WO1989008887A1 - Systeme de securite d'acces pour reseaux de communications commute - Google Patents

Systeme de securite d'acces pour reseaux de communications commute Download PDF

Info

Publication number
WO1989008887A1
WO1989008887A1 PCT/AU1989/000098 AU8900098W WO8908887A1 WO 1989008887 A1 WO1989008887 A1 WO 1989008887A1 AU 8900098 W AU8900098 W AU 8900098W WO 8908887 A1 WO8908887 A1 WO 8908887A1
Authority
WO
WIPO (PCT)
Prior art keywords
vpn
field
node
nodes
security
Prior art date
Application number
PCT/AU1989/000098
Other languages
English (en)
Inventor
Anthony Lakshman Alles
Original Assignee
Qpsx Communications Ltd.
Priority date (The priority date is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the date listed.)
Filing date
Publication date
Application filed by Qpsx Communications Ltd. filed Critical Qpsx Communications Ltd.
Publication of WO1989008887A1 publication Critical patent/WO1989008887A1/fr

Links

Classifications

    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00Network architectures or network communication protocols for network security
    • H04L63/02Network architectures or network communication protocols for network security for separating internal from external traffic, e.g. firewalls
    • H04L63/0272Virtual private networks

Definitions

  • This invention relates to an access security system for switched communications networks.
  • the security system of the invention prevents unauthorized access to nodes attached or coupled to a switched communications network.
  • NAP Address Network Access Point Addresses
  • An administrative entity is usually responsible for the allocation of NAP Addresses, and, for the purposes of this specification all entities responsible for the administration of a network resource will be referred to by the generic title of "Network Administrator” .
  • the Network Administrator has the capability of communicating with nodes on the network through a particular node, referred to here as the "Network Administration Node”.
  • a switched Communications Network is such as to enable any particular node, the "source node”, , attached to the network to engage in switched communication with any other node, the "destination node” N- j , attached to the network, where the only necessary requirement for communication to take place is the knowledge of a NAP Address of N, by N .
  • Switched Communications Networks include, but are not restricted to, packet switched networks, circuit switched networks and virtual circuit networks. Typically, communication between nodes is through the exchange of blocks of data, for instance, datagrams in packet switched networks and channels in virtual circuit networks..
  • Addressing and other control information is used to ensure that a communication from a node is received only by the intended destination node.
  • a source node prefixes at least the initial block of data with a AP Address associated with tl ⁇ e_ intended destination node and other control information.
  • AP Address associated with tl ⁇ e_ intended destination node and other control information.
  • all datagrams in a packet switched network usually contain addressing and control information, whereas such information may be provided only during the connection phase in a circuit or virtual circuit switched network.
  • One known practice for the operation of such networks described above is for a node to accept all blocks prefixed with a NAP Address associated with that node. There is no need for prior authorization from either the destination node or the Network Administrator, before a source node initiates a communication with- a destination node.
  • a source node appends a NAP Address corresponding to that node to at least the first data block transmitted to the destination node. Then each destination node checks the NAP Address of the source node upon the initiation of a communication, against a list of the NAP Addresses of the nodes from which the node is authorized tQ receive data. The received data block is accepted only if the source node's NAP Address is found in the list of authorized nodes.
  • the list of authorized nodes is programmed either by the destination node or by the Network Administrator.
  • Another proposal is for the system to arrange for the_source node to check the destination node's NAP Address against a list of nodes to which the node is authorized to transmit data. Communication is initiated only if the destination node's NAP Address is found in the list.
  • This approach suffers from similar problems to the technique discussed above, insofar as a destination node cannot have any guarantee that filtering has been performed and the NAP Addresses are subject to duplication or tampering by the Network Administrator.
  • Another,known technique used to provide access security is to prefix at least the first data block of a communication with a "Security Field", which is checked against a pre-programmed field at the receiving node.
  • the Security Field defines :a security level or domain, either that from which the message originated or for which the message is intended. The message is received by a node only if the security level or domain of the message accords- it that of the receiving node.
  • This technique has the drawbacks that it requires such security levels or domains to be uniformly applicable f throughout the network, which-may not be appropriate j in particular types of networks (fpr instance, public
  • the general object of the present invention is to overcome the drawbacks of the security techniques defined above.
  • a method of securely transmitting switched signals between nodes which are attached to a communications network said communications network including a network administrator, said method including the steps of transmitting signals in blocks at least some of which include security fields, checking the security fields at the nodes and accepting the received signal at a node only if first and second components of the security field have a particular characteristic, and wherein the security field is established by generating the first component of the security field by the network -administrator and generating the second component of the security field by at least one of the nodes.
