1. Method and apparatus for configuring a virtual private network
    Granted patent; status: expired

    Publication number: US06226751B1

    Publication date: 2001-05-01

    Application number: US09062507

    Filing date: 1998-04-17

    IPC classification: G06F 15/16

    Abstract: The present invention provides a method and an apparatus for establishing a virtual private network that operates over a public data network. One embodiment of the present invention includes a system that selects a plurality of entities coupled to the public data network to include in the virtual private network. The system next assembles a plurality of identifiers for the plurality of entities. These identifiers are used to identify communications between the plurality of entities, so that these communications can be transferred securely over the public data network. A variation on this embodiment includes defining encryption, authentication and compression parameters for the virtual private network. In another variation, selecting the plurality of entities includes assembling entities coupled to the public data network into groups, and selecting groups of entities to include in the virtual private network. Another variation includes defining access control rules specifying types of communications that are allowed to pass through virtual private network units. These virtual private network units are typically used to couple local area networks to the public network so that secure communications on the public network pass through the virtual private network units. Yet another variation on this embodiment includes defining address translation rules for virtual private network units coupled to the public data network. These address translation rules are used to translate local network addresses to public network addresses.


2. Method and apparatus for swapping a computer operating system
    Granted patent; status: expired

    Publication number: US06175917B1

    Publication date: 2001-01-16

    Application number: US09065899

    Filing date: 1998-04-23

    IPC classification: G06F 9/00

    CPC classification: G06F 9/441, G06F 11/1417

    Abstract: One embodiment of the present invention provides a computer system with a plurality of storage memories, each storage memory storing an operating system program, and an identifier for identifying a storage memory containing an operating system program to be loaded when the unit is booted. The identifier is selectively switchable between storage memories so that the computer system may be selectively booted with an alternate operating system program. This facilitates loading a new version of an operating system, and then rapidly switching back to an old version of the operating system if the new version fails to function properly.

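The boot-identifier scheme in the abstract above, as an added example (not code from the patent): two storage slots, an identifier naming the slot to boot, and a flip back to the previous slot when the newly installed OS fails a health check. The slot names, the version labels and the health-check callback are assumptions made for this illustration.

```python
"""Two-slot OS selection with a switchable boot identifier. Added illustration,
not the patent's code: slot names, version labels and the health-check
callback are assumptions."""
from dataclasses import dataclass, field
from typing import Callable, Dict, List, Optional


@dataclass
class Slot:
    name: str        # one of the plural storage memories, e.g. "A" / "B"
    os_version: str  # label of the OS program stored in that memory (assumed)


@dataclass
class BootSelector:
    slots: Dict[str, Slot]
    boot_identifier: str                       # names the slot loaded at boot
    fallback_identifier: Optional[str] = None  # slot to return to if the new OS fails
    boots: List[str] = field(default_factory=list)

    def install(self, new_version: str) -> str:
        """Write the new OS into the slot that is NOT currently selected, then
        switch the identifier to it and remember the old slot for rollback."""
        target = next(n for n in self.slots if n != self.boot_identifier)
        self.slots[target] = Slot(target, new_version)
        self.fallback_identifier = self.boot_identifier
        self.boot_identifier = target
        return target

    def boot(self, healthy: Callable[[Slot], bool]) -> Slot:
        """Boot the slot the identifier points at. If that OS fails the health
        check and a fallback exists, flip the identifier back and boot the old OS."""
        chosen = self.slots[self.boot_identifier]
        if not healthy(chosen) and self.fallback_identifier is not None:
            self.boot_identifier = self.fallback_identifier
            chosen = self.slots[self.boot_identifier]
        # a successful boot (or a completed rollback) settles the choice
        self.fallback_identifier = None
        self.boots.append(chosen.os_version)
        return chosen


def simulate(new_version_works: bool) -> List[str]:
    """Install v2 over a running v1 and boot twice; returns the versions booted."""
    sel = BootSelector(
        slots={"A": Slot("A", "v1"), "B": Slot("B", "")},  # B is empty before install
        boot_identifier="A",
    )
    sel.install("v2")

    def healthy(slot: Slot) -> bool:
        return slot.os_version != "v2" or new_version_works

    sel.boot(healthy)
    sel.boot(healthy)
    return sel.boots
```

The identifier is the single control point of the scheme: whoever can write it decides which OS program loads, and a rollback is also a downgrade to whatever the old slot holds. A deployment therefore keeps the identifier in storage the running OS cannot rewrite freely and lets only the health check drive the flip.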

3. Translating packet addresses based upon a user identifier
    Granted patent; status: expired

    Publication number: US6154839A

    Publication date: 2000-11-28

    Application number: US65898

    Filing date: 1998-04-23

    Abstract: One embodiment of the present invention includes a system that translates addresses in a data packet based upon a user identifier in the data packet. The system receives the data packet sent from a source node to a destination node by a user. This data packet includes a source address of the source node, a destination address of the destination node and the user identifier that identifies the user. The system uses the user identifier to look up communication privileges associated with the user. If the communication privileges allow the user to communicate with the destination node, the system replaces the source address in the data packet with a privileged address, and forwards the data packet to the destination node. In a variation on this embodiment, the privileged address is recognized by a system firewall so that it facilitates passage of the packet through the firewall. In another variation, the privileged address specifies a return address of a given address translation unit and thereby facilitates load balancing across multiple address translation units. In a further variation, the system receives a reply packet from the destination node directed to the privileged address, and replaces the privileged address in the reply packet with the source address so that the reply packet is directed to the source node, before forwarding the reply packet to the source node. In another variation, receiving the reply packet includes acting as a proxy for the privileged address under the address resolution protocol. Another variation further includes authenticating, encrypting and optionally compressing the data packet.

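The translation step in the abstract above, as an added example (not the patent's code): privileges are looked up by the user identifier, the source address is rewritten to a privileged address, and replies to that address are mapped back to the original source. The transport ports (so several sources can share one privileged address), the HMAC-SHA256 tag that binds the user identifier to the packet, and the addresses (documentation ranges) are assumptions for this illustration; the abstract itself only lists authentication as a variation.

```python
"""User-identifier-based source-address translation. Added illustration, not
the patent's code: ports, the HMAC tag authenticating the user identifier and
the addresses are assumptions."""
import hashlib
import hmac
from dataclasses import dataclass, replace
from typing import Dict, Optional, Set, Tuple


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    sport: int          # assumed transport ports: let many sources share one privileged address
    dport: int
    user_id: str = ""   # identifier of the user who sent the packet (per the abstract)
    tag: bytes = b""    # assumed: HMAC over (src, dst, user_id) under the user's key
    payload: bytes = b""


def user_tag(key: bytes, src: str, dst: str, user_id: str) -> bytes:
    return hmac.new(key, f"{src}|{dst}|{user_id}".encode(), hashlib.sha256).digest()


class UserAddressTranslator:
    def __init__(self, privileged_addr: str, privileges: Dict[str, Set[str]],
                 user_keys: Dict[str, bytes]):
        self.privileged_addr = privileged_addr   # address the firewall trusts; replies come back here
        self.privileges = privileges             # user_id -> destinations that user may reach
        self.user_keys = user_keys
        self.flows: Dict[Tuple[str, int, int], str] = {}  # (dst, sport, dport) -> original src

    def outbound(self, pkt: Packet) -> Optional[Packet]:
        """Returns the rewritten packet, or None if it must be dropped."""
        key = self.user_keys.get(pkt.user_id)
        # an unauthenticated user id would let any host claim another user's privileges
        if key is None or not hmac.compare_digest(
                pkt.tag, user_tag(key, pkt.src, pkt.dst, pkt.user_id)):
            return None
        if pkt.dst not in self.privileges.get(pkt.user_id, set()):
            return None
        self.flows[(pkt.dst, pkt.sport, pkt.dport)] = pkt.src
        return replace(pkt, src=self.privileged_addr, user_id="", tag=b"")

    def inbound(self, reply: Packet) -> Optional[Packet]:
        """Maps a reply addressed to the privileged address back to the source node."""
        if reply.dst != self.privileged_addr:
            return None
        orig_src = self.flows.get((reply.src, reply.dport, reply.sport))
        if orig_src is None:
            return None   # no matching outbound flow: unsolicited traffic is not let in
        return replace(reply, dst=orig_src)


def demo() -> dict:
    """Constructed traffic: alice may reach 203.0.113.10, bob may not."""
    keys = {"alice": b"alice-secret", "bob": b"bob-secret"}
    nat = UserAddressTranslator("198.51.100.1",
                                {"alice": {"203.0.113.10"}, "bob": set()}, keys)

    def make(src: str, user: str, dst: str = "203.0.113.10") -> Packet:
        return Packet(src, dst, 40000, 443, user,
                      user_tag(keys[user], src, dst, user), b"GET /")

    allowed = nat.outbound(make("10.0.0.5", "alice"))
    denied = nat.outbound(make("10.0.0.6", "bob"))
    # claims alice's identifier but carries a tag made with bob's key
    forged = nat.outbound(replace(make("10.0.0.7", "bob"), user_id="alice"))
    reply = nat.inbound(Packet("203.0.113.10", "198.51.100.1", 443, 40000, payload=b"200 OK"))
    stray = nat.inbound(Packet("203.0.113.10", "198.51.100.1", 443, 40001, payload=b"?"))
    return {
        "rewritten_src": allowed.src if allowed else None,
        "denied": denied is None,
        "forged": forged is None,
        "reply_dst": reply.dst if reply else None,
        "stray": stray is None,
    }
```

Using the translation unit's own address as the privileged address is what makes the reply arrive at the unit that holds the flow entry, which is the load-balancing variation the abstract describes; with several units, each needs its own privileged address or shared flow state.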

4. Method and apparatus for processing communications in a virtual private network
    Granted patent; status: in force

    Publication number: US06701437B1

    Publication date: 2004-03-02

    Application number: US09188867

    Filing date: 1998-11-09

    IPC classification: H04L 9/00

    Abstract: One embodiment of the present invention provides a computer system for processing communications in a virtual private network. The computer system operates in a selective mode, in which only communications transiting the virtual private network are processed according to specified virtual private network parameters, such as encryption, compression and authentication algorithms. Virtual private network communications passing between a public network and a private network are thus received and processed according to the algorithms, while other communications bypass the computer system. Multiple private networks may be served by a single computer system.

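One added example (not code from either patent) covering the first entry and this one together: the VPN configuration is assembled from groups of entities (identifiers, access control rules, address translation rules, authentication and compression parameters, as in entry 1), and a selective-mode unit then processes only packets whose endpoints both sit in different member sites, letting everything else bypass (entry 4). The prefixes, the rule format, HMAC-SHA256 as the authentication algorithm and zlib as the compression algorithm are assumptions; encryption is a pluggable callable because the standard library has no AEAD, and the identity default is only a placeholder.

```python
"""VPN configuration from entity groups plus selective-mode processing. Added
illustration, not the patents' code: prefixes, rule format, HMAC-SHA256 and
zlib are assumptions; the encrypt/decrypt callables are placeholders."""
import hashlib
import hmac
import ipaddress
import zlib
from dataclasses import dataclass
from typing import Callable, Dict, List, Optional, Tuple

Net = ipaddress.IPv4Network


@dataclass
class VpnConfig:
    members: List[Net]                 # identifiers of the selected entities (site prefixes)
    acl: List[Tuple[str, str]]         # (protocol, "allow" | "deny"); first match wins
    nat: Dict[Net, str]                # local prefix -> public address of its VPN unit
    auth_key: bytes
    encrypt: Callable[[bytes], bytes]  # placeholder for the negotiated cipher


@dataclass
class Packet:
    src: str
    dst: str
    proto: str
    payload: bytes


def build_config(groups: Dict[str, List[str]], selected: List[str],
                 acl: List[Tuple[str, str]], nat: Dict[str, str], key: bytes,
                 encrypt: Callable[[bytes], bytes] = lambda b: b) -> VpnConfig:
    """Select groups of entities and assemble their identifiers into one VPN."""
    members = [Net(p) for g in selected for p in groups[g]]
    return VpnConfig(members, acl, {Net(k): v for k, v in nat.items()}, key, encrypt)


def _site(cfg: VpnConfig, addr: str) -> Optional[Net]:
    ip = ipaddress.IPv4Address(addr)
    return next((n for n in cfg.members if ip in n), None)


def process(cfg: VpnConfig, pkt: Packet) -> Tuple[str, Optional[Packet]]:
    """Selective mode: ("bypass", pkt) for traffic not transiting the VPN,
    ("drop", None) when the ACL rejects it, or ("vpn", rewritten) with the
    source translated and the payload compressed, encrypted and authenticated."""
    src_site, dst_site = _site(cfg, pkt.src), _site(cfg, pkt.dst)
    if src_site is None or dst_site is None or src_site == dst_site:
        return "bypass", pkt          # local or Internet traffic never touches the VPN unit
    for proto, action in cfg.acl:
        if proto in (pkt.proto, "any"):
            if action == "deny":
                return "drop", None
            break
    else:
        return "drop", None           # default deny when no rule matches
    body = cfg.encrypt(zlib.compress(pkt.payload))
    tag = hmac.new(cfg.auth_key, body, hashlib.sha256).digest()
    return "vpn", Packet(cfg.nat.get(src_site, pkt.src), pkt.dst, pkt.proto, tag + body)


def verify(cfg: VpnConfig, wire: Packet,
           decrypt: Callable[[bytes], bytes] = lambda b: b) -> Optional[bytes]:
    """Receiving unit: check the tag before decrypting and decompressing."""
    tag, body = wire.payload[:32], wire.payload[32:]
    if not hmac.compare_digest(tag, hmac.new(cfg.auth_key, body, hashlib.sha256).digest()):
        return None
    return zlib.decompress(decrypt(body))


def demo_config() -> VpnConfig:
    """Constructed topology: HQ and two branches join the VPN, the lab does not."""
    groups = {"hq": ["10.1.0.0/16"],
              "branches": ["10.2.0.0/16", "10.3.0.0/16"],
              "lab": ["10.9.0.0/16"]}
    return build_config(groups, ["hq", "branches"],
                        [("icmp", "deny"), ("tcp", "allow")],
                        {"10.1.0.0/16": "198.51.100.1", "10.2.0.0/16": "198.51.100.2"},
                        b"vpn-auth-key")
```

Compression runs before encryption and authentication, matching the order the parameters are listed in, and the receiver checks the tag before touching the body so that a tampered packet is rejected before decompression.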