WO2009062504A1 - Communication sécurisée entre un client et des dispositifs sur différents réseaux locaux privés utilisant les mêmes adresses de sous-réseau - Google Patents

Communication sécurisée entre un client et des dispositifs sur différents réseaux locaux privés utilisant les mêmes adresses de sous-réseau Download PDF

Info

Publication number
WO2009062504A1
WO2009062504A1 PCT/DK2007/050168 DK2007050168W WO2009062504A1 WO 2009062504 A1 WO2009062504 A1 WO 2009062504A1 DK 2007050168 W DK2007050168 W DK 2007050168W WO 2009062504 A1 WO2009062504 A1 WO 2009062504A1
Authority
WO
WIPO (PCT)
Prior art keywords
devices
addresses
intermediate server
packets
client
Prior art date
Application number
PCT/DK2007/050168
Other languages
English (en)
Inventor
Michael Jacobsen
Original Assignee
Tnm Farmguard Aps
Priority date (The priority date is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the date listed.)
Filing date
Publication date
Application filed by Tnm Farmguard Aps filed Critical Tnm Farmguard Aps
Priority to PCT/DK2007/050168 priority Critical patent/WO2009062504A1/fr
Publication of WO2009062504A1 publication Critical patent/WO2009062504A1/fr

Links

Classifications

    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00Network architectures or network communication protocols for network security
    • H04L63/02Network architectures or network communication protocols for network security for separating internal from external traffic, e.g. firewalls
    • H04L63/0272Virtual private networks
    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L12/00Data switching networks
    • H04L12/66Arrangements for connecting between networks having differing types of switching systems, e.g. gateways
    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L61/00Network arrangements, protocols or services for addressing or naming
    • H04L61/09Mapping addresses
    • H04L61/25Mapping addresses of the same type
    • H04L61/2503Translation of Internet protocol [IP] addresses
    • H04L61/2514Translation of Internet protocol [IP] addresses between local and global IP addresses
    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L61/00Network arrangements, protocols or services for addressing or naming
    • H04L61/09Mapping addresses
    • H04L61/25Mapping addresses of the same type
    • H04L61/2503Translation of Internet protocol [IP] addresses
    • H04L61/2521Translation architectures other than single NAT servers
    • H04L61/2535Multiple local networks, e.g. resolving potential IP address conflicts
    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L61/00Network arrangements, protocols or services for addressing or naming
    • H04L61/09Mapping addresses
    • H04L61/25Mapping addresses of the same type
    • H04L61/2503Translation of Internet protocol [IP] addresses
    • H04L61/2539Hiding addresses; Keeping addresses anonymous
    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00Network architectures or network communication protocols for network security
    • H04L63/04Network architectures or network communication protocols for network security for providing a confidential data exchange among entities communicating through data packet networks
    • H04L63/0428Network architectures or network communication protocols for network security for providing a confidential data exchange among entities communicating through data packet networks wherein the data content is protected, e.g. by encrypting or encapsulating the payload
    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00Network architectures or network communication protocols for network security
    • H04L63/16Implementing security features at a particular protocol layer
    • H04L63/164Implementing security features at a particular protocol layer at the network layer

