JP2005515700A - Methods and devices for providing secure connections in mobile computing environments and other intermittent computing environments - Google Patents

Abstract

  A method and device for enabling secure connections using standards-based virtual private network (VPN) IPSEC algorithms in mobile computing environments and intermittently connected computing environments, based on recent standards Increased algorithm. This is done by allowing the mobile device to automatically (re) set the security session while the mobile end system moves through a uniform or heterogeneous network while maintaining a network application session. . Transitions between networks occur uniformly by shielding networked applications from connecting interrupts. These applications and / or users do not need to sense these transitions, although intervention is possible. This method need not be modified for current network infrastructure and / or networked applications.

Description

Detailed Description of the Invention

[Cross-reference of related applications]
This application is related to the following co-pending and commonly assigned US patent applications:
US provisional patent application number 60 / 347,243 (filing date: January 14, 2002, patent attorney case number 3978-9);
US Provisional Patent Application No. 60 / 274,615 (Filing Date: March 12, 2001, entitled “Method and Device for Providing Mobile and Other Intermittent Connections in Computing Environments” (Attorney Case No. 3978) -6);
US Provisional Patent Application Serial No. 09 / 330,310 (filing date: June 11, 1999, entitled “Method and Device for Providing Mobile and Other Intermittent Connections in a Computing Environment”) (Attorney Case No. 3978) -3);
US Provisional Patent Application Serial No. 09 / 660,500 (Filing Date: September 12, 2000, entitled “Method and Device for Providing Mobile and Other Intermittent Connections in a Computing Environment”) (Attorney Case No. 3978 -2);
PCT International Application No. PCT / US01 / 28391 (Filing Date: September 12, 2001, entitled “Method and Device for Providing Mobile and Other Intermittent Connections in a Computing Environment” (Attorney Case No. 3978- It claims priority to 7).

  All of the above documents are hereby incorporated by reference.

[Explanation of commissioned research or progress by the federal government]
Not applicable.

BACKGROUND AND SUMMARY OF THE INVENTION
Wireless networks are widespread. Students access subject information from the university computer network while sitting in the lecture room or enjoying the outdoors in the center of the university campus. Doctors continue to make computer connections to the hospital computer network while patroling. A company employee can continue to review documents and access e-mail while moving from the office to the meeting room. Laptop or PDA users can access the web to view information in conference rooms, hotels, airports, and coffee shops, and access email and other applications over the Internet. Home users use wireless networks without pulling cables.

  Wireless connection has a high degree of freedom, but there is a risk to safety. Information transmitted over a cable or other wired network is usually secure. This is because the information needs to be connected to a cable for transmission. On the other hand, wirelessly transmitted information is received by all persons having wireless receivers within range. Risks to safety are not a big problem for students who read subject materials or for coffee shop customers who visit the WWW to view information, but not only customers, users and sick people, but also business and professional An important concern for the home.

  Usually, the wired computing world and the wireless computing world operate under very different paradigms. Wired world addresses are fixed, their connections are constant, and bandwidth is high. As a result, applications and message protocols designed for the wired world typically do not work in a wireless environment. However, end-user wireless expectations are set by the performance and operation of their wired network. Meeting these expectations is very difficult for those who design and develop wireless network structures, software, and devices.

  Authenticating users and maintaining reliable communications is more difficult in wireless networks than in wired networks. Wireless networks are typically subject to a wide variety of attacks (eg, man-in-the-middle, wiretapping, “freeride”, and threatening wide areas) and hypotheses that are rarely used for wired networks Become. For example, in modern network topologies such as wireless networks and virtual private networks (VPNs) based on the Internet, there is no physical boundary between the public and private networks. In networks like these, it is impossible to assume from a physical location, like a wired network in a secure facility, whether a user needs permission to access the system. In addition, radio data is often broadcast by radio frequency. This wireless data can pass beyond the control of the organization, through walls and ceilings, even in parking lots or streets. Therefore, information transmitted by the network is easily wiretapped. If vital patient information is blocked or altered by unauthorized persons using a laptop computer in the hospital lobby, or an industrial spy keeps the competitor's secrets upstairs Let's assume a case where it is determined from an office or a car in a parking lot by interfering with radio transmission. When using a wired network cable, the chances of an actual incident happening while connecting to the wired network cable in a secure facility are lower than the possibility that the wireless transmission from the wireless network will be interrupted Let ’s go. In addition, security threats and problems are faced when a user desires to use as many different wireless public networks as ever before to access sensitive data and applications.

A number of open standards that allow wireless network hardware suppliers to create interoperable systems offer several forms of confidentiality. For example, the IEEE 802.11b “Wi-Fi” standard has been widely implemented to provide wireless connectivity for all types of computing devices. This standard provides any wired equivalent privacy ("WEP") functionality that has been widely implemented. Attempts to solve security problems in wireless networks using various additional wireless standards. These wireless networks include, for example,
Wireless application protocol (WAP) and wired transport layer security (WTLS)
・ Mobile IP
Is included.
However, as explained below and recognized by the industry as a whole, these standards are completely easy to implement for mobile computing devices that roam between different networks or subnetworks. It has not provided a transparent, safety solution.

  WAP is typically designed for transmitting data to devices such as mobile phones, pagers, PDAs over low bandwidth wireless networks. The Wired Transport Layer Security (WTLS) protocol in WAP provides privacy, data integrity, and authentication between WAP-based applications. WAP gateways switch between WAP protocols, standard web and / or Internet protocols such as HTTP and TCP / IP, and WTLS is used to form encrypted secure pipes. One problem with this model is that it can be used in clear text form as soon as the intermediate WAP gateway decrypts the data. The clear text form compromises the safety between the end of the system. Furthermore, WAP has not typically been implemented for high bandwidth scenarios such as wireless local area network personal computer connections.

  WEP (Wired Equivalent Privacy) is intended to provide the same level of privacy as that of an unprotected wired local area network. WEP is an optional part of the IEEE 802.11 standard, but many hardware suppliers have implemented WEP. WEP provides some degree of authentication and confidentiality, but has some drawbacks and limitations.

  In order to provide authentication and confidentiality, WEP typically provides a default set of encryption keys (initially) that are shared between a wireless device (eg, a laptop computer with a wireless LAN adapter) and a wireless access point. Setting). Using WEP, a client with the correct encryption key can unlock the network and communicate with several access points on the wireless network. However, this network rejects link level connection requests without the proper key. Once they are so formed, wireless devices and access points that can be realized by WEP are also encrypted before transmitting data, and integrity checks are made to ensure that packets are not altered during transit. Without the correct key, the transmitted data cannot be decrypted. This decryption means preventing other wireless devices from eavesdropping.

  WEP is usually effective in protecting wireless links, although some industry analysts have questioned the strength of encryption currently used by WEP. However, the main limitation of WEP is that the protection provided by WEP does not extend beyond the wireless link itself. WEP typically does not provide end-to-end protection when data is received by a wireless access point and needs to be transferred to some other network destination. When data reaches the network access point or gateway, encryption / protection is released. Some other security solutions typically need to be used to provide end-to-end authentication and privacy.

  Mobile IP is another standard that attempts to solve some problems with wireless networks and other intermittently connected networks. Mobile IP is typically an algorithm-based standard that allows mobile devices to move network points of attachment mobile devices across homogeneous and heterogeneous network environments. That is, this Internet standard specifically identifies protocol enhancements (enhancements) that can route Internet Protocol (IP) datagrams (eg, messages) to mobile nodes on the Internet. This is shown, for example, in Perkins, C., “IP Mobility Support” (“RFC 2002”, October 1996).

  Mobile IP takes into account that each mobile node is always identified by its home address, regardless of the current point of attachment (attachment) to the Internet. While the mobile node is located away from its home, it is also associated with a “care-of address”. The care-of address provides information about the current point of connection to the Internet. The protocol provides for registering the location of the “care-of address” with the home agent. This home agent transmits a datagram directed to the mobile node via the “tunnel” to the “care-of address”. After reaching the “tunnel” end, each datagram is then delivered to the mobile node.

  Mobile IP offers useful technology for remote connections, but has not yet been widely deployed / implemented. This seems to be due to various factors. At least one of these factors is that it continues to have some unresolved issues or areas where mobile IP standards are lacking and areas where enhancement or improvement is desired. For example, security is now widely accepted as a very important aspect of mobile networking, but the Mobile IP security component is primarily aimed at many restricted security issues, such as redirection attacks. It has been.

