EP1466434A4 - Method and apparatus for providing secure connectivity in mobile and other intermittent computing environments - Google Patents
- Publication number
- EP1466434A4 (application EP03703762A)
- Authority
- EP
- European Patent Office
- Prior art keywords
- network
- security
- communications
- session
- mobility
- Prior art date
- Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
- Withdrawn
Classifications (all under H—ELECTRICITY, H04—ELECTRIC COMMUNICATION TECHNIQUE)
- H04L63/0272—Virtual private networks (H04L63/02, network security for separating internal from external traffic, e.g. firewalls)
- H04L63/164—Implementing security features at the network layer (H04L63/16)
- H04L63/20—Managing network security; network security policies in general
- H04L67/14—Session management (H04L67/00, network arrangements or protocols for supporting network services or applications)
- H04L67/145—Avoiding end of session, e.g. keep-alive, heartbeats, resumption message or wake-up for inactive or interrupted session (H04L67/143, termination or inactivation of sessions)
- H04W12/03—Protecting confidentiality, e.g. by encryption (H04W12/00, security arrangements; authentication; protecting privacy or anonymity)
- H04W80/04—Network layer protocols, e.g. mobile IP (H04W80/00, wireless network protocols or protocol adaptations to wireless operation)
Definitions
- Wireless networks have become very popular. Students access course information from the college's computer network while sitting in a lecture hall or enjoying the outdoors in the middle of the campus. Doctors maintain connectivity with the hospital computer network while making their rounds. Office workers continue to work on documents and access their email as they move from their office to a conference room. Laptop or PDA users in conference centers, hotels, airports and coffee houses surf the web and access email and other applications over the Internet. Home users use wireless networks to eliminate the need to run cables.
- Wireless connectivity provides great flexibility but also presents security risks.
- Information transmitted through a cable or other wired network is comparatively hard to intercept, because an attacker must gain physical access to the cable in order to tap it; information transmitted wirelessly can be received by anyone with a wireless receiver who is in range.
- These risks may not present much of a problem to students reading course material or to cafe customers surfing the World Wide Web, but they are major concerns for businesses and professionals as well as their clients, customers and patients.
- The wired and wireless computing worlds operate under very different paradigms. The wired world assumes a fixed address and a constant, high-bandwidth connection. A wireless environment, in contrast, exhibits intermittent connections and higher error rates over what is usually a narrower bandwidth. Applications and messaging protocols designed for the wired world therefore do not always work in a wireless environment.
- End users' expectations of wireless networks are set by the performance and behavior of their wired networks. Meeting these expectations creates a significant challenge for those who design and develop wireless networking architectures, software and devices.
- Wireless networks are subject to a much greater variety of attacks (e.g., man-in-the-middle, eavesdropping, "free rides" on the network, and threats imposed over the wide area), and many assumptions that hold for wired networks do not apply. In modern network topologies such as wireless networks and Internet-based virtual private networks (VPNs), physical boundaries between public and private networks do not exist. In such networks, whether a user has the necessary permissions to access the system can no longer be inferred from physical location, as it is on a wired network inside a secure facility.
- Wireless data is broadcast on radio frequencies, which travel beyond the control of an organization, through walls and ceilings and even out into the parking lot or onto the street. The information the network is carrying is therefore susceptible to eavesdropping.
- Vital hospital patient information could be intercepted or even altered by an unauthorized person using a laptop computer in the hospital lobby, and a corporate spy could learn a competitor's secrets by intercepting wireless transmissions from an office on the floor above or from a car in the parking lot.
- Although tapping a wired network cable in a secure facility is possible, it is far less likely than interception of radio transmissions from a wireless network.
- Further security threats and problems must be faced when users wish to use any of the ever-increasing variety of public wireless networks to access sensitive data and applications.
- WAP (the Wireless Application Protocol) is designed to transmit data over low-bandwidth wireless networks to devices such as mobile telephones, pagers, PDAs and the like.
- The Wireless Transport Layer Security (WTLS) protocol in WAP provides privacy, data integrity and authentication between WAP-based applications.
- A WAP gateway converts between the WAP protocol and standard web and Internet protocols such as HTTP and TCP/IP, and WTLS is used to create a secure, encrypted pipe between the device and the gateway.
- One issue with this model is that once the intermediate WAP gateway decrypts the data, it is available in clear text on the gateway, which presents an opportunity for the end-to-end security of the system to be compromised (the so-called "WAP gap").
- WAP has typically not been implemented for high-bandwidth scenarios such as wireless local area network connectivity for personal computers.
- WEP (Wired Equivalent Privacy) relies on a default set of encryption keys that are shared between wireless devices (e.g., laptop computers with wireless LAN adapters) and wireless access points.
- A client with the correct key can "unlock" the network and communicate with any access point on the wireless network; without the right key, the network rejects the link-level connection request. If configured to do so, WEP-enabled wireless devices and access points also encrypt data before transmitting it, and an integrity check is intended to detect packets modified in transit. Without the correct key, the transmitted data cannot be decrypted, which is meant to prevent other wireless devices from eavesdropping.
- WEP was intended to protect the wireless link itself, although even at the time some industry analysts questioned the strength of its encryption; the weaknesses in its use of RC4 (short, reused initialization vectors) have since been shown to allow key recovery from passively captured traffic, so WEP should not be relied on for confidentiality.
- A more fundamental limitation of WEP is that the protection it offers does not extend beyond the wireless link itself.
- WEP offers no end-to-end protection once the data has been received by a wireless access point and must be forwarded to some other network destination. When data reaches the access point or gateway, it is decrypted and travels onward unprotected.
- Some additional security solution must therefore be used to provide end-to-end authentication and privacy.
- Mobile IP is another standard that attempts to solve some of the problems of wireless and other intermittently connected networks.
- Mobile IP is a standards-based protocol that enables a mobile device to migrate its network point of attachment across homogeneous and heterogeneous network environments. This Internet Standard specifies protocol enhancements that allow routing of Internet Protocol (IP) datagrams (e.g., messages) to mobile nodes in the Internet. See for example Perkins, C., "IP Mobility Support", RFC 2002, October 1996.
- Mobile IP contemplates that each mobile node is always identified by its home address, regardless of its current point of attachment to the Internet. While situated away from its home, a mobile node is also associated with a "care-of address", which describes its current point of attachment to the Internet.
- The protocol provides for registering the care-of address with a home agent.
- The home agent sends datagrams destined for the mobile node through a "tunnel" to the care-of address. After arriving at the end of the tunnel, each datagram is delivered to the mobile node.
- Although Mobile IP provides useful techniques for remote connectivity, it is not yet widely deployed. This seems to be due to a variety of factors, at least one of which is that there continue to be unsolved problems or areas where the Mobile IP standard is lacking and further enhancement would be desirable. For example, even though security is now widely recognized as a very important aspect of mobile networking, the security components of Mobile IP are still directed at a limited set of problems, such as redirection attacks.
- Redirection attacks are a very real threat in any mobility system.
- A redirection attack can occur when a malicious node gives false information to a home agent in a Mobile IP network (sometimes by simply replaying a previously captured registration message). This is similar to someone filing a false "change of address" form with the Post Office so that all your mail goes to someone else's mailbox.
- The home agent is informed that the mobile node has a new care-of address. In reality, this new care-of address is controlled by the malicious node. After the false registration is accepted, all IP datagrams addressed to the mobile node are redirected to the malicious node.
- Mobile IP provides a mechanism to prevent redirection attacks: registration messages carry an authentication extension computed with a key shared between the mobile node and its home agent, together with an identification field that protects against replay.
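The registration exchange and the two ways an attacker abuses it, as an added example that is not part of the patent or of any Mobile IP implementation: a constructed home agent keeps a binding table and accepts a Registration Request only if its authenticator verifies under the key shared with that mobile node and its Identification field is newer than the last one accepted. RFC 2002's default authenticator is keyed MD5 and its Identification field is a 64-bit timestamp or nonce; this example substitutes HMAC-SHA256 and a plain counter, and the addresses, keys and field layout are assumptions.

```python
import hashlib
import hmac
import struct

# Constructed mobility security associations: home address -> key shared
# between the mobile node and its home agent (values are made up).
SHARED_KEYS = {"10.0.0.5": b"mn-ha-shared-secret"}


def authenticator(key, home_addr, care_of, identification):
    """Keyed digest over the registration fields (stand-in for RFC 2002's
    Mobile-Home Authentication Extension, which defaults to keyed MD5)."""
    data = home_addr.encode() + care_of.encode() + struct.pack("!Q", identification)
    return hmac.new(key, data, hashlib.sha256).digest()


def build_registration(key, home_addr, care_of, identification):
    """Registration Request as sent by a mobile node (or replayed/forged by an attacker)."""
    return {
        "home": home_addr,
        "care_of": care_of,
        "id": identification,
        "auth": authenticator(key, home_addr, care_of, identification),
    }


class HomeAgent:
    def __init__(self, keys):
        self.keys = keys
        self.bindings = {}   # home address -> current care-of address
        self.last_id = {}    # home address -> highest Identification accepted so far

    def register(self, req):
        """Return (accepted, reason); the binding table changes only on acceptance."""
        key = self.keys.get(req["home"])
        if key is None:
            return False, "no security association"
        expected = authenticator(key, req["home"], req["care_of"], req["id"])
        if not hmac.compare_digest(expected, req["auth"]):
            return False, "bad authenticator"
        # Replay protection: a captured request reuses an old Identification value.
        if req["id"] <= self.last_id.get(req["home"], -1):
            return False, "replayed or stale identification"
        self.last_id[req["home"]] = req["id"]
        self.bindings[req["home"]] = req["care_of"]
        return True, "binding updated"

    def tunnel_destination(self, home_addr):
        """Where datagrams for this home address are currently tunnelled."""
        return self.bindings.get(home_addr, home_addr)


def demo():
    ha = HomeAgent(SHARED_KEYS)
    key = SHARED_KEYS["10.0.0.5"]
    # The mobile node registers from its first care-of address...
    first = build_registration(key, "10.0.0.5", "192.0.2.77", 1000)
    r_first = ha.register(first)
    # ...then roams and registers from a second one.
    r_roamed = ha.register(build_registration(key, "10.0.0.5", "203.0.113.20", 1001))
    # Attacker on the old network replays the captured first request to pull
    # traffic back to 192.0.2.77 (the "false change-of-address form").
    r_replay = ha.register(first)
    # Attacker without the shared key forges a registration to its own address.
    r_forged = ha.register(build_registration(b"wrong-key", "10.0.0.5", "198.51.100.9", 5000))
    return {
        "first": r_first,
        "roamed": r_roamed,
        "replay": r_replay,
        "forged": r_forged,
        "tunnel_to": ha.tunnel_destination("10.0.0.5"),
    }


if __name__ == "__main__":
    for k, v in demo().items():
        print(k, v)
```

Without the authenticator check the forged request would succeed; without the identification check the replay would succeed and datagrams would be tunnelled to 192.0.2.77 after the node has left it. Note what this does and does not buy: it protects the binding only, and does nothing for the confidentiality or integrity of the tunnelled datagrams themselves, which is the gap the following paragraphs describe.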
- Mobile IP does not, however, provide a comprehensive security solution covering mobile computing capabilities such as:
- Mobile IP is sometimes implemented as a "bump" in the TCP/IP protocol stack, replacing components of the existing operating system environment. An example of such an architecture is shown in prior art Figure 1.
- A Mobile IP module sits below the regular TCP/IP protocol stack components and manages the transitions from one network to another.
- Additions or modifications to existing core network infrastructure entities (home agents, foreign agents) are needed to support nomadic or migratory computing. The need for such modifications makes widespread implementation difficult and causes problems in terms of maintainability and compatibility.
- VPNs are common on both wired and wireless networks. Generally, they connect network components and resources through a secure protocol tunnel so that devices connected to separate networks appear to share a common, private backbone. VPNs accomplish this by allowing the user to "tunnel" through the wireless network or other public network in such a way that the tunnel participants enjoy at least the same level of confidentiality and features as when they are attached to a private wired network.
- Cryptographic methods are used to establish and authenticate the identity of the tunnel participants. For the duration of the VPN connection, information traversing the tunnel is encrypted to provide privacy.
- VPNs provide an end-to-end security overlay for two nodes communicating over one or more insecure networks. VPN functionality at each node supplies authentication and privacy in case other network security is breached or does not exist.
- VPNs have been widely adopted in a variety of network contexts, for example allowing a user to connect to his or her office local area network via an insecure home Internet connection. Such solutions can offer strong encryption such as AES (the Advanced Encryption Standard), compression, and link optimizations that reduce protocol chattiness.
- However, many or most VPNs do not let users roam between subnets or networks without "breaking" the secure tunnel, and do not permit transport, security and application sessions to remain established during roaming.
- Another potential stumbling block is conventional operating systems, not all of which are compatible with the protection offered by existing wireless VPNs.
- Mobile IP operates at the network layer and therefore does not generally provide session persistence or resilience. If the mobile node is out of range or suspended for even a reasonably short period of time, established network sessions are likely to be dropped. This presents severe problems in terms of usability and productivity. Session persistence is desirable because it lets the user keep the established session and VPN tunnel connected even if a coverage hole is entered during an application transaction.
- Industry analysts and the Wireless Ethernet Compatibility Alliance recommend that enterprises deploy VPN technology that directly addresses the security problem and also provides advanced features such as network and subnet roaming, session persistence for intermittent connections, and battery life management for mobile devices.
- VPN solutions should support standard encryption algorithms and wireless optimizations suitable for today's smaller wireless devices, and should require no or minimal modification to existing infrastructure.
- IPSec (Internet Protocol Security) is a framework for ensuring private, secure communications over Internet Protocol (IP) networks through the use of cryptographic security services.
- The IPSec suite of cryptography-based protection services and security protocols provides computer-level and user-level authentication, message authentication, data encryption, data integrity checks, and message confidentiality.
- IPSec capabilities include cryptographic key exchange and management, header authentication (AH), hash-based message authentication (HMAC), the Encapsulating Security Payload (ESP) protocol, Triple DES and AES encryption, and other features.
- IPSec provides a transport mode that protects only the message payload, and a tunnel mode that protects the entire original packet, including its header and routing information, inside a new outer IP header.
- IPSec uses policy-based administration: IPSec policies, rather than application programming interfaces (APIs), are used to configure IPSec security services. The policies provide variable levels of protection for most traffic types in most existing networks.
- IPSec is commonly used in firewalls, authentication products and VPNs. Microsoft has implemented IPSec as part of its Windows 2000 and Windows XP operating systems.
- IPSec's tunnel mode is especially useful in creating secure end-to-end VPNs. IPSec VPNs based on public key cryptography provide secure end-to-end message authentication and privacy.
- IPSec endpoints maintain databases of cryptographic keys and security associations. Properly implemented, IPSec can provide private channels for exchanging sensitive data such as email, file downloads, news feeds, medical records, multimedia, or any other type of information.
- Firewalls performing ingress filtering discard packets that arrive on an externally facing interface but carry a source address belonging to the internal network. A mobile node away from home that sends packets using its home address (its internal network identity) therefore has its traffic dropped at the edge. This discarding is intended to protect the network behind the firewall from address-spoofing attacks.
- Ingress filtering thus forces Mobile IP traffic to be tunneled in both directions (reverse tunneling). See for example RFC 2356, "Sun's SKIP Firewall Traversal for Mobile IP", G. Montenegro and V. Gupta (June 1998).
- This invention solves this problem by transparently providing secure, persistent, roamable IP-based communications using conventional technologies such as IPSec and Microsoft or other operating system security functionality, while avoiding the commonly experienced ingress filtering problems. And unlike at least some implementations of Mobile IP, few if any changes are necessary to the underlying network infrastructure.
- Mobility Client functionality virtualizes the underlying network: applications running on the mobility client see at least one consistent virtual network identity (e.g. IP address) regardless of the client's actual point of attachment.
- The Mobility Server (MS) is the counterpart to the mobility client. When the client sends a request, the mobility server unwraps it and places it on the network as though the server were the client, thus acting as a proxy for the client.
- When a peer host sends a packet to the mobility client's virtual network identity, the packet is first received by the mobility server and is then transferred to the mobility client.
- The mobility server maintains a stable point of communication for the peer hosts while the mobility client is free to roam among networks as well as to suspend or roam out of range of any network.
- While the client is unreachable, the mobility server keeps the mobility client's sessions alive and queues requests for the mobility client. When the client returns, the mobility server and client transfer any queued data and communication resumes where it left off.
- Preferred exemplary non-limiting implementations thus offer wireless optimizations and network and application session persistence in the context of a secure VPN or other connection.
- Wireless optimizations allow data to be transmitted as efficiently as possible to make maximal use of existing bandwidth. The system can also switch automatically to the fastest network connection when multiple connections (Wi-Fi and GPRS, for example) are active.
- Network session persistence means that users do not have to repeat the login process when they move from one IP subnet to another, or when they go out of range of the network and return. Exemplary implementations automatically re-authenticate the connection every time users roam, without user intervention.
- Application session persistence means that standard network applications remain connected to their peers, preventing the loss of valuable user time and data.
- Such optimizations and persistence are provided in the context of a security architecture providing end-to-end security for authentication and privacy.
- Before data is transported between the network and a mobility client, the network ensures that the end user has the required permissions.
- A user establishes her identity by logging in to the mobility client using a conventional (e.g., Windows) domain user name and password. Single sign-on also gives users access to other domain resources such as file system shares.
- Once the user is authenticated, a communications path is established for transporting application data. Any number of different protocols (e.g., Common Internet File System, RADIUS, or others) can be used for user authentication.
- A mobility server can act as a Network Access Server (NAS) to secure an initial access negotiation that establishes the user's user name and password using conventional protocols such as EAP-MD5, LEAP, or another EAP method.
- Authentication in the exemplary non-limiting implementations provides user-specific passwords that can be used for policy management, allowing access and resource allocation on a per-user basis.
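The EAP-MD5 exchange named above for the initial access negotiation, as an added example that is not the patent's or any product's code: the mobility server in its NAS role issues a challenge and the client answers with MD5(Identifier || password || Challenge), the CHAP-style computation RFC 3748 specifies for EAP-MD5. The user database, password and wordlist are constructed, and the class and function names are this example's own. The second half shows why the page's insistence that this negotiation be secured matters: an eavesdropper who captures one exchange can test password guesses offline.

```python
import hashlib
import hmac
import os


def md5_challenge_response(identifier, password, challenge):
    """EAP-MD5 Response Value (RFC 3748 s.5.4, reusing CHAP from RFC 1994):
    MD5(Identifier || secret || Challenge). Identifier is the 1-octet EAP id."""
    return hashlib.md5(bytes([identifier]) + password + challenge).digest()


class NetworkAccessServer:
    """Mobility server acting as NAS. Constructed user database: identity -> password."""

    def __init__(self, user_db):
        self.user_db = user_db
        self.pending = {}  # identity -> (identifier, challenge) of the outstanding Request

    def challenge(self, identity, identifier):
        chal = os.urandom(16)           # fresh challenge per Request
        self.pending[identity] = (identifier, chal)
        return identifier, chal

    def verify(self, identity, identifier, response):
        """True only if the Response matches the outstanding challenge for this identity."""
        if identity not in self.pending:
            return False
        exp_identifier, chal = self.pending.pop(identity)   # one attempt per challenge
        password = self.user_db.get(identity)
        if exp_identifier != identifier or password is None:
            return False
        expected = md5_challenge_response(identifier, password, chal)
        return hmac.compare_digest(expected, response)


def offline_guess(identifier, challenge, response, wordlist):
    """What an eavesdropper does with one captured exchange: no interaction with
    the NAS is needed, so lockout and rate limiting never come into play."""
    for candidate in wordlist:
        if md5_challenge_response(identifier, candidate, challenge) == response:
            return candidate
    return None


def demo():
    nas = NetworkAccessServer({"alice": b"Winter2002!"})      # constructed credentials
    # Legitimate exchange.
    ident, chal = nas.challenge("alice", identifier=7)
    resp = md5_challenge_response(ident, b"Winter2002!", chal)
    authenticated = nas.verify("alice", ident, resp)
    # Wrong password against a fresh challenge.
    ident2, chal2 = nas.challenge("alice", identifier=8)
    wrong = nas.verify("alice", ident2, md5_challenge_response(ident2, b"guess", chal2))
    # Replay of the first (already consumed) response is refused.
    replayed = nas.verify("alice", ident, resp)
    # Eavesdropper who captured (ident, chal, resp) tries a constructed wordlist offline.
    recovered = offline_guess(ident, chal, resp, [b"password", b"Summer2002!", b"Winter2002!"])
    return {"authenticated": authenticated, "wrong_password": wrong,
            "replayed": replayed, "recovered": recovered}


if __name__ == "__main__":
    print(demo())
```

EAP-MD5 authenticates only the client, so the client cannot tell a rogue NAS or access point from the real one, and the captured exchange is enough for a dictionary attack on the user's domain password. Run it only inside the IPSec-protected channel the page describes, or prefer an EAP method that authenticates the server.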
- Exemplary non-limiting implementations can be easily integrated with IPSec or other security features in conventional operating systems such as Windows NT and Windows 2000. This allows access to conventional VPN and other proven secure connection technology.
- IPSec policies can be assigned through the group policy feature of Active Directory, for example. This allows IPSec policy to be assigned at the domain or organizational unit level, reducing the administrative overhead of configuring each computer individually.
- An on-demand security negotiation and automatic key management service can also be provided using the conventional IETF-defined Internet Key Exchange (IKE) as specified in RFC 2409.
- Such exemplary implementations can provide IETF standards-based authentication methods to establish trust relationships between computers using public key certificates and/or passwords such as preshared keys. Integration with conventional standards-based security features such as public key infrastructure gives access to a variety of security solutions including secure mail, secure web sites, secure web communications, smart card logon, IPSec client authentication, and others.
- Illustrative exemplary embodiments can be cognizant of changes in network identity, and can selectively manage transitions in network connectivity, possibly resulting in the termination and/or (re)instantiation of IPSec security sessions between communicating entities over at least one of a plurality of network interfaces. Exemplary illustrative embodiments also provide for the central management, distribution, and/or execution of policy rules for the establishment and/or termination of IP security sessions, as well as other parameters governing the behavior for granting, denying and/or delaying the consumption of network resources.
- Roamable IPSec allows an IPSec tunnel to roam automatically with mobile computing devices wherever they go, based on the recognized IPSec security standard.
- Roamable IPSec enables seamless roaming across any physical or electronic boundary with the authentication, integrity and encryption of IPSec. It provides a standards-based solution giving mobile and remote users VPN-level security and encryption in an IPSec tunnel that roams with wireless users wherever they go and however they access their enterprise data.
- The mobility server can instantiate at least one of a possible plurality of IP Security sessions between itself and an ultimate peer on behalf of a mobility client, establishing and maintaining those IP Security sessions between the mobility server and the ultimate communications peer even during periods when the mobility client is unreachable.
- The mobility server can likewise terminate IP Security sessions between itself and the ultimate communications peer based on, but not limited to, link inactivity, application session inactivity, or termination of a communications endpoint.
- The result is a mobility security solution that starts at the mobile device and provides both secure user authentication and, when needed, secure data encryption, and that avoids the need for single-vendor solutions not based on industry-wide, open standards.
- The secure VPN is extendable to a variety of different public data networks having different configurations (e.g., Wi-Fi network hotspots, wide-area wireless services such as CDPD or GPRS, etc.) and is dynamically controllable by the network administrator.
- Secure transport and application session persistence works within existing network security so the network is not compromised, and is compatible with a variety of conventional security protocols including, for example, RADIUS (Remote Authentication Dial-In User Service), Kerberos, Public Key Infrastructure (PKI), and Internet Protocol Security (IPSec).
- The computing environment and the applications do not need to change: mobility is there to use, but its use is transparent to the user and to the applications.
- Compatible VPNs include, for example, PPTP, L2TP/IPSec, native IPSec, and Nortel, Cisco and other vendors' VPN products.
- Figure 1 shows an exemplary illustrative prior art Mobile IP client architecture;
- Figure 2 shows an exemplary illustrative prior art IPSec and Mobile IP architecture;
- Figure 3 shows exemplary illustrative network protocol enveloping that may be used to meet the security policies required to allow network traffic to flow from a mobile node to a foreign agent, through policy enforcement equipment (e.g. a firewall) to the home agent, and then to another communications end point;
- Figure 4 shows an example mobility architecture in accordance with a presently preferred exemplary illustrative non-limiting embodiment of the present invention;
- Figures 5 and 5A-5F show illustrative usage scenarios;
- Figure 5G shows an exemplary client-server architecture;
- Figure 6 shows an example simplified prior art operating system security architecture;
- Figure 7 shows the example illustrative Figure 6 architecture modified to provide secure transparent illustrative mobility functionality;
- Figure 8 shows an example illustrative run time linking sample;
- Figure 9 shows example illustrative client policy agent hooking;
- Figure 10 shows an example illustrative server architecture.
DETAILED DESCRIPTION OF EXEMPLARY NON-LIMITING
- FIG. 4 shows an exemplary overall illustrative non-limiting mobility architecture.
- The example mobility architecture includes a mobility client (MC) and a mobility server (MS).
- The mobility client may be, for example, any sort of computing device such as a laptop, a palmtop, a Pocket PC, a cellular telephone, a desktop computer, or any of a variety of other appliances having remote connectivity capabilities.
- In the exemplary embodiment, mobility client MC comprises a computing-capable platform running the Microsoft Windows 2000/XP operating system with its security (for example, IPSec) functionality, but other implementations are also possible.
- The system shown is scalable and can accommodate any number of mobility clients and mobility servers.
- Mobility client MC may be coupled to a network such as the Internet, a corporate LAN or WAN, an intranet, or any other computer network. Such coupling can be wireless, via a radio communications link such as a cellular telephone network or any other wireless radio or other communications link. In some embodiments, mobility client MC may be only intermittently coupled to the network.
- The system shown is not, however, limited to wireless connectivity; wired connectivity can also be supported, for example for computing devices that are intermittently connected to a wired network. The wireless or other connectivity can be in the context of a local area network, a wide area network, or other network.
- Mobility client MC communicates with the network using Internet Protocol (IP) or another suitable protocol over at least one of a plurality of possible network interfaces. Mobility server MS is also connected to the network over at least one of a plurality of possible network interfaces, and may communicate with one or more peers or other computing devices.
- The exemplary Figure 4 architecture allows mobility client MC to communicate securely with the peer hosts via the communications link, the network and/or the mobility server MS.
- The Figure 4 mobility server maintains the state of each mobile device and handles the session management required to maintain continuous connections to network applications. It maintains the connection to the network host by acknowledging receipt of data and queuing requests.
- The exemplary mobility server also manages network addresses for the mobile devices. Each mobile device has a virtual address on the network and a point-of-presence address. A standard protocol (e.g., DHCP) or static assignment determines the virtual address. The point-of-presence address of a mobile device changes when the device moves from one subnet to another, while the virtual address stays constant for as long as its connections are active.
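A constructed model of the mobility server described in the preceding sections (the proxy that speaks on the network as the client, the virtual versus point-of-presence addressing, the queue held while the client is unreachable, and the edge firewall's ingress filtering that forces the client to encapsulate), added here as an example and not taken from the patent or any product. Addresses, client names, payloads and the class and method names are this example's own; the client's encapsulated traffic is represented as an outer source (its current POP address) plus an inner source (its virtual address) rather than as real IP headers, and the IPSec protection of that channel is abstracted into a single credential check.

```python
from collections import deque

INTERNAL_NET = "10.0."   # enterprise address prefix (constructed)
MS_ADDR = "10.0.0.1"     # mobility server's address inside the enterprise (constructed)


def ingress_filter(outer_src, iface):
    """Edge firewall rule from RFC 2356's problem statement: a packet arriving on the
    external interface with an internal source address is discarded."""
    if iface == "external" and outer_src.startswith(INTERNAL_NET):
        return False
    return True


class MobilityServer:
    def __init__(self):
        self.vaddr = {}        # client -> virtual address (stable while sessions live)
        self.pop = {}          # client -> current point-of-presence address, None if unreachable
        self.authed = set()    # clients whose credentials have been verified
        self.queue = {}        # client -> deque of (peer, payload) held while unreachable
        self.network = []      # packets the server placed on the enterprise network as the client
        self.delivered = []    # (client, pop, peer, payload) forwarded to the client

    def register(self, client, vaddr):
        self.vaddr[client] = vaddr
        self.pop[client] = None
        self.queue[client] = deque()

    def authenticate(self, client, pop, credential_ok):
        """Initial login and every re-authentication after a roam; binds the new POP
        address only on success and then flushes anything queued for the client."""
        if not credential_ok:
            self.authed.discard(client)
            return False
        self.authed.add(client)
        self.pop[client] = pop
        self._flush(client)
        return True

    def lost(self, client):
        """Client went out of range or suspended; sessions are kept, delivery is deferred."""
        self.pop[client] = None

    def from_client(self, client, outer_src, iface, inner_src, peer, payload):
        """Encapsulated packet from a client: outer source is its POP address,
        inner source must be the virtual address the server issued to it."""
        if not ingress_filter(outer_src, iface):
            return "dropped by ingress filter"
        if client not in self.authed or self.pop[client] != outer_src:
            return "rejected: unauthenticated"
        if inner_src != self.vaddr[client]:
            return "rejected: inner source is not the client's virtual address"
        self.network.append((inner_src, peer, payload))   # proxied onto the network as the client
        return "proxied"

    def from_peer(self, dst_vaddr, peer, payload):
        """Peer traffic addressed to a virtual address lands here first."""
        clients = [c for c, v in self.vaddr.items() if v == dst_vaddr]
        if not clients:
            return "no such virtual address"
        client = clients[0]
        if client not in self.authed or self.pop[client] is None:
            self.queue[client].append((peer, payload))
            return "queued"
        self.delivered.append((client, self.pop[client], peer, payload))
        return "delivered"

    def _flush(self, client):
        while self.queue[client]:
            peer, payload = self.queue[client].popleft()
            self.delivered.append((client, self.pop[client], peer, payload))


def demo():
    ms = MobilityServer()
    ms.register("laptop", "10.0.5.20")
    r = {}
    # Un-encapsulated packet carrying the internal virtual address as source, seen on
    # the external interface: the edge drops it before the server ever sees it.
    r["raw_internal_src"] = ms.from_client("laptop", "10.0.5.20", "external", "10.0.5.20", "10.0.9.1", b"GET")
    # Encapsulated, but the client has not authenticated yet.
    r["before_auth"] = ms.from_client("laptop", "192.0.2.10", "external", "10.0.5.20", "10.0.9.1", b"GET")
    ms.authenticate("laptop", "192.0.2.10", credential_ok=True)
    r["after_auth"] = ms.from_client("laptop", "192.0.2.10", "external", "10.0.5.20", "10.0.9.1", b"GET")
    # An authenticated client still cannot speak as some other virtual address.
    r["spoof"] = ms.from_client("laptop", "192.0.2.10", "external", "10.0.5.99", "10.0.9.1", b"GET")
    # Client enters a dead spot; the peer's replies are held, not dropped.
    ms.lost("laptop")
    r["reply_while_lost"] = ms.from_peer("10.0.5.20", "10.0.9.1", b"200 OK part 1")
    ms.from_peer("10.0.5.20", "10.0.9.1", b"200 OK part 2")
    # Client reappears on another subnet, re-authenticates, and the queue drains to the new POP.
    ms.authenticate("laptop", "203.0.113.5", credential_ok=True)
    r["delivered"] = [(pop, payload) for (_, pop, _, payload) in ms.delivered]
    return r


if __name__ == "__main__":
    for k, v in demo().items():
        print(k, v)
```

Two checks in the model are the ones worth carrying into a real deployment: the server binds a client's traffic to the POP address it authenticated from, so a packet from elsewhere is not accepted just because it names a known client, and it refuses any inner source other than the virtual address it issued, so an authenticated client cannot use the proxy to inject traffic as another internal host.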
- This illustrative arrangement works with standard transport protocols such as TCP/IP: intelligence on the mobile device and the mobility server ensures that an application running on the mobile device remains in sync with its server.
- The mobility server also provides centralized system management through console applications and exhaustive metrics. A system administrator can use these tools to configure and manage remote connections, troubleshoot problems, and conduct traffic studies.
- The mobility server also, in the exemplary embodiment, manages the security of data that passes between it and the mobile devices over the public airwaves or a wireline network. The server provides a firewall function by giving only authenticated devices access to the network, and can also certify and optionally encrypt all communications between the server and the mobile device.
- Tight integration with Active Directory or another directory/name service provides centralized user policy management for security.
- the Figure 4 architecture can be applied in any or all of a large and varying number of situations including but not limited to the exemplary situations shown in Figure 5 (for brevity and clarity sake, example embodiments are described using a single network point of attachment but it will be appreciated and understood that the current invention is not to be limited to such scope and application):
- the mobility client (depicted as a laptop computer for purposes of illustration) is shown inside a corporate or other firewall, and is shown connected to a wireless LAN (WLAN) having an access point.
- WLAN wireless LAN
- a private wireless network is connected to a wireline network through the mobility server. All application traffic generated on or destined for the wireless network is secured, and no other network traffic is bridged or routed to the wireless network.
- the system can be further configured to allow only mobility traffic to be processed by the mobility server on the wireless network.
- the mobility client is authenticated to the mobility server. Packets flow normally between the mobility client and the mobility server, and the communication channel between the mobility client and the mobility server is protected using the conventional IPSec security protocol.
- the mobility client has moved into a dead-spot and lost connectivity with the network.
- the mobility server maintains the mobility client's network applications sessions during this time.
- the client's sessions could have been dropped because Mobile IP does not offer session persistence.
- the mobility client has moved back into range of the corporate network on a different subnet.
- the mobility client acquires a new point-of-presence (POP) address on the new subnet, negotiates a new secure channel back to the mobility server using IPSec, reauthenticates with the mobility server, and resumes the previously suspended network sessions without intervention from the user and without restarting the applications.
- the mobility client has left the corporate network and roamed into range of public networks.
- the mobile client at location 4 shown in Figure 5 is shown in range of a conventional Wireless Wide Area Network (WWAN) wireless tower, and the mobile client at location 5 shown in Figure 5 is shown in range of a Wi-Fi or other wireless access point "hot spot" such as found in an airport terminal, conference center, coffee house, etc.
- the wireless technology used for the public network need not be the same as that used inside the enterprise - since the illustrative system provides for secure roaming across heterogeneous networks.
- the mobility client's traffic must now pass through a corporate or other firewall.
- the firewall can be configured to pass IPSec traffic intended for the mobility server and/or the mobility client can be configured to use an IPSec session to the firewall. Either solution can be implemented without end-user interaction, although intervention is possible.
- mobility devices are connected to a diverse, public wide area network.
- the enterprise is also connected to the public network through a conventional firewall.
- the firewall is, in the exemplary embodiment, modified to allow mobility connections, specifically to the address of the mobility server. The connections are then protected by conventional security protocols such as IPSec.
- Traffic from the public to the private network that is not destined for the correct port is denied using conventional firewall rules.
- the firewall rules can specify either the domain ("allow access to 123.111.x:5008") or the addresses of particular mobility servers ("allow access to 123.111.22.3:1002 and 123.111.23.4:5008") - the latter approach being more secure.
- a single, multi-homed mobility server could be used to handle both the wired and wireless LAN traffic.
- a Network Address Translator may be used to reduce the number of public (routable) IP addresses required.
- in Figure 5C, a many-to-one relationship is provided so that mobile devices can use just one of two IP addresses instead of requiring one address each. Any traffic coming from the wireless LAN access points must preferably both satisfy the firewall rules and be cleared by the mobility server. With encryption enabled, this configuration protects the wired network while offering legitimate wireless users full, secure access to corporate data.
- Figure 5D shows an example configuration that allows users to roam securely across different networks both inside and outside of the corporate firewall. The mobility server sits behind the firewall.
- when the mobility client is inside the corporate firewall, connected to the wireless LAN (WLAN), and has been authenticated to the mobility server, packets flow normally and the communication channel between the mobile device and the mobility server (mobile VPN) is protected using IPSec.
- the Public Key Infrastructure, passwords and/or any other desired mechanism can be used to perform the key exchange for the IPSec tunnel.
- WLAN access points inside the firewall can be configured to filter all protocols except for a desired one (e.g., IPSec).
- the mobility server acts as a VPN protecting the data as it traverses the wireless network with IPSec encryption.
- the mobility server also acts as a firewall by preventing intruders from accessing the private network.
- when the mobile device (client) moves into range of the corporate network on a different subnet, it acquires a new point-of-presence (POP) address on the new subnet, negotiates a new secure channel back to the mobility server using IPSec, re-authenticates with the mobility server, and resumes the previously suspended application sessions - all without user intervention being required.
- the applications can continue to run and the TCP or other connections can be maintained during this network transition since the network transition is transparent to the applications and the mobility server proxies communications on behalf of the mobile device during times when it is unreachable.
- the Figure 5E illustrative network configuration extends the protection of an enterprise firewall to its mobile clients.
- the mobility client is configured to use a conventional L2TP/IPSec tunnel to the firewall.
- IPSec filters on the mobile client can be configured to pass only authenticated IPSec packets to the mobile client's transport protocol stack and reject all other packets.
- the corporate firewall can be configured to reject all packets except for authenticated IPSec packets for trusted clients; any control channels necessary to set up secure connections; and responses to packets that originate from within the firewall for specifically permitted Internet or other network services.
- the mobility server located behind the firewall acts as a transport-level, proxy firewall.
- the Figure 5F arrangement provides optimizations that enhance performance and reliability on slow and unreliable wireless networks.
- the Figure 5F system doesn't allow data to sit on an intermediate server in an unencrypted state.
- the Figure 5F architecture allows standard web protocols such as HTTP and TLS to be used for e-commerce or other transactions (the web traffic is treated as a payload).
- the encrypted data is forwarded to its final destination (e.g., the web server) where it can be processed in the same way it would be if two wired peers were performing the same transaction.
- the Figure 5F system provides seamless roaming between different networks and application session persistence while devices are suspended or out of range of a wireless base station. When combined with the illustrative system's support for public key infrastructure and/or other security mechanisms, those capabilities form a powerful mobile e-commerce platform.
- IPSec Standards-Based Security Framework
- the IPSec process of protecting frames can be broadly handled by three logically distinct functions. They are:
- In this illustrative example, the Policy Agent is responsible for the configuration and storage of the configured policy; however, it is the IPSec (privacy) module that actually acts upon the policy requested by the Policy Agent.
- the preferred exemplary illustrative system provides two different related but separated aspects:
- the first aspect handles IPSec from the mobility client to the firewall or the mobility server
- each of the mobile devices executes a mobility management software client that supplies the mobile device with the intelligence to intercept network activity and relay it (e.g., via a mobile RPC or other protocol) to mobility management server.
- the mobility management client generally works transparently with operating system features present on the mobile device to keep client-site application sessions active when contact is lost with the network.
- a new, mobile interceptor/redirector component is inserted at the conventional transport protocol interface of the mobile device software architecture.
- This mobile interceptor or redirector transparently intercepts certain calls at this interface and routes them (e.g., via RPC and Internet Mobility Protocols and the standard transport protocols) to the mobility management server over the data communications network.
- the mobile interceptor/redirector thus can, for example, intercept network activity and relay it to the server.
- the interceptor/redirector works transparently with operating system features to allow application sessions to remain active when the mobile device loses contact with the network.
- IPSec is a special case. Between the mobility client and the mobility server, or between the mobility client and a firewall, IPSec protects the packets using the point-of-presence (POP) address. Therefore, in one exemplary embodiment, to allow the existing IPSec infrastructure to operate normally, it should preferably remain informed of the current state of the network. We have therefore modified our previous design to inform IPSec of the change of network status (e.g., so it can negotiate an IPSec session when network connectivity is reestablished) while continuing to shield the networked application and the rest of the operating system from the temporary loss of network access.
- the IPSec module is responsible for filtering and protecting frames.
- the network stack first allows the IPSec module a chance to process the frame.
- the IPSec module applies whatever policies to the frame the Policy Agent requests for the corresponding network identity.
- when the Policy Agent requires the IPSec module to protect a frame but the IPSec module does not yet have the required security association (SA) with the peer in accordance with the requested policy, the IPSec module issues a request to the security negotiation/key management module (in this illustrative case the ISAKMP/IKE (Internet Security Association and Key Management Protocol/Internet Key Exchange) module) to establish one. It is the responsibility of the ISAKMP/IKE module in this illustrative system to negotiate the requested security association and alert the IPSec (privacy) module as to the progress/status of the security association. Once the security association has been successfully established, the IPSec module continues its processing of the original frame.
- the Policy Agent uses conventional Microsoft Winsock APIs (application programming interfaces) to monitor the state of the network and adjust its policies accordingly.
- the ISAKMP/IKE module also uses conventional Microsoft Winsock APIs to perform security association negotiation as well as track network state changes in one exemplary embodiment.
- the above techniques establish a secure IPSec session that is generally tied to a particular IP address and/or port and must be essentially continuous in order to be maintained, as is well known. If the secure session is temporarily interrupted (e.g., because of a lost or suspended connection or a roam) and/or if the IP address and/or port changes, IPSec will terminate it. Unless something is done, terminating the secure IPSec session will cause the mobile application to lose communication even if the network session continues to appear to remain in place.
- the preferred illustrative exemplary embodiment solves this problem by introducing functionality ensuring that IPSec is passed sufficient information to allow it to react to the secure session being lost while continuing to shield this fact from the application - and by allowing IPSec to (re)negotiate a secure session once the network connectivity is reestablished using the same or different IP address or port number - all transparently to the networked application.
- the exemplary illustrative application is not adversely affected by termination of a previous security session and the establishment of a new one, just as the application is not adversely affected by access to the previous network being terminated and then reestablished (or, in the case of roaming, by a new network with a new network identity being provisioned in its place).
- the mobility server during such interruptions continues to proxy communications with the peer(s) the mobile device is communicating with so that network application sessions are maintained and can pick up where they left off before the interruption occurred.
- Mobility client-side and server-side support each have different requirements. Therefore the architectures are different in the exemplary illustrative embodiment.
- the block diagram of an exemplary client architecture is shown in Figures 5G and 7. Note that as compared to conventional Figure 6, we have added two additional components:
- the network-virtualizing component virtualizes the underlying client module network while selectively allowing the core operating system's IPSec infrastructure to continue to be informed about network state changes.
- the Policy Agent Hooking component "hooks" certain Policy Agent functions and redirects such processing to the network-virtualizing component so that the normal function of IPSec can be somewhat modified.
- the network-virtualizing component uses the services of the existing networking stack and is the layer responsible for virtualizing the underlying client module network. It also initiates and maintains the connection with the mobility server.
- the network-virtualizing component intercepts the request and returns at least one of a possible plurality of the mobility client's virtual network identities (e.g., virtual IP addresses).
- the client architecture should preferably allow the associated IPSec modules to see and track the current point of presence (POP) network address(es). Therefore, in the exemplary embodiment, if a request for the list of network addresses is issued and the request originated in the IPSec process, the network-virtualizing module passes the request along to the inherent network stack without any filtering or modification. Therefore, both the Policy Agent (e.g., polagent.dll in Windows 2000, ipsecsvc.dll in Windows XP) and the ISAKMP/IKE module are kept abreast of the mobility client's current POP address(es).
- the network-virtualizing module also tracks address changes. Without this component, the network stack would normally inform any associated applications of address list changes through the conventional application-programming interface, possibly by terminating the application communications end point. In the Microsoft operating systems, for example, this responsibility is normally tunneled through the conventional Winsock module, which in turn would then inform any interested network applications of the respective changes.
- the Policy Agent registers interest with Winsock (e.g., using the SIO_ADDRESS_LIST_CHANGE IOCTL via the conventional WSAIoctl function) and waits for the associated completion of the request.
- the Policy Agent may also be event driven and receive asynchronous notification of such network state changes.
- the Policy Agent also registers with Winsock a notification event for signaling (e.g., on FD_ADDRESS_LIST_CHANGE via the WSAEventSelect function).
- the Policy Agent retrieves the current list of addresses, adjusts its policies accordingly and updates the associated policy administration logic. It further informs the Security Negotiation/Key Exchange module, in this case the ISAKMP/IKE module, of the associated state change.
- the security negotiation/key exchange (ISAKMP/IKE) module updates its list of open connection endpoints for subsequent security association (SA) negotiations.
- Winsock and associated applications are normally not allowed to see address list changes since this may disrupt normal application behavior and is handled by the network-virtualizing component. Therefore, in the preferred exemplary embodiment, another mechanism is used to inform the Policy Agent of changes with respect to the underlying network. To fulfill this requirement in the illustrative embodiment, the services of the Policy Agent Hooking module (nmplagnt) are employed.
- the illustrative embodiment employs the facilities of a hooking module (nmplagnt), and inserts the code into the policy administration, security negotiation, and key management (Policy Agent/ISAKMP/IKE) process(es) that are provided as part of the core operating system.
- hooking only certain functions of the Policy Agent module to this redirected code is accomplished via a combination of manipulating the Import Address Table (IAT) together with the use of a technique known as code injection. Injection of the redirected functions is accomplished with the help of conventional operating system APIs (e.g.
- the hooking technique in the illustrative embodiment takes advantage of the way in which Microsoft Windows itself performs dynamic run-time linking.
- Microsoft Windows supports, and uses extensively, Dynamic Link Libraries (DLLs).
- a process is able to link to code at run-time.
- To call a function in a dynamically linked library, the caller must know the location (address) of the specific function in the DLL. It is the operating system's responsibility to resolve the linkage between the code modules; this is accomplished via an exchange of formatted tables present in both the caller's and the callee's run-time code modules.
- the dynamic library being called contains an Export Address Table (EAT).
- the Export Address Table contains the information necessary to find the specifically requested function(s) in the dynamic library.
- the module requesting the service has both an Import Lookup Table (ILT) and an Import Address Table (IAT).
- the Import Lookup Table contains information about which dynamic libraries are needed and which functions in each library are used.
- the core operating system scans the associated Import Lookup Table for any dynamic libraries the module depends on and loads those DLLs into memory.
- the requesting module's Import Address Table is updated by the operating system with the address (location) of each function that may be accessed in each of the dynamically loaded libraries.
- the nmplagnt module hooks the Policy Agent's calls to the conventional Microsoft Windows Winsock functions WSASocket, WSAIoctl, WSAEventSelect, closesocket, and WSACleanup.
- when the Policy Agent module attempts to register for notification of address changes, the request is redirected to the network-virtualizing component.
- the network-virtualizing component by design is aware of changes in network attachment. When it detects a change to the point of presence address, it sends the appropriate notifications to the Policy Agent module. In the illustrative embodiment, this causes the Policy Agent module to query for the current address list.
- Figure 8 is an example of how in the illustrative embodiment a single function from a single DLL might be linked into a calling process.
- the operating system searched the ILT, found a need for target.dll, loaded target.dll into app.exe's address space, located TargetFunc in target.dll's EAT, and fixed up app.exe's IAT entry to point to TargetFunc in target.dll.
- the stub function will call through the IAT to the imported TargetFunc.
- the preferred exemplary embodiment is able to hook its target functions simply by replacing the corresponding entry for each function in the IAT as shown in Figure 9. This also has the advantage of localizing the hooking. Only the calls made by the requesting module in the target process are hooked. The rest of the system continues to function normally.
- the address of the LoadLibrary function was determined in step 2.
- the data bytes at label targetlibraryname will vary depending on the name of the module being loaded, where the corresponding module is located, and the operating system environment.
- the nmplagnt module has been injected into the policy administration, security negotiation, and key management (Policy Agent/ISAKMP/IKE) process(es) where it is able to redirect the processing of the needed function calls.
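As an added illustration (not code from the patent or from the product it describes), the following portable C model shows the two client-side behaviours described above together: the hook replaces only the Policy Agent's own import-table slot for WSAIoctl, and the redirected function answers address-list requests with the real point-of-presence addresses when they come from the IPSec process but with the virtual identity otherwise, while address-change registrations are captured by the virtualizing component and replayed to the Policy Agent on a roam. The array standing in for the IAT, the ioctl codes, the caller identities and all addresses are constructed for the example, not Windows structures.

```c
#include <stdio.h>
#include <string.h>

/* Portable model of the client-side hooking described above. The IAT is a plain
 * array standing in for the real Import Address Table; addresses, ioctl codes and
 * caller identities are constructed for the example. */
enum caller { CALLER_APP = 0, CALLER_POLICY_AGENT = 1, CALLER_IKE = 2 };
enum ioctl_code { IOCTL_ADDRESS_LIST = 1, IOCTL_ADDRESS_LIST_CHANGE = 2 }; /* stand-ins */
#define MAX_ADDRS 4
#define MAX_WAITERS 8

typedef int (*ioctl_fn)(enum caller who, enum ioctl_code code, const char **out, int max);
struct iat_entry { const char *name; ioctl_fn fn; }; /* one simulated IAT slot */

static const char *pop_addrs[MAX_ADDRS] = { "192.168.1.20" }; /* real POP list (constructed) */
static int pop_count = 1;
static const char *virtual_addrs[MAX_ADDRS] = { "10.1.1.2" }; /* virtual identity (constructed) */
static int virtual_count = 1;
static int stack_registrations;               /* change registrations the stack itself saw */
static enum caller nv_waiters[MAX_WAITERS];   /* waiters held by the virtualizing component */
static int nv_waiter_count;

static int copy_list(const char **dst, int max, const char **src, int n) {
    if (n > max) n = max;
    for (int i = 0; i < n; i++) dst[i] = src[i];
    return n;
}

/* The inherent stack's WSAIoctl: reports POP addresses and accepts change registrations. */
static int stack_ioctl(enum caller who, enum ioctl_code code, const char **out, int max) {
    (void)who;
    if (code == IOCTL_ADDRESS_LIST) return copy_list(out, max, pop_addrs, pop_count);
    if (code == IOCTL_ADDRESS_LIST_CHANGE) { stack_registrations++; return 0; }
    return -1;
}

static ioctl_fn original_ioctl; /* saved by the hook so it can pass requests through */

/* Replacement installed in the Policy Agent's WSAIoctl slot (the nmplagnt role). */
static int virtualized_ioctl(enum caller who, enum ioctl_code code, const char **out, int max) {
    int ipsec_process = (who == CALLER_POLICY_AGENT || who == CALLER_IKE);
    if (code == IOCTL_ADDRESS_LIST) {
        /* The IPSec process must track the real POP address(es): pass through unfiltered. */
        if (ipsec_process) return original_ioctl(who, code, out, max);
        return copy_list(out, max, virtual_addrs, virtual_count); /* others see virtual only */
    }
    if (code == IOCTL_ADDRESS_LIST_CHANGE) {
        /* Redirected to the virtualizing component, never to the stack. Applications are
         * shielded from address changes, so only the IPSec process is remembered. */
        if (ipsec_process && nv_waiter_count < MAX_WAITERS) nv_waiters[nv_waiter_count++] = who;
        return 0;
    }
    return original_ioctl(who, code, out, max);
}

/* Hook one import by overwriting its IAT slot; only this table (this process) changes. */
static int hook_iat(struct iat_entry *tbl, int n, const char *name, ioctl_fn hook) {
    for (int i = 0; i < n; i++)
        if (strcmp(tbl[i].name, name) == 0) { original_ioctl = tbl[i].fn; tbl[i].fn = hook; return 1; }
    return 0;
}

static ioctl_fn iat_lookup(const struct iat_entry *tbl, int n, const char *name) {
    for (int i = 0; i < n; i++) if (strcmp(tbl[i].name, name) == 0) return tbl[i].fn;
    return NULL;
}

/* Simulated IATs: the Policy Agent process (hook target) and an unrelated process. */
static struct iat_entry policy_agent_iat[] = { { "WSAIoctl", stack_ioctl } };
static struct iat_entry other_app_iat[]    = { { "WSAIoctl", stack_ioctl } };

/* The client roams to a new POP address. The virtualizing component notifies its
 * IPSec-process waiters; a notified Policy Agent re-queries the list through its
 * (hooked) import. Returns how many re-queries saw the new POP address. */
static int roam_to(const char *new_pop) {
    int requeries = 0;
    pop_addrs[0] = new_pop;
    pop_count = 1;
    for (int i = 0; i < nv_waiter_count; i++) {
        const char *list[MAX_ADDRS];
        ioctl_fn fn = iat_lookup(policy_agent_iat, 1, "WSAIoctl");
        if (nv_waiters[i] != CALLER_POLICY_AGENT) continue;
        if (fn(CALLER_POLICY_AGENT, IOCTL_ADDRESS_LIST, list, MAX_ADDRS) > 0 &&
            strcmp(list[0], new_pop) == 0) requeries++;
    }
    return requeries;
}

int main(void) {
    const char *list[MAX_ADDRS];
    hook_iat(policy_agent_iat, 1, "WSAIoctl", virtualized_ioctl);
    ioctl_fn fn = iat_lookup(policy_agent_iat, 1, "WSAIoctl");
    fn(CALLER_POLICY_AGENT, IOCTL_ADDRESS_LIST_CHANGE, NULL, 0);
    fn(CALLER_APP, IOCTL_ADDRESS_LIST, list, MAX_ADDRS);
    printf("application sees %s\n", list[0]);
    printf("other process slot unchanged: %d\n", iat_lookup(other_app_iat, 1, "WSAIoctl") == stack_ioctl);
    printf("roam notified %d Policy Agent waiter(s)\n", roam_to("172.16.5.9"));
    return 0;
}
```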
- the executable code responsible for adding these components to the operating environment can be provided to the mobile device via storage on a storage medium (e.g., optical disk) and/or by downloading over the network.
- FIG. 10 shows an exemplary server architecture.
- the mobility server MS can also be based on a Windows 2000/XP (or any other) operating system.
- a hooking module is also used in the illustrative embodiment - but the functions intercepted by the hooking module in the case of mobility server MS are redirected to the proxy and filter modules that are also supplied by the preferred exemplary embodiment, instead of the network- virtualization module.
- a proxy driver can be used to implement the bulk of the mobility server functionality.
- there are three separate problems to solve, for which three additional logical modules are used. They are:
- the first problem is how to manage virtual addresses for the mobility clients. Although it is possible in some network stack implementations to assign multiple addresses to the inherent networking stack components of the operating system, some systems do not support such functionality.
- the illustrative example embodiment employs an identity mapping technique. It will be appreciated that the techniques herein are both compatible with and complementary to either implementation, and such identity mapping functionality allows the security functionality to successfully operate within the more restrictive environments.
- the illustrative mobility server opens a communications endpoint associated with a local address and port and then identity maps between the corresponding virtual address(es) and port(s) before packets are processed by the protocol stack during reception and before they are transmitted out on the network.
- That mapping is the job of the network identity mapping module (nmprtmap) in one exemplary embodiment.
- an application on a mobility client opens TCP port 21 on virtual address 10.1.1.2.
- this request is transferred from the mobility client to the mobility server.
- the MS opens the connection on its local address 10.1.1.1 on port 2042 and registers the appropriate mapping with the network identity mapping module.
- the packet generated by the inherent networking stack will have a source address of 10.1.1.1 port 2042.
- the network identity mapping module will then match the frame's protocol/address/port tuple against its mapping table and replace the source address with 10.1.1.2 port 21 before the packet is transmitted on the network. The reverse operation is performed for received packets.
- This network identity mapping technique allows the mobility server to communicate with peer systems using virtualized addresses without requiring modification to the core operating system transport protocol stack.
- the second problem is a direct result of this mapping technique. Because the network identity mapping module logically operates below the IPSec module (i.e., it processes frames before the IPSec module during reception and after it during transmission), it cannot directly manipulate IPSec-protected frames without corrupting the packets or being intimately involved in the privacy or authentication process. To address this issue, in one exemplary embodiment, the aforementioned IPSec filter module (nmipsec) inserts itself between the operating system's networking stack components and the associated IPSec modules. The filter module inspects each outgoing packet before IPSec protects the packet and each incoming packet after IPSec removes any encoding.
- the filter module consults the network identity mapping module (nmprtmap) to determine whether or not the frame's source or destination identity should be mapped. In this way, the functionality of the mapping logic is moved to a level where it can perform its function without interfering with the IPSec processing. Hooking the link between the IPSec and networking stack components is implementation and operating system dependent. In the illustrative exemplary embodiment, the hooking process is again completed by the manipulation of tables that are exchanged between the inherent IPSec and networking stack modules, but other implementations and environments could rely on other techniques. In the illustrative embodiment the IPSec filter module (nmipsec) loads before the IPSec module but after the transport protocol module.
- the IPSec filter module (nmipsec) records and replaces the original function pointers with its own entry points. Once the associated tables are exchanged in this manner, the IPSec filter module (nmipsec) can manipulate the contents of, and control which packets are seen by, the inherent IPSec module.
- the third issue is where the hooking techniques also used by the mobility clients are employed.
- the inherent networking stack has no knowledge of the mobility client's virtual address(es). Consequently, the policy administration, security negotiation, and key management (Policy Agent/ISAKMP/IKE module) process(es) are also not cognizant of these additional known network addresses. Therefore, there are no IPSec security policies to cover frames received for or transmitted from the mobility client's virtual address(es).
- the security negotiation hooking module(nmike) can employ the same hooking methodology described for the mobility client and illustrated in Figure 8.
- the security negotiation hooking module (nmike) intercepts any address change notification request.
- when the proxy module registers or deregisters a mobility client's virtual address(es) with the network identity mapping module (nmprtmap), it also informs the security negotiation hooking module (nmike).
- This module in turn then informs the policy administration module (Policy Agent) of the respective change.
- the security negotiation hooking module(nmike) intercepts the request and adds all of the current virtual addresses to the returned list.
- the security negotiation (ISAKMP/IKE) module will attempt to open and associate a communications endpoint for each address in the list.
- the security negotiation hooking module intercepts the request to the conventional Microsoft Windows Winsock bind function and replaces the requested virtual address and port with INADDR_ANY.
- the security negotiation hooking module employs the services of the network identity mapping module (nmprtmap) and creates a mapping between the actual address and port associated with the newly established communications end point to the virtual address and the assigned port for security negotiations (in this case port 500 is the standard ISAKMP port).
- the security negotiation hooking module (nmike) registers the actual address and port with IPSec filtering module (nmipsec) to instruct the module to pass packets to and from the specified address without further IPSec filter processing. All documents referenced herein are incorporated by reference as if expressly set forth herein.
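As an added illustration (not code from the patent or the product), this portable C model carries the 10.1.1.1:2042 to 10.1.1.2:21 mapping above through both directions, places the mapping before a toy IPSec stage on transmit and after it on receive, and includes the ISAKMP bypass from the third problem: the actual endpoint bound by the security negotiation module (port 50010 is a constructed ephemeral port) is mapped to virtual port 500 and excluded from IPSec processing. The peer address 10.1.1.50 is constructed as well.

```c
#include <stdint.h>
#include <stdio.h>

/* Portable model of the mobility server's identity mapping (nmprtmap) and its
 * placement relative to IPSec (nmipsec). The IPSec stage is a toy that only flags
 * frames; the 10.1.1.x endpoints are the page's values, port 50010 is constructed. */
enum { PROTO_TCP = 6, PROTO_UDP = 17 };

struct endpoint { uint32_t addr; uint16_t port; }; /* IPv4 as host-order integer */
struct frame { uint8_t proto; struct endpoint src, dst; int protected_; };
struct mapping { uint8_t proto; struct endpoint actual, virt; };

#define MAX_MAP 16
#define MAX_BYPASS 8
static struct mapping map_table[MAX_MAP];
static int map_count;
static struct endpoint bypass_table[MAX_BYPASS]; /* actual endpoints registered by nmike */
static int bypass_count;

static uint32_t ip(const char *dotted) {
    unsigned a, b, c, d;
    if (sscanf(dotted, "%u.%u.%u.%u", &a, &b, &c, &d) != 4) return 0;
    return (a << 24) | (b << 16) | (c << 8) | d;
}
static struct endpoint ep(const char *dotted, uint16_t port) {
    struct endpoint e = { ip(dotted), port };
    return e;
}
static int ep_eq(struct endpoint x, struct endpoint y) { return x.addr == y.addr && x.port == y.port; }

/* nmprtmap: remember that local (actual) endpoint A speaks on the wire as virtual V. */
static int register_mapping(uint8_t proto, struct endpoint actual, struct endpoint virt) {
    if (map_count >= MAX_MAP) return 0;
    map_table[map_count].proto = proto;
    map_table[map_count].actual = actual;
    map_table[map_count].virt = virt;
    map_count++;
    return 1;
}

/* nmipsec: frames to/from this actual endpoint skip IPSec (used for the ISAKMP socket). */
static int register_bypass(struct endpoint actual) {
    if (bypass_count >= MAX_BYPASS) return 0;
    bypass_table[bypass_count++] = actual;
    return 1;
}
static int is_bypassed(struct endpoint e) {
    for (int i = 0; i < bypass_count; i++) if (ep_eq(bypass_table[i], e)) return 1;
    return 0;
}

/* Transmit: rewrite actual source -> virtual source. Returns 1 if a mapping matched. */
static int map_outbound(struct frame *f) {
    for (int i = 0; i < map_count; i++)
        if (map_table[i].proto == f->proto && ep_eq(map_table[i].actual, f->src)) {
            f->src = map_table[i].virt;
            return 1;
        }
    return 0;
}
/* Receive: rewrite virtual destination -> actual destination (the reverse operation). */
static int map_inbound(struct frame *f) {
    for (int i = 0; i < map_count; i++)
        if (map_table[i].proto == f->proto && ep_eq(map_table[i].virt, f->dst)) {
            f->dst = map_table[i].actual;
            return 1;
        }
    return 0;
}

/* Filter on transmit: the mapping runs on the cleartext frame, then IPSec protects
 * it, unless the actual endpoint is bypassed. Returns 1 if the frame left protected. */
static int transmit(struct frame *f) {
    int bypass = is_bypassed(f->src); /* judged on the actual identity, before mapping */
    map_outbound(f);
    if (!bypass) f->protected_ = 1;    /* toy IPSec stage, after the filter */
    return f->protected_;
}

/* Filter on receive: IPSec has already removed its encoding, then the mapping runs.
 * Unprotected frames are accepted only for bypassed endpoints. Returns 1 if delivered. */
static int receive(struct frame *f) {
    int was_protected = f->protected_;
    f->protected_ = 0;                 /* toy IPSec stage, before the filter */
    map_inbound(f);                    /* destination is now the actual endpoint */
    return was_protected || is_bypassed(f->dst);
}

int main(void) {
    struct frame f = { PROTO_TCP, { 0, 0 }, { 0, 0 }, 0 };
    register_mapping(PROTO_TCP, ep("10.1.1.1", 2042), ep("10.1.1.2", 21));
    f.src = ep("10.1.1.1", 2042);
    f.dst = ep("10.1.1.50", 40000); /* constructed peer */
    printf("protected=%d wire source port=%u\n", transmit(&f), (unsigned)f.src.port);
    return 0;
}
```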
- in Microsoft operating systems, IPSec and related technologies can be arranged in a number of manners, with some of the required algorithms executing either in software or in hardware.
- certain implementations may include hardware accelerator technology for the ciphering process, etc.
- Many network interface and computer manufacturers have commercially available products that are used for this exact purpose. It is to be appreciated, however, that the above specification describes the logical placement of the required functionality, which may actually execute in a distributed fashion. Accordingly, the invention is intended to cover all modifications and equivalent arrangements within the scope of the claims.
Applications Claiming Priority (3)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
US34724302P | 2002-01-14 | 2002-01-14 | |
US347243P | 2002-01-14 | ||
PCT/US2003/000817 WO2003061188A1 (en) | 2002-01-14 | 2003-01-13 | Method and apparatus for providing secure connectivity in mobile and other intermittent computing environments |
Publications (2)
Publication Number | Publication Date |
---|---|
EP1466434A1 EP1466434A1 (en) | 2004-10-13 |
EP1466434A4 true EP1466434A4 (en) | 2005-09-07 |
Family
ID=23362911
Family Applications (1)
Application Number | Title | Priority Date | Filing Date |
---|---|---|---|
EP03703762A Withdrawn EP1466434A4 (en) | 2002-01-14 | 2003-01-13 | Method and apparatus for providing secure connectivity in mobile and other intermittent computing environments |
Country Status (5)
Country | Link |
---|---|
EP (1) | EP1466434A4 (en) |
JP (1) | JP2005515700A (en) |
AU (1) | AU2003205094A1 (en) |
CA (1) | CA2474089A1 (en) |
WO (1) | WO2003061188A1 (en) |
2003
- 2003-01-13 JP JP2003561153A patent/JP2005515700A/en active Pending
- 2003-01-13 AU AU2003205094A patent/AU2003205094A1/en not_active Abandoned
- 2003-01-13 CA CA002474089A patent/CA2474089A1/en not_active Abandoned
- 2003-01-13 WO PCT/US2003/000817 patent/WO2003061188A1/en active Application Filing
- 2003-01-13 EP EP03703762A patent/EP1466434A4/en not_active Withdrawn
Non-Patent Citations (4)
Title |
---|
INTERNETWEEK: "Wireless Works", INTERNETWEEK, 7 May 2001 (2001-05-07), XP002324101, Retrieved from the Internet <URL:http://www.internetweek.com/reviews01/rev050701-5.htm> [retrieved on 20050411] * |
NETMOTION WIRELESS: "Extending Mobile Solutions Without Middleware", NETMOTION WIRELESS WHITE PAPER, 6 August 2001 (2001-08-06), XP002324100, Retrieved from the Internet <URL:http://www.afn.org/~afn48922/downs/wireless/netmotion_extending_mobility.pdf> [retrieved on 20050411] * |
See also references of WO03061188A1 * |
YONGGUANG ZHANG ET AL: "A persistent connection model for mobile and distributed systems", COMPUTER COMMUNICATIONS AND NETWORKS, 1995. PROCEEDINGS., FOURTH INTERNATIONAL CONFERENCE ON LAS VEGAS, NV, USA 20-23 SEPT. 1995, LOS ALAMITOS, CA, USA, IEEE COMPUT. SOC, US, 20 September 1995 (1995-09-20), pages 300 - 307, XP010200337, ISBN: 0-8186-7180-7 * |
Also Published As
Publication number | Publication date |
---|---|
CA2474089A1 (en) | 2003-07-24 |
AU2003205094A1 (en) | 2003-07-30 |
WO2003061188A1 (en) | 2003-07-24 |
JP2005515700A (en) | 2005-05-26 |
EP1466434A1 (en) | 2004-10-13 |
Similar Documents
Publication | Title |
---|---|
US7882247B2 (en) | Method and apparatus for providing secure connectivity in mobile and other intermittent computing environments |
EP1774438B1 (en) | System and method for establishing a virtual private network |
US6529513B1 (en) | Method of using static maps in a virtual private network |
EP2790387B1 (en) | Method and system for providing connectivity for an ssl/tls server behind a restrictive firewall or nat |
US7536715B2 (en) | Distributed firewall system and method |
US7676838B2 (en) | Secure communication methods and systems |
US7278157B2 (en) | Efficient transmission of IP data using multichannel SOCKS server proxy |
EP3459318B1 (en) | Using wlan connectivity of a wireless device |
US20030131245A1 (en) | Communication security system |
US20050223111A1 (en) | Secure, standards-based communications across a wide-area network |
US20020090089A1 (en) | Methods and apparatus for secure wireless networking |
US20060095969A1 (en) | System for SSL re-encryption after load balance |
US20070124489A1 (en) | Nat access control with ipsec |
US20050086533A1 (en) | Method and apparatus for providing secure communication |
WO2003061188A1 (en) | Method and apparatus for providing secure connectivity in mobile and other intermittent computing environments |
Cisco | Using PIX Firewall |
EP1413095B1 (en) | System and method for providing services in virtual private networks |
WO2003003664A1 (en) | System and method for address and key distribution in virtual networks |
Xenakis et al. | Dynamic network-based secure VPN deployment in GPRS |
Xenakis et al. | Alternative Schemes for Dynamic Secure VPN Deployment in UMTS |
Xenakis et al. | A secure mobile VPN scheme for UMTS |
Casole et al. | Secure access to corporate resources in a multi-access perspective: needs, problems, and solutions |
Xu | Building mobile L2TP/IPsec tunnels |
Hudak et al. | Security in Mobile IP: A survey of security related issues in deploying Mobile IP |
CA2260709A1 (en) | Method of using static maps in a virtual private network |
Legal Events
Code | Title | Description |
---|---|---|
PUAI | Public reference made under article 153(3) epc to a published international application that has entered the european phase | Free format text: ORIGINAL CODE: 0009012 |
17P | Request for examination filed | Effective date: 20040722 |
AK | Designated contracting states | Kind code of ref document: A1 Designated state(s): AT BE BG CH CY CZ DE DK EE ES FI FR GB GR HU IE IT LI LU MC NL PT SE SI SK TR |
AX | Request for extension of the european patent | Extension state: AL LT LV MK RO |
RIN1 | Information on inventor provided before grant (corrected) | Inventor name: SAVARESE, JOSEPH T. Inventor name: STAVENS, AARON Inventor name: STURNIOLO, EMIL |
RIC1 | Information provided on ipc code assigned before grant | Ipc: 7H 04L 29/08 B Ipc: 7H 04L 29/06 B Ipc: 7H 04L 9/00 A |
A4 | Supplementary search report drawn up and despatched | Effective date: 20050725 |
17Q | First examination report despatched | Effective date: 20060515 |
STAA | Information on the status of an ep patent application or granted ep patent | Free format text: STATUS: THE APPLICATION IS DEEMED TO BE WITHDRAWN |
18D | Application deemed to be withdrawn | Effective date: 20100801 |