  • the invention also provides a security system for a switched communications network which includes a network administrator and to which is attached a plurality of nodes, said system comprising means for transmitting signals between said nodes in signal blocks at least some of which include security fields, checking means at the nodes for checking the security fields to determine whether or not the first and second components thereof have particular characteristics, and wherein said network administrator includes means for generating a first component of the security field and at least one of said nodes includes means for generating a second component of the security field.
  • a closed group of nodes is established having a security field in which the first component is derived from the network administrator and the second component is derived through at least one of the nodes. This enhances the security of the system because unauthorised access cannot be obtained from information available from the network alone.
  • the signals are transmitted in blocks, which expression is used to generically denote signal packets, frames, channels etc. It is preferable, although not essential, that the security field be located at the start of each block.
  • FIGURE 1 is a schematic illustration of a switched communications network
  • FIGURE 2 is a schematic illustration of a QPSX network
  • FIGURE 3 is a diagram of part of the network of Figure 2;
  • FIGURES 4A to E show diagramatically typical signal formats;
  • FIGURE 5 is a block diagram showing essential steps of the technique of the invention.
  • FIGURES 6A to D illustrate a more detailed flow chart of the steps of the invention.
  • FIG. 1- is a schematic illustration of a switched communications network 2 having a plurality of nodes 4 attached thereto.
  • the arrangement includes a Network Administration node 6.
  • the Network Administrator node is generally responsible for administration of the network and performs such tasks as allocating addresses, charging, customer control etc. In the system of the invention, the Network Administrator is also partially involved in the initialization and administration of the security scheme, as will be described hereinafter.
  • FIG 2 shows a packet switched multi-access network 8 of the type disclosed in International Publication No. WO 86/03639, hereinafter referred to as a "QPSX" network.
  • the QPSX network 8 can be considered as a more specific example of a network upon which the system of the invention can operate.
  • the QPSX network 8 includes oppositely directed unidirectional buses 12 and 14 between which is connected a plurality of access units 10.
  • Each of the access units 10 can be considered as a node in the schematic arrangement illustrated in Figure 1.
  • the access units 10 provide access to users 16, as diagramatically illustrated in Figure 3.
  • the user 16 uses the associated access unit 10 in order to receive and transmit data on the buses 12 and 14.
  • each access unit 10 includes signal processing circuitry which accepts data from the user 16, forms the data into data packets and transmits the packets on the QPSX network 8 in order to reach the access unit associated with the destination node.
  • the access security system of the-invention may be implemented by software or hardwired logic at each of the access units 10.
  • One arrangement for implementation of the system of the invention is to arrange for the access units to form the data into data packets 18, of the type diagramatically illustrated in Figure 4A.
  • the packet includes an address field 20, security field 22, and data field 17.
  • the address field 20 would normally include the destination network access point (NAP) address and the security field 22 would normally include security information hereinafter referred to as a "VPN Identifier" (Virtual Private Network) .
  • NAP network access point
  • VPN Identifier Virtual Private Network
  • each node checks the VPN Identifier received by it at least at the beginning of a communication with a node against a list of VPN Identifiers pre-progxammed into the node, and, only if a match is found, is the communication accepted.
  • those nodes, pre-programmed with a particular VPN Identifier form the closed user group, or Virtual Private Network, associated with that VPN Identifier.
  • the block 24 indicates that the node is waiting receipt of a message.
  • the block 26 indicates that a message has been received from the network.
  • the block 28 indicates extraction of the VPN Identifier from the message.
  • the VPN Identifier is checked to see whether it is the same as that which is stored in the node where the message is received. If yes, the .nodes accepts the message, as indicated by block 32. If there is a mismatch, the node discards the message as indicated by block 34 and returns to the wait block 24.
  • These logical steps are carried out by software in microcomputers at the nodes or in hard wired logic implemented to perform the same logical operations.
  • VPN Number Virtual Private Network Number
  • VPN Key Virtual Private Network Key
  • the nodes in the group agree that Master Nodes have the power to i 1 t provide VPN Keys, and therefore the power to set up closed user groups.
  • Each Master Node provides a single VPN Key, of a particular format agreed upon by all nodes in the closed user group.
  • This arrangement 5. ensures the uniqueness of the VPN Identifier and ensures that the integrity of the scheme is not predicated upon the integrity of any one party.
  • the VPN Number may comprise a multi-bit digital number randomly generated by the Network Administrator 6. 0 For instance a 16-bit number would be quite suitable.
  • the VPN Key may also comprise a sixteen-bit number which is selected by the user at the node by keyboard or the like or alternatively is automatically generated by an access unit 10 when the 5 user at the access unit requires a new VPN Key.