  Redirection attacks are a real threat in all mobility systems. For example, if a malicious node gives wrong information to a home agent of a mobile IP network (eg, sometimes by simply playing a previous message), a redirection attack will occur. This is similar to a person submitting an incorrect “change address” form to a post office. As a result, all your mail will arrive in someone else's mailbox. The home agent informs that the mobile node has a new “care-of address”. In practice, however, this new “care-of address” is controlled by a malicious node. After this incorrect location registration occurs, all IP datagrams addressed to the mobile node are forwarded to the malicious node.

While Mobile IP provides a mechanism to prevent redirection attacks, there are other important security threats to be addressed before businesses can perceive that their wireless network solutions are secure enough. For example, mobile IP is usually
-Session disability tolerance / sustainability,
・ Policy management,
・ Distributed firewall function,
・ Service based on location,
・ Power management and
・ Other functions,
We do not provide comprehensive solutions for safety including mobile computing functions.

  To date, much work has been done on security by the Internet community in Mobile IP and other circumstances, but it is still possible and desirable to improve the solution. In particular, there is a need to provide enterprises and other organizations with a comprehensive mobility solution that is easy to use. They want to add end-to-end security to their current and new infrastructure. The infrastructure also supports mobility that transparently roams to applications that do not need to be “mobile aware” using a wide range of conventional technologies and standards. There are several solutions, but much of the infrastructure needs to be changed to the current infrastructure that is difficult to implement and maintain.

  For example, for the current examples that exist, Mobile IP is sometimes implemented as a “bump” in the TCP / IP protocol stack to replace components of the current operating system environment. An example of such a structure is shown in FIG. 1 of the prior art. In the illustrated exemplary prior art configuration, the Mobile IP module is located below the regular TCP / IP protocol stack component and manages transitions from one network to another. Yes. Typically, such a solution should be used to facilitate the operation of nomadic or migratory computing by adding and modifying the core network infrastructure components (entities). . Because such modifications are necessary, they cannot be implemented extensively and create problems in terms of maintainability and compatibility.

  Another common security solution that has been attractive to businesses is what is called a virtual private network (VPN). VPN is common to wired and wireless networks. Typically, VPNs are coupled to network components and resources via secure protocol tunnels so that devices connected to individual networks appear to share a common private backbone. VPNs accomplish this by allowing users to “tunnel” through a wireless network or other public network. At this time, at least the same level of confidentiality and characteristics as when the VPN is connected to the private wired network are performed in such a way that the configuration related to the “tunnel” enjoys. Before a “tunnel” can be formed, cryptography is used to form and authenticate the identity of the configuration associated with the tunnel. During the VPN connection, the information passing through the tunnel can be encrypted to provide privacy.

  VPN provides an end-to-end security overlay for two nodes that communicate across one or more insecure networks. The VPN function at each node further provides authentication and privacy if other network security is compromised or absent. VPNs have been widely accepted in a variety of network situations, for example, where users can connect to an office local area network via an insecure home Internet connection. Such a solution can provide strong encryption such as AES (Next Generation Standard Encryption), compression, and link optimization to reduce protocol chatty. However, many VPNs or most VPNs do not allow users to roam between subnets or networks without “breaking” the secure tunnel. In addition, many or most VPNs do not allow transport, security sessions, and application sessions that remain formed during roaming. Another potential obstacle is the conventional operating system, but not all of them are compatible with current wireless VPN protection.

  To address some roaming issues, the effectiveness of the standard has defined Mobile IP as described above. However, Mobile IP operates at the network layer, for example, and is therefore usually not prepared for session persistence / failure tolerance. If a mobile node is out of range or interrupted for a fairly short period of time, it is likely that the formed network session will be dropped (dropped). This creates important problems in terms of usability and productivity. Session persistence allows users to keep sessions formed and connected VPN tunnels, so session persistence is desirable even though coverage holes are entered during application transactions. Industry analysts and wireless Ethernet compatibility promotion agencies encourage companies to deploy VPN technology. This VPN technology directly addresses security concerns and provides advanced features such as network and subnet roaming, session persistence for intermittent connections, and battery life management for mobile devices. However, VPN solutions should support standard security cryptographic algorithms and wireless optimizations suitable for today's smaller wireless devices and should not change or require minor changes for the current infrastructure. Is desirable.

One security architecture based on standards and the protocol approach that has been used to provide secure communication between endpoints is called "Internet Security Protocol"("IPSec"). IPSec is a collection of open standards that have been developed by the Internet Engineering Task Force (IETF) to ensure communication over public and private networks. For example,
RFC 1827, “IP Encapsulated Security Payload (ESP)” R. Atkinson (August 1995),
RFC 1826, “IP Authentication Header” R. Atkinson, (August 1995),
RFC 1825, “Security Architecture for Internet Protocols” R. Atkinson (August 1995)
Is shown in

  In short, IPSec is a framework for ensuring private (dedicated) secure communications over Internet Protocol (IP) networks through the use of cryptographic security services. The IPSec suite of encryption-based protection services and security protocols provides computer-level user and message authentication as well as data encryption, data integrity verification, and message confidentiality. IPSec functions include cryptographic key exchange and management, message header authentication, hash message authentication, encapsulated security payload protocol, triple data encryption, next generation standard cryptography, and other features. Specifically, IPSec provides a transport mode that encrypts the message payload and a tunnel mode that encrypts the payload, header, and path information of each message. In order to reduce costs, IPSec uses policy administration. IPSec policies are used to configure IPSec security services, rather than application programming interfaces (APIs). This policy provides various levels of protection suitable for most traffic types in most current networks. IPSec policies can be configured to meet security requirements for computers, applications, organizational units, domains, sites, or global enterprises based on IP addresses and / or port numbers.

  IPSec is commonly used in firewalls, authentication products, and VPNs. In addition, Microsoft implemented IPSec as a component of its Windows 2000® operating system and Windows XP® operating system. IPSec tunnel mode is particularly beneficial for creating a secure VPN between endpoints. IPSec VPN based on public key cryptography provides end-to-end secure message authentication and privacy. The IPSec endpoint functions as a database that manages and distributes encryption keys and security associations. IPSec is a private channel for exchanging vulnerable data, such as email, file downloads, news feeds, medical records, multimedia, or all other types of information for accurate implementation. Can provide.

  Initially, it may be required to add a security algorithm, such as the standard IPSec security algorithm, to Mobile IP or other mobility protocols relatively easily. For example, security is considered in an environment where it is not necessary to change the mobile node IP address by hierarchizing each entity in the form shown in FIG. 2 of the prior art. Thus, the IPSec security association between the mobile node and its final peer can be protected through the network segment boundary, and end-to-end security is also protected. However, the combination of Mobile IP and IPSec algorithm has its own problems.

  For example, when a mobile node roams to a different network and communicates with its final peer, a policy enforcement entity such as a firewall may dispose of the packet generated by the mobile node. . This occurs because of a common method known as ingress filtering rules. Many firewalls discard packets. These packets are generated by the mobile node using the firewall home address (internal network identifier) and received at the externally facing network interface to protect the network. This disposal process is intended to protect the network protected by the firewall from attacks. Ingress filtering has the effect of forcing tunneling of mobile IP frames in both directions. For example, it is shown in RFC 2356 Sun ’s SKIP Firewall Traversal for Mobile IP: G. Montenegro, V. Gupta. (June 1998).

  In addition, before the packet passes between the external network interconnect and the internal network interconnect (also known as VPN), the IPSec security session can be used by the external agent (foreign agent) and the externally facing policy enforcement device ( For example, it has become common practice in the industry to need to be installed with a firewall. When the foreign agent is arranged together with the mobile node, the operation becomes difficult. As exemplary FIG. 3 shows, other levels of network protocol enveloping may be used to meet the required security policy. This means that network traffic between mobile nodes, via policy enforcement devices (eg, firewalls), foreign agents, home agents, and other communication endpoints (ie, the final peer) This is because it can flow. However, this adds additional substantial costs for further encapsulation. In addition, if foreign agent components are not deployed with mobile nodes (or with policy restrictions on newly attacked networks), certain foreign agents may need to be used for these communications and credentials Information needs to be shared in some way between the foreign agent and the end of the first (external) IPSec session. The disadvantage of this methodology is that it increases security risk by sharing credential information with network entities that may not be directly under user or co-management control.

  There is a need to solve these problems that define security, network roaming, and session persistence beyond traditional telecommunications, which is not limited to standard IP-based networks without the need to modify current network applications. is there. In addition, such a solution would be useful if it was not necessary to deploy Mobile IP or any other infrastructure such as a foreign agent when accessing a remote network. Also, the functionality may be transparent to networked applications. Therefore, there is no need to modify the networked application.

