System for protecting identity in a network environment

US 8,375,434 B2
Filed: 12/31/2005
Issued: 02/12/2013
Est. Priority Date: 12/31/2004
Status: Active Grant

First Claim

Patent Images

1. A system comprising:

at least one network device having at least one identifier, the network device being on a private side of a network and capable of communicating with a destination device on a public side of a network;

a plurality of masking devices for facilitating communications from the network device to the destination device, and configured to protect the at least one identifier from detection by the destination device by masking the identifier from the public side of the network, the identifiers of the at least one network device being protected by one or masking devices, wherein the masking devices operate in a coordinated manner,where the masking device protects the identifier of the network device by replacing the identifier on the private side of the network with a masking identifier on the public side of the network, andwhere the masking device further comprises a network address translation exploder (“

NATE”

).

View all claims

6 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

A system for protecting identify of network devices (102, 104, and 106) in a network environment. The system includes an apparatus having an interface to the network for completing connections to destination devices (152, 154, and 156) on the public side of the network. The apparatus includes a masking element (140) for associating at least one masking identifier with a communication from the network device and masking the identifier of the network device from the destination device.

Citations

44 Claims

1. A system comprising:
- at least one network device having at least one identifier, the network device being on a private side of a network and capable of communicating with a destination device on a public side of a network;
  
  a plurality of masking devices for facilitating communications from the network device to the destination device, and configured to protect the at least one identifier from detection by the destination device by masking the identifier from the public side of the network, the identifiers of the at least one network device being protected by one or masking devices, wherein the masking devices operate in a coordinated manner,where the masking device protects the identifier of the network device by replacing the identifier on the private side of the network with a masking identifier on the public side of the network, andwhere the masking device further comprises a network address translation exploder (“
  
  NATE”
  
  ).
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 19, 20, 21)
- - 2. The system of claim 1 wherein the plurality of masking devices comprises a plurality of geographically disbursed masking devices.
  - 3. The system of claim 1 where the masking device protecting the identifier of the network device changes to another masking device.
  - 4. The system of claim 1 where the system further comprises a management apparatus for allocating the masking identifiers.
  - 5. The system of claim 1 where the masking device is configured to associate one of a plurality of masking identifiers with a network device.
  - 6. The system of claim 1 where the masking device is configured to associate one of a plurality of masking identifiers with each of a plurality of network devices.
  - 7. The system of claim 1 where the masking device is configured to associate a single masking identifier with a plurality of network devices.
  - 8. The system of claim 1 where the masking device associates a plurality of masking identifiers with a first network device and a plurality of masking identifiers with a second network device;
    - where the plurality of masking identifiers of the first network device overlap with the plurality of masking identifiers of the second network device.
  - 19. The system of claim 1 further comprising a network bridge on the private side of the network, where the network devices are configured to connect to the masking server on the private side of the network via the network bridge.
  - 20. The system of claim 19 further comprising a plurality of networks each comprising a plurality of network devices, the network devices each configured to connect to the masking server on the private side of the network via the network bridge.
  - 21. The system of claim 19 further comprising:
    - a plurality of networks each comprising a plurality of network devices, the network devices each configured to connect to selected ones of the masking servers on the private side of the network via the network bridge.

9. A system comprising:
- at least one network device having at least one identifier, the network device being on a private side of a network and capable of communicating with a destination device on a public side of a network;
  
  a plurality of masking devices for facilitating communications from the network device to the destination device, and configured to protect the at least one identifier from detection by the destination device by masking the identifier from the public side of the network, the identifiers of the at least one network device being protected by one or masking devices, wherein the masking devices operate in a coordinated manner,where the masking device protects the identifier of the network device by replacing the identifier on the private side of the network with a masking identifier on the public side of the network, andwhere the masking device further comprises a network address translation exploder (“
  
  NATE”
  
  ) for associating a single masking identifier with a plurality of network devices.
- View Dependent Claims (10, 11, 12, 13, 14, 15, 16, 17, 18)
- - 10. The system of claim 9 where the system further comprises:
    - at least one NATE gateway, each having at least one masking device, where each masking device employs a NATE; and
      
      a distribution apparatus operable to direct connections from the network device to a selected NATE gateway, the selected NATE gateway using its NATE to protect the identifier of the network device.
  - 11. The system of claim 10 wherein the distribution router comprises a NATE operable to provide a masking identifier.
  - 12. The system of claim 11 wherein the distribution router directs connections based on at least one routing rule.
  - 13. The system of claim 12 further comprising a distribution management server operable to create the routing rules and to provide the routing rules to the distribution router.
  - 14. The system of claim 12 where the routing rule is provided in a request to connect from the network device.
  - 15. The system of claim 9 further comprising:
    - at least one proxy server having at least one of the masking servers that employs a NATE; and
      
      a distribution proxy operable to facilitate communication from the network device to a selected one of the at least one proxy server, the selected proxy server using its NATE to protect the identifier of the network device.
  - 16. The system of claim 15 wherein the distribution proxy facilitates communications based on at least one proxy relay.
  - 17. The system of claim 16 further comprising a distribution management server operable to provide proxy relays to the distribution proxy.
  - 18. The system of claim 15 wherein the distribution router comprises a NATE operable to provide a masking identifier.

