Secure multipoint internet protocol virtual private networks
    1.
    Granted patent (in force)

    Publication number: US07724732B2

    Publication date: 2010-05-25

    Application number: US11072086

    Filing date: 2005-03-04

    IPC classification: H04L12/56

    Abstract: A method, apparatus and computer program product for providing secure multipoint Internet Protocol Virtual Private Networks (IPVPNs) is presented. A packet lookup is performed in order to determine a next hop. A VPN label is pushed on the packet, as is an IP tunnel header. Group encryption through the use of DGVPN is further utilized. In such a manner secure connectivity and network partitioning are provided in a single solution.


    Conditional BGP advertising for dynamic group VPN (DGVPN) clients
    3.
    Granted patent (in force)

    Publication number: US07720995B2

    Publication date: 2010-05-18

    Application number: US11811381

    Filing date: 2007-06-08

    IPC classification: G06F15/173 G06F7/04 H04L12/56

    CPC classification: H04L63/104 H04L63/065

    Abstract: In a host within a group, a method for ensuring secure communications is provided. The method involves (a) determining if a group security policy is in place for secure communication between hosts within the group, (b) if the group security policy is in place, advertising routing information to another host within the group, and (c) if the group security policy is not in place, refraining from advertising routing information to the other host. Corresponding apparatus and computer program product embodiments are also provided.


    System and methods for network segmentation
    4.
    Granted patent (in force)

    Publication number: US07688829B2

    Publication date: 2010-03-30

    Application number: US11226011

    Filing date: 2005-09-14

    IPC classification: H04L12/28

    Abstract: A routing mechanism provides network segmentation preservation by route distribution with segment identification, policy distribution for a given VPN segment, and encapsulation/decapsulation for each segment using an Ethernet VLAN_ID, indicative of the VPN segment (subnetwork). Encapsulated segmentation information in a message packet identifies which routing and forwarding table is employed for the next hop. A common routing instance receives the message packets from the common interface, and indexes a corresponding VRF table from the VLAN ID, or segment identifier, indicative of the subnetwork (e.g. segment). In this manner, the routing instance receives the incoming message packet, decapsulates the VLAN ID in the incoming message packet, and indexes the corresponding VRF and policy ID from the VLAN ID, therefore employing a common routing instance over a common subinterface for a plurality of segments (subnetworks) coupled to a particular forwarding device (e.g. VPN router).


    Internal routing protocol support for distributing encryption information
    5.
    Granted patent (in force)

    Publication number: US07620975B2

    Publication date: 2009-11-17

    Application number: US11059736

    Filing date: 2005-02-17

    Abstract: A method and apparatus for providing routing protocol support for distributing encryption information is presented. Subnet prefixes reachable on a first customer site in an encrypted manner are identified, as are security groups the subnet prefixes belong to. An advertisement is received at a first Customer Edge (CE) device in the first customer site, the advertisement originating from a Customer (C) device in the first customer site. The advertisement indicates links, subnets to be encrypted, and security group identifiers. The prefixes and the security group identifiers are then propagated across a service provider network to a second CE device located in a second customer site. In such a manner, encryption and authentication are expanded further into a customer site, as customer devices are able to indicate to a service provider network infrastructure and other customer devices in other customer sites which local destinations require encryption/authentication.


    Conditional BGP advertising for dynamic group VPN (DGVPN) clients
    7.
    Patent application (in force)

    Publication number: US20080307110A1

    Publication date: 2008-12-11

    Application number: US11811381

    Filing date: 2007-06-08

    IPC classification: G06F15/173

    CPC classification: H04L63/104 H04L63/065

    Abstract: In a host within a group, a method for ensuring secure communications is provided. The method involves (a) determining if a group security policy is in place for secure communication between hosts within the group, (b) if the group security policy is in place, advertising routing information to another host within the group, and (c) if the group security policy is not in place, refraining from advertising routing information to the other host. Corresponding apparatus and computer program product embodiments are also provided.


    Migrating a network to tunnel-less encryption
    8.
    Granted patent (in force)

    Publication number: US08307423B2

    Publication date: 2012-11-06

    Application number: US12337315

    Filing date: 2008-12-17

    IPC classification: G06F9/00

    Abstract: A method comprises, in a network comprising VPN gateway devices configured only for plaintext data communication, configuring a policy server with a security policy including DO NOT ENCRYPT statements temporarily overriding PERMIT statements defining which packets should be encrypted; selecting one sub-group of the VPN gateway devices in which tunnel-less encryption is not configured; configuring the VPN gateway devices in the sub-group for tunnel-less encryption by: configuring each device in a passive mode of operation in which the device is configured to receive either encrypted packets or plaintext packets matching encryption policy; configuring local DO NOT ENCRYPT statements matching traffic that is currently being converted to ciphertext; removing, from the access control list of the policy server, DO NOT ENCRYPT statements referring to protected LAN CIDR blocks behind the VPN gateway devices in the selected sub-group; configuring the sub-group to send encrypted packets by removing, from each of the VPN gateway devices in the selected sub-group, the local DO NOT ENCRYPT statements for the CIDR blocks currently being converted and protected by the selected sub-group; repeating the configuring of each of the VPN gateway devices in the selected sub-group for tunnel-less encryption, and the configuring of the sub-group to send encrypted packets, for each other one of the sub-groups; and removing the passive mode on each of the VPN gateway devices.


    MIGRATING A NETWORK TO TUNNEL-LESS ENCRYPTION
    9.
    Patent application (in force)

    Publication number: US20100154028A1

    Publication date: 2010-06-17

    Application number: US12337315

    Filing date: 2008-12-17

    IPC classification: G06F21/00

    Abstract: A method comprises, in a network comprising VPN gateway devices configured only for plaintext data communication, configuring a policy server with a security policy including DO NOT ENCRYPT statements temporarily overriding PERMIT statements defining which packets should be encrypted; selecting one sub-group of the VPN gateway devices in which tunnel-less encryption is not configured; configuring the VPN gateway devices in the sub-group for tunnel-less encryption by: configuring each device in a passive mode of operation in which the device is configured to receive either encrypted packets or plaintext packets matching encryption policy; configuring local DO NOT ENCRYPT statements matching traffic that is currently being converted to ciphertext; removing, from the access control list of the policy server, DO NOT ENCRYPT statements referring to protected LAN CIDR blocks behind the VPN gateway devices in the selected sub-group; configuring the sub-group to send encrypted packets by removing, from each of the VPN gateway devices in the selected sub-group, the local DO NOT ENCRYPT statements for the CIDR blocks currently being converted and protected by the selected sub-group; repeating the configuring of each of the VPN gateway devices in the selected sub-group for tunnel-less encryption, and the configuring of the sub-group to send encrypted packets, for each other one of the sub-groups; and removing the passive mode on each of the VPN gateway devices.