  The present invention avoids commonly experienced intrusion filtering problems while at the same time being secure, persistent and roamable using conventional technologies such as IPSec, Microsoft, or other operating system security features. This problem is solved by transparently providing communication based on IP. And unlike at least some implementations of Mobile IP, minimal, if any, changes are necessary for the underlying network infrastructure.

  In general, one preferred embodiment, which is typical and unrestricted, provides a mobility client (MC) function that virtualizes the underlying network. An application running on the mobility client references at least one consistent virtual network identity (identifier) (eg, IP address). When an application on the mobility client forms a network request, the mobility client intercepts the request and directs it to a mobility server (MS) that supports security such as IPSEC. The mobility server resolves this request and recognizes this request on the network as if the server was a client acting as a proxy for the client.

  In a typical embodiment, the reverse occurs. When a peer host sends a packet to the mobility client's virtual network identity, the packet is first received by the mobility server and then forwarded to the mobility client. The mobility server maintains a stable point of communication for peer hosts while the mobility client not only interrupts or roams outside the scope of all networks, but also roams freely between networks. When the mobility client is out of range, the mobility server keeps the mobility client session active and queues the mobility client request. When the mobility client is reachable again, the mobility server and client can transfer all waiting data and resume communication where it was interrupted.

  Thus, a preferred exemplary implementation without limitation provides radio optimization and network session persistence and application session persistence in the context of secure VPN or other connections. In order to make the best use of the current bandwidth, wireless optimization can transfer data as effectively as possible. For example, the system can be used to automatically convert to the fastest bandwidth network connection when multiple connections (eg, Wi-Fi and GPRS) are active. Network session persistence means that the user does not have to repeat the login process when the user moves from one IP subnet to another or returns out of range of the network. To do. In a typical implementation, each time a user roams, the connection is automatically re-authenticated without requiring user intervention. Application session persistence means that standard network applications remain connected to their peers to prevent loss of useful user time and data. Such optimization and persistence is provided in the context of a security architecture that provides end-to-end security for authentication and privacy.

  In one illustrative embodiment, prior to transferring data between the network and the mobility client, the network ensures that the end user has the necessary permissions. The user sets the user's identifier by logging into the mobility client using a conventional (eg, Windows®) domain user name and password. By using conventional domain credentials, a single sign-on process is considered and no additional authentication tables or other infrastructure additions are required. Single sign-on also provides user access to other domain resources such as file system sharing. As soon as the user is authenticated, a communication path is formed to transport application data. Any number of different protocols (eg, open file / printer sharing system, Radius, etc.) can be used for user authentication. With some of these protocols, the mobility server can function as a network access server. This ensures an initial access negotiation that forms the user's username and password using conventional protocols (eg, EAP-MD5, LEAP, or other protocols). Unlike some wireless protocols, such authentication in a typical, non-limiting implementation provides a user-specific password. This password is used for policy management that provides user-based access and resource allocation.

  Significant, non-limiting, typical implementations can be easily integrated by IPSEC or by other security features in traditional operating systems such as Windows NT® and Windows 2000®. This provides access to traditional VPN and / or other connection technologies that have been proven secure. The IPSec policy can be assigned, for example, through the group policy characteristics of the active directory. This allows IPSec policies to be assigned at the domain or organizational level, reducing the administrative overhead of configuring each computer individually. On-demand security negotiation and automatic key management services can be provided using conventional Internet Key Exchange (IKE) defined by the IETF, as shown by Internet RFC 2409. Such a typical implementation can provide an authentication method based on the IEFT standard. This makes it possible to form a trust relationship between computers using a certificate and / or password based on public key encryption, such as a key shared in advance. Various security, including secure email, secure website, secure web communication, smart card logon process, IPSec client authentication, etc. by integrating into security features based on traditional standards such as public key infrastructure Access to the solution.

  Exemplary exemplary embodiments can recognize changes in network identities (network identifiers), can selectively manage transitions in network connections, and, in some cases, across at least one plurality of network interfaces, communicating entities The IPSec security session between is terminated and / or instantiated again. The illustrative exemplary embodiment, as well as other parameters that define the state to authorize, deny, and / or delay the consumption of network resources, central management, distribution, and / or Alternatively, it is provided for execution of policy provisions for setting and / or terminating an IP security session.

  The useful properties that serve as examples without limitation are shown below.

  • With roamable IPSec, IPSec tunnels can automatically roam with the device wherever the mobile computing device operates. Based on the recognized IPSec security standards, roamable IPSec can roam uniformly across all physical and electronic boundaries of IPSec, including authentication, integrity, and encryption. This is a standard that allows mobile and remote users with VPN level security and encryption in IPSec tunnels to roam uniformly by wireless users wherever they go and how they access their corporate data. Provide based solutions.

  Detect when a change in network point to attach, interruption of network connection, roaming or other sub-network to different networks, mobile client identity, or other discontinuities occurred on the mobile client And (again) instantiate the IP security session while maintaining the network application session (ie, almost everything that is transparent to the networked application).

  Operating system components, transport protocol engines, and / or by transparently and selectively injecting computer instructions and transferring the execution path of at least one software or other component, eg based on process name Achieve additional functional levels while maintaining binary compatibility of applications.

  • Selectively but transparently virtualize at least one network interface for applications and operating system components. That is, it protects the application and operating system components from the features of mobile computing while other components can recognize interrupts in connections and changes at the connecting (attachment) network point.

  Selectively virtualize at least one network interface for network applications and operating system components; Thus, the network application and operating system components are protected from adverse events that interfere with communication, such as changes in connected (attachment) network points and / or when to disconnect.

  -Multiple IP security sessions can be set up across one or more network interfaces associated with at least one network point to be attached, and network application communication goes beyond all of the multiple IP security sessions Thus, these communications that can flow out at the same time and are correctly multiplexed / demultiplexed, flow to the corresponding higher layer communication session.

  Apply policy provisions to selectively allow, deny, and / or delay network communication flows across at least one multiple IP security session.

  • Manage and / or distribute policies for setting IP security sessions primarily from a central authority.

  “Additional Session” concept-During the proxy of communication for mobile clients, the mobility server will, among the possible IP security sessions between the mobility server and the ultimate peer, for the benefit of the mobility client At least one of can be instantiated.

  Set up and maintain an IP security session between the mobility server and the final communication peer even during periods when the mobility client is not reachable.

  Automatically IP security sessions between the mobility server and the final communication peer, based on, but not limited to, inactive links, inactive application sessions, or termination of communication endpoints finish.

  It relates to at least one IP security session between the mobility server, the final peer, the mobility client, and the mobility server for the current mobility client network identifier.

  Achieve other levels of functionality while maintaining binary compatibility with operating system components, transport protocol engines, and applications by transparently injecting computer instructions and transferring execution paths.

  Configuring at least one of a plurality of IP security sessions across a plurality of network interfaces associated with at least one network point to be attached (attachment), wherein network application communication is Those communications that can flow simultaneously over at least one of them and are correctly multiplexed / demultiplexed and distributed circulate into a reasonably high layer communication session.

  • selectively virtualizing at least one network interface for network applications and operating system components, and thus the change of the network point (of attachment) and / or the timing of disconnection of the network application and operating system components; Shield from all adverse events that interrupt communication.

  Centrally manage and distribute policy specifications from the central office for setting up and / or terminating IP security sessions for mobile clients and / or mobile servers.

  A mobility security solution that starts with a mobile device and provides both secure user authentication and secure data encryption if necessary.

  Mobility security solutions that are not required for a single vendor solution that is not based on other open standards across the industry.

  A secure VPN that can be extended to a variety of different public data networks (eg, Wi-Fi network hotspots, CDPD or GPRS, etc.) with different configurations that can be dynamically controlled by the network administrator.

  A mobility security solution that works with a variety of different computing devices with different configurations running different operating systems.

  -While maintaining a network application session, the user can maintain the battery by suspending and recovering a secure session.

  Provide a secure solution in a wireless topology with dead spots and coverage holes.

  There is no need to develop a custom mobile application or use a mobile library to obtain an application that operates in a mobile environment.

  -Secure transport-Application session persistence.

  • Works within current network security, so the network is not compromised.

  Compatible with a variety of all conventional security protocols including, for example, RADIUS, Kerberos, Public Key Infrastructure (PKI), and Internet Security Protocol (IPSec).

  The computing environment and applications need not change. Mobility needs to be used there, but its use is transparent to users and applications.

  • All or almost all applications run without modification, so no redevelopment or user retraining is required.

  -Automatically regenerate user session keys at customized intervals.

  A continuous and secure connection that ensures data integrity between wired and wireless data networks.

