Private network communication system
First Claim
1. A method for facilitating private communication between a first node on a first network and a second node on a second network via an administrative network separately connected to each of the first and second network, the administrative network comprising additional nodes that are connectable to the first and second networks, the method comprising the steps of:
a) providing each node with a gateway, each gateway connecting the node to the node's respective network, each gateway comprising a request microprocessor, a service invoker, a service implementation, a resource adapter, a data access layer and a security layer;
b) the administrative network and the gateway of the second node authorizing the first node to access a service requested by the first node and provided by the second node;
c) the administrative network transmitting from the first node a message, processed in through the gateway connected to the second node, that includes at least i) a unique name identifier assigned to the services interface of the second node, ii) a request universal identifier that uniquely identifies a request processed through the second node gateway, and iii) a unique identifier for a participant originating the request indicating that the first node desires to access the service;
d) at least one of the administrative network and the gateway of the second node confirming the identity of the first node;
e) at least one of the administrative network and the gateway of the first node confirming the identity of the second node;
f) the administrative network establishing an encrypted private connection between the gateway at the first node and the gateway at the second node through the administrative network following the successful confirmation of the identity of the first node and the identity of the second node;
g) the administrative network transmitting a request for the service from the first node to the second node;
h) the administrative network controlling the encrypted private connection to allow the first node to access services for which the first node is authorized and to prevent access by the first node to services for which the first node is not authorized; and
i) the administrative network logging activity of the first node and the second node;
wherein the administrative network determines a relationship between the first node and the second node based on each node's domain and its given role in at least one of that domain and an additional domain to calculate a level of risk associated with allowing access by the first node to a requested service at the second node based on the type of requested service;
wherein the services for which the first node is authorized are determined based on the relationship between the first node and the second node based on the domain of each node, and the level of risk associated with allowing access by the first node to a requested service in the second node.
Abstract
A secure gateway is disclosed which facilitates communication between a first network and a second network through an intermediate network. The secure gateway, when operated in conjunction with at least one other secure gateway, supports secure peer-to-peer connectivity with integral security features such as mutual authentication, authorization-specific access, and end-to-end auditing. An authorized service can be served securely through this gateway, across the open network, to a known requester, without fear of compromising the security or privacy of the server's or requester's networks.
21 Claims
1. (Claim 1 is set out in full under First Claim above.)
transmitting a request for a communication from the first node to the second node; controlling the encrypted private connection to allow the first node to access services for which the first node is authorized and to prevent access by the first node to services for which the first node is not authorized; logging at least one activity of the first node and the second node; and terminating the connection between the first node and the second node following the conclusion of the first node's access to the authorized service.
9. The method of claim 2 wherein at least one of the additional nodes comprises a directory of available services provided by the second node.
10. The method of claim 1 further comprising the step of the gateway associated with the second node terminating the encrypted private connection between the first node and the second node following the conclusion of the first node's access to the authorized service.
11. A system for facilitating private communication between a first node on a first network and a second node on a second network that is not the first network, wherein the first node and the second node are each connected to a gateway, the system comprising:
a service administrative network intermediate the first network and the second network via a provided at the second node on the second network, the second node gateway configured to control access to the second node and facilitate communications from the second node; a requester generated at the first node on the first network, the gateway configured to (i) control access to the first node, (ii) facilitate communications from the first node, and (iii) transmit the request to the service provider; a first digital microprocessor located on the gateway associated with the first node that confirms an identity of the first node; a second digital microprocessor located on the gateway associated with the second node that confirms an identity of the second node; a third digital microprocessor located on the administrative network that prevents the first node from accessing an unauthorized service at the second node, wherein an encrypted private connection between the first node gateway and the second node gateway is established upon the confirmation of the identity of the first node and the confirmation of the identity of the second node in response to the request for the service from the first node, and wherein the third digital microprocessor prevents the first node from accessing an unauthorized service at the second node by controlling the encrypted private connection, the first and second digital microprocessors including a service invoker, a service implementation, a resource adapter, a data access layer and a security layer;
the third digital microprocessor including a data access layer and a security layer interconnected with the first and second digital microprocessors and controlling access by the first node to services offered by allowing or disallowing to the first node certain services available from within the second node dependent upon the first node's status as indicated in an access control list, the access control list being associated with one or more of the first digital microprocessor, the second digital microprocessor and third digital microprocessor; and
a memory associated with one or more of the first digital microprocessor, the second digital microprocessor and third digital microprocessor that stores a log of activities between the first node and the second node; wherein the administrative network further comprises a risk microprocessor associated with the access control list that determines a relationship between the first node and the second node based on each node's domain and its given role in at least one of that domain and an additional domain to calculate a level of risk associated with allowing access by the first node to a requested service at the second node based on the type of requested service; wherein the certain services available from within the second node for which the first node is allowed or disallowed are determined based on the relationship between the first node and the second node based on the domain of each node, and the level of risk associated with allowing access by the first node to a requested service in the second node.
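The authorization flow of claim 1 (steps b through i, with the domain-and-role relationship and service-type risk of the wherein clauses) and the access control list, risk microprocessor and activity log of claim 11, as a runnable model. This is an added example, not code from the patent or its assignee: the three-way relationship classification, the per-service-type risk weights, the risk tolerance per relationship, the ACL shape (service interface to permitted roles) and the HMAC-based identity proof are all assumptions chosen for illustration, and the "encrypted private connection" is represented only by a connection record.

```python
import hashlib
import hmac
import secrets
from dataclasses import dataclass

# Constructed assumptions (not from the patent): risk weight per type of requested
# service, and the highest risk the administrative network tolerates per relationship.
SERVICE_TYPE_RISK = {"read": 1, "write": 2, "admin": 3}
RISK_TOLERANCE = {"same-domain": 3, "partner": 2, "foreign": 1}


@dataclass(frozen=True)
class Node:
    name: str
    domain: str
    roles: dict   # domain -> role held there (the node's own domain and any additional domain)


@dataclass(frozen=True)
class ServiceRequest:
    service_interface: str   # i) unique name identifier of the second node's service interface
    request_id: str          # ii) request universal identifier
    participant_id: str      # iii) unique identifier of the participant originating the request
    service_type: str        # type of requested service; drives the risk calculation


def relationship(first, second):
    """Relationship between two nodes from each node's domain and roles (assumed classification)."""
    if first.domain == second.domain:
        return "same-domain"
    if second.domain in first.roles:
        return "partner"
    return "foreign"


def risk_level(service_type):
    """Level of risk of allowing access, keyed on the type of requested service (assumed weights)."""
    return SERVICE_TYPE_RISK.get(service_type, max(SERVICE_TYPE_RISK.values()))


def prove_identity(secret, nonce):
    """A gateway's identity proof: HMAC-SHA256 over the administrative network's challenge nonce."""
    return hmac.new(secret, nonce, hashlib.sha256).hexdigest()


class AdministrativeNetwork:
    def __init__(self, enrolled_secrets):
        self.enrolled = enrolled_secrets   # node name -> secret shared at enrolment (constructed)
        self.audit_log = []                # step i): activity of both nodes, per request
        self.connections = {}              # step f): request_id -> private connection record

    def confirm_identity(self, node, prove):
        """Steps d)/e): challenge the node's gateway and check the proof against the enrolled secret."""
        if node.name not in self.enrolled:
            return False
        nonce = secrets.token_bytes(16)
        expected = prove_identity(self.enrolled[node.name], nonce)
        return hmac.compare_digest(expected, prove(nonce))

    def process(self, first, first_prove, second, second_prove, acl, req):
        """Authorize, connect and control one request from first to second; returns the decision."""
        # Both identities must be confirmed before any private connection is set up.
        if not (self.confirm_identity(first, first_prove) and self.confirm_identity(second, second_prove)):
            return self._log(req, first, second, "denied:identity")
        rel = relationship(first, second)
        risk = risk_level(req.service_type)
        # Steps b)/h): authorization from the relationship, the risk level and the second
        # node gateway's access control list (service interface -> permitted roles).
        role_at_second = first.roles.get(second.domain)
        if risk > RISK_TOLERANCE[rel] or role_at_second not in acl.get(req.service_interface, set()):
            return self._log(req, first, second, f"denied:unauthorized({rel},risk={risk})")
        self.connections[req.request_id] = (first.name, second.name, req.service_interface)
        return self._log(req, first, second, f"allowed({rel},risk={risk})")

    def terminate(self, request_id):
        """Tear down the private connection once access to the service concludes (claims 2 and 10)."""
        self.connections.pop(request_id, None)

    def _log(self, req, first, second, decision):
        self.audit_log.append((req.request_id, req.participant_id, first.name,
                               second.name, req.service_interface, decision))
        return decision


def demo():
    """Constructed scenario: node-a (domain alpha, auditor in beta) asks node-b (domain beta) for two services."""
    admin = AdministrativeNetwork({"node-a": b"secret-a", "node-b": b"secret-b"})
    node_a = Node("node-a", "alpha", {"alpha": "member", "beta": "auditor"})
    node_b = Node("node-b", "beta", {"beta": "provider"})
    acl = {"ledger.read": {"auditor", "provider"}, "ledger.write": {"operator", "provider"}}
    prove_a = lambda nonce: prove_identity(b"secret-a", nonce)
    prove_b = lambda nonce: prove_identity(b"secret-b", nonce)
    requests = [ServiceRequest("ledger.read", "req-1", "user@alpha", "read"),
                ServiceRequest("ledger.write", "req-2", "user@alpha", "write")]
    decisions = [admin.process(node_a, prove_a, node_b, prove_b, acl, r) for r in requests]
    return decisions, admin


if __name__ == "__main__":
    print(demo()[0])
```

The ordering is the point: identity of both gateways is confirmed before any connection record exists, the authorization decision combines the relationship, the risk of the service type and the ACL, and every outcome (including refusals) lands in the audit log with the three identifiers from step c).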