPN device, and not sending the reply to the first VPN device when a policy rule prevents a VPN connection to the first VPN device.
  - 19. The method according to claim 15, wherein the telecommunications network is the Internet.
  - 20. The method according to claim 15, wherein the step of establishing the VPN between the first and second VPN devices establishes a standing VPN connection.
  - 21. The method according to claim 15, wherein the step of establishing the VPN between the first and second VPN devices establishes a VPN of opportunity.

22. A method for creating a virtual private network (VPN) over a telecommunications network, comprising steps of:
- sending a certificate request for a virtual private network (VPN) device to a certification authority connected to the telecommunications network, the certificate request including at least one VPN parameter that will be used by the VPN device for establishing a VPN over the telecommunications network;
  
  receiving a signed certification from the certification authority, the signed certification containing the at least one VPN parameter contained in the certificate request;
  
  configuring the VPN device to operate in accordance with the at least one VPN parameter contained in the signed certificate,exchanging the signed certificate with another VPN device at a selected telecommunications network address;
  
  establishing the VPN in accordance with the at least one VPN parameter contained in the signed certificate;
  
  receiving a request from a client device connected to the VPN device for establishing a VPN connection to a selected telecommunications network address; and
  
  querying an on-line database connected to the telecommunications network for obtaining a secure domain name address for the selected telecommunications network address,wherein the step of establishing the VPN connection to the selected telecommunications network address is performed when the on-line database contains the secure domain name address for the selected telecommunications network address.
- View Dependent Claims (23, 24, 25, 26, 27, 28, 29, 30, 31, 32, 33, 34, 35, 36, 37)
- - 23. The method according to claim 22, wherein the certificate request includes at least one telecommunications network address that the VPN device will use as a client network address for a VPN established though the VPN device.
  - 24. The method according to claim 23, wherein the certificate request includes a range of telecommunications network addresses that the VPN device will use as client network addresses for VPNs established though the VPN device.
  - 25. The method according to claim 22, wherein the step of establishing the VPN is further based on a source and destination name pair.
  - 26. The method according to claim 25, wherein the source and destination name pair includes a wild card designation.
  - 27. The method according to claim 22, wherein the step of establishing the VPN is further based on at least one rule allowing a VPN connection to the selected telecommunications network address.
  - 28. The method according to claim 22, wherein the step of establishing the VPN is further based on a Quality of Service parameter.
  - 29. The method according to claim 22, wherein the step of establishing the VPN is further based on a bandwidth limitation parameter.
  - 30. The method according to claim 22, wherein the telecommunications network is the Internet.
  - 31. The method according to claim 22, wherein the request for establishing the VPN contains a source and destination name pair.
  - 32. The method according to claim 22, further comprising a step of sending at least one VPN parameter for the VPN device that is not contained in the certificate request to the certification authority for verification by the certificate authority.
  - 33. The method according to claim 22, further comprising steps of:
    - receiving the certificate request for the VPN device from the VPN device at the certification authority;
      
      verifying at the certification authority the at least one VPN parameter contained in the certificate request; and
      
      sending the signed certification to the VPN device when each VPN parameter contained in the certificate request is verified.
  - 34. The method according to claim 33, wherein the certificate request includes at least one telecommunications network address that the VPN device will use as a client network address for a VPN established through the VPN device,wherein the step of verifying verifies each telecommunication network address contained in the certificate request.
  - 35. The method according to claim 33, wherein the certificate request includes a range of telecommunications network addresses that the VPN device will use as client network addresses for VPNs established through the VPN device,wherein the step of verifying verifies the range of telecommunications network addresses contained in the certificate request.
  - 36. The method according to claim 22, further comprising steps of:
    - receiving a request at an on-line database connected to the telecommunications network from the VPN device for a secure domain name address for a selected VPN device connected to the telecommunications network; and
      
      sending the secure domain name address for the selected VPN device to the requesting VPN device when the secure domain name address for the selected VPN device is contained in the online database.
  - 37. The method according to claim 22, further comprising steps of:
    - receiving at the certification authority at least one VPN parameter for the VPN device that is not contained in the certificate request; and
      
      storing the at least one received VPN parameter that is not contained in the certificate request in an on-line database.

