WO2015121705A1 - System for setting up a virtual private network - Google Patents
- Publication number: WO2015121705A1 (PCT/IB2014/058918)
- Authority: WO (WIPO, PCT)
- Prior art keywords
- server
- servers
- virtual private
- private network
- proxy server
Classifications
- H04L63/0272: Virtual private networks (under H04L63/02, network architectures or network communication protocols for separating internal from external traffic, e.g. firewalls; H04L63/00, network security; H04L, transmission of digital information)
- H04L63/0281: Proxies (under the same H04L63/02 group)
Abstract
A system for activating a Virtual Private Network comprising a plurality of servers and a proxy server associated with said servers, wherein said proxy server comprises a database in which the identifying data of each of said servers is associated with the respective network address of that server, and wherein said proxy server is configured to:
- be connected to a plurality of remote devices by means of the Internet;
- receive, from at least one of said remote devices and through the Internet, unencrypted data identifying a determined server for the activation of a Virtual Private Network (VPN) between said remote device and said determined server;
- receive encrypted data addressed to said determined server from said remote device;
- select the network address associated with said determined server in said database;
- activate a Virtual Private Network between said remote device and said determined server;
- transmit at least said encrypted data to said determined server through said Virtual Private Network.
Description
SYSTEM FOR SETTING UP A VIRTUAL PRIVATE NETWORK
The subject of the present invention is a system for setting up a Virtual Private Network (VPN). As is known, setting up a VPN requires that two apparatuses, for example a mobile device and a server, be connected to each other over a secure, encrypted channel.
Such a connection can also run over the Internet; in that case particular attention must be paid to protecting the data exchanged between the two apparatuses.
VPNs are usually built so that all the clients that have to be part of the VPN connect to the same point of connection, the so-called VPN concentrator.
The Applicant has found that, for particular applications, this type of structure is not suitable.
The aim of the present invention is to provide a system for setting up a Virtual Private Network whose structure can be extended rapidly and easily.
Another aim of the present invention is to provide a system for setting up a VPN wherein the remote devices communicate with their respective servers using a limited number of public IP addresses, preferably a single public IP address, or for example a single public IP address per country. A further aim of the present invention is to provide a system for setting up a VPN wherein the number of servers can be increased without increasing the number of public IP addresses used.
These and other aims are substantially reached by a system for setting up a Virtual Private Network according to what described in the attached claims.
Further characteristics and advantages will become clearer from the detailed description of one or more preferred, but not exclusive, embodiments of the invention. Such description is provided below with reference to the attached figure 1, given by way of example and thus not limiting, which shows a block diagram of a system in accordance with the invention.
With reference to figure 1, reference numeral 1 indicates a system in accordance with the present invention as a whole.
The system 1 comprises a plurality of servers 10.
Each server 10 can be configured to store data and/or to process the data it receives, for example to carry out statistical processing. The nature and type of the data that, by way of example, can be handled by the servers 10 are described below.
The servers 10 can be connected to each other by means of a local area network (LAN) and/or by means of a wide area network (WAN). The whole set of servers 10 can form a so-called "cloud" network.
Each of the servers 10 is uniquely associated with a network address. That address allows the respective server to be reached and a connection to be established with it, for example in order to exchange data.
By way of example, the network addresses of the servers 10 can be of the type 10.0.0.11, 10.0.0.12, 10.0.0.13, etc.
Such network addresses are preferably internal (private) IP addresses.
The system 1 comprises also a proxy server 20.
The proxy server 20 is connected to the servers 10 by means of the aforementioned network and is associated with a public IP address.
By way of example, such public IP address can be 46.37.30.37.
In order to be reached more easily by means of the Internet, the proxy server 20 can also be associated to a domain name, for example of the type proxy.YYYY.com.
The proxy server 20 comprises (or is associated with) a database 21, which contains the network address of each of the servers 10.
In the database 21, each network address is associated with the identifying data of the respective server 10.
Such identifying data can be, for example, host names of the type cli001.clienti.YYYY.com, cli002.clienti.YYYY.com, cli003.clienti.YYYY.com, etc.
Preferably none of the servers 10 is directly associated with a public IP address. As will become clearer below, all the servers 10 refer to the proxy server 20 and are accessible, under specified conditions, only through the proxy server 20 itself.
The proxy server 20 is thus the only component reachable from the Internet. Preferably a protection module of the firewall type is interposed between the proxy server 20 and the Internet.
In accordance with the invention, a plurality of remote devices 30 is configured to connect, through the Internet, to the proxy server 20.
Such a connection can be made by using, for example, the domain name associated with the proxy server 20, which the public DNS resolves to the respective IP address. In the following the invention is described with reference to a single remote device 30; it should be noted, however, that the functionalities and operations described apply equally to the other remote devices 30.
Once the remote device 30 is connected to the proxy server 20, the remote device 30 sends unencrypted data to the proxy server 20 identifying the determined server with which it wants to create a VPN. Because this identifier travels in the clear, it is visible to any on-path observer; only the data that follows is protected.
The remote device 30 also sends encrypted data to the proxy server 20, addressed to that determined server.
The proxy server 20 selects, in its database 21, the network address associated with the determined server identified by the unencrypted data transmitted by the remote device 30. The proxy server 20 then directs the VPN request between the remote device and the determined server and forwards the encrypted data transmitted by the remote device 30 to the determined server through that VPN. Nothing in this procedure requires the proxy server 20 to decrypt the data: it reads the cleartext identifier and forwards the encrypted data as received.
Communication between the remote device 30 and the determined server can then continue over the protected channel of the VPN, according to the operations to be carried out.
In other words, the remote device 30 creates a "tunnel" with the proxy server 20; subsequent connection requests (aimed at the determined server 10) are then not resolved by the public DNS but directly by a private DNS server associated with the proxy server 20. In practice, such subsequent requests consist of the aforementioned unencrypted and encrypted data.
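The connection procedure just described (cleartext identifier of the determined server, then encrypted data, lookup in the database 21, forwarding through the tunnel) together with the one-customer-one-server binding described further below, modelled as an added example in Python. This code is not part of the patent or of any product; the message framing, the device identifiers, the `refuses` helper and the sample database are assumptions made for the example, and the proxy is assumed to already know which remote device it is talking to.

```python
"""Added example, not code from the patent: a minimal model of proxy server 20.

A remote device's first message carries the cleartext server identifier (D1)
followed by opaque encrypted data (D2). The proxy resolves D1 in database 21,
checks that this device is bound to that server (the per-customer binding of
the description and claim 3), records the result as the device's tunnel so
later data needs no public DNS lookup, and forwards D2 unchanged.
The framing, the device identifiers and the sample database are assumptions."""
from __future__ import annotations

import struct
from dataclasses import dataclass, field


class ProxyError(Exception):
    """Raised when the proxy refuses to set up or use a tunnel."""


# Assumed framing: 2-byte big-endian length, ASCII server identifier (D1),
# then everything that remains is D2. The proxy holds no key for D2.
def build_first_message(server_ident: str, d2: bytes) -> bytes:
    ident = server_ident.encode("ascii")
    if not 0 < len(ident) < 0x10000:
        raise ValueError("identifier length out of range")
    return struct.pack("!H", len(ident)) + ident + d2


def parse_first_message(msg: bytes) -> tuple[str, bytes]:
    if len(msg) < 2:
        raise ProxyError("truncated header")
    (n,) = struct.unpack("!H", msg[:2])
    if n == 0 or len(msg) < 2 + n:
        raise ProxyError("bad identifier length")
    try:
        ident = msg[2:2 + n].decode("ascii")
    except UnicodeDecodeError as exc:
        raise ProxyError("identifier is not ASCII") from exc
    # Host names are case-insensitive: "YYYY" and "yyyy" name the same server.
    return ident.lower(), msg[2 + n:]


@dataclass
class ProxyDatabase:
    """Database 21 plus the device-to-server binding (sample data constructed)."""
    servers: dict[str, str]              # identifying data -> internal address
    bindings: dict[str, frozenset[str]]  # device id -> servers it may reach

    def address_of(self, server_ident: str) -> str:
        try:
            return self.servers[server_ident]
        except KeyError:
            raise ProxyError(f"unknown server {server_ident!r}") from None

    def is_bound(self, device_id: str, server_ident: str) -> bool:
        return server_ident in self.bindings.get(device_id, frozenset())


@dataclass
class ProxyServer:
    db: ProxyDatabase
    tunnels: dict[str, str] = field(default_factory=dict)          # device -> address
    forwarded: list[tuple[str, bytes]] = field(default_factory=list)  # (address, D2)

    def activate_vpn(self, device_id: str, first_message: bytes) -> str:
        """Handle D1+D2 from a known device; return the selected internal address."""
        server_ident, d2 = parse_first_message(first_message)
        # Binding check first: a device bound to nothing cannot probe which
        # identifiers exist in the database.
        if not self.db.is_bound(device_id, server_ident):
            raise ProxyError(f"{device_id!r} is not bound to {server_ident!r}")
        address = self.db.address_of(server_ident)
        self.tunnels[device_id] = address
        self.forwarded.append((address, d2))  # stands in for VPN transmission
        return address

    def forward(self, device_id: str, d2: bytes) -> str:
        """Later encrypted data follows the tunnel; no tunnel means reconnect."""
        if device_id not in self.tunnels:
            raise ProxyError("no tunnel: repeat the connection procedure")
        address = self.tunnels[device_id]
        self.forwarded.append((address, d2))
        return address


def refuses(proxy: ProxyServer, device_id: str, first_message: bytes) -> bool:
    """True when the proxy rejects this activation request."""
    try:
        proxy.activate_vpn(device_id, first_message)
    except ProxyError:
        return True
    return False


def sample_proxy() -> ProxyServer:
    """Constructed data mirroring the addresses and names in the description."""
    db = ProxyDatabase(
        servers={"cli001.clienti.yyyy.com": "10.0.0.11",
                 "cli002.clienti.yyyy.com": "10.0.0.12",
                 "cli003.clienti.yyyy.com": "10.0.0.13"},
        bindings={"device-001": frozenset({"cli001.clienti.yyyy.com"}),
                  "device-002": frozenset({"cli002.clienti.yyyy.com"})},
    )
    return ProxyServer(db)
```

`sample_proxy().activate_vpn("device-001", build_first_message("cli001.clienti.YYYY.com", d2))` returns `10.0.0.11` and records the opaque `d2` for transmission; the same device asking for `cli002.clienti.YYYY.com`, or an unknown device asking for anything, is refused before the database is consulted. The binding check is the part the description leaves implicit: the identifier arrives in cleartext from the Internet, so it is the proxy's authorization decision, not the identifier, that keeps one customer's server out of reach of another customer's device.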
By way of example, the data exchanged through such a channel can relate to the measurement of one or more of the following quantities: temperature, atmospheric pressure, humidity, brightness, fluid flow rate (e.g. of liquids or of gas for consumption), energy consumption, etc.
Such data can be measured by appropriate sensor systems/detection devices installed in a given environment, such as a residential, commercial or industrial building. In one embodiment, the remote device 30 is installed permanently, together with its sensor system, in the environment where it has to operate.
In that case, after installation and configuration, the remote device 30 opens a connection with the determined server 10 in the manner described above; the connection then remains open so that the measured data can be uploaded to the server 10 substantially in real time.
If the connection fails or problems occur, the remote device 30 repeats the connection procedure to the proxy server 20 and to the determined server 10.
In a different embodiment, the remote device 30 and its sensors form a portable device, which can be used for measurements in a given environment, preferably at predefined and limited intervals of time. Such measurements can be carried out, for example, as a demonstration and/or as a preliminary check before proceeding to a possible permanent installation.
In the preferred embodiment, each remote device 30 corresponds to a respective server 10 or a respective group of servers. In other words, to maintain a reliable separation in the management of different environments, each server 10 or group of servers is used to store and manage the data coming from its own remote devices 30.
From a management point of view, a single server 10 or group of servers 10 is dedicated to each environment or structure (typically relating to a given customer), so that each server or group of servers is dedicated to a single customer. Such server 10 or group of servers 10 is accessible only by the remote device 30 dedicated to the same customer. Since the server identifier reaches the proxy server 20 in cleartext and can be sent by any host on the Internet, this per-customer isolation holds only if the proxy server 20 verifies, on every activation request, that the requesting remote device 30 is the one bound to the identified server.
The invention achieves important advantages.
First of all, the system in accordance with the invention allows data to be exchanged securely and reliably between a plurality of remote devices and their respective servers.
Furthermore, the invention has a structure that can be extended extremely easily and rapidly. In particular, the number of servers reachable through the proxy server can be increased without increasing the number of public IP addresses used.
It should also be noted that the system described and claimed here can advantageously be deployed with, for example, a single public IP address per country.
In this way, the architecture can easily be replicated as the territorial coverage of the system grows, avoiding delays in access to the servers by the respective remote devices.
Claims
1. A system for activating a Virtual Private Network comprising a plurality of servers (10) and a proxy server (20) associated to said servers (10),
wherein said proxy server (20) comprises a database (21) wherein the identifying data of each one of said servers (10) are associated to respective network addresses of said servers (10), and wherein said proxy server (20) is configured to:
- be connected to a plurality of remote devices (30) by means of the Internet;
- receive unencrypted data (D1), identifying a determined server for the activation of a Virtual Private Network (VPN) between said remote device (30) and said determined server (10), from at least one of said remote devices (30), through the Internet;
- receive encrypted data (D2) addressed to said determined server (10) from said remote device (30);
- select the network address associated to said determined server (10) in said database (21);
- activate a Virtual Private Network (VPN) between said remote device (30) and said determined server (10);
- transmit at least said encrypted data (D2) to said determined server (10) through said Virtual Private Network (VPN).
2. A system according to claim 1 wherein said encrypted data (D2) are representative of environmental data and/or of energy consumption data detected by sensors/tools associated to said remote device (30).
3. A system according to claim 1 or 2, wherein each one of said remote devices (30) is univocally associated to one or more of said servers (10).
4. A system according to any one of the preceding claims wherein said proxy server (20) is identified by a single public IP address, and each one of said remote devices (30) can be connected to said proxy server (20) by means of said public IP address.
5. A system according to any one of the preceding claims, wherein none of said servers (10) is directly associated to a public IP address.
Priority Applications (1)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
PCT/IB2014/058918 WO2015121705A1 (en) | 2014-02-11 | 2014-02-11 | System for setting up a virtual private network |
Publications (1)
Publication Number | Publication Date |
---|---|
WO2015121705A1 true WO2015121705A1 (en) | 2015-08-20 |
Family
ID=50391223
Citations (4)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
US20110154477A1 (en) * | 2009-12-22 | 2011-06-23 | Cisco Technology, Inc. | Dynamic content-based routing |
US8051177B1 (en) * | 2003-09-30 | 2011-11-01 | Genband Us Llc | Media proxy having interface to multiple virtual private networks |
JP2012222678A (en) * | 2011-04-12 | 2012-11-12 | Nippon Telegr & Teleph Corp <Ntt> | Access control system and access control method |
US20140025321A1 (en) * | 2007-04-03 | 2014-01-23 | Electro Industries/Gaugetech | System and method for performing data transfers in an intelligent electronic device |
Legal Events
Date | Code | Title | Description |
---|---|---|---|
| 121 | Ep: the epo has been informed by wipo that ep was designated in this application | Ref document number: 14713905; Country of ref document: EP; Kind code of ref document: A1 |
| NENP | Non-entry into the national phase | Ref country code: DE |
| 122 | Ep: pct application non-entry in european phase | Ref document number: 14713905; Country of ref document: EP; Kind code of ref document: A1 |