  Companies that run VPN (eg PPTP, L2TP / IPSec, IPSec, Nortel, Cisco, etc.) use these technologies to add radio optimization, session persistence, and other security for mobile workers be able to.

  LEAP or other access point authentication security seamlessly integrates into distributed enterprises to add optimized roamable security and encryption.

[Detailed Description of Embodiment]
FIG. 4 is a typical and comprehensive example and illustrates a non-limiting mobility architecture. The mobility architecture of this embodiment includes a mobility client (MC) and a mobility server (MS). A mobility client can be any kind of computing device such as a laptop, palmtop, pocket PC, mobile phone (cellular phone), desktop computer, or any other device with various remote connectivity capabilities. Also good. In one specific embodiment, the mobility client MC includes a computing capable platform. The platform runs a Microsoft Windows 2000® / Windows XP® operating system with security (eg, IPSec) functionality, but other implementations are possible. The illustrated system is large and can provide any number of mobility clients and mobility servers.

  In an exemplary embodiment, the mobility client MC may be connected to a network such as the Internet, a corporate LAN or WAN, an intranet, or any other computer network. Such a connection can be made wirelessly, for example via a wireless communication link such as a mobile phone network, or via other wireless communication links or other communication links. In some embodiments, the mobility client MC may be intermittently connected to the network. However, the illustrated system is not limited to wireless connections, and can support wired connections, for example, in situations where computing devices are intermittently connected to a wired network. For local area networks, wide area networks, or other networks, wireless or other connections can be made.

  In this specific embodiment, the mobility client MC communicates with a network using the Internet Protocol (IP) or other suitable protocol over at least one of the multiple network interfaces that can be implemented. In an illustrative embodiment, a mobility server (MS) is also connected to the network beyond at least one of a plurality of network interfaces that can be implemented. The mobility server MS may also communicate with one or more peers or other computing devices. The specific architecture of FIG. 4 allows the mobility client MC to communicate securely with the peer host via the communication link, the network and / or the mobility server MS.

  More specifically, the mobility server in FIG. 4 maintains the state of each mobile device and performs session management. This session management is necessary for maintaining a continuous connection to a network application. The mobility server responds to receiving data when the mobile device becomes out of reach due to an interruption, moving out of coverage, or changing the “present location” address of the mobile device The connection to the network host is maintained by queuing the request.

  A specific mobility server also manages network addresses for mobile devices. Each device operating on a mobile device has a virtual address in the network and the address of a real point. A standard protocol (eg, DHCP) or static assignment determines the virtual address. On the other hand, when the mobile device moves from one subnet to another, the address of the real point of the mobile device changes (while the connection is active, the virtual address is constant).

  The configuration of this embodiment is linked to a standard transport protocol such as TCP / IP. In such a protocol, the capabilities at the mobile device and mobility server ensure that applications running on the mobile device remain in sync with that server.

  The mobility server also provides centralized system management with console applications and full metrics. System administrators can use these tools to shape and manage remote connections, troubleshooting issues, and traffic surveys.

  The mobility server, in an exemplary embodiment, also manages the security of data transmitted over the general communication path or wired network between the mobility server and the mobile device. This server provides a firewall function by giving access to the network only to devices that are authenticated via the network. The mobility server can also authorize and optionally encrypt all communications between the server and the mobile device. Tight integration with Active Directory or other directory / name services also provides centralized user policy management for security.

  The architecture of FIG. 4 can be provided in a large variety of situations, not limited to the specific situation shown in FIG. 5 (for brevity and clarity, the embodiment uses a single network point to connect) However, it will be understood that the invention is not limited to such scope and use).

  Referring to position number 1 shown in FIG. 5 and FIG. 5A, a mobility client (depicted as a laptop computer for clarity) is shown in a joint firewall or other firewall. Connected to a wireless LAN (WLAN) having an access point. In this example, a private wireless network is connected to a wired network via a mobility server. All application traffic generated or destined for the wireless network is protected, and other network traffic is connected to or sent to the wireless network There is nothing. Furthermore, by using standard firewall characteristics in the operating system, the system can be configured so that the mobility server can process only the mobility traffic on the wireless network. In this example, the mobility client is authenticated to the mobility server. Packets typically flow between the mobility client and the mobility server, and the communication channel between the mobility client and the mobility server is protected using a conventional IPSec security protocol.

  At position number 2 shown in FIG. 5, the mobility client has moved to a dead spot and is not connected to the network. The mobility server maintains the network application session of the mobility client during this time. If the mobile client is using Mobile IP instead of this specific embodiment, the client's session was disconnected because Mobile IP does not provide session persistence.

  At position number 3, the mobility client has returned to the corporate network range on a different subnet. The mobility client acquires the address of a new point of presence (POP) on the new subnet, uses IPSec to return to the mobility server, negotiates a new secure channel, and authenticates with the mobility server again. Resume a previously interrupted network session without user intervention and without restarting the application. This process is transparent to mobile applications and application servers.

  In the location numbers 4 and 5 shown in FIG. 5, referring also to FIGS. 5B and 5C, the mobility client is away from the common network and roamed to the public network (public network). For example, the mobile client at location 4 shown in FIG. 5 is shown in the range of a conventional wireless wide area network (WWAN) radio tower, and the mobile client at location 5 shown in FIG. 5 is Wi-FI, Or, in the range of other wireless access points “hot spots” (eg, airport terminals, conference centers, coffee shops, etc.). The wireless technology used in the public network need not be the same as that used in the enterprise. This is because the system according to the embodiment stipulates that it roams safely across heterogeneous networks. Mobility client traffic now passes through joint firewalls or other firewalls. This firewall is configured to exceed the IPSec traffic destined for the mobility server and / or the mobility client is configured to use an IPSec session to the firewall. Both solutions can be intervened but implemented without end-user interaction.

  In the example of FIG. 5B, the mobility device is connected to various public wide area networks. The enterprise is also connected to the public network through a conventional firewall. This firewall is modified in a specific embodiment, in particular to allow mobility connection to the address of the mobility server. These connections are then protected by a conventional security protocol such as IPSec.

  The example of FIG. 5C includes a private wired network in a company, hospital, or other premises, and a wireless local area network that supports mobile devices connected to the wireless local area network through a conventional firewall It is shown. Traffic from the public network that is not transmitted through the correct port to the private network is rejected by conventional firewall rules. Firewall rules are domain specific ("123.11.x: 5008 is accessible") or ("123.11.21.22.3: 1002 and 123.11.21.23.4: 5008 are accessible") specific One of the mobility server addresses can be specified. The latter approach is safer. In small premises, a single multihomed mobility server can be used to handle both wired and wireless LAN traffic. As soon as the user is authenticated, the user accesses the wired network. A network address translator (NAT) may be used to reduce the number of public (routable) IP addresses required. In the example shown in FIG. 5C, a many-to-one relationship is provided so that the mobile device can use only one of the two IP addresses instead of requiring one address each. it can. All traffic from the wireless LAN access point satisfies both firewall rules and is preferably removed by the mobility server. With usable encryption, this configuration provides legitimate wireless users with complete and secure access to collaborative data and protects the wired network.

  FIG. 5D shows an example configuration in which a user can roam across various networks securely inside and outside the co-firewall. The mobility server is placed behind the firewall. When a mobility client is behind a joint firewall, connected to a wireless LAN (WLAN), and authenticated to a mobility server, packets are usually transmitted and communication between the mobile device and the mobility server (mobile VPN) The channel is protected by IPSec. In this example, the public key infrastructure, password, and / or any other desired mechanism can be used to perform key exchange for the IPSec tunnel. For further protection, WLAN access points within the firewall can be configured to filter all protocols except the desired protocol (eg, IPSec). The mobility server functions as a VPN that protects data when traversing a wireless network using IPSec encryption. In this specific configuration, the mobility server also functions as a firewall by preventing intruders from accessing the private network. When a mobile device (client) moves to a joint network range on a different subnet, the mobile device acquires a new real point (POP) address on the new subnet and returns to the mobility server using IPSec. A new secure channel is negotiated, re-authenticated by the mobility server, and resumes a previously interrupted application session without requiring user intervention. These applications can continue to run and TCP or other connections can be maintained during this network transition. This is because network transitions are transparent to the application and the mobility server proxies communications on behalf of the mobile device when the mobile device is not reachable.