  • a closed user group is initiated by the Master Nodes requesting a VPN Number 0 from the Network Administrator 6.
  • the latter allocates an available VPN Number to the prospective closed user group, by programming the Master Nodes with the VPN Number.
  • the VPN Number need not • necessarily be known to any party other than the Network Administrator.
  • Users, via Master Nodes then program their own nodes with the associated VPN Keys.
  • a particular VPN Key need not necessarily be known to any party other than the particular the user at a Master Node associated with that key.
  • the user, at a node is then admitted in to the closed user group " through a multi-party rendezvous at the Member's node, to program the node with the complete VPN Identifier.
  • a node either Master or Member
  • the Network Administrator supplies the VPN Number and each Master Node supplies the corresponding VPN Key.
  • the node being programmed permits the programming of the node with the appropriate fields (and supplies the appropriate Key if the node is also a Master Node) .
  • the communications with the node being programmed will occur over the network. Alternatively some communications with the node may be made by routes not including the network (out of band) for higher security.
  • the particular field containing the VPN Number or .Key may be associated with a "Field Origin Verifier" (FOV), which is a password distributed beforehand by the originator of the particular VPN Number or VPN Key to the node being programmed.
  • FOV Field Origin Verifier
  • the FOV can be conveyed to a node by secure courier or by other means.
  • the data block carrying the particular VPN Number or Key will also carry the corresponding FOV and this will be checked at the node being programmed against the Field Origin Verifier entered at the node from the out of band source. Only if these match will the VPN Number or Key be accepted thus precluding an unauthorized node from mimicking a Master Node or the Network Administrator.
  • the integrity of the security scheme is dependent upon the integrity of the FOV's and hence these should be distributed in a secure manner.
  • the initialization step 36 indicates that a user at a node wants to establish or join a VPN group.
  • the program passes to step 38 which enquires whether or not the node is a Master Node. If the Node is a Master Node, a VPN Key is selected or generated, as indicated by step 40. The program then waits for a received message, as indicated by step 42. If the node is not a Master Node, the program bypasses step 40 and passes directly to Wait Step 42. Once a message has been received at the node, the program determines, in step 44 whether the message has been received either. from the network or out of band, for instance an FOV by secure courier. The program then passes to step 46 which determines whether or not the message which has been received contains an FOV for.a component of the VPN Identifier. If the message does contain an FOV, the program passes to step 48 shown in Figure 6B.
  • Step 48 determines whether or not the VPN Identifier component has already been programmed by virtue of an earlier message. If yes, the received FOV is discarded, as indicated by step 50 and the program returns to Wait Step 42. If the VPN Identifier component has not already been programmed, the program passes to step 52 which determines whether or not the corresponding component of the VPN Identifier i.e. the VPN Number or VPN Key, has already been received from messages from the network. If no, the program stores the FOV, as indicated by step 54 and then returns to a Wait Step 42. If the corresponding component has been received, the program passes to step 56.
  • the VPN Identifier component i.e. the VPN Number or VPN Key
  • step 56 the program determines whether or not the FOV received from the Network is the same as that which has been received out of band. If the FOV received from the network is different, the program discards all stored fields i.e. any stored values for the VPN Number or VPN Key, as indicated by step 58 and then returns to Wait Step 42. If on the other hand the FOV's match, the program passes to step 60 which stores the received VPN Number from the Network Administrator or the received VPN Key from a Master Node. The program also stores a Field Modification Identifier (FMI) which a password associated with either the VPN Number or VPN Key. The FMI password enables authorized changes of the VPN Number or VPN Key-to be made but only if there is a match of FMI's, as described hereinafter.
  • FMI Field Modification Identifier
  • step 62 determines whether all of the components of the VPN Identifier have been received.
  • the programming of the node is complete, as indicated by step 64 from which the program returns to Wait Step 42.
  • the programmed node is then able to wait for receipt of messages having the correctly encoded VPN Identifiers, as indicated by the operating flow chart of Figure 5. If on the other hand the step 62 indicates that the VPN Number or Key has not yet been received, the program returns to ⁇ tfaif..Step 42 to await further messages containing the necessary information.
  • step 46 if the message received does not contain an FOV, the program passes to step 66.
  • the program determines whether the received message contains a component of the VPN Identifier, i.e. the VPN Number or VPN Key and the associated FOV and
  • step 68 the program passes to step 68, shown in Figure 6B.
  • the step 68 determines whether or not the received VPN Number or VPN Key has already been stored (in step 60) in respect of an earlier received message. If yes, the program discards the newly received VPN Identifier component, as indicated by step 70 and then returns to Wait Step 42. If there has not been an earlier storing-of the VPN Identifier component, the program passes to step 72 which determines whether or not the FOV for the corresponding VPN Identifier component has been received out of band. If yes, the program then passes to step 56 to complete the programming as before. If the corresponding FOV has not been received out of band, the program stores the received VPN Identifier component, FOV and FMI, as indicated in step 74 and then returns to Wait Step 42. The step 72 thus holds up programming of the node until the FOV has been received from the out of band source.