Definitions

  • the present invention relates to a method and a system for pro- viding secure communication between a client and one or more network devices located on private networks placed behind different gateways, which private networks at least partly use the same local subnet addresses for said network devices.
  • Modern production facilities utilise communication capable de- vices for controlling and monitoring production processes and production equipment used for operating of the production.
  • a computer located in the production facilities typically manages the devices in order to provide an overview of the production and facilitate the operation or the devices themselves can act as computers.
  • each vendor in principle provides a computer with an interface, which can be used for controlling and monitoring the production facilities.
  • a vendor providing devices for a production facility or third parties related to the production may be able to better serve the customer by having remote access to the devices controlling and monitoring the production or for instance inventory levels or orders maintained on a computer located on a customer's private network.
  • computers or devices in such production facilities are configured as private local networks, which can communicate with the Internet in order to provide remote access to the devices or computers managing and controlling several devices.
  • Such private local networks are typically placed behind a router with a firewall, which routes the traffic and protects the networks from intruders.
  • the access to the computers on the networks is typically pro- vided by configuring the router or firewall with a port dedicated to the IP address of the computers on the private network, which then can be accessed via the internet by users knowing of these port and configurations. Even if the access to the computers further more requires login credentials, this approach offers a limited security as the computers are practically directly exposed to everyone on the Internet. It can be crucial if intruders with knowledge of the poor security, be it intended or non- intended, take control of devices controlling and monitoring the production and thereby sabotage the production.
  • a method for accessing resources on a private network via an intermediate server comprises receiving a login request from a user for access to the intermediary server, authenticating the user, subsequently receiving a resource request from the user at the intermediary server, obtaining ac- cess privileges for the user, determining whether the access privileges for the user permit the user to perform the particular operation at the private network and preventing performance of the particular operation if the access privileges for the user do not permit the user to perform the particular operation at the private network.
  • Private networks used at production facilities or in small business networks are typically configured with a standard LAN configuration, which facilitates the installation and configuration.
  • the use of standard LAN configurations makes it even easier for intruders to gain access to the network, but it also poses another problem, because standard configured networks often use the same private local network addresses.
  • a rule is added to the routing table telling the system to use the particular IPsec connection for packets des- tined to local IP subnet addresses on that private network. If the subnet addresses of the private networks overlap, the routing table becomes ambiguous, since the routing table fails to determine which IPsec connection to use for a packet destined for a local subnet address used on more than one private network. This is fatal in order to provide a proper routing when using an intermediate server for providing access to computers on private networks.
  • a secure IP connection is established between said client and an intermediate server comprising information of accessible gateways and network devices and their corresponding local addresses, a virtual network interface comprising a readable and writable file interface and a plurality of virtual IP subnet addresses configured at said intermediate server, each of said network devices is associ- ated with one of said plurality virtual IP subnet addresses, secure IP settings between the intermediate server and the gateways are negotiated and managed at application level on said intermediate server, packets received at the intermediate server from the client for the network devices are sent from the virtual network interface to the virtual IP ad- dresses associated with the devices and then read from the file interface, the source addresses of packets read from the file interface are replaced with the real IP address of the intermediate server and the destination addresses of said packets from the client are replaced with the actual local subnet addresses of the devices, the packets are encrypted and au- thenticated according to the secure IP settings negotiated for the gateways in order to provide encrypted packets, said encrypted packets
  • encrypted payload packets received from the gateways are authenticated and decrypted by using the secure IP settings negotiated for the gateways, the source addresses of the incoming packets from the gateways are replaced with the associated virtual IP subnet addresses, and the destination addresses are replaced with the virtual network address, and the packets are written to the file interface of the virtual network interface, received at the virtual network interface and sent to the client.