  The example network configuration of FIG. 5E extends the protection of the joint firewall for its mobile clients. In this implementation scenario, the mobility client is configured using a conventional L2TP / IPSec tunnel to the firewall. The IPSec filter at the mobile client can be configured to pass authenticated IPSec packets and reject all other packets only for the mobile client's transport protocol stack. Authenticated IPSec packets for trusted clients (ie originating from within the firewall for all control channels needed to set up a secure connection and specially authorized Internet or other network services) A joint firewall can be configured to reject all packets except for (replies to packets). The mobility server located behind the firewall functions as a transport level, proxy firewall. Proxies all network traffic to protect the user's device from a wide range of attacks, including attacks using incomplete packets, buffer overflows, fragmentation errors, and port scanning, for example User transactions are forced through the software. Because the mobility server acts as a transport level proxy, this protection can be transparently provided for a wide range of applications. Attacks against the network can be blocked by filter rules configured by the firewall and / or the proxy firewall function of the mobility server. Also, attacks against mobile devices are prevented by IPSec filter rules configured at the mobile client. Also, attempts to decrypt user passwords using a sniffer attack are hampered by a secure tunnel provided by IPSec.

  FIG. 5F shows another electronic commerce model that is a specific embodiment. Like WAP, the configuration of FIG. 5F provides optimizations that increase performance and reliability for slow and unreliable wireless networks. Unlike WAP, the system of FIG. 5F prevents data from being present on the intermediate server in an unencrypted state. The structure of FIG. 5F allows standard web protocols such as HTTP and TLS to be used for electronic commerce or other transactions (web traffic is treated as a payload). The encrypted data is transferred to the last destination of the data (eg, a web server) that can be processed in the same way as if two wired peers were executing the same transaction. In addition to optimizing for wireless networks, the FIG. 5F system provides seamless roaming between different networks and application session persistence while the device is interrupted or located out of range of the wireless base station. Provide sex. When combined with exemplary system support for public key infrastructure and / or other security mechanisms, these capabilities form a powerful mobile e-commerce platform.

  The above scenario is only a number of other intermittent, mobile, nomadic example scenarios, or may define other connection scenarios.

[Specific integration with security framework based on IPSec standard]
Typically, the IPSec process for protecting a frame is extensively performed by three functions that can be logically distinguished. These functions are
Policy configuration and administration Security negotiation / key management privacy processing. Although these processes can be logically differentiated, the reliability to perform their functions may be shared by one or more modules, or distributed in any way within the operating system or other system May be. For example, in the embodiment of the client operating system which is a specific example, it is implemented in the following three functional areas or logic modules.
1. 1. Policy agent module 2. Security negotiation and key management (eg, ISAKMP / IKE) module Privacy (eg, IPSec) module In this exemplary embodiment, the policy agent is responsible for the configuration and storage of the configured policy. However, it is the IPSec module that actually acts on the policy agent's requested policy. The preferred specific embodiment system provides two different aspects that are related but separate.
In the first aspect, IPSec is processed from the mobility client to the firewall or mobility server.
In another aspect, it handles communications at virtual addresses between the mobility server and the peer host.
First, consider specific example communications to and from a mobility client.

[Specific Mobility Client Architecture]
As part of the overall design of the preferred embodiment, network roaming activity is typically hidden from applications running on mobility clients. Therefore, this application is usually not given information about details about mobility roaming (or need to know about the above details). Briefly, as described in several commonly assigned co-pending patent applications and the above publications, each mobile device runs a mobility management software client. Here, a mobility management software client is one that provides mobile devices with the intelligence to intercept network activity and relay it to a mobility management server (eg, via mobile RPC or other protocols). . In this preferred embodiment, the mobility management client is typically transparent to the operating system characteristics present on the mobile device to keep the client-site application session active when connectivity to the network is lost. Interlocked. The new mobile interceptor / redirector component is inserted into the traditional transport protocol interface of the mobile device software architecture. It is useful for the mobile interceptor / redirector to operate on the transport layer itself while the mobile interceptor / redirector can operate at a different level than the transport interface. This mobile interceptor or redirector transparently intercepts certain calls on this interface and manages those calls across the data communication network (eg, via RPC and Internet Mobility Protocol and Standard Transport Protocol). Transfer to server. Thus, the mobile interceptor / redirector can, for example, intercept network activity and relay this activity to a server. The interceptor / redirector works transparently with operating system characteristics so that application sessions can remain active when the mobile device loses connection with the network.

  This configuration provides effective transparency for applications, networks, and other network sources / destinations. However, IPSec is a special case. Between the mobility client and the mobility server or between the mobility client and the firewall, IPSec protects the packet with a point of presence (POP) address. Thus, in one specific embodiment, the infrastructure preferably leaves information about the current state of the network so that the current IPSec infrastructure can operate normally. Thus, previous designs have been modified to inform IPSec of changes in network conditions while continuing to protect networked applications and the rest of the operating system from temporary loss of network access (eg, thus IPSec can negotiate an IPSec session when the network connection is re-established). Before describing the method performed in one illustrative embodiment, initially, the conventional Microsoft Windows 2000® / Windows XP® shown in FIG. The operating system IPSec architecture will be described. Note that Windows 2000 (registered trademark) / Windows XP (registered trademark) and IPSec are described for illustration only, and other operating systems and security arrangements may be used instead.

  In Windows 2000 (registered trademark) / Windows XP (registered trademark), frames are filtered and protected by IPSec. Additional information can be found, for example, in Weber, Chlis, “Using IPSec in Windows 2000 and XP (Using IPSec in Windows® 2000 and XP)” (Security Focus, May 12, 2001). ing. That is, however, according to a non-limiting embodiment, before the frame can be processed by the protocol stack or before the frame is transmitted over the network, the network stack initially allows the IPSec module to process the frame. Get. The IPSec module applies a policy agent request for the appropriate network identity to the frame, whatever the policy is. The policy agent requires an IPSec module that protects the frame, but forms the module if the policy agent does not already have the required security association (SA) with a peer according to the requested policy. In order to do so, a request for a security negotiation / key management module is issued (in this embodiment, an ISAKMP / IKE (Intemet Security Association and Key Management Protocol / Internet Key Exchange) module). It is the role of ISAKMP / IKE in this example system to negotiate the requested security association and inform the IPSec module about the progress / status of the security association. As soon as the security association is successfully formed, the IPSec module continues to process the module of the original frame.

  In this example embodiment, the policy agent uses a conventional Microsoft Winsock API (Application Program Interface) to monitor network conditions and adjust its policy accordingly. However, this depends on using other interfaces to alert this logical component of network conditions in other environments. Thus, in a specific embodiment, the ISAKMP / IKE module also uses a conventional Microsoft Winsock API to perform security association negotiation as well as track network state changes.

  That is, the above technique forms a normally secure IPSec session that is bound to a specific IP address and / or port. Moreover, as is well known, in order to maintain, it is basically necessary to use the above technique continuously. IPSec terminates this technique if a secure session is temporarily interrupted (eg, due to loss or suspension of connection or due to roaming) and / or if the IP address and / or port changes. Will let you. If something isn't done, the mobile application loses communication when the secure IPSec session ends, even though the network session continues to function. This illustrative preferred specific embodiment solves this problem by introducing functionality. Here, functionality ensures that a sufficient amount of information that can reach a lost secure session is passed to IPSec while keeping this fact protected from the application. The above embodiment also allows IPSec to establish a secure session as soon as the network connection is reconfigured using the same or different IP address or port number (all transparent to networked applications). Solve the problem by being able to negotiate. In this way, specific illustrative applications are not adversely affected by the termination of a previous security session and the setting of a new security session. After an application is terminated, it can be adversely affected by accessing the old network (or for roaming, a new network with a new network identity defined at that location) There is nothing. At the same time, the mobility server during this interruption continues to proxy communication with the peer with which the mobile device is communicating. Thus, the network application session is maintained and can be resumed from where the network application session was suspended before interruption occurred.

The support on the mobility client side and the support on the mobility server side each have different requirements. Thus, the architecture is different in the exemplary embodiment shown. A block diagram of a typical client architecture is shown in FIGS. 5G and 7. Compared to the conventional FIG. 6, there are two more component / policy agent hooking components (nmplugnt)
・ Network virtualization component (nmdrv)
Added.

  That is, in this illustrative preferred embodiment, the core operating system's IPSec infrastructure can continue to selectively receive information regarding changes in the network state, while the network virtualization component is responsible for the underlying client module network. Virtualize. In this illustrative embodiment, the policy agent hooking component “hooks” a particular policy agent function and directs such processing to the network virtualization component. As a result, the normal functionality of IPSec can be modified somewhat.

  More specifically, in this exemplary embodiment, the network virtualization component (nmdrv) is a layer that uses the services of the current network stack and is responsible for virtualizing the underlying client module network. This component also initiates and maintains a connection with the mobility server. If the client network application requests a list of local IP addresses, the network virtualization component (nmdrv) intercepts the request and can execute at least one of a plurality of mobility client virtual network identities (eg, virtual IP addresses) that can be executed. Send one back.