  • step 76 enquires whether or not the message ..includes a request for a VPN Key. If yes, the program passes to step 75 shown in Figure 6C.
  • the step 75 determines whether or not the node is a Master Node. If it is not a Master Node, it cannot supply a VPN Key and therefore the program returns to Wait Step 42. If yes, the program generates an FOV and FMI, as indicated by step 78.
  • the step 80 indicates the step of conveying the FOV out of band to the requesting node, for instance by secure courier. The program can then send the VPN Key and its associated FOV and FMI to the requesting node via the network, as indicted by step 90. The program then returns to Wait Step 42.
  • step 92 determines whether or not the message contains a modification for a eomponent for the VPN Identifier and the associated FMI (indicated by a message type, for instance), which is transmitted when it is desired to change one or other VPN Identifier components. If the message is not of this type the program returns to Wait Step 42. If the received message does contain a modification to a VPN Identifier component the program passes to step 94 shown in Figure 6D. The step 94 determines whether or not the corresponding component of the VPN Identifier (to the received FMI) has been stored. If it has not, the program discards the message, as indicated by step 96 and returns to Wait Step 42.
  • step 98 determines whether the received FMI matches with that which has been stored in the node, indicating that the proposed change of the VPN Identifier component is authorized. If there is a mismatch, the signal is discarded, as indicated by step 100 and the program again returns to Wait Step 42. If there is a match of FMI's the program passes to step 102 which stores the modified VPN Identifier component in the node.
  • the received message in addition to the modified component of the VPN Identifier, may also include a new FMI. The use of new FMI's decreases the- likelihood that unauthorized modifications of VPN Identifier components can take place.
  • a new FMI is stored in the node, as indicated by step 104.
  • the program then returns to Wait Step 42 to await receipt of further messages from the network. It is possible of course to-have.more, than two VPN Keys, in addition to the VPN Number.
  • FIGs 4A to E illustrate typical packet formats for signals transmitted in the networks of Figures 1 and 2.
  • the packet format 18 shown in Figure 4A is appropriate for transmission of data between nodes in the network once the VPN groups have been established.
  • the VPN Identifier field 22 includes separate fields for the VPN Number and for VPN Key, to VPN Key pertain, which is appropriate for a closed user group with N Master Nodes.
  • the packet formats 19 and 21 are appropriate when there is a request by a node to form or join a closed user group.
  • the packet format " 19 is typical of a packet which is sent by the Network Administrator 6 to a requesting node in order that the requesting node can complete its VPN Identifier.
  • the packet 19 includes the destination NAP Address field 20, FOV field 23, which, as indicated previously, must be matched with the FOV conveyed to the requesting node out of band. It also includes a VPN Number field 25 which contains the VPN Number generated by the Network Administrator 6. Typically the VPN Number could comprise a randomly generated 16-bit number.
  • the signal format also includes an FMI field 27 which is the password enabling subsequent authorized modification of the VPN Number in the field 25.
  • the packet format 21 shown in Figure 4B is appropriate for the signal sent by a Master Node when requesting to join or form a closed user group.
  • the packet format 21 includes the address field 20, " and an FOV field 23, which must match with that of the packet format of Figure 4B in order to establish or join the closed user group.
  • the packet format includes a VPN Key field 29 which contains a coded number generated by the requesting node and which forms the other component of the VPN Identifier for the group. It also includes an FMI field 31 to enable subsequent authorized modification of the VPN Key 29.
  • the packet formats 33 and 35 shown in Figures 4D and 4E are appropriate for sending by the Network Administrator and Master Node respectively when it is desired to modify the VPN " Identifier components.
  • the packet format 33 of Figure 4D includes the address field 20, and a field 37 which contains the old FMI.
  • the password stored in the field 37 must match with the FMI which has been stored in the nodes, in order for new VPN Numbers to be entered.
  • the packet format 33 also includes a field 39 which contains the new VPN Number and a field 41 which contains a new FMI password for subsequent variations of the VPN Number.
  • the packet format 35 shown in Figure 4E includes the address field 20 and a field 43 which contains the old FMI password which must be matched in order for the VPN Key to be changed.
  • the packet format also includes a field 45.which includes the new VPN Key and a field 47 which includes the new FMI. Since VPN Identifier components are generated independently at separate nodes, there is only a small probability, in general, that the corresponding FMI, are equal since the FMI generation processes will in general be independent.
  • the system of the invention has good security characteristics because access to closed groups of users requires security components- from both the Network Administrator and the nodes. This makes the security system less vulnerable to unauthorised access, since the integrity of the system is not predicated upon the integrity of any single party.