  • the system manages connections and settings for establishing secure connections at the intermediate server where the data streams are linked.
  • each network device is associated with a unique connection identifier. This makes it easier for the user to identify the individual devices and also facilitates the administration of the system.
  • each device furthermore is associated with at least one port number for communication connections, it is possible to differentiate the access to the devices by using different port numbers for different access purposes. This makes it possible to provide a specific access directed at for instance the owner or vendor of a device and another access for standard users of the system such as subcontractors or employees.
  • the checksums of the encrypted payload packets are recomputed after replacing the source addresses and the destination addresses in order to protect against erroneous packets and maintain the robustness of the used protocols.
  • the secure IP settings between the intermediate server and the gateways are negotiated at application level by means of an IKE daemon bypassing the kernel of the in- termediate server and accepting ambiguous routing information, which is managed at application level and thereby enabling the use of IPsec connections to the users without providing the kernel of the operating system with ambiguous routing information.
  • the intermediate server monitors the data streams between the client and the devices in order to manage login credentials required by the devices, by modifying the login credentials comprised in said data streams.
  • This provides for a more secure system because login credentials are removed from the data streams to the computers connecting to the intermediate server.
  • the intermediate server manages the login credentials by answering a challenge comprised in said data streams in order to modify the data streams and to provide the devices with the required login credentials.
  • system comprises a central server for managing the access of clients to the intermediate server, which adds a further security layer to the system.
  • a system comprising a plurality of intermediate servers, which makes it possible to provide redundancy to the system and to balance the load on the system to several intermediate servers.
  • Fig. 1 shows a system according to a preferred embodiment of the invention
  • Fig. 2 shows a system according to another embodiment of the invention
  • Fig. 3 is an exemplified system of an embodiment of the invention
  • Fig. 4 shows a detail of a method according to the invention
  • Fig. 5 illustrates the mapping used in the example shown in Fig. 3,
  • Fig. 6 is another detail from the example of the mapping used in the example in Fig. 3.
  • Fig. 1 shows a system 1 according to the invention comprising a computer client 2 running a client application adapted to connect and communicate with an authentication server 3 and a proxy server 4.
  • the clouds 5a, 5b illustrate a public communication network such as the Internet.
  • the proxy server 4 is adapted to communicate and establish connections with several independent local area networks (LANs) 6a, 6b, 6c, which are located respectively behind gateways 7a, 7b, 7c.
  • the gateways are typically a standard combined router/firewall using one of the reserved private networks (subnets) defined in RFC 1918 such as 10.0.0.0/8, 172.16.0.0/12 or 192.168.0.0/16 and prevent the networks from being directly accessible from the Internet.
  • the private networks 6a, 6b, 6c are for instance used in production facilities such as a factory with a production line and a stockpile, or they can be used in a farm for breeding animals.
  • the devices 8a-8f on the private networks 6a, 6b, 6c are standard computers or special purpose controlling devices used for monitoring and controlling equipment used in the production having a communication interface such as Ethernet. Such devices can for instance be used for monitoring temperature, inventory levels of animal feed or the ventilation system of a farm. Devices for such special purposes are often vendor specific and customized to the specific use.
  • the invention is used in a system as illustrated in Fig. 1. At a farm comprising a local area network 6a, two different equipment vendors could for instance supply the devices 8a and 8b.
  • the device 8b could be a standard computer only monitoring and controlling a single point in the production.
  • the device 8a is also a standard communication enabled computer but it is not directly controlling or monitoring the production facilities or specific pieces of equipment.
  • the device 8b is gathering information from special purpose devices 9a, 9b, 9c, which can be integrated in the production facilities more easily than a standard computer.
  • the devices 9a, 9b, 9c are controlled by the computer 8a and the main purpose of computer 8a is therefore to gather information from the distributed devices 9a, 9b, 9c in order to make them accessible by means of a standard communication interface such as a web browser and the Internet.
  • a standard communication interface such as a web browser and the Internet.
  • the devices 9a, 9b, 9c can also be standard computers, which are providing the device 8b with the required information and that the devices 9a, 9b, 9c and 8b could be another network within the private local network 6a.
  • a device on the private local networks can be under- stood as standard computers or communication enabled devices connected to such a standard computer, which are hosting one or more services that are needed by the connecting client 2.