  However, the client architecture preferably allows the relevant IPSec module to understand and detect the current point of presence (POP) network address so that the unique IPSec component can continue to operate in the normal manner. Thus, in this exemplary embodiment, if a request for a list of network addresses is issued and this request occurs in the IPSec process, the network virtualization module does not filter or modify the native network stack. Pass along the request. Thus, both the policy agent (eg, pollent.dll on Windows 2000®, ipsecsvc.dll on Windows XP®) and the ISAKMP / IKE module are both parallel to the mobility client's current POP address. And maintain.

  In this exemplary embodiment, the network virtualization module also detects address changes. Without this component, the network stack will typically know the change in the address list of all relevant applications via the traditional application programming interface by terminating the application communication endpoint if possible. . In Microsoft operating systems, for example, this reliability is usually poured into conventional winsock modules. This module also informs all interested network applications of each change. In this exemplary embodiment, the policy agent registers the influence on the winsock (eg, using the SIO_ADDRESS_LIST_CHANGE IOCTL via the conventional WSAIoctl function) and waits for the associated request to complete. The policy agent may be a driven event and may receive asynchronous notification of such network state changes. Again, in this illustrative exemplary embodiment, the policy agent also registers a notification event with the winsock to signal (eg, in FD_ADDRESS_LIST_CHANGE via the WSAEventSelect function). If the policy agent is alerted to a change in the address list, the policy agent retrieves the current list of addresses and consequently adjusts the policy and updates the associated policy administration logic. In addition, the policy agent notifies the security negotiation / key exchange module (in this case, the ISAKMP / IKE module) of relevant state changes. The Security Negotiation / Key Exchange Module (ISAKMP / IKE) module again updates the above list of modules for open connection endpoints for the next secure association (SA) negotiation.

  In this exemplary embodiment, the winsock and related applications typically cannot understand changes in the address list. This is because it disrupts normal application behavior and is handled by the network virtualization component. Thus, in this preferred exemplary embodiment, other mechanisms are used to inform the policy agent of changes with respect to the underlying network. In order to satisfy this requirement in this illustrative embodiment, a policy agent hooking module (nmplugnt) service is used.

  To achieve service redirection, this illustrative embodiment uses the functionality of a hooking module (nmplugnt) to policy administration, security negotiation, and key management (policy agent / ISAKMP / IKE) processes, Insert the code. These processes are provided as part of the core operating system. In this illustrative embodiment, hooking only certain functions of the policy agent module into the transferred code combines the manipulation of the import address table (IAT) with the use of a technique known as code injection. Is achieved through things. Injected function injection is accomplished in this illustrative embodiment using conventional operating system APIs (eg, OpenProcess, VirtualAllocEx, ReadProcessMemory, WriteProcessMemory, and CreateRemoteThread). In this exemplary preferred embodiment, nmplugnt. dll is lsass. When injected into an exe executable module, the module Hook the LoadLibrary and FreeLibrary entries in dll. Thereby, the module can detect when the policy agent is loaded and when it is unloaded. Of course, other implementations are possible depending on the particular operating environment.

  Further, the advantage of the hooking technique in this illustrative embodiment is in the way that Microsoft Windows itself performs dynamic runtime linking. Typically, Microsoft Windows® supports and uses the dynamic link library (DLL) for easy code reuse. By using this DLL technology, the process can be linked to the code at runtime. In order to invoke a function in a dynamically linked library, the caller needs to know the location (address) of a particular function in the DLL. It is the reliability of the operating system for decoupling between code modules, and is accomplished through the exchange of initialized tables that exist both in the caller and the caller runtime code module. . The called dynamic library includes an export address table (EAT). This export address table contains information necessary to find out the functions particularly required in the dynamic library. The module requesting service has both an import lookup table (ILT) and an import address table (IAT). The import lookup table contains information that requires a dynamic library and uses the function of each library. When a requesting module is loaded into memory for any reason, the core operating system scans the import lookup table associated with all dynamic libraries that the module depends on and loads these DLLs into memory. . As soon as a particular module is loaded, the import address table of the requesting module is updated by the operating system with the address (location) of each function that may access each dynamically loaded library. The Once again, various implementations are possible in other environments.

  In this exemplary embodiment, the nmplugnt module hooks the policy agent call to the traditional Microsoft Windows Winsock functions WSASocket, WSAIoctl, WSAEventSelect, closesocket, and WSACleanup after being loaded by the predetermined method. After executing this process, whenever the policy agent module attempts to register for an address change notification, the request is forwarded to the network virtualization component. As mentioned above, the network virtualization component by design notices changes in network connectivity. If this component detects a change to a point of presence address, it sends an appropriate notification to the policy agent module. Thus, in this illustrative embodiment, the policy agent module queries the current address list. Therefore, the policy agent and consequently the ISAKMP / IKE module are notified of all address list changes.

  FIG. 8 shows an example of how to link a single function from a single DLL in this illustrative embodiment to a call process. Specifically, the operating system looks for ILT and sets target. find the dll request, target. dll. exe is loaded into the address space and target. locating TargetFunc in the dll's EAT. app. to indicate TargetFunc in dll. fixed exe's IAT entry. app. When exe calls its stubbed TargetFunc, the stub function calls to TargetFunc imported via IAT. Since all important calls pass through the IAT, this preferred exemplary embodiment simply hooks its target function by exchanging the appropriate entry for each function in the IAT as shown in FIG. it can. This advantage is also in changing hooking. Only calls made by the requesting module in the target process are hooked. The rest of the system usually continues to function.

In summary, in an illustrative embodiment in one exemplary and detailed implementation, the following steps are performed.
1. Invoke open processes to gain access to policy administration, security negotiation, and key management (policy agent / ISAKMP / IKE) processes and address spaces.
2. Use a read process memory function to find a load library function in the address space of the relevant process.
3. The VirtualAllocEx function is used to allocate sufficient memory to hold the exemplary injection code shown in step 4 in the address space of the particular process.
4). A write process memory (WeightProcessMemory) for injecting the following code into the memory allocated in Step 3 is used.

LoadLibrary (&targetlibryname);
label targetlibryname:
"C: \\ Program Files \\ NetMotion client \\ nmplagnt. Dll"
The address of the load library (LoadLibrary) function was determined in Step 2. Data bytes in the label target library name will vary depending on the name of the module being loaded and the operating system environment, where appropriate modules are present.
5). In order to execute the injected code, a Create Remote Thread (CreateRemoteThread) function is called.
6). Wait for the remote thread to finish.
7). Free allocated memory.
8). Terminate the process.

  At the end of these steps, the nmplugnt module has been injected into the policy administration, security negotiation, and key management (policy agent / ISAKMP / IKE) processes if the necessary function call processing can be transferred. It will be appreciated that the above code procedure is an operating system, is processor dependent and is shown for illustration only and is therefore not limited to this particular order or operation. In addition, executable code responsible for adding these components to the operating environment is provided to the mobile device via a recording device on the recording medium (eg, optical disc) and / or downloaded across the network. it can.

  A similar method is performed using a free library function instead of the load library function that does not load the nmplugnt module by reversing the hooking process. In short, the description is kept to a minimum as anyone who has been taught about the technology should be able to achieve the desired result.

[Example of mobility server architecture]
Using an IPSec methodology for communication between a mobility server and a peer host, although using this methodology for some of the same techniques used for mobility clients, has various problems to be solved. is there. FIG. 10 shows a typical server architecture. In this exemplary embodiment, the mobility server MS may be located in a Windows 2000® / Windows XP® (or any other) operating system. In this particular illustrative implementation, the hooking module is also used in the illustrative embodiment. However, the function intercepted by the hooking module in the case of the mobility server MS is transferred to the proxy and filter module. These filter modules are also supplied by an exemplary preferred embodiment instead of a network virtualization module.

In a typical mobility server, a proxy driver (nmproxy) can be used to perform a large-capacity mobility server function. However, in one typical implementation, there are three individual problems, which are solved by using the other three logic modules. These logic modules are
・ Network identity mapping driver (nmprtmap),
-IPSec filter driver (nmipsec), and
・ Security negotiation hooking library (nmike)
That is.