Landscapes

  • Engineering & Computer Science (AREA)
  • Computer Hardware Design (AREA)
  • Computer Security & Cryptography (AREA)
  • Computing Systems (AREA)
  • General Engineering & Computer Science (AREA)
  • Computer Networks & Wireless Communication (AREA)
  • Signal Processing (AREA)
  • Data Exchanges In Wide-Area Networks (AREA)

Abstract

On a mis au point un procédé permettant de transmettre avec sécurité des signaux en paquets (18) entre des noeuds (4) dans un réseau (2). Le procédé comprend les étapes consistant à prévoir dans les paquets des champs de sécurité (22) comportant des premiers et des seconds constituants. Un des constituants (numéro VPN de réseau privé virtuel) est produit par l'administrateur de réseau (6), le second constituant (clé VPN) étant produit par au moins un des noeuds.
PCT/AU1989/000098 1988-03-11 1989-03-10 Systeme de securite d'acces pour reseaux de communications commute WO1989008887A1 (fr)

Applications Claiming Priority (2)

Application Number Priority Date Filing Date Title
AUPI7205 1988-03-11
AUPI720588 1988-03-11

Publications (1)

Publication Number Publication Date
WO1989008887A1 true WO1989008887A1 (fr) 1989-09-21

Family

ID=3772911

Family Applications (1)

Application Number Title Priority Date Filing Date
PCT/AU1989/000098 WO1989008887A1 (fr) 1988-03-11 1989-03-10 Systeme de securite d'acces pour reseaux de communications commute

Country Status (1)

Country Link
WO (1) WO1989008887A1 (fr)