22. A system comprising:
- at least one network device having at least one identifier, the network device being on a private side of a network and capable of communicating with a destination device on a public side of a network;
  
  a plurality of masking devices for facilitating communications from the network device to the destination device, and configured to protect the at least one identifier from detection by the destination device by masking the identifier from the public side of the network, the identifiers of the at least one network device being protected by one or masking devices, wherein the masking devices operate in a coordinated manner;
  
  a Virtual Private Network (VPN) concentrator connected to the network device, the VPN concentrator operable to direct a communication request from the network device to a network router, the network router operable to direct a communication to a destination server in accordance with a routing request from the network device; and
  
  a proxy server having a NATE, the proxy server being identified in the routing request and operable to provide a gateway for connecting to the destination server using a masking identifier provided by the NATE.
- View Dependent Claims (23, 24)
- - 23. The system of claim 22 where the proxy server provides a second VPN connection to the destination server.
  - 24. The system of claim 22 where the proxy server provides a second VPN connection to another network gateway.

25. A method of protecting identity comprising:
- requesting a connection between a network device and a destination server at a network routing device; and
  
  routing the connection via a gateway having a NATE server configured to operate a plurality of masking devices, wherein the masking devices operate in a coordinated manner, and operable to generate a masking identifier to protect an identifier of the network device.
- View Dependent Claims (26, 27, 28, 29)
- - 26. The method of claim 25 further comprising:
    - receiving a selected route from the network device, the selected route designating the gateway having the NATE server.
  - 27. The method of claim 25 comprising:
    - before the step of routing the connection via the selected NATE gateway, routing the connection using a default route via a default NATE gateway.
  - 28. The method of claim 26 further comprising receiving the selected route from a distribution management server in a routing rule.
  - 29. The method of claim 26 further comprising receiving the selected route as a proxy relay.

30. A method for providing identity protection to a plurality of networks comprising:
- providing a plurality of network devices in the plurality of network devices with access to a plurality of masking servers having an interface to a plurality of destination servers over a network, wherein the masking devices operate in a coordinated manner;
  
  receiving requests to connect network devices in the at least one private network at the masking server, the requests comprising at least one identifier associated with the network devices;
  
  protecting the at least one identifier by substituting the at least one identifier with a masking identifier in each request to connect; and
  
  completing the connections for each request,wherein the masking server substitutes the identifier associated with the network devices using a Network Address Translator Exploder (NATE).
- View Dependent Claims (31, 32, 33, 34, 35, 36, 37, 38, 39, 40)
- - 31. The method of claim 30 further comprising:
    - connecting the network devices to the masking servers via a leased line interface.
  - 32. The method of claim 30 further comprising:
    - connecting the network devices to the masking servers via a virtual private network.
  - 33. The method of claim 30 further comprising:
    - connecting the network devices to the masking servers via packet source routing.
  - 34. The method of claim 30 further comprising:
    - connecting the network devices to the masking servers via proxy chaining by providing a local client proxy for each network device and receiving a user selection comprising a selected proxy server to use for the connection.
  - 35. The method of claim 30 further comprising:
    - partitioning at least one portion of one of the plurality of networks for protection.
  - 36. The method of claim 35 further comprising:
    - partitioning the at least one portion by selecting certain ports for protection.
  - 37. The method of claim 35 further comprising:
    - partitioning the at least one portion by designating connections for protection according to selected destinations.
  - 38. The method of claim 35 further comprising:
    - partitioning the at least one portion by designating connections for protection according to selected users.
  - 39. The method of claim 30 wherein the step of providing access comprises:
    - configuring the network devices to initiate connections to the masking server via a network bridge.
  - 40. The method of claim 32 wherein the step of providing access comprises:
    - configuring the network devices to initiate connections to the masking server via a VPN concentrator.

41. A method for gathering information from a destination server comprising:
- requesting a connection between a network device and the destination server on a network at one of a plurality of masking servers, wherein the masking devices operate in a coordinated manner, the connection comprising at least one identifier of the network device;
  
  substituting the identifier of the network device with at least one masking identifier in the connection at the one of the plurality of masking servers;
  
  completing the connection to allow communication between the network device and the destination server where the destination server does not have access to the identifier of the network device;
  
  receiving a request for selected information from the network device and sending the request to the destination server; and
  
  receiving the selected information from the destination server and sending the selected information to the network device,where the step of substituting the masking identifier comprises using a Network Address Translation Exploder (“
  
  NATE”
  
  ).
- View Dependent Claims (42, 43, 44)
- - 42. The method of claim 41 further comprising substituting the masking identifier.
  - 43. The method of claim 41 where the step of substituting the at least one different masking identifier comprises the step of using a NATE to generate the new masking identifier.
  - 44. The method of claim 41 further comprising selecting a second one of the plurality of masking servers, where the step of substituting the at least one different masking identifier is performed by the second one of the masking servers.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Ntrepid, LLC
Original Assignee
Ntrepid Corporation
Inventors
Cottrell, Lance M., Brennet, Brian, Tentler, Daniel, Anderson, Gene
Primary Examiner(s)
Pwu, Jeffrey
Assistant Examiner(s)
Anderson, Michael D

Application Number

US11/722,497
Publication Number

US 20080196098A1
Time in Patent Office

2,600 Days
Field of Search

709/206, 726/23, 370/352
US Class Current

726/12
CPC Class Codes

H04L 63/0414 during transmission, i.e. p...

System for protecting identity in a network environment

First Claim

6 Assignments

0 Petitions

Accused Products

Abstract

Citations

44 Claims

Specification

Solutions

Use Cases

Quick Links

System for protecting identity in a network environment

First Claim

6 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

Citations

44 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links