  The first issue is how to manage virtual addresses for mobility clients. In some network stack implementations, multiple addresses can be assigned to a unique networking stack component of the operating system. However, some systems do not support such functions. To support a more limited implementation, the illustrative embodiment uses identity mapping techniques. It will be appreciated that these techniques are both compatible and complementary to each other. With such an identity mapping function, the security function can be successfully driven in a more limited environment. The exemplary mobility server identifies the communication endpoint associated with the local address and port before receiving packets before they are processed by the protocol stack and before these packets are transmitted over the network. Open, and then perform an identity map (identity map) between the corresponding virtual address and port. This mapping is, in one exemplary embodiment, a job of the network identity mapping module (nmprtmap). For example, assume that an application at the mobility client opens TCP port 21 on virtual address 10.1.1.2. Previously defined mechanisms (see, eg, US patent application Ser. No. 09 / 330,310 (filing date: June 11, 1999), entitled “To provide mobile and other intermittent connections in computing environments” By using the method and device "), this request is transmitted from the mobility client to the mobility server. In response, the MS opens a connection to its port 2042 for the local address 10.1.1.1 and registers the appropriate mapping with the network identity mapping module. If a mobile client in combination with a proxy driver (nmproxy) wants to send data on its newly opened connection, the packet generated by the unique network stack has the source address of 10.1.1.1 port 2042 doing. The network identity mapping module adapts the protocol / address / port tuple of the frame against the mapping table and replaces the source address and 10.1.1.2 port 21 before the packet is transmitted to the network. . The reverse operation is performed on the received packet. By using this network identity mapping technique, the mobility server can communicate with the peer system using the virtualized address without having to modify the core operating system transport protocol stack.

  The second problem is a direct result of this mapping technique (mapping technique). Since the network identity mapping module operates logically below the IPSec module (ie, processes the frame before receiving and after transmitting), it directly processes the IPSec protected frame if it does not corrupt the packet. Cannot or cannot be closely related to the privacy or authentication process. To address this issue, in one illustrative embodiment, the aforementioned IPSec filter module (nmipsec) inserts itself between the operating system networking stack component and its IPSec module. The filter module examines each outgoing packet before IPSec protects the packet and examines each incoming packet after IPSec removes all ciphers. As soon as the frame is controlled, the frame examines the network identity mapping module (nmprtmap) to determine whether the frame source or destination identity should be mapped. In this way, the function of the mapping logic is shifted to a level where the function of the mapping logic can be executed without interfering with the IPSec processing.

  Hooking the link between IPSec and networking stack components varies depending on the implementation and operating system. In an exemplary exemplary embodiment, the hooking process is completed again by manipulating the tables exchanged between the unique IPSec and the networking stack module. However, other implementations and environments may be based on other technologies. In this illustrative embodiment, the IPSec filter module (nmipsec) loads before the IPSec module and after the transport protocol module. When the IPSec module tries to exchange the function table of the module with the transport protocol component, the IPSec filter module (nmipsec) records and exchanges the original function pointer with its own entry point. As soon as the table is exchanged in this way, the IPSec filter module (nmipsec) can manipulate the content and control which packets the unique IPSec module operates on.

  The third problem is that the hooking technique used by the mobility client is used. As noted above, due to the mapping technique used in one illustrative implementation, the unique networking stack does not know the mobility client's virtual address. As a result, the policy administration, security negotiation, and key management (policy agent / ISAKMP / IKE module) processes also do not recognize these added network addresses. Therefore, there is no IPSec security policy for covering frames received by the mobility client virtual address and transmitted from the address. Furthermore, the security negotiation module (in this case the ISAKMP / IKE module) does not have a communication endpoint open to negotiate a security association for the mobility client. To address this issue in the illustrative embodiment, the security negotiation hooking module (nmike) can use the same hooking methodology described for mobility clients and shown in FIG. The security negotiation hooking module (nmike) intercepts all address change notification requests. If the proxy module registers or unregisters a mobility client virtual address with a network identity mapping module (nmprtmap), the proxy module also informs the security negotiation hooking module (nmike). At the same time, this module notifies the policy administration module (policy agent) of each change. If the Policy Administration (Policy Agent) or Security Negotiation (ISAKMP / IKE) module requests a list of current addresses via a conventional Microsoft Windows® GetIpAddrTable function call, the Security Negotiation Hooking Module (nmike) Intercept the request and add all of the current virtual addresses to the return list. When the policy administration module (policy agent) sees each virtual address in the list, it considers the address as a real address and forms an appropriate policy for the IPSec module. In response to the modification of the network address list, the security negotiation (ISAKMP / IKE) module attempts to open and associate a communication endpoint for each address in the list. However, as described above, this operation usually fails because the illustrative networking stack in this illustrative embodiment is unaware of the facts regarding these other network addresses because of the mapping methodology. To solve this problem, the Security Negotiation Hooking Module (nmike) intercepts the request for the traditional Microsoft Windows® Winsock bind function and modifies the port with the requested virtual address and INADDR_ANY. . As soon as the endpoint is bound through its own transport protocol stack, the security negotiation hooking module (nmike) serves the network identity mapping module (nmprtmap) to the real and virtual addresses. A mapping between the port associated with the newly formed communication endpoint and the port assigned for security negotiation (in this case, port 500 is a standard ISAKMP port). Finally, the Security Negotiation Hooking Module (nmile) does not perform any other IPSec filtering, the real address to instruct the module to pass the packet to and from the specific address. And a port having an IPSec filter module.

  All documents referred to herein are incorporated by reference into the disclosure. As a result, these documents should be clearly described.

  Although the invention has been described with reference to a practical and preferred embodiment, the invention is not limited to this embodiment. In particular, for example, the present invention is not limited to IPSec or Microsoft operating systems. IPSec and related technologies can be configured in a variety of ways, running with some required algorithms running in software or hardware. That is, some implementations may include, for example, hardware accelerator technology for the encryption process. Many network interface and computer industries have commercially available products that are used for this demanding purpose. However, it should be appreciated that the above specification describes the logical arrangement of the required functions and may actually be implemented in a distributed manner. Accordingly, the present invention is intended to cover all modifications and equivalent arrangements within the scope of the appended claims.

1 illustrates an exemplary, exemplary prior art mobile IP client architecture. FIG. FIG. 1 illustrates a typical, exemplary prior art IPSec and Mobile IP architecture. FIG. 4 illustrates an exemplary network protocol envelope that may be used to satisfy an executable and necessary security policy. This causes network traffic to flow between the mobile node to the foreign agent and the mobile node to other communication endpoints via a policy enforcement device (eg, firewall) to the home agent. be able to. FIG. 3 illustrates an example mobility architecture according to an exemplary embodiment without preferred illustrative limitations of the present invention. FIG. 6 illustrates an exemplary usage scenario. FIG. 6 illustrates an exemplary usage scenario. FIG. 6 illustrates an exemplary usage scenario. FIG. 6 illustrates an exemplary usage scenario. FIG. 6 illustrates an exemplary usage scenario. FIG. 6 illustrates an exemplary usage scenario. FIG. 6 illustrates an exemplary usage scenario. 1 illustrates an exemplary client-server architecture. FIG. FIG. 1 illustrates an exemplary and simple prior art operating system security architecture. FIG. 7 illustrates the exemplary FIG. 6 architecture modified to provide a secure, transparent, exemplary mobility function. FIG. 6 illustrates an exemplary runtime link sample. FIG. 6 illustrates exemplary client policy agent hooking. FIG. 2 illustrates a typical server architecture.

Claims (60)