38. A virtual private network (VPN) device, comprising:
- a memory containing a certificate that has been signed by a certification authority, the signed certificate containing at least one VPN parameter for the VPN device that has been verified by the certification authority, and a plurality of pre-authorized name pairs having a local name and a remote name for a VPN; and
  
  a processor programmed to receive a request for establishing a VPN between the VPN device and a second VPN device and to respond to the request by sending the signed certificate over a telecommunications network to the second VPN device based on the received request.
- View Dependent Claims (39, 40, 41, 42, 43, 44, 45, 46, 47, 48, 49, 50, 51, 52)
- - 39. The VPN device according to claim 38, wherein the request is received from the second VPN device, wherein the request includes a signed certificate for the second VPN device, the signed certificate for the second VPN device containing at least one VPN parameter for the second VPN device that has been verified by a second certification authority.
  - 40. The VPN device according to claim 39, wherein the processor verifies the signed certificate for the second VPN device before sending the signed certificate to the second VPN device.
  - 41. The VPN device according to claim 40, wherein the processor verifies the signed certificate for the second VPN device using a public key associated with the second VPN device.
  - 42. The VPN device according to claim 39, wherein the processor establishes a VPN based on each verified VPN parameter for the VPN device and based on each verified VPN parameter for the second VPN device.
  - 43. The VPN device according to claim 39, wherein the second certification authority and the certification authority are the same.
  - 44. The VPN device according to claim 38, wherein the request is received from a client device associated with the VPN device,wherein the processor sends a request to an on-line database connected to the telecommunications network for obtaining a secure domain name address associated with the second VPN device, andwherein the processor sends the signed certificate over the telecommunications network to the secure domain name address associated with the second VPN device.
  - 45. The VPN device according to claim 44, wherein the request received from the client device includes a destination designation for the VPN.
  - 46. The VPN device according to claim 44, wherein the request received from the client device includes a source/destination designation for the VPN.
  - 47. The VPN device according to claim 44, wherein the source/destination designation includes a wild card designation.
  - 48. The VPN device according to claim 38, wherein the processor determines whether a policy rule contained in the memory prevents a VPN connection to the second VPN device;
    - andwherein the processor sends the certificate to the second VPN device when no policy rule contained in the memory prevents a VPN connection to the second VPN device.
  - 49. The VPN device according to claim 38, wherein the telecommunications network is the Internet.
  - 50. The VPN device according to claim 38, wherein the request for establishing a VPN is a request for establishing a standing VPN connection.
  - 51. The VPN device according to claim 38, wherein the request for establishing a VPN is a request for establishing a VPN of opportunity.
  - 52. The VPN device according to claim 38, wherein the VPN device is one of a VPN concentrator, a router, a firewall and a host computer.

53. A computer-readable medium containing computer executable instructions for performing steps of:
- receiving a request for establishing a VPN from a client device that is associated with a first VPN device, wherein the request received from the client device includes a source/destination designation for the VPN, and wherein the source/and destination designation includes a wild card designation;
  
  sending a request from the first VPN device to a second VPN device for establishing a VPN between the first and second VPN devices, the request including a first signed certificate having at least one verified VPN parameter for the first VPN device; and
  
  receiving a reply at the first VPN device from the second VPN device, the reply including a second signed certificate having at least one verified VPN parameter for the second VPN device; and
  