Cited By (20)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
WO1992003001A1 (fr) * 1990-08-07 1992-02-20 Concord Communications, Inc. Controleur d'acces pour reseau local
FR2717021A1 (fr) * 1994-03-04 1995-09-08 Sagem Procédé de sécurisation de la transmission de données numériques entre abonnés d'un réseau de transmission par paquets.
US5555244A (en) * 1994-05-19 1996-09-10 Integrated Network Corporation Scalable multimedia network
EP0838933A1 (fr) * 1996-10-24 1998-04-29 International Business Machines Corporation Méthode et dispositif pour contrÔler le niveau d'accès dans un réseau métropolitain
WO1998026556A1 (fr) * 1996-12-13 1998-06-18 3Com Corporation Procede et dispositif assurant des transmissions reseau securisees
WO2001043392A2 (fr) * 1999-12-10 2001-06-14 Sun Microsystems, Inc. Systeme et procede de securisation a geometrie variable d'un reseau prive virtuel
WO2001080489A2 (fr) * 2000-04-12 2001-10-25 Openreach.Com Procedes et systemes permettant l'etablissement d'une communication entre un processeur et un centre d'exploitation de reseau
US6631416B2 (en) 2000-04-12 2003-10-07 Openreach Inc. Methods and systems for enabling a tunnel between two computers on a network
US6798782B1 (en) 1999-12-10 2004-09-28 Sun Microsystems, Inc. Truly anonymous communications using supernets, with the provision of topology hiding
US6870842B1 (en) 1999-12-10 2005-03-22 Sun Microsystems, Inc. Using multicasting to provide ethernet-like communication behavior to selected peers on a network
US6970941B1 (en) 1999-12-10 2005-11-29 Sun Microsystems, Inc. System and method for separating addresses from the delivery scheme in a virtual private network
US6977929B1 (en) 1999-12-10 2005-12-20 Sun Microsystems, Inc. Method and system for facilitating relocation of devices on a network
US6996628B2 (en) 2000-04-12 2006-02-07 Corente, Inc. Methods and systems for managing virtual addresses for virtual networks
US7028333B2 (en) 2000-04-12 2006-04-11 Corente, Inc. Methods and systems for partners in virtual networks
US7028334B2 (en) 2000-04-12 2006-04-11 Corente, Inc. Methods and systems for using names in virtual networks
US7047424B2 (en) 2000-04-12 2006-05-16 Corente, Inc. Methods and systems for hairpins in virtual networks
US7181766B2 (en) 2000-04-12 2007-02-20 Corente, Inc. Methods and system for providing network services using at least one processor interfacing a base network
US7336790B1 (en) 1999-12-10 2008-02-26 Sun Microsystems Inc. Decoupling access control from key management in a network
US7395354B2 (en) 2002-02-21 2008-07-01 Corente, Inc. Methods and systems for resolving addressing conflicts based on tunnel information
US7533409B2 (en) 2001-03-22 2009-05-12 Corente, Inc. Methods and systems for firewalling virtual private networks

Citations (11)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
EP0048903A1 (fr) * 1980-09-30 1982-04-07 Licentia Patent-Verwaltungs-GmbH Système de sécurité pour éviter des manipulations non autorisées loss de la transmission électronique de textes dans des réseaux de données
AU8937982A (en) * 1981-10-15 1983-04-21 National Research Development Corp. Digital computer
AU2195783A (en) * 1982-12-22 1984-06-28 Alcatel N.V. Ring-loop network
AU2412684A (en) * 1983-01-26 1984-08-15 Hyundai Electronics Industries Co. Ltd. Communication bus interface unit
AU5794886A (en) * 1985-05-28 1986-12-04 Siemens Aktiengesellschaft Method and circuit apparatus for checking the authorization of access to a signal processing system
EP0223122A2 (fr) * 1985-11-18 1987-05-27 International Business Machines Corporation Système sécurisé pour la validation de composants
JPS62197850A (ja) * 1986-02-26 1987-09-01 Mitsubishi Electric Corp ロ−カルエリアネツトワ−ク制御装置
AU7618987A (en) * 1986-07-31 1988-02-04 American Telephone And Telegraph Company Selective broadcasting arrangement for local area networks
AU7621487A (en) * 1986-07-28 1988-02-04 Honeywell Bull Inc. A controller for controlling multiple lan types
AU7832287A (en) * 1986-12-19 1988-06-23 Global 360, Inc. Apparatus for distributing data processing across a plurality of loci of control
JPS63212261A (ja) * 1987-02-28 1988-09-05 Bitsugu Sons:Kk ネツトワ−ク通信装置

