WO2015121705A1 - System for setting up a virtual private network - Google Patents


Info

Publication number
WO2015121705A1
Authority
WO
WIPO (PCT)
Prior art keywords
server
servers
virtual private
private network
proxy server
Application number
PCT/IB2014/058918
Other languages
French (fr)
Inventor
Simone GASPARINI
Original Assignee
Techlan Reti S.R.L.
Priority date
2014-02-11
Filing date
2014-02-11
Publication date
2015-08-20

Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00 Network architectures or network communication protocols for network security
    • H04L63/02 Network architectures or network communication protocols for network security for separating internal from external traffic, e.g. firewalls
    • H04L63/0272 Virtual private networks
    • H04L63/0281 Proxies

Abstract

A system for the activation of a Virtual Private Network comprising a plurality of servers and a proxy server associated to said servers, wherein said proxy server comprises a database wherein the identifying data of each one of said servers are associated to respective network addresses of said servers, and wherein said proxy server is configured to: - be connected to a plurality of remote devices by means of the Internet; - receive unencrypted data, identifying a determined server for the activation of a Virtual Private Network (VPN) between said remote device and said determined server from at least one of said remote devices, through the Internet; - receive encrypted data addressed to said determined server from said remote device; - select the network address associated to said determined server in said database; - activate a Virtual Private Network between said remote device and said determined server; - transmit at least said encrypted data to said determined server through said Virtual Private Network.

Description

SYSTEM FOR SETTING UP A VIRTUAL PRIVATE NETWORK
DESCRIPTION
The subject of the present invention is a system for setting up a Virtual Private Network. As is known, setting up a Virtual Private Network requires that two apparatuses, for example a mobile device and a server, be connected to each other over a secure, encrypted channel.
Such a connection can also run over the Internet; in that case particular attention must be paid to protecting the data exchanged between the two apparatuses involved.
VPNs are usually built so that all the clients that must be part of the VPN connect to the same connection point, the so-called VPN concentrator.
The Applicant has verified that, for particular applications, this type of structure is not appropriate.
The aim of the present invention is to provide a system for setting up a Virtual Private Network whose structure can be extended rapidly and easily.
Another aim of the present invention is to provide a system for setting up a VPN wherein the remote devices can communicate with their respective servers using a limited number of public IP addresses, preferably a single public IP address or, for example, a single public IP address per country. A further aim of the present invention is to provide a system for setting up a VPN wherein the number of servers can be increased without increasing the number of public IP addresses used.
These and other aims are substantially achieved by a system for setting up a Virtual Private Network as described in the attached claims.
Further characteristics and advantages will become clearer from the detailed description of one or more preferred, but not exclusive, embodiments of the invention. Such description is provided below with reference to the attached figure 1, given by way of example and thus not limiting, which shows a block diagram of a system in accordance with the invention.
With reference to figure 1, 1 indicates a system in accordance with the present invention as a whole.
The system 1 comprises a plurality of servers 10.
Each server 10 can be configured to store and/or process the data it receives, for example to carry out statistical processing. The nature and type of data that, by way of example, can be handled by the servers 10 are described below.
The servers 10 can be connected to each other by means of a local area network (LAN) and/or a wide area network (WAN). The whole set of servers 10 can form a so-called "cloud" network.
Each server 10 is uniquely associated with a network address. That network address allows the respective server to be reached and a connection to be established with it, for example in order to exchange data.
By way of example, the network addresses of the servers 10 can be of the type 10.0.0.11, 10.0.0.12, 10.0.0.13, etc.
Such network addresses are preferably internal IP addresses.
The system 1 comprises also a proxy server 20.
The proxy server 20 is associated with the servers 10 by means of the aforementioned network, and is associated with a public IP address.
By way of example, such public IP address can be 46.37.30.37.
To be reached more easily over the Internet, the proxy server 20 can also be associated with a domain name, for example of the type proxy.YYYY.com.
The proxy server 20 comprises (or is associated with) a database 21, which contains the network addresses associated with each of the servers 10.
In the database 21, each network address is associated with the identifying data of the respective server 10.
Such identifying data can be, for example, of the type cli001.clienti.YYYY.com, cli002.clienti.YYYY.com, cli003.clienti.YYYY.com, etc.
Preferably none of the servers 10 is directly associated with a public IP address. As will become clearer below, all the servers 10 refer to the proxy server 20 and are accessible, under certain conditions, only through the proxy server 20 itself.
The proxy server 20 can thus be reached over the Internet. Preferably a firewall-type protection module is interposed between the proxy server 20 and the Internet.
In accordance with the invention, a plurality of devices 30 is configured to connect, through the Internet, to the proxy server 20.
Such connection can be made by using, for example, the domain name associated with the proxy server 20, which public DNS servers resolve to the respective IP address. In the following the invention is described with reference to a single remote device 30; it has to be noted, however, that the functionalities and operations described can also refer to other remote devices 30.
Once the remote device 30 is connected to the proxy server 20, the remote device 30 sends unencrypted data to the proxy server 20 identifying a determined server with which the remote device 30 wants to create a VPN.
The remote device 30 also sends encrypted data to the proxy server 20, addressed to that determined server.
The proxy server 20 selects, in its database 21, the network address associated with the determined server identified by the unencrypted data transmitted by the remote device 30. The proxy server 20 thus directs the VPN request between the remote device and the determined server and forwards the encrypted data transmitted by the remote device 30 to the determined server through that VPN.
The communication between the remote device 30 and the determined server can then continue over the protected channel of the VPN, according to the operations that have to be carried out.
In other words, the remote device 30 creates a "tunnel" with the proxy server 20; in this way the subsequent connection requests (aiming to access the determined server 10) are not resolved by public DNS servers but directly by a private DNS server associated with the proxy server 20. Such subsequent requests are, in practice, formed by the aforementioned encrypted and unencrypted data.
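The dispatch carried out by the proxy server 20 in the paragraphs above, written out as an added example in Python; this is not code from the patent or from Techlan Reti S.R.L. It assumes a wire format the description does not specify (one cleartext line `CONNECT <identifier>` carrying the unencrypted data D1, followed by the opaque ciphertext D2), assumes the remote device has already been authenticated on the tunnel it opened with the proxy, and uses hypothetical device names; the server identifiers and internal addresses are the ones given in the description, and the VPN to each server 10 is simulated by a per-address list of relayed bytes. Besides the lookup in database 21, it checks that the requesting device is bound to the server it names, which the description requires later when it states that each customer's servers are accessible only by that customer's remote device; since the identifier travels in clear, the database lookup alone should not be what decides which server a device may reach.

```python
"""Dispatch logic in the role of proxy server 20 (added example, not from the patent).

Assumed wire format (not specified by the description): the remote device sends
one cleartext line, b"CONNECT <identifier>\n" (D1), followed by opaque
ciphertext bytes (D2). The proxy never decrypts D2; it only looks the
identifier up in database 21 and relays D2 to the selected internal address.
"""
from dataclasses import dataclass, field

# Database 21: identifying data -> internal network address. Names and
# addresses are the ones given in the description.
DATABASE_21: dict[str, str] = {
    "cli001.clienti.YYYY.com": "10.0.0.11",
    "cli002.clienti.YYYY.com": "10.0.0.12",
    "cli003.clienti.YYYY.com": "10.0.0.13",
}

# Assumption: which servers each remote device may reach (one customer per
# device or device group, as in the preferred embodiment). Device names are hypothetical.
DEVICE_BINDINGS: dict[str, set[str]] = {
    "device-A": {"cli001.clienti.YYYY.com"},
    "device-B": {"cli002.clienti.YYYY.com", "cli003.clienti.YYYY.com"},
}

MAX_IDENTIFIER_LEN = 253  # longest valid DNS name


class DispatchError(Exception):
    """Raised when a request must be refused; the caller closes the connection."""


def parse_request(raw: bytes) -> tuple[str, bytes]:
    """Split the cleartext identifier (D1) from the encrypted payload (D2)."""
    header, sep, payload = raw.partition(b"\n")
    if not sep:
        raise DispatchError("incomplete header")
    parts = header.split(b" ")
    if len(parts) != 2 or parts[0] != b"CONNECT":
        raise DispatchError("malformed header")
    try:
        identifier = parts[1].decode("ascii")
    except UnicodeDecodeError:
        raise DispatchError("identifier is not ASCII") from None
    if not identifier or len(identifier) > MAX_IDENTIFIER_LEN:
        raise DispatchError("bad identifier length")
    return identifier, payload


def resolve(identifier: str, database: dict[str, str]) -> str:
    """Look the identifier up in database 21 (the private-DNS step)."""
    try:
        return database[identifier]
    except KeyError:
        raise DispatchError("unknown server") from None


@dataclass
class ProxyServer:
    """Proxy server 20. Each VPN to a server 10 is simulated by a list that
    records the bytes transmitted through it, keyed by internal address."""
    database: dict[str, str] = field(default_factory=lambda: dict(DATABASE_21))
    bindings: dict[str, set[str]] = field(
        default_factory=lambda: {d: set(s) for d, s in DEVICE_BINDINGS.items()})
    tunnels: dict[str, list[bytes]] = field(default_factory=dict)

    def handle(self, device_id: str, raw: bytes) -> str:
        """Process one request from an (already authenticated) remote device.
        Returns the internal address the payload was relayed to."""
        identifier, payload = parse_request(raw)
        # Check the device -> server binding before consulting the database,
        # so a device cannot use D1 to probe for other customers' servers.
        if identifier not in self.bindings.get(device_id, set()):
            raise DispatchError("device not bound to this server")
        address = resolve(identifier, self.database)
        # "Activate" the VPN on first use, then transmit D2 through it unchanged.
        self.tunnels.setdefault(address, []).append(payload)
        return address


if __name__ == "__main__":
    proxy = ProxyServer()
    # Constructed sample traffic: the ciphertext is arbitrary bytes.
    print(proxy.handle("device-A", b"CONNECT cli001.clienti.YYYY.com\n\x8a\x01\xff\x10"))
    for bad in (b"CONNECT cli002.clienti.YYYY.com\n\x00",   # another customer's server
                b"CONNECT cli009.clienti.YYYY.com\n\x00",   # not in database 21
                b"GET / HTTP/1.1\r\n"):                     # not the expected framing
        try:
            proxy.handle("device-A", bad)
        except DispatchError as exc:
            print("refused:", exc)
```

Run directly, the script relays one request to 10.0.0.11 and refuses three others. The proxy never touches D2, so confidentiality between the remote device and its server 10 does not depend on the transport between device and proxy; in a real deployment the `tunnels` dictionary would be replaced by a connection to the internal address opened over the VPN.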
By way of example, the data exchanged through such channel can relate to the measurement of one or more of the following quantities: temperature, atmospheric pressure, humidity, brightness, fluid flow rate (e.g. of liquids or of gas for consumption), energy consumption, etc.
Such data can be measured by appropriate sensor systems/detecting devices installed in a determined environment, such as a residential, commercial or industrial building. In an embodiment, the remote device 30 is installed permanently, together with the respective sensor system, in the environment where it has to operate.
In such case, after its installation and configuration, the remote device 30 opens a connection with the determined server 10 in the manner described above; that connection then remains open so that the measured data can be loaded onto the server 10 substantially in real time.
If failures or problems in the connection occur, the remote device 30 runs the connection procedure to the proxy server 20 and to the determined server 10 again.
In a different embodiment, the remote device 30 and its sensors are made as a portable device, which can be used for measurements in a certain environment, preferably at predefined and limited time intervals. Such measurements can be carried out, for example, as a demonstration and/or as a preliminary check before possibly proceeding to a permanent installation.
In the preferred embodiment, each remote device 30 corresponds to a respective server 10 or a respective group of servers. In other words, in order to maintain a reliable separation in the management of different environments, each server 10 or group of servers can be used to store and manage the data coming from the remote devices 30.
From a management point of view, a single server 10 or group of servers 10 is dedicated to each environment or structure (typically relating to a determined customer), so that each server or group of servers is dedicated to a single customer. Such server 10 or group of servers 10 will be accessible only by the remote device 30 dedicated to the same customer.
The invention achieves important advantages.
First of all, the system in accordance with the invention allows data to be exchanged in a safe and reliable way between a plurality of remote devices and their respective servers.
Furthermore, the invention is characterized by a structure that can be extended extremely easily and rapidly. In particular, it is possible to increase the number of servers that can be reached by means of the proxy server without increasing the number of public IP addresses used.
It should also be noted that the system described and claimed here can advantageously be used in a way that uses, for example, a single public IP address per country.
In this way, the architecture can easily be replicated as the territorial coverage of the system grows, avoiding delays in access to the servers by the respective remote devices.

Claims

1. A system for activating a Virtual Private Network comprising a plurality of servers (10) and a proxy server (20) associated to said servers (10),
wherein said proxy server (20) comprises a database (21) wherein the identifying data of each one of said servers (10) are associated to respective network addresses of said servers (10), and wherein said proxy server (20) is configured to:
- be connected to a plurality of remote devices (30) by means of the Internet;
- receive unencrypted data (D1), identifying a determined server for the activation of a Virtual Private Network (VPN) between said remote device (30) and said determined server (10), from at least one of said remote devices (30), through the Internet;
- receive encrypted data (D2) addressed to said determined server (10) from said remote device (30);
- select the network address associated to said determined server (10) in said database (21);
- activate a Virtual Private Network (VPN) between said remote device (30) and said determined server (10);
- transmit at least said encrypted data (D2) to said determined server (10) through said Virtual Private Network (VPN).
2. A system according to claim 1 wherein said encrypted data (D2) are representative of environmental data and/or of energy consumption data detected by sensors/tools associated to said remote device (30).
3. A system according to claim 1 or 2, wherein each one of said remote devices (30) is univocally associated to one or more of said servers (10).
4. A system according to any one of the preceding claims wherein said proxy server (20) is identified by a single public IP address, and each one of said remote devices (30) can be connected to said proxy server (20) by means of said public IP address.
5. A system according to any one of the preceding claims, wherein none of said servers (10) is directly associated to a public IP.

Priority Applications (1)

Application Number Priority Date Filing Date Title
PCT/IB2014/058918 WO2015121705A1 (en) 2014-02-11 2014-02-11 System for setting up a virtual private network

Publications (1)

Publication Number Publication Date
WO2015121705A1 2015-08-20

Family

ID=50391223

Citations (4)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US20110154477A1 (en) * 2009-12-22 2011-06-23 Cisco Technology, Inc. Dynamic content-based routing
US8051177B1 (en) * 2003-09-30 2011-11-01 Genband Us Llc Media proxy having interface to multiple virtual private networks
JP2012222678A (en) * 2011-04-12 2012-11-12 Nippon Telegr & Teleph Corp <Ntt> Access control system and access control method
US20140025321A1 (en) * 2007-04-03 2014-01-23 Electro Industries/Gaugetech System and method for performing data transfers in an intelligent electronic device

Legal Events

Date Code Title Description
121 Ep: the epo has been informed by wipo that ep was designated in this application (ref document number 14713905, country of ref document EP, kind code A1)
NENP Non-entry into the national phase (ref country code DE)
122 Ep: pct application non-entry in european phase (ref document number 14713905, country of ref document EP, kind code A1)