  establishing the VPN between the first and second VPN devices based on each verified VPN parameter for each of the first and second VPN devices.
- View Dependent Claims (54, 55, 56, 57, 58, 59, 60, 61, 62, 63, 64)
- - 54. The computer-readable medium according to claim 53, further comprising a step of sending a request from the first VPN device to an on-line database connected to the telecommunications network for a secure domain name address associated with the second VPN device.
  - 55. The computer-readable medium according to claim 54, wherein the step of sending the request from the first VPN device to the second VPN device sends the request to the secure domain name address associated with the second VPN device.
  - 56. The computer-readable medium according to claim 53, wherein the request received from the client device includes a destination designation for the VPN.
  - 57. The computer-readable medium according to claim 53, further comprising a step of verifying at the first VPN device the second signed certificate having at least one verified VPN parameter for the second VPN device.
  - 58. The computer-readable medium according to claim 57, wherein the step of verifying the second signed certificate includes a step of sending a request from the first VPN device to an on-line database for a public key associated with the second VPN device.
  - 59. The computer-readable medium according to claim 58, further comprising a step of verifying at the second VPN device the first signed certificate having at least one verified VPN parameter for the first VPN device.
  - 60. The computer-readable medium according to claim 59, wherein the step of verifying the first signed certificate includes a step of sending a request to an on-line database from the second VPN device for a public key associated with the first VPN device.
  - 61. The computer-readable medium according to claim 53, further comprising steps of:
    - determining at the second VPN device whether a policy rule prevents a VPN connection to the first VPN device; and
      
      sending the reply to the first VPN device from the second VPN device when no policy rule prevents a VPN connection to the first VPN device, and not sending the reply to the first VPN device when a policy rule prevents a VPN connection to the first VPN device.
  - 62. The computer-readable medium according to claim 53, wherein the telecommunications network is the Internet.
  - 63. The computer-readable medium according to claim 53, wherein the step of establishing the VPN between the first and second VPN devices establishes a standing VPN connection.
  - 64. The computer-readable medium according to claim 53, wherein the step of establishing the VPN between the first and second VPN devices establishes a VPN of opportunity.

65. A computer-readable medium containing computer-executable instructions for performing steps of:
- sending a certificate request for a virtual private network device to a certification authority connected to the telecommunications network, the certificate request including at least one VPN parameter that will be used by the VPN device for establishing a VPN over the telecommunications network, wherein the certificate request includes a range of telecommunications network addresses that the VPN device will use as client network addresses for VPNs established though the VPN device;
  
  receiving a signed certification from the certification authority, the signed certification containing the at least one VPN parameter contained in the certificate request;
  
  configuring the VPN device to operate in accordance with the at least one VPN parameter contained in the signed certificate,exchanging the signed certificate with another VPN device at a selected telecommunications network address; and
  
  establishing the VPN in accordance with the at least one VPN parameter contained in the signed certificate.
- View Dependent Claims (66)
- - 66. The computer-readable medium according to claim 65, wherein the telecommunications network is the Internet.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
VirnetX Inc. (Virnetx Holding Corporation)
Original Assignee
Science Applications International Corporation
Inventors
Larson, Victor
Primary Examiner(s)
Phunkulh, Bob A.

Application Number

US09/874,258
Publication Number

US 20020093915A1
Time in Patent Office

2,148 Days
Field of Search

370/230, 370/235, 370/389, 370/392, 370/400, 370/401, 370/409, 713/153, 713/155, 713/156, 713/157, 713/158, 713/160, 713/161, 713/168, 713/176
US Class Current

370/389
CPC Class Codes

H04L 2209/64   Self-signed certificates

H04L 41/0806   for initial configuration o...

H04L 41/12   Discovery or management of ...

H04L 41/40   using virtualisation of net...

H04L 47/805   QOS or priority aware

H04L 63/0272   Virtual private networks

H04L 63/04   for providing a confidentia...

H04L 63/0428   wherein the data content is...

H04L 63/0435   wherein the sending and rec...

H04L 63/061   for key exchange, e.g. in p...

H04L 63/0823   using certificates cryptogr...

H04L 63/12   Applying verification of th...

H04L 63/20   for managing network securi...

H04L 9/3263   involving certificates, e.g...

Third party VPN certification

First Claim

3 Assignments

0 Petitions

Accused Products

Abstract

95 Citations

66 Claims

Specification

Solutions

Use Cases

Quick Links

Third party VPN certification

First Claim

3 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

95 Citations

66 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links