Patent Citations (11)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
EP0048903A1 (fr) * 1980-09-30 1982-04-07 Licentia Patent-Verwaltungs-GmbH Système de sécurité pour éviter des manipulations non autorisées loss de la transmission électronique de textes dans des réseaux de données
AU8937982A (en) * 1981-10-15 1983-04-21 National Research Development Corp. Digital computer
AU2195783A (en) * 1982-12-22 1984-06-28 Alcatel N.V. Ring-loop network
AU2412684A (en) * 1983-01-26 1984-08-15 Hyundai Electronics Industries Co. Ltd. Communication bus interface unit
AU5794886A (en) * 1985-05-28 1986-12-04 Siemens Aktiengesellschaft Method and circuit apparatus for checking the authorization of access to a signal processing system
EP0223122A2 (fr) * 1985-11-18 1987-05-27 International Business Machines Corporation Système sécurisé pour la validation de composants
JPS62197850A (ja) * 1986-02-26 1987-09-01 Mitsubishi Electric Corp ロ−カルエリアネツトワ−ク制御装置
AU7621487A (en) * 1986-07-28 1988-02-04 Honeywell Bull Inc. A controller for controlling multiple lan types
AU7618987A (en) * 1986-07-31 1988-02-04 American Telephone And Telegraph Company Selective broadcasting arrangement for local area networks
AU7832287A (en) * 1986-12-19 1988-06-23 Global 360, Inc. Apparatus for distributing data processing across a plurality of loci of control
JPS63212261A (ja) * 1987-02-28 1988-09-05 Bitsugu Sons:Kk ネツトワ−ク通信装置

Non-Patent Citations (2)

* Cited by examiner, † Cited by third party
Title
PATENT ABSTRACTS OF JAPAN, E-699, page 165; & JP,A,63 212 261 (BITSUGO SONS K.K.), 27 December 1988. *
PATENT ABSTRACTS OF JAPAN, P-667, page 67; & JP,A,62 197 850 (MITSUBISHI ELECTRIC CORP.), 01.09.87. *

Cited By (31)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
WO1992003001A1 (fr) * 1990-08-07 1992-02-20 Concord Communications, Inc. Controleur d'acces pour reseau local
FR2717021A1 (fr) * 1994-03-04 1995-09-08 Sagem Procédé de sécurisation de la transmission de données numériques entre abonnés d'un réseau de transmission par paquets.
US5864542A (en) * 1994-05-19 1999-01-26 Cisco Technology, Inc. Scalable multimedia network
US6272151B1 (en) 1994-05-19 2001-08-07 Cisco Technology, Inc. Scalable multimedia network
US5740176A (en) * 1994-05-19 1998-04-14 Dagaz Technologies, Inc. Scalable multimedia network
US5555244A (en) * 1994-05-19 1996-09-10 Integrated Network Corporation Scalable multimedia network
US5673265A (en) * 1994-05-19 1997-09-30 Integrated Network Corporation Scalable multimedia network
US5799017A (en) * 1994-05-19 1998-08-25 Cisco Technology, Inc. Scalable multimedia network
EP0838933A1 (fr) * 1996-10-24 1998-04-29 International Business Machines Corporation Méthode et dispositif pour contrÔler le niveau d'accès dans un réseau métropolitain
US5935245A (en) * 1996-12-13 1999-08-10 3Com Corporation Method and apparatus for providing secure network communications
WO1998026556A1 (fr) * 1996-12-13 1998-06-18 3Com Corporation Procede et dispositif assurant des transmissions reseau securisees
US6970941B1 (en) 1999-12-10 2005-11-29 Sun Microsystems, Inc. System and method for separating addresses from the delivery scheme in a virtual private network
WO2001043392A2 (fr) * 1999-12-10 2001-06-14 Sun Microsystems, Inc. Systeme et procede de securisation a geometrie variable d'un reseau prive virtuel
US7685309B2 (en) 1999-12-10 2010-03-23 Sun Microsystems, Inc. System and method for separating addresses from the delivery scheme in a virtual private network
WO2001043392A3 (fr) * 1999-12-10 2002-02-21 Sun Microsystems Inc Systeme et procede de securisation a geometrie variable d'un reseau prive virtuel
US7336790B1 (en) 1999-12-10 2008-02-26 Sun Microsystems Inc. Decoupling access control from key management in a network
US6977929B1 (en) 1999-12-10 2005-12-20 Sun Microsystems, Inc. Method and system for facilitating relocation of devices on a network
US6798782B1 (en) 1999-12-10 2004-09-28 Sun Microsystems, Inc. Truly anonymous communications using supernets, with the provision of topology hiding
US6870842B1 (en) 1999-12-10 2005-03-22 Sun Microsystems, Inc. Using multicasting to provide ethernet-like communication behavior to selected peers on a network
WO2001080487A3 (fr) * 2000-04-12 2002-04-25 Openreach Com Procedes et systemes pour associes dans des reseaux virtuels
US6631416B2 (en) 2000-04-12 2003-10-07 Openreach Inc. Methods and systems for enabling a tunnel between two computers on a network
US6996628B2 (en) 2000-04-12 2006-02-07 Corente, Inc. Methods and systems for managing virtual addresses for virtual networks
US7028333B2 (en) 2000-04-12 2006-04-11 Corente, Inc. Methods and systems for partners in virtual networks
US7028334B2 (en) 2000-04-12 2006-04-11 Corente, Inc. Methods and systems for using names in virtual networks
US7047424B2 (en) 2000-04-12 2006-05-16 Corente, Inc. Methods and systems for hairpins in virtual networks
US7181542B2 (en) 2000-04-12 2007-02-20 Corente, Inc. Method and system for managing and configuring virtual private networks
US7181766B2 (en) 2000-04-12 2007-02-20 Corente, Inc. Methods and system for providing network services using at least one processor interfacing a base network
WO2001080489A3 (fr) * 2000-04-12 2002-04-25 Openreach Com Procedes et systemes permettant l'etablissement d'une communication entre un processeur et un centre d'exploitation de reseau
WO2001080489A2 (fr) * 2000-04-12 2001-10-25 Openreach.Com Procedes et systemes permettant l'etablissement d'une communication entre un processeur et un centre d'exploitation de reseau
US7533409B2 (en) 2001-03-22 2009-05-12 Corente, Inc. Methods and systems for firewalling virtual private networks
US7395354B2 (en) 2002-02-21 2008-07-01 Corente, Inc. Methods and systems for resolving addressing conflicts based on tunnel information

