SECURE NETWORK ARCHITECTURE

US 20100064133A1
Filed: 11/20/2007
Published: 03/11/2010
Est. Priority Date: 11/20/2006
Status: Active Grant

First Claim

Patent Images

1. A star-connected network having a number of client nodes and a server node, for permitting the client nodes to establish indirect communication sessions with one another wherein:

each client node is restricted in terms of which types of direct communications it can set up across the network to being able to set up direct communications to the server node using a respective encrypted connection but not being able to set up communications directly with any other of the client nodes and is operable to request initiation of an indirect communications session to the server node via a respective encrypted connection, the session request specifying one or more session parameters including an application identifier associated with the application initiating the indirect communication session; and

wherein the server node comprises;

a connection controller for establishing an encrypted connection with each client node;

a store storing, in respect of each permitted current session initiated by an application running on a client node, a session parameter set including an application identifier;

a routing controller for routing packets between two client nodes using two respective encrypted connections; and

a firewall for allowing or blocking said packets depending on whether or not each such packet includes an application identifier associated with or contained in a stored session parameter set.

View all claims

1 Assignment

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

The present invention provides a star-connected network (C1-C4, P1-P8) having a number of peripheral nodes (P1-P8) and a central control arrangement (C1-C4). Each peripheral node has means for restricting communications across the network to the central control arrangement using a respective encrypted connection unless the peripheral node has received explicit authorization from the control arrangement to set up a direct connection with another peripheral node. The central control arrangement comprises: means for establishing an encrypted connection with each peripheral node; means for exchanging control packets with two or more peripheral nodes using two or more respective encrypted connections in order to set up an authorized connection between two peripheral nodes; a database storing security policy information specifying what connections between peripheral nodes are allowable; and authorization means for authorizing connections which are allowable according to the stored security policy information using the control packet exchanging means.

53 Citations

View as Search Results

12 Claims

1. A star-connected network having a number of client nodes and a server node, for permitting the client nodes to establish indirect communication sessions with one another wherein:
- each client node is restricted in terms of which types of direct communications it can set up across the network to being able to set up direct communications to the server node using a respective encrypted connection but not being able to set up communications directly with any other of the client nodes and is operable to request initiation of an indirect communications session to the server node via a respective encrypted connection, the session request specifying one or more session parameters including an application identifier associated with the application initiating the indirect communication session; and
  
  wherein the server node comprises;
  
  a connection controller for establishing an encrypted connection with each client node;
  
  a store storing, in respect of each permitted current session initiated by an application running on a client node, a session parameter set including an application identifier;
  
  a routing controller for routing packets between two client nodes using two respective encrypted connections; and
  
  a firewall for allowing or blocking said packets depending on whether or not each such packet includes an application identifier associated with or contained in a stored session parameter set.
- View Dependent Claims (2, 3, 4, 5, 7)
- - 2. A network according to claim 1, wherein the session parameter sets areautomatically updated upon establishing and terminating the encrypted connections.
  - 3. A network according to claim 2, wherein the connection controller comprises a virtual private network server which is configured to receive and send all packets via the firewall.
  - 4. A network according to claim 1, wherein each client node has authentication information securely stored in a tamper-resistant hardware module for authentication for establishing an encrypted connection with the server node.
  - 5. A network according to claim 4, further comprising a security policy engine operable to return a permit or deny decision in response to a client identifier and a number of session parameters provided by a client node requesting establishment of a communication link to another one of the client nodes.
  - 7. A network according to claim 1, wherein the star connected network is implemented on one or more interconnected packet switched mesh networks using virtual local area networks to support the encrypted connections.

6. A network according to claim 6, wherein the session parameters include:
- source and destination network addresses;
  
  session type;
  
  application type for session; and
  
  port numbers.

8. A server node for a star-connected network having a number of client nodes and a server node, the network being operable to permit the client nodes to establish indirect communication sessions with one another wherein:
- the server the server node comprises;
  
  a connection controller for establishing an encrypted connection with each client node;
  
  a store storing, in respect of each permitted current session initiated by an application running on a client node, a session parameter set including an application identifier;
  
  a routing controller for routing packets between two client nodes using two respective encrypted connections; and
  
  a firewall for allowing or blocking said packets depending on whether or not each such packet includes an application identifier associated with or contained in a stored session parameter set.

9. A method of operating a star-connected network having a number of client nodes and a server node to permit the client nodes to establish indirect communication sessions with one another, the method comprising:
- restricting each client node in terms of which types of direct communications it can set up across the network to being able to set up direct communications to the server node using a respective encrypted connection but not being able to set up communications directly with any other of the client nodes,establishing an encrypted connection between an initiating client node and the server node;
  
  generating at the initiating client node a session request to initiate an indirect communications session with a target client node, the target client node being another one of the client nodes, and sending this session request to the server node via the encrypted connection between the initiating client node and the server node, the session request specifying one or more session parameters including an application identifier associated with the application running on the initiating client node responsible for initiating the indirect communication session;
  
  determining whether or not to permit the session based on stored security policies and, if the session is permitted,establishing an encrypted connection between the server node and the target client node;
  
  storing, in respect of the permitted session, a session parameter set including an application identifier associated with the application responsible for initiating the session; and
  
  routing packets including the application identifier between the initiating and target client nodes using the respective encrypted connections.
- View Dependent Claims (10, 11, 12)
- - 10. The method of claim 9 further comprising discarding received packets which do not include an identifier stored in a session parameter set associated with a current permitted session.
  - 11. Processor implementable instructions for causing a client node or a server node to operate in accordance with the method of claim 9.
  - 12. A Tangible data storage device storing processor implementable instructions according to claim 11.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
British Telecommunications PLC (BT Group PLC)
Original Assignee
British Telecommunications PLC (BT Group PLC)
Inventors
He, Liwen, Littlefair, Bryan, Martin, Thomas, Rutherford, Christopher, Kallath, Dinesh

Granted Patent

US 8,959,334 B2
Time in Patent Office

Days
Field of Search
US Class Current

713/154
CPC Class Codes

H04L 63/0209   Architectural arrangements,...

H04L 63/0272   Virtual private networks

H04L 63/20   for managing network securi...

SECURE NETWORK ARCHITECTURE

First Claim

1 Assignment

0 Petitions

Accused Products

Abstract

53 Citations

12 Claims

Specification

Solutions

Use Cases

Quick Links

SECURE NETWORK ARCHITECTURE

First Claim

1 Assignment

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

53 Citations

12 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links