BRIEF DESCRIPTION OF THE DRAWINGS
These, and further features of the invention, may be better understood with reference to the accompanying specification and drawings depicting the preferred embodiment, in which:
FIG. 1 is a schematic of a communications network including a plurality of secure network access devices and endpoints;
FIG. 2 is a schematic of an endpoint of FIG. 1;
FIG. 3 is a schematic of a secure network access device of FIG. 1;
FIG. 4 is a format diagram of a network packet that may be transmitted between the endpoints of FIGS. 1 and 2 and by means of the communications network of FIG. 1;
FIG. 5 is a flowchart of a processing of a message in accordance with a first preferred embodiment of the Method of the Present Invention, or first version, as implemented by the communications network, the endpoint and the secure network access device of FIGS. 1, 2 and 3;
FIG. 6 is a flowchart of an alternate, optional or additional processing of a message in accordance with a first preferred embodiment of the Method of the Present Invention, or first version, as implemented by the communications network, the endpoint and the secure network access device of FIGS. 1, 2 and 3; and
FIG. 7 is a flowchart of an alternate preferred variation of the first method of FIGS. 5 and 6.
DETAILED DESCRIPTION OF A PREFERRED EMBODIMENT
In describing the preferred embodiments, certain terminology will be utilized for the sake of clarity. Such terminology is intended to encompass the recited embodiment, as well as all technical equivalents, which operate in a similar manner for a similar purpose to achieve a similar result.
Referring now generally to the Figures and particularly to FIG. 1, FIG. 1 is a schematic of an electronics communications network 2 that includes the Internet 4, a plurality of network computers 6 and a plurality of endpoints 8. Each endpoint 8, to include a first endpoint 10 and a second endpoint 12, is configured to send and to receive electronic messages via at least one secure network access device 6, 14 & 16. Each network access device 6, to include a first secure network access device 14 and a second secure network access device 16, is configured to send and receive electronic messages via the communications network 2. Each secure network access device 6, 14 & 16 may optionally be configured to receive electronic messages from at least one endpoint 8, 10 & 12 and to forward on the electronic messages received from the at least one endpoint 8, 10 & 12 to the Internet 4. Each secure network access device 6, 14 & 16 may additionally, optionally or alternatively be configured to receive electronic messages from the Internet 4 and/or the communications network 2 and to forward on the electronic messages received from the Internet 4 and/or communications network 2 to at least one endpoint 8, 10 & 12.
Referring now generally to the Figures and particularly to FIG. 2, FIG. 2 is a schematic of an endpoint 8, 10 & 12. The endpoint 8, 10 & 12 is a digital computer that includes a processor 18, a memory 20, an input device 22, a monitor 24, an internal endpoint communications bus 26 and a message interface 28. An endpoint 8, 10 or 12 may be comprised within a server or an intelligent peripheral device, such as a printer having a processor 18, a memory 20, and a message interface 28. The internal endpoint communications bus 26 bi-communicatively couples, and provides bi-directional communication to, the processor 18, the memory 20, the input device 22, the monitor 24, and the message interface 28. The input device 22 may be or comprise an electronic keyboard or other suitable input device known in the art that enables a human user to provide content to the endpoint 8, 10 or 12 for an electronic message. The memory 20 stores endpoint software that directs the processor 18 to generate, transmit and receive electronic messages. The monitor 24 may be or include a video monitor or other suitable output device that enables the human user to view at least some of the content of an electronic message. The message interface 28 bi-directionally communicatively couples the internal communications bus 26 with at least one secure network access device 6, 14 or 16, whereby the endpoint 8, 10 & 12 may send and/or receive electronic messages to and/or from the Internet 4 and/or the communications network 2.
Referring now generally to the Figures and particularly to FIG. 3, FIG. 3 is a schematic of a secure network access device 6, 14 & 16. The secure network access device 6, 14 & 16 includes a data plane network processor 30, a control plane processor 31, a network memory 32, a network internal communications bus 34, an endpoint interface 36, and a network interface 38. The network internal communications bus 34 bi-communicatively couples, and provides bi-directional communication to, the data plane network processor 30, the network memory 32, the endpoint interface 36, and the network interface 38. The network memory 32 stores the network access device system software that directs the data plane network processor 30 to generate, transmit and receive electronic messages to and/or from the Internet 4, the communications network 2, and/or at least one endpoint 8, 10 or 12. The network interface 38 bi-directionally communicatively couples the network internal communications bus 34 with the Internet 4 and/or the communications network 2. The endpoint interface 36 bi-directionally communicatively couples the network computer 6, 14 or 16 with at least one endpoint 8, 10 or 12, whereby the endpoint 8, 10 & 12 may send and/or receive electronic messages to and/or from the Internet 4 and/or the communications network 2, by means of the secure network access device 6, 14 & 16.
Referring now generally to the Figures and particularly to FIG. 4, FIG. 4 is a format diagram of a network packet N, the network packet N including packet data fields N1-NX, and the network packet formatted in accordance with the IPsec standard or another suitable electronic communications and data security message formatting known in the art. The header data field N1 contains information related to the network packet N, to include the source address S.ADDR and the destination address D.ADDR. A message payload is stored in a payload data field N2, and other information is stored in the remaining packet data fields N3-NX. The network packet N may be transmitted between the endpoints 8, 10, 12 and by means of the communications network 2.
It is understood that encrypting and decrypting of network packets in accordance with the first method may comply with the IPsec encryption standard (RFC2401), and the encrypted messages may comprise the MAC and IP addresses of the communicating endpoints.
Referring now generally to the Figures and particularly to FIG. 5, FIG. 5 is a flowchart of a processing of a message in accordance with a first preferred embodiment of the Method of the Present Invention, or first version, as implemented by the communications network 2, the endpoints 8, 10, 12 and the secure network access devices 6, 14, 16 of FIGS. 1, 2 and 3. In step A.1 the first endpoint 10 formats and generates a network packet N, wherein the source address value S.ADDR identifies the first endpoint 10 as the message source and the destination address D.ADDR identifies the second endpoint 12 as the intended message recipient. In step A.2 the network packet N is transmitted by the first endpoint 10 to the first secure network access device 14. In step A.3 the first secure network access device 14 examines the network packet N to determine whether the network packet N shall be encrypted. In executing step A.3, the first secure network access device 14 may apply stateful rules to determine whether the network packet N shall be encrypted. When the first secure network access device 14 determines in step A.3 that the network packet N shall be encrypted prior to transmission via the network 2, the first secure network access device 14 engages with the communications network 2 in step A.4 as a proxy for the first endpoint 10 and performs IKE and authentication operations in concert with either the second endpoint 12 or the second secure network access device 16 via the communication network 2. In step A.5 the first secure network access device 14 processes the network packet N with encryption and/or authentication algorithms to generate a processed network packet P. The processed network packet P may be organized and formatted to appear just as the network packet N would have appeared had the first endpoint 10 performed the steps A.4 and A.5.
The first secure network access device 14 then transmits the processed network packet P via the communications network 2 along the same pathway that the network packet N would have traveled had the network packet N not been processed by the first secure network access device 14. It is understood that the encrypting of network packets N in step A.5 in accordance with the first method may comply with the IPsec encryption standard (RFC2401), and the encrypted network packet P may comprise the MAC and IP addresses of the communicating endpoints 8, 10 or 12.
In optional step A.2.X an intermediate network device 40 that is interposed between the first endpoint 10 and the first secure network access device 14 receives the network packet N from the first endpoint 10 and forwards on the network packet N to the first secure network access device 14 without changing the format or content of the network packet N. As per FIGS. 1 and 3, the intermediate network device 40 is a network access device 6 configured according to the network access device schematic of FIG. 3, wherein the network interface 38 of the intermediate network device 40 bi-directionally communicatively couples the network internal communications bus 34 of the intermediate network device 40 with the first secure network access device 14.
It is understood that a first plurality 8A of endpoint computers 8 may be communicatively coupled with the first secure network access device 14, wherein the first secure network access device 14 may act as a proxy for each of the coupled endpoint computers 8 and process network packets N received from each coupled endpoint computer 8 of the first plurality 8A in accordance with the network system software of the first secure network access device 14. It is further understood that a second plurality 8B of endpoint computers 8 may be communicatively coupled with the second secure network access device 16, wherein the second secure network access device 16 may act as a proxy for each of the coupled endpoint computers 8 of the second plurality 8B and process network packets N received from each coupled endpoint computer 8 in accordance with the network system software of the second secure network access device 16.
In certain preferred alternate embodiments of the Method of the Present Invention, the first secure network access device 14 may elect to process network packets N received from the first endpoint 10 and/or an endpoint 8 of the first plurality of endpoints 8 in concert with or in accordance with instructions received from a controller network computer 42 of the communications network 2. The controller network computer 42 is a network computer 6 configured according to the network computer schematic of FIG. 3, and wherein the network interface 38 of the controller network computer 42 bi-directionally communicatively couples the network internal communications bus 34 of the controller network computer 42 with the first secure network access device 14 via the communications network 2.
Referring now generally to the Figures and particularly to FIG. 6, FIG. 6 is a flowchart of an alternate, optional or additional processing of a message in accordance with a first preferred embodiment of the Method of the Present Invention, or first version, as implemented by the communications network, the endpoint and the secure network access device of FIGS. 1, 2 and 3. In step B.1 the second secure network access device 16 receives the processed network packet P via the communications network 2. In step B.2 the second secure network access device 16 authenticates the processed network packet P. After confirming authentication in step B.3, the second secure network access device 16 decrypts the processed network packet P and derives the network packet N from the processed network packet P in step B.4. It is understood that the decrypting in step B.4 in accordance with the first method may comply with the IPsec encryption standard (RFC2401), and the encrypted network packet P may comprise the MAC and IP addresses of the communicating endpoints 8, 10 or 12. The second secure network access device 16 derives the network packet N in step B.5 from the results of the authentication step B.2 and the decryption step B.4. In step B.6 the network packet N is transmitted from the second secure network access device 16 to the second endpoint 12, whereby the second endpoint 12 receives the network packet N, and the processing performed by the first secure network access device 14 and the second secure network access device 16 on the network packet N and the processed network packet P is transparent to and undetected by the second endpoint 12.
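The following Python program is an added illustration of the processing of FIGS. 5 and 6 (steps A.3 through A.5 on the sending device and steps B.1 through B.6 on the receiving device); it is not code from the patent. The IKE exchange of step A.4 is replaced by an assumed pre-existing shared secret from which separate encryption and authentication keys are derived, and the IPsec ESP transforms are replaced by stand-ins (HMAC-SHA256 in counter mode as the keystream, a truncated HMAC-SHA256 tag as the integrity check value). The class and function names, the addresses and the payload are constructed for the example. The same `outbound` and `inbound` routines would run on an endpoint with its own endpoint-network interface, which is the variation of FIG. 7.

```python
"""Transparent gateway processing of a network packet N into a processed packet P
(steps A.3-A.5) and back (steps B.1-B.6).  Added example; IKE and the ESP
transforms are replaced by HMAC-SHA256 stand-ins as described in the lead-in."""
import hashlib
import hmac
import json
import struct
from dataclasses import dataclass


@dataclass(frozen=True)
class Packet:
    """Network packet N: addresses S.ADDR / D.ADDR, protocol and payload N2."""
    src: str
    dst: str
    proto: str
    payload: bytes


@dataclass(frozen=True)
class ProcessedPacket:
    """Processed packet P: keeps N's outer addresses so it travels N's own path."""
    src: str
    dst: str
    spi: int            # security parameter index, as in ESP
    seq: int            # sequence number, used for anti-replay
    ciphertext: bytes
    icv: bytes          # integrity check value over addresses, SPI, seq and ciphertext


def derive_keys(shared_secret: bytes, spi: int):
    """Stand-in for the key material IKE would produce in step A.4 (assumption:
    both negotiators already hold `shared_secret`).  Encryption and
    authentication keys are kept separate, as IPsec does."""
    prk = hmac.new(shared_secret, b"ike-stand-in" + struct.pack(">I", spi), hashlib.sha256).digest()
    return (hmac.new(prk, b"enc", hashlib.sha256).digest(),
            hmac.new(prk, b"auth", hashlib.sha256).digest())


def keystream(key: bytes, seq: int, length: int) -> bytes:
    """HMAC-SHA256 in counter mode; illustrative only, not an IPsec transform.
    The sequence number is mixed in so keystream never repeats across packets."""
    out, block = bytearray(), 0
    while len(out) < length:
        out += hmac.new(key, struct.pack(">QQ", seq, block), hashlib.sha256).digest()
        block += 1
    return bytes(out[:length])


def _xor(data: bytes, ks: bytes) -> bytes:
    return bytes(a ^ b for a, b in zip(data, ks))


def _authenticated_header(src: str, dst: str, spi: int, seq: int) -> bytes:
    return json.dumps([src, dst, spi, seq]).encode()


class SecureNetworkAccessDevice:
    """A secure network access device (14 or 16) acting as proxy for its endpoint(s)."""

    def __init__(self, policy, shared_secret: bytes, spi: int = 0x1001):
        self.policy = policy                # step A.3 stateful rule: Packet -> bool
        self.spi = spi
        self.enc_key, self.auth_key = derive_keys(shared_secret, spi)
        self.seq = 0                        # outbound sequence counter
        self.highest_seen = 0               # inbound anti-replay (window of one, for brevity)

    def outbound(self, pkt: Packet):
        """Steps A.3-A.5: apply the rule; if it says encrypt, encrypt-then-MAC the
        inner fields and emit P carrying N's own addresses; otherwise forward N."""
        if not self.policy(pkt):
            return pkt
        self.seq += 1
        inner = json.dumps({"proto": pkt.proto, "payload": pkt.payload.hex()}).encode()
        ct = _xor(inner, keystream(self.enc_key, self.seq, len(inner)))
        icv = hmac.new(self.auth_key, _authenticated_header(pkt.src, pkt.dst, self.spi, self.seq) + ct,
                       hashlib.sha256).digest()[:16]
        return ProcessedPacket(pkt.src, pkt.dst, self.spi, self.seq, ct, icv)

    def inbound(self, p):
        """Steps B.1-B.6: authenticate first (B.2/B.3) and only then decrypt (B.4),
        rebuild N (B.5) and hand it to the endpoint (B.6).  Returns None when the
        packet fails authentication or replays a sequence number."""
        if isinstance(p, Packet):
            return p                        # never processed; deliver unchanged
        expected = hmac.new(self.auth_key, _authenticated_header(p.src, p.dst, p.spi, p.seq) + p.ciphertext,
                            hashlib.sha256).digest()[:16]
        if p.spi != self.spi or not hmac.compare_digest(expected, p.icv):
            return None                     # B.3 failed: drop before touching the ciphertext
        if p.seq <= self.highest_seen:
            return None                     # replayed, or reordered beyond the window
        self.highest_seen = p.seq
        inner = json.loads(_xor(p.ciphertext, keystream(self.enc_key, p.seq, len(p.ciphertext))))
        return Packet(p.src, p.dst, inner["proto"], bytes.fromhex(inner["payload"]))


def demo(tamper: bool = False):
    """Endpoint 10 -> device 14 -> network -> device 16 -> endpoint 12, with a
    constructed shared secret and a rule that protects traffic to 10.0.2.12."""
    def protect(pkt):
        return pkt.dst == "10.0.2.12"
    secret = b"constructed-shared-secret"
    device14 = SecureNetworkAccessDevice(protect, secret)
    device16 = SecureNetworkAccessDevice(protect, secret)
    n = Packet("10.0.1.10", "10.0.2.12", "tcp", b"constructed payload")   # step A.1
    p = device14.outbound(n)                                                # steps A.3-A.5
    if tamper:                                                              # one bit flipped in transit
        ct = bytearray(p.ciphertext)
        ct[-1] ^= 0x01
        p = ProcessedPacket(p.src, p.dst, p.spi, p.seq, bytes(ct), p.icv)
    return device16.inbound(p)                                              # steps B.1-B.6
```

Two design choices carry the security content of the passage: the receiving device verifies the integrity check value before it decrypts anything, so a forged or modified P never reaches the decryption path, and the outer addresses of P are those of N, which is what lets the endpoints remain unaware of the devices in between. A production implementation would use the negotiated IPsec cipher suite and a proper anti-replay window in place of the stand-ins.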
Referring now generally to the Figures, and particularly to FIGS. 3, 5 and 6, it is understood that the encryption of the network packet N performed in step A.5 of FIG. 5 may be at least partially accomplished by encryption acceleration hardware 44 of the first secure network access device 14. It is further understood that the decryption of the processed network packet P performed in step B.4 of FIG. 6 may be at least partially accomplished by encryption acceleration hardware 44 of the second secure network access device 16.
In certain other alternate preferred embodiments of the Method of the Present Invention, the first endpoint 10 and/or the second endpoint 12 may send and receive network packets N with the intermediation of only one secure network access device 6, 14 or 16. In certain alternate preferred exemplary configurations of the first endpoint 10, the first endpoint 10 may further comprise an endpoint-network interface 46, as per FIG. 2, wherein the endpoint-network interface 46 communicatively couples the endpoint internal communications bus 26 of the first endpoint 10 directly with the communications network 2 and/or the Internet 4. Additionally, optionally or alternatively, in certain still alternate preferred exemplary configurations of the second endpoint 12, the second endpoint 12 may further comprise an endpoint-network interface 46, as per FIG. 2, wherein the endpoint-network interface 46 communicatively couples the endpoint internal communications bus 26 of the second endpoint 12 directly with the communications network 2 and/or the Internet 4.
Referring now generally to the Figures and particularly to FIG. 7, FIG. 7 is a flowchart of an alternate preferred variation of the first method, wherein the first endpoint 10 uses the endpoint-network interface 46 to communicate with the second secure network access device 16 and to optionally authenticate and encrypt the network packet N prior to transmission from the first endpoint 10. In step C.1 the first endpoint 10 formats and generates a network packet N, wherein the source address value S.ADDR identifies the first endpoint 10 as the message source and the destination address D.ADDR identifies the second endpoint 12 as the intended message recipient. In step C.2 the first endpoint 10 examines the network packet N to determine whether the network packet N shall be encrypted. In executing step C.2, the first endpoint 10 may apply stateful rules of the endpoint software of the first endpoint 10 to determine whether the network packet N shall be encrypted. When the first endpoint 10 determines in step C.2 that the network packet N shall be encrypted prior to transmission via the network 2, the first endpoint 10 engages in step C.3 with the second secure network access device 16 via the communication network 2 to perform authentication and IKE data generation. In step C.4 the first endpoint 10 processes the network packet N with encryption and/or authentication techniques, and in accordance with the algorithms and data generated in step C.3, to generate a processed network packet P. The first endpoint 10 then transmits the processed network packet P via the communications network 2 in step C.5. After receipt of the processed network packet P, the second secure network access device 16 then authenticates and decrypts the processed network packet P in accordance with the flowchart of FIG. 6, wherein the second secure network access device 16 derives the network packet N from the processed network packet P, and provides the regenerated network packet N to the second endpoint 12.
It is understood that the second endpoint 12 additionally, optionally or alternatively may further comprise an endpoint-network interface 46. Referring now generally to the Figures while continuing to refer particularly to FIG. 7, the endpoint software of the second endpoint 12 may direct the second endpoint 12 to execute, in accordance with the flowchart of FIG. 7, an alternate preferred variation of the first method, wherein the second endpoint 12 uses the endpoint-network interface 46 to communicate with the first secure network access device 14 and to optionally authenticate and encrypt the network packet N prior to transmission from the second endpoint 12. In step C.1 the second endpoint 12 formats and generates a network packet N, wherein the source address value S.ADDR identifies the second endpoint 12 as the message source and the destination address D.ADDR identifies the first endpoint 10 as the intended message recipient. In step C.2 the second endpoint 12 examines the network packet N to determine whether the network packet N shall be encrypted. In executing step C.2, the second endpoint 12 may apply stateful rules of the endpoint software of the second endpoint 12 to determine whether the network packet N shall be encrypted. When the second endpoint 12 determines in step C.2 that the network packet N shall be encrypted prior to transmission via the network 2, the second endpoint 12 engages in step C.3 with the first secure network access device 14 via the communication network 2 to perform authentication and IKE data generation. In step C.4 the second endpoint 12 processes the network packet N with encryption and/or authentication techniques, and in accordance with the algorithms and data generated in step C.3, to generate a processed network packet P. The second endpoint 12 then transmits the processed network packet P via the communications network 2.
After receipt of the processed network packet P, the first secure network access device 14 then authenticates and decrypts the processed network packet P in accordance with the flowchart of FIG. 6, wherein the first secure network access device 14 derives the network packet N from the processed network packet P, and provides the regenerated network packet N to the first endpoint 10.
In certain still additional alternate preferred embodiments of the Method of the Present Invention, the controller network computer 42, optionally in combination with at least one secure network access device 6, 14 or 16 and at least two endpoints 8, 10 and 12, determines whether a particular network packet N shall be encrypted by applying stateful traffic rules. The stateful traffic rules may evaluate one or more of the qualities or aspects of the network packet N, to include the source IP address, the destination IP address and/or the communications protocol of the network packet N. If the communications protocol of the network packet conforms to a TCP or a UDP standard, the source port and the destination port may also be partially or wholly determinative of whether the network packet may be encrypted. If the communications protocol of the network packet conforms to an ICMP standard, the source and destination types and codes may also be partially or wholly determinative of whether the network packet may be encrypted.
The rules may include other qualifications, such as group memberships required of clients or users attempting to access an endpoint 8, 10 or 12 or a secure network access device 6, 14 or 16. In certain alternate preferred embodiments of the second method, the controller network computer 42 maintains a trusted domain, wherein the trusted domain is limited to specified endpoints 8, 10 & 12 and secure network access devices 6, 14 & 16 that are authorized to mutually authenticate as IKE negotiators with other members 6, 8, 10, 12, 14 & 16 of the trusted domain.
When a secure network access device 6, 14 & 16 is acting as a proxy for an endpoint 8, 10 or 12, incoming IKE messages addressed to the instant endpoint 8, 10 or 12 and received by the secure network access device 6, 14 & 16 are examined to determine whether the destination IP address and the source IP address both indicate endpoints 8, 10 & 12 that are listed as members of the trusted domain by the controller network computer 42. Where both the destination IP address and the source IP address belong to members of the trusted domain, the secure network access device 6, 14 or 16 acts as a proxy for the endpoint 8, 10 or 12 coupled with the secure network access device 6, 14 or 16. When acting as a proxy, the secure network access device 6, 14 or 16 executes the first method as described herein.
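The following Python program is an added illustration of the stateful traffic rules of the three preceding paragraphs (source and destination IP address, protocol, TCP/UDP ports, ICMP type and code, required group memberships) together with the trusted-domain check that gates whether a device proxies IKE for its endpoint; it is not code from the patent. The rule representation, first-match evaluation order, the sample rule set and the membership list are all constructed for the example; the patent specifies what the rules may evaluate, not their encoding.

```python
"""Stateful traffic rules over IP addresses, protocol, TCP/UDP ports, ICMP
type/code and group membership, plus trusted-domain gating of proxied IKE.
Added example with a constructed rule format and sample data."""
import ipaddress
from dataclasses import dataclass
from typing import FrozenSet, Iterable, List, Optional


@dataclass(frozen=True)
class PacketKey:
    """The qualities of a network packet N that the rules evaluate."""
    src_ip: str
    dst_ip: str
    proto: str                               # "tcp", "udp", "icmp", ...
    src_port: Optional[int] = None           # TCP/UDP only
    dst_port: Optional[int] = None
    icmp_type: Optional[int] = None          # ICMP only
    icmp_code: Optional[int] = None
    groups: FrozenSet[str] = frozenset()     # group memberships of the requesting client


@dataclass(frozen=True)
class Rule:
    """One rule; an unset field matches anything.  Port fields apply to TCP/UDP,
    type/code fields to ICMP, and required_groups must all be held by the client."""
    action: str                              # "encrypt" or "bypass"
    src: str = "0.0.0.0/0"
    dst: str = "0.0.0.0/0"
    proto: Optional[str] = None
    src_ports: Optional[range] = None
    dst_ports: Optional[range] = None
    icmp_types: Optional[FrozenSet[int]] = None
    icmp_codes: Optional[FrozenSet[int]] = None
    required_groups: FrozenSet[str] = frozenset()

    def matches(self, k: PacketKey) -> bool:
        if ipaddress.ip_address(k.src_ip) not in ipaddress.ip_network(self.src):
            return False
        if ipaddress.ip_address(k.dst_ip) not in ipaddress.ip_network(self.dst):
            return False
        if self.proto is not None and k.proto != self.proto:
            return False
        has_ports = self.src_ports is not None or self.dst_ports is not None
        if k.proto in ("tcp", "udp"):
            if self.src_ports is not None and k.src_port not in self.src_ports:
                return False
            if self.dst_ports is not None and k.dst_port not in self.dst_ports:
                return False
        elif has_ports:
            return False                     # port constraints cannot match a non-TCP/UDP packet
        elif k.proto == "icmp":
            if self.icmp_types is not None and k.icmp_type not in self.icmp_types:
                return False
            if self.icmp_codes is not None and k.icmp_code not in self.icmp_codes:
                return False
        return self.required_groups <= k.groups


def decide(rules: Iterable[Rule], key: PacketKey, default: str = "bypass") -> str:
    """First-match evaluation of an ordered rule list; `default` applies when nothing matches."""
    for rule in rules:
        if rule.matches(key):
            return rule.action
    return default


class TrustedDomain:
    """Membership list as maintained by the controller network computer 42."""

    def __init__(self, members: Iterable[str]):
        self.members = {ipaddress.ip_address(m) for m in members}

    def contains(self, ip: str) -> bool:
        return ipaddress.ip_address(ip) in self.members


def proxy_ike(domain: TrustedDomain, src_ip: str, dst_ip: str) -> bool:
    """A device proxies IKE for its endpoint only when both the source and the
    destination of the incoming IKE message are members of the trusted domain."""
    return domain.contains(src_ip) and domain.contains(dst_ip)


# Constructed sample policy: the protected subnet 10.0.2.0/24 sits behind device 16.
RULES: List[Rule] = [
    Rule("bypass", proto="icmp", icmp_types=frozenset({0, 8})),               # echo stays in clear
    Rule("encrypt", dst="10.0.2.0/24", proto="icmp"),                           # other ICMP is protected
    Rule("encrypt", dst="10.0.2.0/24", proto="tcp", dst_ports=range(1, 1024)),
    Rule("encrypt", dst="10.0.2.0/24", proto="udp", dst_ports=range(500, 501),
         required_groups=frozenset({"vpn-admins"})),
    Rule("bypass", dst="10.0.2.0/24"),
]
# Constructed membership list: the two endpoints and the two devices of FIG. 1.
DOMAIN = TrustedDomain(["10.0.1.10", "10.0.2.12", "10.0.1.1", "10.0.2.1"])
```

Rule order matters under first-match evaluation: the echo bypass must precede the general ICMP rule, and the final subnet-wide bypass acts as the catch-all for the protected subnet, with the `default` argument of `decide` covering everything else. Because `proxy_ike` requires both addresses to be domain members, an IKE message from an address outside the domain is never proxied even when it is addressed to a protected endpoint.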
The foregoing disclosures and statements are illustrative only of the Present Invention, and are not intended to limit or define the scope of the Present Invention. The above description is intended to be illustrative, and not restrictive. Although the examples given include many specificities, they are intended as illustrative of only certain possible embodiments of the Present Invention. The examples given should only be interpreted as illustrations of some of the preferred embodiments of the Present Invention, and the full scope of the Present Invention should be determined by the appended claims and their legal equivalents. Those skilled in the art will appreciate that various adaptations and modifications of the just-described preferred embodiments can be configured without departing from the scope and spirit of the Present Invention. Therefore, it is to be understood that the Present Invention may be practiced other than as specifically described herein. The scope of the Present Invention as disclosed and claimed should, therefore, be determined with reference to the knowledge of one skilled in the art and in light of the disclosures presented above.