Similar Documents

Publication Publication Date Title
WO1989008887A1 (fr) Systeme de securite d'acces pour reseaux de communications commute
US6792474B1 (en) Apparatus and methods for allocating addresses in a network
AU717065B2 (en) Secure network protocol system and method
JP4955181B2 (ja) 安全なコラボレーティブ・トランザクションを管理する方法及び装置
JP4808348B2 (ja) 通信ネットワークにおける配列と方式
EP1897339B1 (fr) Mise en correspondance d'une adresse mac originale d'un terminal avec une adresse mac virtuelle specifique administree localement
US5204961A (en) Computer network operating with multilevel hierarchical security with selectable common trust realms and corresponding security protocols
US5809140A (en) Session key distribution using smart cards
CN1578215B (zh) 安全协议的自动协商系统和方法
US7340612B1 (en) Method for device registration in a wireless home network
CN100499532C (zh) 公开密钥证书提供装置和方法、连接装置、通信装置和方法
US6813714B1 (en) Multicast conference security architecture
US10142119B2 (en) Communication method and apparatus using changing destination and return destination ID's
US7822982B2 (en) Method and apparatus for automatic and secure distribution of a symmetric key security credential in a utility computing environment
US20030140223A1 (en) Automatic configuration of devices for secure network communication
CN101110847B (zh) 一种获取介质访问控制地址的方法、系统及装置
US7644269B2 (en) Method of controlling access
CN101288063A (zh) 无线设备发现和配置
CN101087236B (zh) Vpn接入方法和设备
US8024466B2 (en) System and method for providing security backup services to a home network
US20230336529A1 (en) Enhanced privacy preserving access to a vpn service
US20050223229A1 (en) Secure information distribution between nodes (network devices)
US20060143701A1 (en) Techniques for authenticating network protocol control messages while changing authentication secrets
WO2021103431A1 (fr) Procédé pour réaliser une authentification de sécurité d'un participant à un domaine dds
CN114884771B (zh) 基于零信任理念的身份化网络构建方法、装置和系统

Legal Events

Date Code Title Description
AK Designated states

Kind code of ref document: A1

Designated state(s): AU JP US

AL Designated countries for regional patents

Kind code of ref document: A1

Designated state(s): AT BE CH DE FR GB IT LU NL SE

WWE Wipo information: entry into national phase

Ref document number: 1989903032

Country of ref document: EP

WWW Wipo information: withdrawn in national office

Ref document number: 1989903032

Country of ref document: EP