  • Fig. 1 illustrates one client 2 connecting to devices on different local private networks. How- ever, the system is designed such that multiple clients may connect to several clients.
  • the proxy server 4 is customized for or even integrated with the firewalls used at the private local networks 6a, 6b, 6c. Thereby all traffic is not sent through a central proxy server and thereby the load on the system is distributed between a larger number of servers, which provides a more stable and robust system. However, there is still a connection between the proxy servers 4 and the central server 3 for authentication the setup of connections between a client 2 and the proxy server 4, which central server 3 provides access to the devices of the private local networks.
  • a plurality of proxy servers are used, which are positioned with respect to the production facilities but still within the infra structure of the Internet for connecting to several private local networks at the production facilities.
  • the client 2 connects to the proxy server 4, which handles the connections to the devices 8a-8f.
  • Fig. 3 is an example showing the routing problems solved by the present invention.
  • a system according to the invention provides its own routing system.
  • the central server 3 is omitted for the sake of simplicity.
  • the gateways 7a, 7b, 7c are IPsec enabled routers assigned with unique IP addresses for interfacing the private local networks 6a, 6b, 6c with the Internet. Since these private local networks are using the same standard IP settings, some of the devices are also using the same local IP addresses. IPsec is a set of cryptographic protocols used to secure packet flow, mutual authentication and to establish cryptographic parameters.
  • an IKE daemon is used to negotiate the IPsec settings such as encryption and authentication keys in order to handle IPsec connections from the proxy server 4 to the devices 8a-8d and in order to keep the routing information away from the kernel of the operating system, which normally handles the routing information contained in the IPsec settings.
  • This is done by using a modified version of an IKE daemon such as the Racoon IKE daemon, which is modified not to fail if it detects possible ambiguous routes, and which provides the negotiated settings to the proxy server running at application level instead of providing it to the kernel of the operating system.
  • the proxy server 4 receives and sends encapsulated security payloads (ESPs) comprising encrypted and authenticated data instead of the operating system.
  • ESPs encapsulated security payloads
  • the proxy server 4 comprises a virtual network interface having a private subnet with virtual IP subnet addresses that does not collide with the real network that the proxy server 4 is connected to.
  • a virtual network interface has the same characteristics as a physical network in- terface, such as a network address, a subnet and MTL), but instead of being connected to a physical cable, it is associated with a readable and writeable file. If a virtual network interface sends data, the data can be read from the file, and if data is written to the file, the virtual network interface sees it as incoming data. Data written to the file destined for the virtual network interface will be handled just as if it arrived on a network cable to a physical network interface. In some operating systems, the option of setting up virtual network interfaces is implemented in the kernel and by making a call to the system a virtual network inter- face can be configured. However, the functionality can also be installed as an extra module to the operating system.
  • the private network 192.168.32.0/24 is used and the proxy server 4 is assigned the virtual IP address 192.168.32.1.
  • the aforementioned virtual network interface enables reading and writ- ing of IP packets to the file interface. When a number of bytes are written to the file interface, the network interface sees it as something on its virtual network. If a packet is generated on the virtual network, the bytes can be read from the file interface.
  • the real IP address of the proxy server 4 is 100.100.100.100.
  • the proxy server 4 there is made a mapping between virtual IP addresses and the IPsec connections to the routers negotiating access to the devices.
  • the virtual IP address 192.168.32.2 is mapped to the device with the ID A having the local IP address 192.168.1.50 (cf. Fig. 3) behind the router with IP 77.77.77.77, and correspondingly the virtual IP address 192.168.32.3 is mapped to the device B also having the local IP address 192.168.1.50 (cf. Fig. 3) but behind the router with IP address 88.88.88.88.
  • the virtual IP addresses are also mapped to the IPsec connections from the proxy server 4 to the routers 7a, 7b, 7c.
  • the entries in the table of Fig. 5 correspond to the situation illustrated in Fig. 3
  • Fig. 4 illustrates the mapping of virtual IP addresses to the IPsec connections and the devices associated thereto.
  • Data illustrated with 15, arrives from a client 2 to the proxy server 4.
  • a part of the proxy server 4 denoted 10 receives the data and sends it to the virtual network interface.
  • the data is send to the virtual network at the point 13.
  • connections to the devices 8a, 8b, 8c, 8d can be set up at this point as well.
  • the packets sent to the virtual network interface can then be read from the file interface, which is illus- trated with 14a, 14b.
  • packets read from the file interface are adapted and encrypted before they are sent towards the right hand side of the figure, i.e.
  • the left hand side of the cloud 11 illustrates a network interface adapted to establish connections, send and receive data.
