US20030069958A1 - Virtual private network management - Google Patents

Publication number
US20030069958A1
Authority
US
United States
Prior art keywords
vpn
vip
configuration
configurations
belonging
Prior art date
Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Abandoned
Application number
US10/151,319
Inventor
Mika Jalava
Current Assignee (The listed assignees may be inaccurate. Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list.)
Stonesoft Corp
Original Assignee
Stonesoft Corp
Priority date (The priority date is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the date listed.)
Filing date
Publication date
Application filed by Stonesoft Corp
Assigned to STONESOFT CORPORATION. Assignment of assignors interest (see document for details). Assignors: JALAVA, MIKA
Priority to EP02102400A (patent EP1304830B1)
Priority to DE60212289T (patent DE60212289T2)
Publication of US20030069958A1
Priority to US12/511,124 (patent US8019850B2)
Legal status: Abandoned

Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L41/00 Arrangements for maintenance, administration or management of data switching networks, e.g. of packet switching networks
    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L12/00 Data switching networks
    • H04L12/28 Data switching networks characterised by path configuration, e.g. LAN [Local Area Networks] or WAN [Wide Area Networks]
    • H04L12/46 Interconnection of networks
    • H04L12/4641 Virtual LANs, VLANs, e.g. virtual private networks [VPN]
    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00 Network architectures or network communication protocols for network security
    • H04L63/02 Network architectures or network communication protocols for network security for separating internal from external traffic, e.g. firewalls
    • H04L63/0272 Virtual private networks
    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L41/00 Arrangements for maintenance, administration or management of data switching networks, e.g. of packet switching networks
    • H04L41/40 Arrangements for maintenance, administration or management of data switching networks, e.g. of packet switching networks using virtualisation of network functions or resources, e.g. SDN or NFV entities

Definitions

  • the invention relates in general to Virtual Private Networks (VPN).
  • the invention relates to managing VPNs.
  • Public networks are presently being used more and more for sensitive and mission critical communications and the internal networks of various organisations and enterprises are nowadays connected to the public networks, Internet being one of them. Since the basic mechanisms of the public networks were originally not designed with secrecy and confidentiality in mind, public networks are untrusted networks.
  • All traffic from a first party to a second party is encrypted in a security gateway of the first party, sent in encrypted form over the public network to the second party, where the transmitted data is decrypted in a security gateway and the decrypted data is forwarded to the recipient.
  • the VPN is typically transparent to the processes that are communicating between each other and the encryption and decryption depend on the configuration of the VPN between the parties.
  • the security gateways need to have information about the configuration of the other end of the VPN in order to be able to encrypt and decrypt the traffic correctly.
  • the configuration includes things like addressing, encryption algorithm and key information of the other end security gateway.
  • the configuration information is usually conveyed between the administrators of different sites by means of phone or some other traditional communication system.
  • the administrators then input the configuration to the security gateways of their sites in order to enable VPN connections between the sites.
  • the actual encryption keys are exchanged in VPN communication, but the configuration that is needed for initiating VPN connection needs to be conveyed by some other means.
  • FIG. 1 illustrates an example network topology with four sites 101-104, which are able to communicate with each other by means of VPNs.
  • the sites 101-104 are connected to the Internet 100 via security gateways 105-108.
  • Each security gateway is managed via a site-specific management server 109-112, which usually resides inside the respective site, and to each site there is configured VPN configuration information of all other sites as well as the configuration of the site itself.
  • the security gateway functions as a firewall; the firewall configuration (access rules) of the security gateways is naturally not duplicated to the other sites.
  • One proposal for managing large VPNs is a star like VPN, where a central “hub” acts as a VPN router. Each site connects to the hub, which decrypts the packets and then re-encrypts them for the connection from the hub to the target site. This way, the VPN sites do not need to have up-to-date VPN information of all other sites; instead it is enough to be able to connect to the central hub.
  • FIG. 2 illustrates the network topology of FIG. 1 in connection with the star like VPN.
  • the sites include now only VPN configuration of the site itself and of a central hub 200.
  • the central hub includes VPN configuration of all the sites in the configuration, and the sites connect to each other via the central hub.
  • the disadvantage of the star like VPN is that vast amounts of processing power are required at the hub.
  • the security gateway at each site still has the same amount of encryption load as in a standard distributed VPN, but the hub's load is in fact equal to the sum of the loads of all the sites. In large-scale VPNs this may be difficult or impossible to achieve and in any case very expensive.
  • the data transmitted in the VPNs is in cleartext form within the hub, which is clearly a security risk.
  • An object of the invention is to provide a method for managing VPN devices, which avoids or alleviates the problems mentioned above.
  • the object is achieved according to the invention as disclosed in the attached independent claims.
  • Preferred embodiments of the invention are disclosed in the dependent claims.
  • the features described in one dependent claim may be further combined with features described in another dependent claim to produce further embodiments of the invention.
  • the idea of the invention is to provide a centralized VPN management of a plurality of VPN sites by means of a VPN Information Provider (VIP).
  • the security gateway (or other VPN device) management is distributed so that at least part of the VPN configuration (especially the part consisting of site addressing, used encryption algorithms and key management) is centrally managed without giving away control of the firewall rulebase or other critical local configuration used in the security gateway.
  • the VIP according to the invention is a mutually trusted party, from which the parties joining a VPN are willing to accept configuration information.
  • a method for managing VPN devices comprises
  • a method for managing VPN device comprises
  • the configuration of at least one other VPN device may be provided directly to said first VPN device or via at least one other management system.
  • Own VPN configuration of a given VPN device may be defined in the VIP or in some other management system, from where the configuration is provided to the VIP for maintenance.
  • Providing the configuration(s) of other VPN devices to a VPN device may be done by sending to a first VPN device belonging to the first VPN, information about the VPN configurations maintained in the VIP, and by requesting from the first VIP VPN configuration of another security gateway belonging to the first VPN when needed.
  • Said information about the VPN configurations maintained in the VIP may be for example a set of addresses included in the first VPN. (The set of addresses may be a single address range or plurality of address ranges related to different sites included in the VPN.)
  • the request from the first VPN device comprises an address included in the first VPN, and said other VPN device is identified in the VIP by finding a VPN device related to said address.
  • Said information about the configurations—that is, the set of addresses—may be sent to the VPN devices after a change in the set of addresses included in the first VPN, or after a predefined time has elapsed since the information was sent the last time.
  • the VIP may send, to VPN devices belonging to the first VPN, VPN configurations maintained in the VIP, so that the configurations are readily available in the VPN devices when needed.
  • the VPN configurations maintained in the VIP may be sent for example after a new VPN configuration has been added to the VIP, after an old VPN configuration has been removed from the VIP, after a VPN configuration of at least one VPN device has been changed in the VIP, or after a predefined time has elapsed since the configurations were sent the last time. That is, all changes need to be instantly conveyed to the VPN devices.
  • the VIP may send only changes or additions to the information or configurations previously sent (an incremental update) or all available information or configurations (a full update).
  • a method for handling VPN configuration in a VPN device comprises
  • a VPN device related to a destination address refers to the VPN device, which is securing the site, to which the destination address belongs.
  • a VPN tunnel needs to be created to this VPN device.
  • a method for handling VPN configuration in a VPN Information Provider comprises
  • the method of the invention enables flexible management of a VPN between several autonomous organizations. Additionally, providing VPN management as a service is enabled. That is, the invention offers MSPs (Managed Service Providers) a possibility to provide a new type of service by means of VIPs.
  • VPN configuration is managed separately from other configuration information and therefore management of VPN configuration can be securely outsourced and an organization can easily join different VPNs, which may be administered by a plurality of different VIPs.
  • FIG. 1 illustrates an example network topology
  • FIG. 2 illustrates a star like VPN topology
  • FIGS. 3, 4 and 5 illustrate example network topologies according to the invention
  • FIG. 6 is a flow chart illustrating management of VPN devices according to an aspect of the invention.
  • FIG. 7 is a flow chart illustrating management of VPN devices according to another aspect of the invention.
  • FIG. 8 is a flow chart illustrating handling of VPN configuration in a VPN device according to still other aspect of the invention.
  • FIGS. 1 and 2 are discussed in more detail above in connection with the prior art description.
  • the invention is mainly disclosed in connection with a VPN capable firewall implementation.
  • the method of the invention can be applied straightforwardly also in any security gateway without firewall functionality as well as in a VPN client solution, which provides VPN connectivity for a single (and often mobile) host.
  • the invention can be used in connection with dynamic security gateway (gateways, which do not have a static IP-address). Therefore, the invention can be employed in any device acting as an endpoint of a VPN.
  • VPN device's own VPN configuration is defined and maintained in a local management system, or in MSP's management system, if the VPN device is administered by an MSP.
  • the VPN configuration may be defined together with access rule configuration of the VPN device, if the VPN device acts as a firewall.
  • the VPN device may be only a simple encryption/decryption endpoint of a VPN without firewall functionality.
  • the VPN configuration of the VPN device is provided to VIP 1, which is managing VPN 1.
  • the VPN configuration may be provided to the gateway from the VIP 1 .
  • VIP 1 provides the VPN device with VPN configurations of other endpoints belonging to VPN 1 or information about the configuration of the VPN 1 as a whole.
  • the VPN device uses the configuration normally for communicating over VPN 1, and VIP 1 takes care that the configuration which the VPN device has is up to date.
  • the VPN device queries the actual configuration from the VIP 1 when needed.
  • the arrangement of the invention does not compromise security of the VPNs, even though the VPN configuration information of all sites is available from a central point (VIP).
  • the configuration includes the authentication keys of the sites, that is the end points of the VPNs, but in VPN each connection is encrypted with connection specific keys, which are negotiated between the communicating sites, and thus knowing the authentication key of a site does not enable breaking into a VPN connection.
  • FIG. 3 illustrates an example network topology according to one aspect of the invention.
  • the sites of FIG. 1 are secured by security gateways 301-304, which include the VPN configuration related to the VPN between the sites for other sites as in prior art.
  • the security gateways are taking care of all encryption tasks.
  • the local management systems 305-308 do not take care of providing the VPN configuration to the security gateways.
  • VPN configuration information of the sites is loaded to the security gateways from a VPN Information Provider (VIP) 300 .
  • the change needs to be done only in the VIP from which the updated configuration is then loaded to security gateways of all sites.
  • the VIP loads the configuration to the security gateways for example every time after a change occurs in the configuration.
  • the change may be an addition or removal of a site or modification of some site's configuration.
  • the VIP may push the configuration information to the security gateways after certain time interval has elapsed since the configuration was pushed the last time in order to minimize the possibility that the sites would not have up-to-date configuration.
  • the security gateways use the VPN configuration loaded from the VIP in the same way, as they would use configuration loaded from a local management system.
  • the security gateways basically need to be configured to accept configuration from the VIP, but otherwise their operation does not need to be altered.
  • the communication between the VIP and the security gateways is encrypted by some suitable means; for example Secure Sockets Layer (SSL) protocol may be used for this.
  • some parts of the configuration of the security gateways, e.g. configuration not related to the VPNs, and/or possible access rules related to the VPN, are managed from site-specific local management systems 305-308.
  • the VIP may push only indication that the configuration has changed and the security gateway may initiate the transfer of updated configuration from the VIP to the security gateway.
  • FIG. 4 illustrates an example network topology according to another aspect of the invention.
  • three sites are secured by means of security gateways 404-406, out of which security gateway 404 is managed from a local management 403 and security gateways 405 and 406 are managed from MSP's management system 402.
  • Naturally MSP's management connection to the security gateways 405 and 406 does not need to be over the Internet as shown in the Figure, but can be for example a leased line.
  • Security gateways of sites 1 and 2, which join in VPN 1, are provided with identification information for VIP 1 400 (VIP identification is defined in a local management or in MSP's management system), which is administering VPN 1.
  • the sites receive VPN configuration for VPN 1 from VIP 1.
  • security gateways of sites 2 and 3, which join in VPN 2, are provided with identification information for VIP 2 401, which is administering VPN 2, and receive VPN configuration for VPN 2 from VIP 2.
  • security gateway 405 of site 2 has identification information for both VIP 1 and VIP 2.
  • the security gateways query the configuration from the VIP when needed.
  • the security gateways need to know from which VIP to query it.
  • the VIPs send to security gateways information about the configurations they have. This information may be for example a list of IP-addresses included in the VPN or list of VPN sites included in the VPN. In principle this means the addresses, which can be reached over by means of the respective VPN. In the latter case the specific other endpoint (other VPN device and its configuration) to which a certain VPN tunnel should be destined is provided to a security gateway only when needed.
  • the benefit of this solution is that smaller amount of data needs to be distributed to the security gateways.
  • this arrangement enables the use of dynamic security gateways. If a security gateway obtains its address dynamically, for example from a DHCP (Dynamic Host Configuration Protocol) server, other gateways cannot know from which address the dynamic security gateway is reached at a given time. Now, addresses behind the dynamic security gateway can be maintained in a VIP and conveyed to other gateways from there. Then the dynamic security gateway informs the VIP of its current address every time its address changes. The VIP then conveys the current address to another gateway when needed (other gateways query the current address on the basis of an address included in the site of the dynamic gateway). Since the address of a dynamic gateway may change at any given time, e.g.
  • a security gateway may cache configurations received from a VIP for future use, there is a possibility that a security gateway has an out-of-date configuration for a dynamic gateway. Therefore, it is beneficial that the VIP tags the configuration of a dynamic security gateway differently from static configurations. In this way, a security gateway can for example adjust the time a configuration of a dynamic gateway is cached or otherwise treat dynamic and static entries differently.
  • FIG. 5 illustrates an example network topology according to still other aspect of the invention.
  • security gateways 503 and 506 of sites 1 and 3 are managed by local management 504 and MSP 502, respectively.
  • the configurations are provided to a VIP 500 and maintained therein. It should be noted herein that when the VIP receives VPN configuration of a security gateway, it could check if the configuration is compatible with VPN policy of the VIP and with VPN configurations of the other security gateways belonging to the VPN. This can be done by simply comparing the new configuration to configurations of other gateways.
  • When the security gateways are establishing a VPN tunnel they first query the configuration of the other endpoint from the VIP. (This is described in more detail above in connection with FIG. 4.)
  • VPN client 505 joining in the VPN as well.
  • the VPN configuration of the VPN client is maintained in the VIP in similar way as the configurations of the dynamic security gateways.
  • FIGS. 3 to 5 are not meant to be restrictive. Instead, implementation details related to one example may be combined to the details of another example in any suitable way.
  • the VIP and the VPN devices may be implemented as a suitable combination of hardware and software.
  • the implementation is software program code executed in a processor unit combined with suitable memory resources.
  • a major part of the implementation of the invention is a change in the handling of the configuration in the VPN device.
  • a VPN device according to the invention is adapted to receive configuration from more than one management entity, e.g. from a local management and a VIP.
  • VIP provides VPN configuration and local management provides access rule configuration.
  • local management may provide VPN configuration as well.
  • the VPN device is adapted to identify different VIP for example by means of certificates.
  • VPN device may check, if a VPN configuration received from a VIP is in accordance with other configuration of the VPN device, before accepting the configuration for use.
  • a VIP can be basically similar to a centralized VPN management system able to handle VPN devices; the VIP includes thus capability to define VPN configurations and to upload them to the VPN devices.
  • a VIP may accept readily defined VPN configurations for maintenance.
  • the VIP administering a VPN is preferably adapted to confirm that a received new configuration is compatible with the configurations of other gateways belonging to the VPN.
  • a VIP according to one aspect of the invention comprises mechanism for providing VPN devices with information about the configurations maintained in the VIP and sending configuration to VPN devices on demand, that is, as a response to a request.
  • FIG. 6 is a flow chart illustrating management of VPN devices according to an aspect of the invention.
  • VPN configurations are defined for VPN devices and the configurations are maintained in a VIP.
  • the VPN configuration of a given VPN device may be defined in the VIP or in some other management system, from where the configuration is provided to the VIP for maintenance.
  • a VPN device is provided with VPN configuration of some other VPN device by means of sending the configuration from the VIP.
  • certain aspects of the VPN devices are managed from some other management system. Such aspects may be for example access rule configurations or configurations related to some other VPN configuration.
  • FIG. 7 is a flow chart illustrating management of VPN devices according to another aspect of the invention.
  • VPN configurations are defined for VPN devices belonging to first and second VPNs in step 700.
  • the configurations for the first VPN are maintained in a first VIP and the configurations for the second VPN are maintained in a second VIP in steps 702 and 704 respectively.
  • the VPN configuration of a given VPN device may be defined in a VIP or in some other management system, from where the configuration is provided to the respective VIP for maintenance.
  • a VPN device belonging to the first and second VPNs obtains VPN configuration of at least one other VPN device belonging to the first VPN from the first VIP and VPN configuration of at least one other VPN device belonging to the second VPN from the second VIP.
  • FIG. 8 is a flow chart illustrating handling of VPN configuration in a VPN device according to still other aspect of the invention.
  • the VPN device receives information about the VPN configurations maintained in a VIP (e.g. set of addresses included in the respective VPN). Then the VPN device receives a data packet destined to the VPN in step 802. On the basis of the information received from the VIP the VPN device queries VPN configuration from the VIP in step 804 and uses VPN configuration obtained from the VIP for establishing a VPN tunnel for the data packet.

Abstract

The invention provides a centralized VPN management of a plurality of VPN sites by means of a VPN Information Provider (VIP). Management of a VPN device is distributed so that at least part of the VPN configuration is centrally managed without giving away control of the firewall rulebase or other critical local configuration used in the VPN device.

Description

    BACKGROUND OF THE INVENTION
  • The invention relates in general to Virtual Private Networks (VPN). In particular the invention relates to managing VPNs. [0001]
  • Public networks are presently being used more and more for sensitive and mission critical communications and the internal networks of various organisations and enterprises are nowadays connected to the public networks, Internet being one of them. Since the basic mechanisms of the public networks were originally not designed with secrecy and confidentiality in mind, public networks are untrusted networks. [0002]
  • Virtual Private Networks (VPN) are commonly used for connecting trusted parties to each other over untrusted public network through a secure tunnel. All traffic from a first party to a second party is encrypted in a security gateway of the first party, sent in encrypted form over the public network to the second party, where the transmitted data is decrypted in a security gateway and the decrypted data is forwarded to the recipient. The VPN is typically transparent to the processes that are communicating between each other and the encryption and decryption depend on the configuration of the VPN between the parties. However, the security gateways need to have information about the configuration of the other end of the VPN in order to be able to encrypt and decrypt the traffic correctly. The configuration includes things like addressing, encryption algorithm and key information of the other end security gateway. The configuration information is usually conveyed between the administrators of different sites by means of phone or some other traditional communication system. The administrators then input the configuration to the security gateways of their sites in order to enable VPN connections between the sites. The actual encryption keys are exchanged in VPN communication, but the configuration that is needed for initiating VPN connection needs to be conveyed by some other means. [0003]
  • Large VPNs are complicated and tedious to manage. Keeping the information about the structure of the VPN up to date at each site (network or group of networks connected to the VPN) is problematic but mandatory. Every site must have the correct configuration for all the other sites in order to communicate with them. In large VPNs there may be dozens or hundreds of sites and the configuration may vary in time rather frequently, and if the configuration of one VPN site changes all sites need to be updated. That is, the administrator of the site changing its configuration needs to contact administrators of all other sites and communicate the changes to them, whereby they need to re-configure their security gateways. [0004]
  • FIG. 1 illustrates an example network topology with four sites 101-104, which are able to communicate with each other by means of VPNs. The sites 101-104 are connected to the Internet 100 via security gateways 105-108. Each security gateway is managed via a site-specific management server 109-112, which usually resides inside the respective site, and to each site there is configured VPN configuration information of all other sites as well as the configuration of the site itself. In case the security gateway functions as a firewall, the firewall configuration (access rules) of the security gateways is naturally not duplicated to the other sites. [0005]
  • One proposal for managing large VPNs is a star like VPN, where a central “hub” acts as a VPN router. Each site connects to the hub, which decrypts the packets and then re-encrypts them for the connection from the hub to the target site. This way, the VPN sites do not need to have up-to-date VPN information of all other sites; instead it is enough to be able to connect to the central hub. [0006]
  • FIG. 2 illustrates the network topology of FIG. 1 in connection with the star like VPN. The sites include now only VPN configuration of the site itself and of a central hub 200. The central hub includes VPN configuration of all the sites in the configuration, and the sites connect to each other via the central hub. [0007]
  • The disadvantage of the star like VPN is that vast amounts of processing power are required at the hub. The security gateway at each site still has the same amount of encryption load as in a standard distributed VPN, but the hub's load is in fact equal to the sum of the loads of all the sites. In large-scale VPNs this may be difficult or impossible to achieve and in any case very expensive. Furthermore, the data transmitted in the VPNs is in cleartext form within the hub, which is clearly a security risk. [0008]
  • If all the sites belonging to a VPN belong to the same organization, it is possible to administer them centrally by means of existing tools. In this case, all aspects of the security gateways, including access control configuration, are managed from one central point. However, the sites joining a VPN are not always sites of one party, but many different organizations may wish to establish a VPN between them. Clearly, such central management of all aspects of security gateways is not suitable, if different organizations are involved. Therefore a new way to manage VPNs of more than one organisation and especially large VPNs is required. [0009]
    SUMMARY OF THE INVENTION
  • An object of the invention is to provide a method for managing VPN devices, which avoids or alleviates the problems mentioned above. The object is achieved according to the invention as disclosed in the attached independent claims. Preferred embodiments of the invention are disclosed in the dependent claims. The features described in one dependent claim may be further combined with features described in another dependent claim to produce further embodiments of the invention. [0010]
  • The idea of the invention is to provide a centralized VPN management of a plurality of VPN sites by means of a VPN Information Provider (VIP). The security gateway (or other VPN device) management is distributed so that at least part of the VPN configuration (especially the part consisting of site addressing, used encryption algorithms and key management) is centrally managed without giving away control of the firewall rulebase or other critical local configuration used in the security gateway. There may be several VPNs handled by different VIPs, so that an organization using the invention can flexibly join several independent VPNs. [0011]
  • The VIP according to the invention is a mutually trusted party, from which the parties joining a VPN are willing to accept configuration information. [0012]
  • According to a first aspect of the invention a method for managing VPN devices comprises [0013]
  • maintaining in a VPN Information Provider (VIP) VPN configurations of VPN devices belonging to a first VPN, [0014]
  • providing from the VIP to a first VPN device belonging to the first VPN, VPN configuration of at least one other VPN device belonging to the first VPN, and [0015]
  • managing certain aspects of said first VPN device belonging to the first VPN from at least one other management system. [0016]
  • According to a second aspect of the invention a method for managing VPN devices comprises [0017]
  • maintaining in a first VPN Information Provider (VIP) VPN configurations of VPN devices belonging to a first VPN, [0018]
  • maintaining in a second VPN Information Provider (VIP) VPN configurations of VPN devices belonging to a second VPN, and [0019]
  • providing to a first VPN device belonging to the first and second VPNs, VPN configuration of at least one other VPN device belonging to the first VPN from the first VIP and VPN configuration of at least one other VPN device belonging to the second VPN from the second VIP. [0020]
  • The configuration of at least one other VPN device may be provided directly to said first VPN device or via at least one other management system. [0021]
  • Own VPN configuration of a given VPN device may be defined in the VIP or in some other management system, from where the configuration is provided to the VIP for maintenance. [0022]
  • Providing the configuration(s) of other VPN devices to a VPN device may be done by sending to a first VPN device belonging to the first VPN, information about the VPN configurations maintained in the VIP, and by requesting from the first VIP VPN configuration of another security gateway belonging to the first VPN when needed. Said information about the VPN configurations maintained in the VIP may be for example a set of addresses included in the first VPN. (The set of addresses may be a single address range or plurality of address ranges related to different sites included in the VPN.) In that case, the request from the first VPN device comprises an address included in the first VPN, and said other VPN device is identified in the VIP by finding a VPN device related to said address. Said information about the configurations—that is, the set of addresses—may be sent to the VPN devices after a change in the set of addresses included in the first VPN, or after a predefined time has elapsed since the information was sent the last time. [0023]
  • Alternatively the VIP may send, to VPN devices belonging to the first VPN, VPN configurations maintained in the VIP, so that the configurations are readily available in the VPN devices when needed. The VPN configurations maintained in the VIP may be sent for example after a new VPN configuration has been added to the VIP, after an old VPN configuration has been removed from the VIP, after a VPN configuration of at least one VPN device has been changed in the VIP, or after a predefined time has elapsed since the configurations were sent the last time. That is, all changes need to be instantly conveyed to the VPN devices. [0024]
  • In either of the above cases, the VIP may send only changes or additions to the information or configurations previously sent (an incremental update) or all available information or configurations (a full update). [0025]
  • According to a third aspect of the invention a method for handling VPN configuration in a VPN device comprises [0026]
  • receiving a packet directed to a destination address in a first VPN, [0027]
  • requesting and receiving VPN configuration for a VPN device related to said destination address from a VPN Information Provider (VIP) administering the first VPN, and [0028]
  • using said VPN configuration for establishing a VPN tunnel to said VPN device related to said destination address for reaching said destination address. [0029]
  • In this context, a VPN device related to a destination address refers to the VPN device, which is securing the site, to which the destination address belongs. In order to communicate to the destination address, a VPN tunnel needs to be created to this VPN device. [0030]
  • According to a fourth aspect of the invention a method for handling VPN configuration in a VPN Information Provider (VIP) comprises [0031]
  • maintaining VPN configurations of VPN devices belonging to a first VPN, [0032]
  • providing to VPN devices belonging to the first VPN, information about the VPN configurations maintained in the VIP, [0033]
  • receiving from a first VPN device belonging to the first VPN, a request for VPN configuration of another VPN device belonging to the first VPN, and [0034]
  • sending to said first VPN device belonging to the first VPN, the VPN configuration of the other VPN device as a response to the request. [0035]
  • According to the invention the entire encryption/decryption load is carried by the firewalls or security gateways protecting the sites, while the VPN administration is centralized by means of VIPs to achieve consistent configuration at every site. Also, there is no centralized location where all the traffic is in cleartext form, as there is in the central hub arrangement, so the communication is more secure than in a star-like structure. [0036]
  • The method of the invention enables flexible management of a VPN between several autonomous organizations. Additionally, providing VPN management as a service is enabled. That is, the invention offers MSPs (Managed Service Providers) a possibility to provide a new type of service by means of VIPs. VPN configuration is managed separately from other configuration information and therefore management of VPN configuration can be securely outsourced and an organization can easily join different VPNs, which may be administered by a plurality of different VIPs. [0037]
  • These and other features of the invention, as well as the advantages offered thereby, are described hereinafter with reference to embodiments illustrated in the accompanying drawings.[0038]
  • BRIEF DESCRIPTION OF THE DRAWINGS
  • FIG. 1 illustrates an example network topology, [0039]
  • FIG. 2 illustrates a star like VPN topology, [0040]
  • FIGS. 3, 4 and 5 illustrate example network topologies according to the invention, [0041]
  • FIG. 6 is a flow chart illustrating management of VPN devices according to an aspect of the invention, [0042]
  • FIG. 7 is a flow chart illustrating management of VPN devices according to another aspect of the invention, and [0043]
  • FIG. 8 is a flow chart illustrating handling of VPN configuration in a VPN device according to still other aspect of the invention.[0044]
  • DETAILED DESCRIPTION OF THE INVENTION
  • FIGS. 1 and 2 are discussed in more detail above in connection with the prior art description. [0045]
  • In the following description the invention is mainly disclosed in connection with a VPN capable firewall implementation. However, the method of the invention can be applied straightforwardly also in any security gateway without firewall functionality as well as in a VPN client solution, which provides VPN connectivity for a single (and often mobile) host. Additionally, the invention can be used in connection with dynamic security gateway (gateways, which do not have a static IP-address). Therefore, the invention can be employed in any device acting as an endpoint of a VPN. [0046]
  • According to one aspect of the invention a VPN device's own VPN configuration is defined and maintained in a local management system, or in an MSP's management system, if the VPN device is administered by an MSP. The VPN configuration may be defined together with access rule configuration of the VPN device, if the VPN device acts as a firewall. However, the VPN device may be only a simple encryption/decryption endpoint of a VPN without firewall functionality. When the site behind the VPN device wants to join for example VPN1, the VPN configuration of the VPN device is provided to VIP1, which is managing VPN1. Alternatively, the VPN configuration may be provided to the gateway from the VIP1. [0047]
  • VIP1 provides the VPN device with VPN configurations of other endpoints belonging to VPN1 or information about the configuration of the VPN1 as a whole. In the former case, the VPN device uses the configuration normally for communicating over VPN1 and VIP1 ensures that the configuration held by the VPN device is up to date. In the latter case, the VPN device queries the actual configuration from the VIP1 when needed. [0048]
  • It must be appreciated that the arrangement of the invention does not compromise security of the VPNs, even though the VPN configuration information of all sites is available from a central point (VIP). The configuration includes the authentication keys of the sites, that is the end points of the VPNs, but in VPN each connection is encrypted with connection specific keys, which are negotiated between the communicating sites, and thus knowing the authentication key of a site does not enable breaking into a VPN connection. [0049]
  • FIG. 3 illustrates an example network topology according to one aspect of the invention. The sites of the FIG. 1 are secured by security gateways 301-304, which include the VPN configuration related to the VPN between the sites for other sites as in prior art. Thus, the security gateways are taking care of all encryption tasks. However, now the local management systems 305-308 do not take care of providing the VPN configuration to the security gateways. VPN configuration information of the sites is loaded to the security gateways from a VPN Information Provider (VIP) 300. It must be noted herein, that even though only one VIP is shown in the Figure, VPN configuration for some other VPN may be loaded to the security gateways from some other VIP, and that the number of different VPN configurations and VIPs used is not restricted. [0050]
  • When configuration of one site is changed the change needs to be done only in the VIP from which the updated configuration is then loaded to security gateways of all sites. The VIP loads the configuration to the security gateways for example every time after a change occurs in the configuration. The change may be an addition or removal of a site or modification of some site's configuration. In addition, the VIP may push the configuration information to the security gateways after certain time interval has elapsed since the configuration was pushed the last time in order to minimize the possibility that the sites would not have up-to-date configuration. The security gateways use the VPN configuration loaded from the VIP in the same way, as they would use configuration loaded from a local management system. The security gateways basically need to be configured to accept configuration from the VIP, but otherwise their operation does not need to be altered. The communication between the VIP and the security gateways is encrypted by some suitable means; for example Secure Sockets Layer (SSL) protocol may be used for this. In addition to this some parts of the configuration of the security gateways, e.g. configuration not related to the VPNs, and/or possible access rules related to the VPN are managed from site-specific local management systems 305-308. [0051]
  • Instead of pushing the whole configuration to the security gateways after every change, the VIP may push only indication that the configuration has changed and the security gateway may initiate the transfer of updated configuration from the VIP to the security gateway. [0052]
  • FIG. 4 illustrates an example network topology according to another aspect of the invention. Here three sites are secured by means of security gateways 404-406, out of which security gateway 404 is managed from a local management 403 and security gateways 405 and 406 are managed from MSP's management system 402. Naturally MSP's management connection to the security gateways 405 and 406 does not need to be over the Internet as shown in the Figure, but can be for example leased line. Security gateways of sites 1 and 2, which join in VPN1, are provided with identification information for VIP1 400 (VIP identification is defined in a local management or in MSPs management system), which is administering VPN1. The sites receive VPN configuration for VPN1 from VIP1. Equally, security gateways of sites 2 and 3, which join in VPN2, are provided with identification information for VIP2 401, which is administering VPN2, and receive VPN configuration for VPN2 from VIP2. Thus, security gateway 405 of site 2 has identification information for both VIP1 and VIP2. When a security gateway detects a packet, which is destined to a host in a VPN the security gateway belongs to, the security gateway queries VPN configuration needed for establishing a VPN tunnel for reaching the host. [0053]
  • In this scenario, all VPN configurations are not distributed to the security gateways. Instead, the security gateways query the configuration from the VIP when needed. In order to be able to query configuration, the security gateways need to know from which VIP to query it. For this purpose, the VIPs send to security gateways information about the configurations they have. This information may be for example a list of IP-addresses included in the VPN or list of VPN sites included in the VPN. In principle this means the addresses, which can be reached over by means of the respective VPN. In the latter case the specific other endpoint (other VPN device and its configuration) to which a certain VPN tunnel should be destined is provided to a security gateway only when needed. The benefit of this solution is that smaller amount of data needs to be distributed to the security gateways. Since it is likely that in many VPN's all gateways do not communicate with all other gateways, all gateways do not necessarily need configuration for all possible other endpoints. Moreover, only fundamental changes in the configuration of the whole VPN trigger the need to distribute data to all security gateways. Since configuration of a gateway is queried from the VIP before use, minor changes in configuration of one security gateway do not need to be immediately communicated to all other security gateways. Only if a new site is added or removed from the VPN, i.e. the address range of the VPN changes, all security gateways need to be informed of the change. [0054]
  • In addition, this arrangement enables the use of dynamic security gateways. If a security gateway obtains its address dynamically, for example from a DHCP (Dynamic Host Configuration Protocol) server, other gateways cannot know from which address the dynamic security gateway is reached at a given time. Now, addresses behind the dynamic security gateway can be maintained in a VIP and conveyed to other gateways from there. Then the dynamic security gateway informs the VIP of its current address every time its address changes. The VIP then conveys the current address to another gateway when needed (other gateways query the current address on the basis of an address included in the site of the dynamic gateway). Since the address of a dynamic gateway may change at any given time, e.g. due to connectivity failures, and other gateways may cache configurations received from a VIP for future use, there is a possibility that a security gateway has an out-of-date configuration for a dynamic gateway. Therefore, it is beneficial that the VIP tags the configuration of a dynamic security gateway differently from static configurations. In this way, a security gateway can for example adjust the time a configuration of a dynamic gateway is cached or otherwise treat dynamic and static entries differently. [0055]
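The on-demand lookup of FIG. 4 and the tagging of dynamic gateways described above, modelled as an added Python example that is not part of the patent text. The class and method names, the cache lifetimes and all addresses are assumptions made for illustration; only the gateway and VIP roles come from the description.

```python
from dataclasses import dataclass, replace
from ipaddress import ip_address, ip_network


@dataclass(frozen=True)
class PeerConfig:
    device: str
    endpoint: str      # address at which the VPN device is currently reached
    networks: tuple    # site address ranges secured by the device
    dynamic: bool      # VIP's tag: the endpoint is dynamically assigned


class VIP:
    """Maintains the VPN configurations of one VPN and answers queries."""

    def __init__(self, vpn):
        self.vpn = vpn
        self.devices = {}
        self.queries = 0

    def register(self, device, endpoint, networks, dynamic=False):
        nets = tuple(ip_network(n) for n in networks)
        self.devices[device] = PeerConfig(device, endpoint, nets, dynamic)

    def report_address(self, device, endpoint):
        """A dynamic gateway informs the VIP that its address has changed."""
        self.devices[device] = replace(self.devices[device], endpoint=endpoint)

    def address_set(self):
        """Information about the maintained configurations: the VPN's addresses."""
        return [n for cfg in self.devices.values() for n in cfg.networks]

    def lookup(self, requester, destination):
        """Find the VPN device related to a destination address."""
        if requester not in self.devices:   # only members of this VPN may query
            raise PermissionError(f"{requester} is not a member of {self.vpn}")
        self.queries += 1
        dst = ip_address(destination)
        for cfg in self.devices.values():
            if cfg.device != requester and any(dst in n for n in cfg.networks):
                return cfg
        return None


class Gateway:
    STATIC_TTL = 3600   # assumed cache lifetimes in seconds; the page gives none
    DYNAMIC_TTL = 30

    def __init__(self, name):
        self.name = name
        self.vips = {}    # VPN name -> (VIP, address set received from it)
        self.cache = {}   # (VPN name, device) -> (PeerConfig, expiry time)

    def receive_address_set(self, vip):
        self.vips[vip.vpn] = (vip, vip.address_set())

    def peer_for(self, destination, now):
        """Return (VPN name, PeerConfig) of the tunnel endpoint, or None."""
        dst = ip_address(destination)
        for vpn, (vip, nets) in self.vips.items():
            if not any(dst in n for n in nets):
                continue                    # destination is not in this VPN
            for (c_vpn, _), (cfg, expiry) in self.cache.items():
                if c_vpn == vpn and now < expiry and any(dst in n for n in cfg.networks):
                    return vpn, cfg         # cached entry is still valid
            cfg = vip.lookup(self.name, destination)
            if cfg is not None:
                ttl = self.DYNAMIC_TTL if cfg.dynamic else self.STATIC_TTL
                self.cache[(vpn, cfg.device)] = (cfg, now + ttl)
                return vpn, cfg
        return None                         # not VPN traffic, no VIP is asked


def build_fig4():
    """Constructed sample data for the FIG. 4 topology (all addresses invented)."""
    vip1, vip2 = VIP("VPN1"), VIP("VPN2")
    vip1.register("gw404", "192.0.2.4", ["10.1.0.0/16"])
    vip1.register("gw405", "198.51.100.5", ["10.2.0.0/16"], dynamic=True)
    vip2.register("gw405", "198.51.100.5", ["10.2.0.0/16"], dynamic=True)
    vip2.register("gw406", "203.0.113.6", ["10.3.0.0/16"])
    return vip1, vip2


if __name__ == "__main__":
    vip1, vip2 = build_fig4()
    site1 = Gateway("gw404")
    site1.receive_address_set(vip1)
    print(site1.peer_for("10.2.1.1", now=0))
    vip1.report_address("gw405", "198.51.100.77")
    print(site1.peer_for("10.2.1.1", now=10))   # stale until the short TTL expires
    print(site1.peer_for("10.2.1.1", now=30))   # refreshed from the VIP
```

Between the address change and the expiry of the dynamic entry the caching gateway still holds the old endpoint, which is the stale window the tag is meant to shorten.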
  • FIG. 5 illustrates an example network topology according to still other aspect of the invention. Therein security gateways 503 and 506 of sites 1 and 3 are managed by local management 504 and MSP 502, respectively. VPN configurations of the security gateways are defined in the local management or MSP. The configurations are provided to a VIP 500 and maintained therein. It should be noted herein that when the VIP receives VPN configuration of a security gateway, it could check if the configuration is compatible with VPN policy of the VIP and with VPN configurations of the other security gateways belonging to the VPN. This can be done by simply comparing the new configuration to configurations of other gateways. When the security gateways are establishing a VPN tunnel they first query the configuration of the other endpoint from the VIP. (This is described in more detail above in connection with FIG. 4.) [0056]
  • In addition to the sites 1 and 3 belonging to the VPN, there is a VPN client 505 joining in the VPN as well. The VPN configuration of the VPN client is maintained in the VIP in similar way as the configurations of the dynamic security gateways. [0057]
  • The example implementations of the invention illustrated in FIGS. 3 to 5 are not meant to be restrictive. Instead, implementation details related to one example may be combined to the details of another example in any suitable way. [0058]
  • The VIP and the VPN devices (security gateways, firewalls, VPN clients) according to the invention may be implemented as a suitable combination of hardware and software. Typically the implementation is software program code executed in a processor unit combined with suitable memory resources. [0059]
  • A major part of the implementation of the invention is a change in the handling of the configuration in the VPN device. A VPN device according to the invention is adapted to receive configuration from more than one management entity, e.g. from a local management and a VIP. In general VIP provides VPN configuration and local management provides access rule configuration. However, local management may provide VPN configuration as well. The VPN device is adapted to identify different VIP for example by means of certificates. In addition, VPN device may check, if a VPN configuration received from a VIP is in accordance with other configuration of the VPN device, before accepting the configuration for use. [0060]
  • A VIP can be basically similar to a centralized VPN management system able to handle VPN devices; the VIP includes thus capability to define VPN configurations and to upload them to the VPN devices. Alternatively, a VIP may accept readily defined VPN configurations for maintenance. In this case the VIP administering a VPN is preferably adapted to confirm that a received new configuration is compatible with the configurations of other gateways belonging to the VPN. In addition a VIP according to one aspect of the invention comprises mechanism for providing VPN devices with information about the configurations maintained in the VIP and sending configuration to VPN devices on demand, that is, as a response to a request. [0061]
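The two checks described in connection with FIG. 5 and in the two paragraphs above (the VIP comparing a submitted configuration with its policy and with the other gateways, and the VPN device checking a VIP-supplied configuration before accepting it) can be expressed as follows. This is an added Python example, not part of the patent text; the meaning of "compatible" (a shared permitted cipher, non-overlapping site addresses), the dictionary keys, the cipher names, the certificate fingerprints and all addresses are assumptions.

```python
from ipaddress import ip_network

# Assumed VIP policy for the VPN: algorithms that members may negotiate.
VIP_POLICY = {"allowed_ciphers": {"aes256", "aes128"}}


def check_submission(new, members, policy=VIP_POLICY):
    """VIP side: list the reasons a submitted configuration is incompatible."""
    problems = []
    ciphers = set(new["ciphers"])
    if not ciphers & policy["allowed_ciphers"]:
        problems.append("no cipher permitted by VPN policy")
    new_nets = [ip_network(n) for n in new["networks"]]
    for m in members:
        if m["device"] == new["device"]:
            continue                      # a device may replace its own entry
        if not ciphers & set(m["ciphers"]) & policy["allowed_ciphers"]:
            problems.append(f"no common cipher with {m['device']}")
        for a in new_nets:
            for b in map(ip_network, m["networks"]):
                if a.overlaps(b):
                    problems.append(f"{a} overlaps {b} of {m['device']}")
    return problems


class Device:
    """VPN device that takes VPN configuration from VIPs and rules locally."""

    VPN_KEYS = {"device", "endpoint", "networks", "ciphers"}

    def __init__(self, local_networks, trusted_vips):
        self.local_networks = [ip_network(n) for n in local_networks]
        self.trusted_vips = dict(trusted_vips)  # certificate fingerprint -> VPN
        self.peers = {}                         # (VPN, device) -> configuration
        self.access_rules = []                  # written by local management only

    def accept_from_vip(self, fingerprint, cfg):
        vpn = self.trusted_vips.get(fingerprint)
        if vpn is None:
            return "rejected: unknown VIP certificate"
        extra = set(cfg) - self.VPN_KEYS
        if extra:                               # e.g. an attempt to set access rules
            return f"rejected: non-VPN keys {sorted(extra)}"
        for net in map(ip_network, cfg["networks"]):
            if any(net.overlaps(own) for own in self.local_networks):
                return f"rejected: {net} overlaps the local site"
            for (other_vpn, dev), peer in self.peers.items():
                if other_vpn != vpn and any(
                    net.overlaps(ip_network(n)) for n in peer["networks"]
                ):
                    return f"rejected: {net} conflicts with {dev} in {other_vpn}"
        self.peers[(vpn, cfg["device"])] = cfg
        return "accepted"


if __name__ == "__main__":
    # Constructed sample data; gateway names follow the FIG. 5 reference numbers.
    members = [{"device": "gw503", "networks": ["10.1.0.0/16"],
                "ciphers": ["aes256", "3des"]}]
    print(check_submission({"device": "gw506", "networks": ["10.1.128.0/17"],
                            "ciphers": ["3des"]}, members))
    dev = Device(["10.3.0.0/16"], {"FP-VIP1-PLACEHOLDER": "VPN1"})
    print(dev.accept_from_vip("FP-VIP1-PLACEHOLDER",
                              {"device": "gw503", "endpoint": "192.0.2.3",
                               "networks": ["10.1.0.0/16"], "ciphers": ["aes256"],
                               "access_rules": ["allow any"]}))
```

The device-side key filter is what keeps a VIP from reaching the firewall rulebase: a VIP update is applied only if it contains VPN settings and nothing else.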
  • Features of the invention are further illustrated in the flow charts of FIGS. 6, 7 and 8. FIG. 6 is a flow chart illustrating management of VPN devices according to an aspect of the invention. In steps 600 and 602, VPN configurations are defined for VPN devices and the configurations are maintained in a VIP. The VPN configuration of a given VPN device may be defined in the VIP or in some other management system, from where the configuration is provided to the VIP for maintenance. Then in step 604, a VPN device is provided with VPN configuration of some other VPN device by means of sending the configuration from the VIP. In step 606 certain aspects of the VPN devices are managed from some other management system. Such aspects may be for example access rule configurations or configurations related to some other VPN configuration. [0062]
  • FIG. 7 is a flow chart illustrating management of VPN devices according to another aspect of the invention. Therein, VPN configurations are defined for VPN devices belonging to first and second VPNs in step 700. The configurations for the first VPN are maintained in a first VIP and the configurations for the second VPN are maintained in a second VIP in steps 702 and 704 respectively. Also in this case the VPN configuration of a given VPN device may be defined in a VIP or in some other management system, from where the configuration is provided to the respective VIP for maintenance. Then in step 706, a VPN device belonging to the first and second VPNs obtains VPN configuration of at least one other VPN device belonging to the first VPN from the first VIP and VPN configuration of at least one other VPN device belonging to the second VPN from the second VIP. [0063]
  • FIG. 8 is a flow chart illustrating handling of VPN configuration in a VPN device according to still other aspect of the invention. In step 800, the VPN device receives information about the VPN configurations maintained in a VIP (e.g. set of addresses included in the respective VPN). Then the VPN device receives a data packet destined to the VPN in step 802. On the basis of the information received from the VIP the VPN device queries VPN configuration from the VIP in step 804 and uses VPN configuration obtained from the VIP for establishing a VPN tunnel for the data packet. [0064]
  • It will be apparent for those skilled in the art that the illustrative embodiments described are only examples and that various modifications can be made within the scope of the invention as defined in the appended claims. [0065]

Claims (29)

1. A method for managing VPN devices, the method comprising the steps of
maintaining in a VPN Information Provider (VIP) VPN configurations of VPN devices belonging to a first VPN,
providing from the VIP to a first VPN device belonging to the first VPN, VPN configuration of at least one other VPN device belonging to the first VPN, and
managing certain aspects of said first VPN device belonging to the first VPN from at least one other management system.
2. A method as claimed in claim 1, wherein said configuration of at least one other VPN device is provided to said first VPN device via said at least one other management system.
3. A method as claimed in claim 1, wherein said configuration of at least one other VPN device is provided directly to said first VPN device.
4. A method as claimed in claim 1, further comprising
defining said VPN configurations of said VPN devices belonging to the first VPN in said at least one other management system, and
providing said VPN configurations to the VIP for maintenance.
5. A method as claimed in claim 1, further comprising
defining said VPN configurations of said VPN devices belonging to the first VPN in the VIP, and
providing said VPN configurations to respective VPN devices.
6. A method as claimed in claim 1, wherein the step of providing comprises
sending to VPN devices belonging to the first VPN, information about the VPN configurations maintained in the VIP,
receiving from a first VPN device belonging to the first VPN, a request for VPN configuration of another VPN device belonging to the first VPN, and
sending to said first VPN device belonging to the first VPN, the VPN configuration of the other VPN device as a response to the request.
7. A method as claimed in claim 6, wherein said information about the VPN configurations maintained in the VIP is a set of addresses included in the first VPN, said request from the first VPN device comprises an address included in the first VPN, and said other VPN device is identified in the VIP by finding a VPN device related to said address.
8. A method as claimed in claim 6, wherein said information about the VPN configurations maintained in the VIP is a set of addresses included in the first VPN, and said information is sent after a change in the set of addresses included in the first VPN, or after a predefined time has elapsed since the information was sent the last time.
9. A method as claimed in claim 1, wherein the step of providing comprises
sending to VPN devices belonging to the first VPN, VPN configurations maintained in the VIP.
10. A method as claimed in claim 9, wherein said VPN configurations maintained in the VIP are sent after a new VPN configuration has been added to the VIP, after an old VPN configuration has been removed from the VIP, after a VPN configuration of at least one VPN device has been changed in the VIP, or after a predefined time has elapsed since the configurations were sent the last time.
11. A method for managing VPN devices, the method comprising the steps of
maintaining in a first VPN Information Provider (VIP) VPN configurations of VPN devices belonging to a first VPN,
maintaining in a second VPN Information Provider (VIP) VPN configurations of VPN devices belonging to a second VPN, and
providing to a first VPN device belonging to the first and second VPNs, VPN configuration of at least one other VPN device belonging to the first VPN from the first VIP and VPN configuration of at least one other VPN device belonging to the second VPN from the second VIP.
12. A method as claimed in claim 11, wherein said configuration of at least one other VPN device is provided to said first VPN device via at least one other management system.
13. A method as claimed in claim 11, wherein said configuration of at least one other VPN device is provided directly to said first VPN device.
14. A method as claimed in claim 11, further comprising
defining said VPN configurations of said VPN devices belonging to the first and second VPNs in at least one other management system, and
providing said VPN configurations to the VIPs for maintenance.
15. A method as claimed in claim 11, further comprising
defining said VPN configurations of said VPN devices belonging to the first VPN in the first VIP and said VPN configurations of said VPN devices belonging to the second VPN in the second VIP, and
providing said VPN configurations to respective VPN devices.
16. A method as claimed in claim 11, wherein the step of providing comprises
sending to VPN devices belonging to a VPN, information about the VPN configurations maintained in the respective VIP,
receiving from a first VPN device belonging to the VPN, a request for VPN configuration of another VPN device belonging to the VPN, and
sending to said first VPN device belonging to the VPN, the VPN configuration of the other VPN device as a response to the request.
17. A method as claimed in claim 16, wherein said information about the VPN configurations maintained in the VIP is a set of addresses included in the first VPN, said request from the first VPN device comprises an address included in the first VPN, and said other VPN device is identified in the VIP by finding a VPN device related to said address.
18. A method as claimed in claim 16, wherein said information about the VPN configurations maintained in the VIP is a set of addresses included in the first VPN, and said information is sent after a change in the set of addresses included in the first VPN, or after a predefined time has elapsed since the information was sent the last time.
19. A method as claimed in claim 11, wherein the step of providing comprises
sending to VPN devices belonging to a VPN, VPN configurations maintained in the respective VIP.
20. A method as claimed in claim 19, wherein said VPN configurations maintained in the VIP are sent after a new VPN configuration has been added to the VIP, after an old VPN configuration has been removed from the VIP, after a VPN configuration of at least one VPN device has been changed in the VIP, or after a predefined time has elapsed since the configurations were sent the last time.
21. A method for handling VPN configuration in a VPN device, the method comprising
receiving a packet directed to a destination address in a first VPN,
requesting and receiving VPN configuration for a VPN device related to said address from a VPN Information Provider (VIP) administering the first VPN, and
using said VPN configuration for establishing a VPN tunnel to said VPN device related to said destination address for reaching said destination address.
22. A method for handling VPN configuration in a VPN Information Provider (VIP), the method comprising
maintaining VPN configurations of VPN devices belonging to a first VPN,
providing to VPN devices belonging to the first VPN, information about the VPN configurations maintained in the VIP,
receiving from a first VPN device belonging to the first VPN, a request for VPN configuration of another VPN device belonging to the first VPN, and
sending to said first VPN device belonging to the first VPN, the VPN configuration of the other VPN device as a response to the request.
23. An arrangement for managing VPN devices comprising
at least two VPN devices belonging to a first VPN,
a VPN Information Provider (VIP) maintaining VPN configurations of VPN devices belonging to the first VPN,
at least one other management system managing certain aspects of said VPN devices belonging to the first VPN, while
the VPN devices are adapted to receive from the at least one other management system, a first part of configuration, and from the VIP, a second part of configuration, which comprises VPN configuration of at least one other VPN device belonging to the first VPN.
24. An arrangement as claimed in claim 23, wherein the first part of configuration comprises VPN configuration and/or access rule configuration.
25. An arrangement for managing VPN devices comprising
at least two VPN Information Providers (VIP), a first one maintaining VPN configurations of VPN devices belonging to a first VPN and a second one maintaining VPN configurations of VPN devices belonging to a second VPN, and
a VPN device belonging to the first and second VPNs and receiving VPN configuration information from the first and second VIPs.
26. A VPN device comprising
a mechanism for receiving a packet directed to a destination address in a first VPN,
mechanisms for requesting and receiving VPN configuration for a VPN device related to said address from a VPN Information Provider (VIP) administering the first VPN, and
a mechanism for using said VPN configuration for establishing a VPN tunnel to said VPN device related to said destination address for reaching said destination address.
27. A VPN Information Provider (VIP) comprising
a mechanism for maintaining VPN configurations of VPN devices belonging to a first VPN,
a mechanism for providing to VPN devices belonging to the first VPN, information about the VPN configurations maintained in the VIP,
a mechanism for receiving from a first VPN device belonging to the first VPN, a request for VPN configuration of another VPN device belonging to the first VPN, and
a mechanism for sending to said first VPN device belonging to the first VPN, the VPN configuration of the other VPN device as a response to the request.
28. A computer-readable medium, comprising program code which, when executed on a computer device, causes the computer device to provide a VPN device functionality comprising
receiving a packet directed to a destination address in a first VPN,
requesting and receiving VPN configuration for a VPN device related to said address from a VPN Information Provider (VIP) administering the first VPN, and
using said VPN configuration for establishing a VPN tunnel to said VPN device related to said destination address for reaching said destination address.
29. A computer-readable medium, comprising program code which, when executed on a computer device, causes the computer device to provide a VPN Information Provider (VIP) functionality comprising
maintaining VPN configurations of VPN devices belonging to a first VPN,
providing to VPN devices belonging to the first VPN, information about the VPN configurations maintained in the VIP,
receiving from a first VPN device belonging to the first VPN, a request for VPN configuration of another VPN device belonging to the first VPN, and
sending to said first VPN device belonging to the first VPN, the VPN configuration of the other VPN device as a response to the request.
US10/151,319 2001-10-05 2002-05-21 Virtual private network management Abandoned US20030069958A1 (en)

Priority Applications (3)

Application Number Priority Date Filing Date Title
EP02102400A EP1304830B1 (en) 2001-10-05 2002-10-01 Virtual private network management
DE60212289T DE60212289T2 (en) 2001-10-05 2002-10-01 Management of Private Virtual Networks (VPN)
US12/511,124 US8019850B2 (en) 2001-10-05 2009-07-29 Virtual private network management

Applications Claiming Priority (2)

Application Number Priority Date Filing Date Title
FI20011949A FI20011949A0 (en) 2001-10-05 2001-10-05 Managing a Virtual Private Network
FI20011949 2001-10-05

Related Child Applications (1)

Application Number Title Priority Date Filing Date
US12/511,124 Division US8019850B2 (en) 2001-10-05 2009-07-29 Virtual private network management

Publications (1)

Publication Number Publication Date
US20030069958A1 true US20030069958A1 (en) 2003-04-10

Family

ID=8562009

Family Applications (2)

Application Number Title Priority Date Filing Date
US10/151,319 Abandoned US20030069958A1 (en) 2001-10-05 2002-05-21 Virtual private network management
US12/511,124 Expired - Fee Related US8019850B2 (en) 2001-10-05 2009-07-29 Virtual private network management

Family Applications After (1)

Application Number Title Priority Date Filing Date
US12/511,124 Expired - Fee Related US8019850B2 (en) 2001-10-05 2009-07-29 Virtual private network management

Country Status (4)

Country Link
US (2) US20030069958A1 (en)
EP (1) EP1304830B1 (en)
DE (1) DE60212289T2 (en)
FI (1) FI20011949A0 (en)

Also Published As

Publication number Publication date
EP1304830A2 (en) 2003-04-23
EP1304830A3 (en) 2003-08-13
EP1304830B1 (en) 2006-06-14
FI20011949A0 (en) 2001-10-05
DE60212289T2 (en) 2006-11-02
DE60212289D1 (en) 2006-07-27
US8019850B2 (en) 2011-09-13
US20090287810A1 (en) 2009-11-19

Legal Events

Date Code Title Description
AS Assignment

Owner name: STONESOFT CORPORATION, FINLAND

Free format text: ASSIGNMENT OF ASSIGNORS INTEREST;ASSIGNOR:JALAVA, MIKA;REEL/FRAME:013217/0899

Effective date: 20020704

STCB Information on status: application discontinuation

Free format text: ABANDONED -- FAILURE TO RESPOND TO AN OFFICE ACTION