In a method of maintaining network communication with a mobile or other intermittently connected computing device that executes at least one networked application related to at least one network application session,
(A) detecting the occurrence of an event that affects network communication with the computing device;
(B) terminating, instantiating and / or re-instantiating an IP security session used by the computing device while maintaining the network application session in response to the detection. Including network communication maintenance methods.   The method of claim 1, wherein the detecting includes detecting a change in a connected network point.   The method of claim 1, wherein the detecting includes detecting that a previous IP security session has ended due to an interruption of a network connection.   The method of claim 1, wherein the detecting includes detecting that a network identifier of a mobile device has changed.   The method of claim 1, wherein the detecting includes detecting that a mobile device has roamed to various networks or sub-networks.   The step (b) includes the step of negotiating a new IP security session in place of the previously blocked IP security session in a manner that is transparent to the networked application. Item 2. The method according to Item 1.   The method of claim 1, wherein step (b) includes using IPSec to form a secure tunnel over the network.   The method of claim 1, further comprising applying policy provisions to selectively allow, deny, or delay network communication flows beyond the IP security session.   The method according to claim 1, further comprising the step of centrally managing and distributing a policy relating to the formation of the IP security session from a central office.   The method of claim 1, further comprising securely proxying the mobile device communication.   The method of claim 1, further comprising terminating a previous IP security session based on the detection. In a method of modifying an operating environment comprising at least one software component, the operating environment uses a transport engine protocol to execute at least one application;
(A) transparently and selectively injecting computer instructions into the operating environment;
(B) Transfer the execution path of at least one software component to obtain other functions while maintaining binary compatibility for the operating environment component, transport engine protocol, and application. And a method comprising:   The method of claim 12, wherein the transfer is based on a process name. In a method for providing data communication in a mobile computing environment, the environment includes at least one device using at least one network interface for network applications and operating system components;
(A) protecting the network application by selectively and transparently virtualizing the at least one network interface and manipulating system components from at least some characteristics of the mobile computing environment;
(B) A method including the step of allowing the other components described above to recognize at least a connection interruption and a change of a network point to be connected. A method for providing data communication in an environment including at least one device using at least one network interface for network applications and operating system components, comprising:
(A) selectively virtualizing at least one network interface, thereby protecting network applications and operating system components from at least some adverse events that may interfere with communication;
(B) using the virtualized network interface to perform data communication.   The method according to claim 15, wherein the adverse event includes a change of a connected network point.   The method of claim 15, wherein the adverse event includes a time of network disconnection. In using multiple IP security sessions across multiple network interfaces associated with at least one network point to connect to
(A) distributing network application communications to simultaneously flow across the plurality of IP security sessions;
(B) multiplexing / demultiplexing the distributed communication flow into a corresponding higher layer communication session.   19. The policy provision is further applied to selectively allow, deny, or delay network communication flows beyond at least one of the plurality of IP security sessions. The method described.   The method of claim 18, wherein the centralized management and distribution of policies for setting up multiple IP security sessions from a central office. (A) promoting the formation of a plurality of IP security sessions;
(B) selectively permit, deny, and / or flow of network communications beyond at least one of the plurality of IP security sessions based on at least a portion of the applied policy provision; Or a delaying step.   The method of claim 21, further comprising centrally managing and distributing the policy provisions from a central office. In the method of enforcing secure network connection,
(A) setting up an IP security session within the computing network;
(B) Centrally managing and distributing a policy related to the setting of the IP security session from the central office. In the proxy method of mobile communication,
(A) setting communication with a mobile device;
(B) setting up communication with the final peer of the mobile device;
(B) instantiating at least one of a plurality of viable IP security sessions having a final peer on behalf of the mobile device.   25. The method of claim 24, wherein the mobile device includes a client and step (a) includes setting up client server communication. In the proxy method of mobile communication,
(A) establishing at least one IP security session between the mobile device and its communication peer;
(B) maintaining an IP security session with the communication peer during a period when the mobile device is unreachable. In a method for managing an IP security session between a mobility server and a final communication peer,
(A) setting at least one IP security session between the mobility server and a final communication peer;
(B) automatically terminating the IP security session in response to the occurrence of a predetermined event.   28. The method of claim 27, wherein the predetermined event is selected from active links, inactive application sessions, and termination of communication endpoints. In a method of providing secure communication between a mobility client having a network identifier, a mobility server, and a final communication peer,
(A) establishing at least one IP security session between the mobility server and a final peer;
(B) maintaining an IP security session securely even when the network identifier of the mobility client changes. In a system for maintaining network communication with a mobile or other intermittently connected computing device executing at least one networked application related to at least one network application session,
A detection device that detects the occurrence of an event that affects network communication with the computing device;
A system including a security module that instantiates or reinstantiates an IP security session for use by a computing device while maintaining a network application session in response to the detection.   32. The system of claim 30, wherein the detector detects a change in a connected network point.   32. The system of claim 30, wherein the detector detects that a previous IP security session has been terminated due to a network connection interruption.   32. The system of claim 30, wherein the detector detects that a mobile device's network identifier has changed.   32. The system of claim 30, wherein the detector detects that a mobile device has roamed to various networks or sub-networks.   32. The system of claim 30, wherein the security module negotiates a new IP security session in place of a previously blocked IP security session in a manner that is transparent to networked applications.   32. The system of claim 30, wherein the security module uses IPSec to form a secure session via network communications.   31. The system of claim 30, further comprising a policy manager that applies policy provisions to selectively allow, deny, or delay network communication flows beyond the IP security session. .   32. The system of claim 30, further comprising a central policy management station that centrally manages and distributes policies with respect to forming the IP security session.   32. The system of claim 30, further comprising a mobility server that securely proxies the mobile device communication.   32. The system of claim 30, wherein the security module terminates a previous IP security session based on the detection. An operating environment with at least one software component that uses a transport engine protocol to execute at least one application and further includes computer instructions transparently and selectively injected therein In the environment,
While maintaining the binary compatibility of the operating environment component, transport engine protocol, and application, the injected computer instructions transfer a redirector that transfers the execution path of at least one software component to obtain additional functionality. Containing environment.   42. The environment of claim 41, wherein the redirector forwards an execution path based on a process name. In a mobile computing environment comprising at least one device with at least one network interface for network applications and operating system components,
(A) instructions for selectively and transparently virtualizing at least one network interface, thereby protecting the network application and operating system components from at least some characteristics of the mobile computing environment;
(B) An environment including at least other instructions that allow the other components to recognize connection interruptions and changes to the network points to which they are connected. In an environment including at least one device with at least one network interface for network applications and operating system components,
Instructions to selectively virtualize the at least one network interface to protect network applications and operating system components from at least some adverse events that may interfere with communication;
An environment that includes other structures that use virtualized network interfaces to perform data communications.   45. The environment of claim 44, wherein the adverse event comprises a connecting network point.   45. The environment of claim 44, wherein the adverse event includes a time of network disconnection. In a system for using a plurality of IP security sessions across a plurality of network interfaces related to at least one network point to be connected,
A data distributor that distributes network application communications to flow simultaneously across the plurality of IP security sessions;
(B) A system comprising multiple devices / demultiplex devices that multiplex and demultiplex the distributed communication flow into a corresponding higher layer communication session.   19. The system of claim 18, further applying policy provisions to selectively allow, deny, or delay network communication flow beyond at least one of the IP security sessions.   48. The system of claim 47, further comprising a central office that centrally manages and distributes policies for setting up the plurality of IP security sessions. (A) a security framework that facilitates the creation of multiple IP security sessions;
(B) a policy that selectively allows, denies, and / or delays the flow of network communication beyond at least one of the plurality of IP security sessions based at least in part on the policy specification. A system that includes an agent.   51. The system of claim 50, further comprising a central office that centrally manages and distributes the policy provisions. In a system for secure network connection,
A security framework for setting up an IP security session within a computing network;
A system including a central office that centrally manages and distributes policies for setting the IP security session. A communication structure that sets up communication between the mobile device and its final peer; and
A mobility proxy including a security component that instantiates at least one of a plurality of executable IP security sessions with a final peer on behalf of the mobile device.   54. The system of claim 53, wherein the mobile device includes a client and the mobility proxy includes a server. In a system for proxying mobile communications,
Communication means for establishing at least one IP security session comprising the mobile device and its communication peer;
Means for maintaining an IP security session with a communication peer during periods when the mobile device is not reachable. In a system for managing an IP security session between a mobility server and a final communication peer,
Means for establishing at least one IP security session between the mobility server and a final communication peer;
Means for automatically terminating an IP security session in response to the occurrence of a predetermined event.   57. The system of claim 56, wherein the predetermined event is selected from the group comprising a link activity, an application session in activity, and a communication endpoint termination. In a system for providing secure communication between a mobility client having a network identifier, a mobility server, and a final communication peer,
Means for establishing at least one IP security session between the mobility server, a final peer, a mobility client, and a mobility server;
And a means for maintaining an IP security session securely even when the network identifier of the mobility client changes. In a storage medium storing a first set of instructions and a second set of instructions,
The first set of instructions are instructions for inserting a policy agent hooking runtime linkable module into an operating system having a policy agent and IPSec infrastructure;
The second set of instructions are instructions for inserting a network interface virtualization driver into the operating system,
A storage medium that initiates a mobility server connection while the virtualization driver can virtualize the client module network and continue to selectively notify the IPSec infrastructure about network state changes. In preparing a mobile device for secure communication,
The mobile device has an operating environment including a policy agent and IPSec infrastructure;
Downloading over a computer network to a mobile device, and using the mobile device to execute a first set of instructions for inserting a policy agent hooking runtime linkable module into an operating environment, the hooking module comprising: , To notify the policy agent of changes in the network status,
Downloading across the computer network; and executing a second set of instructions on the mobile device to insert a network interface virtualization driver into the operating environment;
A method for initiating a mobility server connection while the virtualization driver can virtualize the client module network and continue to selectively notify the IPSec infrastructure about network state changes.

Images