  • the right hand side of the cloud 11 there is a file interface where the data can be read and written as a series of bytes.
  • the operating system is handling the correct linking of data streams and in particular TCP data streams between clients 2 and the proxy server 4 at one side and the proxy server 4 and the devices 8a, 8b, 8c, 8d at the other side.
  • the box 10 is handling the connection from the client 2, where the point 13 in this example refers to the virtual IP 192.168.32.1.
  • the cloud 11 illustrates the virtual network and the boxes 12a, 12b illustrate the mapping of virtual IP addresses to IPsec connections and the devices behind them.
  • the point 14a refers to the virtual IP address 192.168.32.2 and the point 14b refers to the virtual IP address 192.168.32.3.
  • the IP packets can be read at the virtual file interface. If the proxy reads a packet on the virtual network interface destined for the virtual IP address 192.168.32.2 (device A), the following steps are performed.
  • the virtual source IP 192.168.32.1 is changed to 100.100.100.100, which as mentioned above, is the real IP address of the proxy server 4 and the destination IP address 192.168.32.2 is changed to 192.168.1.50, which is the local private IP address used for the device 8a behind the router 7a.
  • the packet is a TCP or L)DP packet
  • the embedded checksums are recomputed as they depend on the changed information.
  • the packet is encrypted and authenticated according to the IP- sec setup for the router 7a in order to create an ESP packet.
  • the packet is sent to the router by means of the operating system.
  • the authentication field is verified and the ESP packet is decrypted by using the IPsec setup for the router 7a.
  • the decrypted packet contains the source IP that is the local IP address of the device 8a, which is device A in Fig. 3. Provided with the IP of the router 7a and the local IP address of the device 8a, the corresponding virtual IP address can be looked up.
  • the source IP address (192.168.1.50) is replaced with the virtual IP address (192.168.32.2) and the destination IP address is changed from the real IP address (100.100.100.100) of the proxy server 4 to the virtual IP address (192.168.32.1).
  • the packet is written to the virtual network at point 14a.
  • the packet then appears at the network interface at point 13 and the subsystem of box 10 receives and connects the packet to the correct data stream to the client having made a request of communication with the device.
  • the proxy server 4 connects the data streams between the client and the proxy server 4 and between the de- vices and the proxy server 4.
  • This procedure effectively maps a virtual IP address to a device behind a IPsec router, and it is possible to connect to several routers using the same subnet addresses because the routing is managed by the proxy server and not by the operating system. All TCP and L)DP ports are transported through the connections. Other protocols such as ICMP can also be supported as long as it is possible to perform network address translation.
  • connection types there may exist a number of connection types for each device.
  • device A is associ- ated with two different connection types denoted by the connection ID Ci and another connection ID C 2 , which are characterized by different port numbers.
  • Connection Ci uses port 80 and is used for ordinary connections and connection C 2 uses port 443 and is used for administrative purposes.
  • connection Ci uses port 80 and is used for ordinary connections
  • connection C 2 uses port 443 and is used for administrative purposes.
  • the proxy server 4 When a user is logged in to the proxy server 4, the user does not have to remember passwords or manually establish access to any devices. Hence, as described in detail in the above, the proxy server 4 establishes the connections to the devices and handles the logon. This makes it possible to remove a user form the system and thereby deny access to the devices. If the user had the password, it would be possible manually to connect to and login to the devices.
  • the proxy server 4 manipulates the content of the data streams comprising the above-mentioned login credentials.
  • http form login the credentials are hidden to the user by creating a logon POST with the appropriate fields.
  • the request is supplied with fake data.
  • the proxy server 4 monitors the stream and when the fake data are observed, they are changed to the correct data, which are then solely sent to the devices. If the devices are using http basic authentication, the proxy server 4 simply adds an extra header field to each http request comprising the login information needed by the service on the device.
  • the VNC protocol allows for logins with and without password where the password login is based on a challenge/response scheme.
  • the process for using VNC for login goes as follows.
  • the proxy server 4 receives an "open request" for a VNC connection from the client 4 and connects to a VNC server (not shown) for exchanging version information and authentication modes. If the VNC server demands password authentication, the proxy server 4 answers the password challenge using the password for the current user requesting the connection. Hence, the proxy server 4 exchanges data to make the connection appear to the application at the client as if the server did not need a password.
  • the challenge/response login has been accepted by the VNC server, the data streams from the client 4 to the proxy server and from the proxy server 4 to the devices are connected and can continue to forward data back and forth without interference.

