Secure network architecture

US 8,544,081 B2
Filed: 11/20/2007
Issued: 09/24/2013
Est. Priority Date: 11/20/2006
Status: Active Grant

First Claim

Patent Images

1. A star-connected network having a number of peripheral nodes and a central control arrangement;

whereineach peripheral node is restricted in terms of which types of direct communications it can set up across the network to being able to set up direct communications to the central control arrangement using a respective encrypted connection but not being able to set up communications directly with any other of the peripheral nodes unless at least it or the respective target peripheral node has received explicit authorization from the central control arrangement to establish or complete the direct communication; and

whereinthe central control arrangement comprises a processing system, including a computer processor, the processing system being configured to;

establish an encrypted connection with each peripheral node;

exchange control packets with two or more peripheral nodes using two or more respective encrypted connections in order to set up an authorized connection between two peripheral nodes;

store in a database, security policy information specifying what connections between peripheral nodes are allowable; and

authorize connections which are allowable according to the stored security policy information using the control packet exchange.

View all claims

1 Assignment

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

The present invention provides a star-connected network (C1-C4, P1-P8) having a number of peripheral nodes (P1-P8) and a central control arrangement (C1-C4). Each peripheral node has means for restricting communications across the network to the central control arrangement using a respective encrypted connection unless the peripheral node has received explicit authorisation from the control arrangement to set up a direct connection with another peripheral node. The central control arrangement comprises: means for establishing an encrypted connection with each peripheral node; means for exchanging control packets with two or more peripheral nodes using two or more respective encrypted connections in order to set up an authorised connection between two peripheral nodes; a database storing security policy information specifying what connections between peripheral nodes are allowable; and authorisation means for authorising connections which are allowable according to the stored security policy information using the control packet exchanging means.

34 Citations

View as Search Results

12 Claims

1. A star-connected network having a number of peripheral nodes and a central control arrangement;
- whereineach peripheral node is restricted in terms of which types of direct communications it can set up across the network to being able to set up direct communications to the central control arrangement using a respective encrypted connection but not being able to set up communications directly with any other of the peripheral nodes unless at least it or the respective target peripheral node has received explicit authorization from the central control arrangement to establish or complete the direct communication; and
  
  whereinthe central control arrangement comprises a processing system, including a computer processor, the processing system being configured to;
  
  establish an encrypted connection with each peripheral node;
  
  exchange control packets with two or more peripheral nodes using two or more respective encrypted connections in order to set up an authorized connection between two peripheral nodes;
  
  store in a database, security policy information specifying what connections between peripheral nodes are allowable; and
  
  authorize connections which are allowable according to the stored security policy information using the control packet exchange.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9)
- - 2. The network according to claim 1, whereinthe functionality of the central control arrangement is distributed between a plurality of central control server nodes.
  - 3. The network according to claim 1, wherein the processing system is further configured to:
    - establish encrypted connections with each peripheral node via a virtual private network server which is configured to receive all packets via a firewall which will drop all packets unless they are either directed to or originating from the central control arrangement or they associated with an explicitly authorized connection between two peripheral nodes where the direct authorized connection goes via the virtual private network server.
  - 4. The network according to claim 3, whereinthe central control arrangement includes an attack detection module which is operable to analyze connection attempts which fail to be authorized and to attempt to detect any patterns in such failed attempts.
  - 5. The network according to claim 1, whereineach peripheral node comprises authentication information securely stored in a tamper-resistant hardware module for authentication for establishing an encrypted connection with the central control or with a peripheral node after explicit authorization from the central control arrangement.
  - 6. The network according to claim 4, whereinthe central control arrangement includes a security policy engine comprising a high level engine for returning a permit or deny decision in response to a client identifier and a number of session parameters provided by a context handler having received an indication of establishment of a virtual private network corresponding to the identified client, the context handler processing the returned decisions into corresponding updated rules.
  - 7. The network according to claim 6, whereinthe session parameters include:
    - origin and destination network addresses and port numbers.
  - 8. The network according to claim 7, whereinthe session parameters further include an application identifier identifying the application or the type of application wishing to initiate the connection.
  - 9. The network according to claim 1, whereinthe star connected network is implemented on one or more interconnected packet switched mesh networks using virtual local area networks to support the encrypted connections.

10. A central control arrangement for a star-connected network having a number of peripheral nodes;
- the central control arrangement comprising a processing system, including a computer processor, the processing system being configured to;
  
  establish an encrypted connection with each peripheral node;
  
  exchange control packets with two or more peripheral nodes using two or more respective encrypted connections in order to set up an authorized connection between two peripheral nodes;
  
  store in a database, security policy information specifying what connections between peripheral nodes are allowable; and
  
  authorize connections which are allowable according to the stored security policy information using the control packet exchange.

11. A method of operating a star-connected network having a number of peripheral nodes and a central control arrangement;
- the method comprising;
  
  restricting communications across the network to communications between the central control arrangement and a peripheral node using a respective encrypted connection unless the peripheral node has received explicit authorization to establish another connection from the central control arrangement;
  
  establishing an encrypted connection between two or more peripheral nodes and the central control arrangement;
  
  exchanging control packets with two or more peripheral nodes using two or more respective encrypted connections in order to set up an authorized connection between both or two of the peripheral nodes;
  
  storing security policy information specifying what connections between peripheral nodes are allowable; and
  
  authorizing connections which are allowable according to the stored security policy information and transmitting corresponding authorization messages from the central control arrangement to the respective peripheral nodes.
- View Dependent Claims (12)
- - 12. A non-transitory data storage medium storing one or more of the computer programs for carrying out the method of claim 11.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
British Telecommunications PLC (BT Group PLC)
Original Assignee
British Telecommunications PLC (BT Group PLC)
Inventors
He, Liwen, Littlefair, Bryan, Martin, Thomas, Kallath, Dinesh, Rutherford, Christopher
Primary Examiner(s)
Patel, Nirav B
Assistant Examiner(s)
FIELDS, COURTNEY D

Application Number

US12/515,449
Publication Number

US 20100037311A1
Time in Patent Office

2,135 Days
Field of Search

726/15, 713/153, 713/154, 713/151, 709/227, 709/228
US Class Current

726/15
CPC Class Codes

H04L 63/0209   Architectural arrangements,...

H04L 63/0272   Virtual private networks

H04L 63/20   for managing network securi...

Secure network architecture

First Claim

1 Assignment

0 Petitions

Accused Products

Abstract

34 Citations

12 Claims

Specification

Solutions

Use Cases

Quick Links

Secure network architecture

First Claim

1 Assignment

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

34 Citations

12 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links