Landscapes

  • Engineering & Computer Science (AREA)
  • Computer Networks & Wireless Communication (AREA)
  • Signal Processing (AREA)
  • Computer Hardware Design (AREA)
  • Computer Security & Cryptography (AREA)
  • Computing Systems (AREA)
  • General Engineering & Computer Science (AREA)
  • Data Exchanges In Wide-Area Networks (AREA)

Abstract

L'invention porte sur un procédé et un système pour permettre une communication sécurisée entre un client et un ou plusieurs dispositifs de réseau situés sur des réseaux privés placés derrière différentes passerelles. Lesdits réseaux privés utilisent au moins partiellement les mêmes adresses de sous-réseau local pour lesdits dispositifs de réseau, une connexion IP sécurisée étant établie entre ledit client et un serveur intermédiaire comportant des informations de passerelles accessibles et de dispositifs de réseau et leurs adresses locales correspondantes, et les connexions entre clients et dispositifs étant mappées au niveau d'un serveur mandataire au moyen d'une interface de réseau virtuelle et d'un routage au niveau application.
PCT/DK2007/050168 2007-11-13 2007-11-13 Communication sécurisée entre un client et des dispositifs sur différents réseaux locaux privés utilisant les mêmes adresses de sous-réseau WO2009062504A1 (fr)

Priority Applications (1)

Application Number Priority Date Filing Date Title
PCT/DK2007/050168 WO2009062504A1 (fr) 2007-11-13 2007-11-13 Communication sécurisée entre un client et des dispositifs sur différents réseaux locaux privés utilisant les mêmes adresses de sous-réseau

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
PCT/DK2007/050168 WO2009062504A1 (fr) 2007-11-13 2007-11-13 Communication sécurisée entre un client et des dispositifs sur différents réseaux locaux privés utilisant les mêmes adresses de sous-réseau

Publications (1)

Publication Number Publication Date
WO2009062504A1 true WO2009062504A1 (fr) 2009-05-22

Family

ID=39967590

Family Applications (1)

Application Number Title Priority Date Filing Date
PCT/DK2007/050168 WO2009062504A1 (fr) 2007-11-13 2007-11-13 Communication sécurisée entre un client et des dispositifs sur différents réseaux locaux privés utilisant les mêmes adresses de sous-réseau

Country Status (1)

Country Link
WO (1) WO2009062504A1 (fr)

Cited By (11)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN105554084A (zh) * 2015-12-10 2016-05-04 杭州古北电子科技有限公司 生成一次性资源地址并与真实资源地址映射的系统及方法
WO2016171382A3 (fr) * 2015-04-20 2016-12-15 한화테크윈 주식회사 Procédé de communication entre au moins un répéteur et au moins un terminal réseau
WO2017111404A1 (fr) * 2015-12-23 2017-06-29 주식회사 케이티 Dispositif, procédé et système de communication pour fournir un service de communication ip de sécurité
KR20170078482A (ko) * 2015-12-29 2017-07-07 주식회사 케이티 Ip 통신 서비스를 제공하기 위한 장치, 방법 및 통신 시스템
KR101821794B1 (ko) * 2015-12-23 2018-03-08 주식회사 케이티 보안 ip 통신 서비스를 제공하기 위한 장치, 방법 및 통신 시스템
US10385135B2 (en) 2015-11-03 2019-08-20 Janssen Biotech, Inc. Subcutaneous formulations of anti-CD38 antibodies and their uses
CN110727499A (zh) * 2019-09-18 2020-01-24 平安科技(深圳)有限公司 资源数据获取的方法、装置、计算机设备和存储介质
US10781261B2 (en) 2015-11-03 2020-09-22 Janssen Biotech, Inc. Subcutaneous formulations of anti-CD38 antibodies and their uses
US10800851B2 (en) 2014-02-28 2020-10-13 Janssen Biotech, Inc. Combination therapies with anti-CD38 antibodies
CN114128234A (zh) * 2020-02-06 2022-03-01 华为云计算技术有限公司 用于在多网络环境中防止冲突的虚拟地址分配
WO2024109262A1 (fr) * 2022-11-22 2024-05-30 京东科技信息技术有限公司 Procédé et appareil de traitement d'informations et support de stockage

Citations (3)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US20040148439A1 (en) * 2003-01-14 2004-07-29 Motorola, Inc. Apparatus and method for peer to peer network connectivty
US20040193677A1 (en) * 2003-03-24 2004-09-30 Shaul Dar Network service architecture
WO2006084957A1 (fr) * 2005-02-14 2006-08-17 Teliasonera Ab Canal de communication entre au moins deux reseaux prives

Patent Citations (3)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US20040148439A1 (en) * 2003-01-14 2004-07-29 Motorola, Inc. Apparatus and method for peer to peer network connectivty
US20040193677A1 (en) * 2003-03-24 2004-09-30 Shaul Dar Network service architecture
WO2006084957A1 (fr) * 2005-02-14 2006-08-17 Teliasonera Ab Canal de communication entre au moins deux reseaux prives

Cited By (15)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US10800851B2 (en) 2014-02-28 2020-10-13 Janssen Biotech, Inc. Combination therapies with anti-CD38 antibodies
WO2016171382A3 (fr) * 2015-04-20 2016-12-15 한화테크윈 주식회사 Procédé de communication entre au moins un répéteur et au moins un terminal réseau
US10385135B2 (en) 2015-11-03 2019-08-20 Janssen Biotech, Inc. Subcutaneous formulations of anti-CD38 antibodies and their uses
US10781261B2 (en) 2015-11-03 2020-09-22 Janssen Biotech, Inc. Subcutaneous formulations of anti-CD38 antibodies and their uses
CN105554084B (zh) * 2015-12-10 2018-12-07 杭州古北电子科技有限公司 生成一次性资源地址并与真实资源地址映射的方法
CN105554084A (zh) * 2015-12-10 2016-05-04 杭州古北电子科技有限公司 生成一次性资源地址并与真实资源地址映射的系统及方法
KR101821794B1 (ko) * 2015-12-23 2018-03-08 주식회사 케이티 보안 ip 통신 서비스를 제공하기 위한 장치, 방법 및 통신 시스템
WO2017111404A1 (fr) * 2015-12-23 2017-06-29 주식회사 케이티 Dispositif, procédé et système de communication pour fournir un service de communication ip de sécurité
KR101893209B1 (ko) * 2015-12-29 2018-08-29 주식회사 케이티 Ip 통신 서비스를 제공하기 위한 장치, 방법 및 통신 시스템
KR20170078482A (ko) * 2015-12-29 2017-07-07 주식회사 케이티 Ip 통신 서비스를 제공하기 위한 장치, 방법 및 통신 시스템
CN110727499A (zh) * 2019-09-18 2020-01-24 平安科技(深圳)有限公司 资源数据获取的方法、装置、计算机设备和存储介质
CN110727499B (zh) * 2019-09-18 2024-05-28 平安科技(深圳)有限公司 资源数据获取的方法、装置、计算机设备和存储介质
CN114128234A (zh) * 2020-02-06 2022-03-01 华为云计算技术有限公司 用于在多网络环境中防止冲突的虚拟地址分配
CN114128234B (zh) * 2020-02-06 2023-12-15 华为云计算技术有限公司 用于在多网络环境中防止冲突的虚拟地址分配
WO2024109262A1 (fr) * 2022-11-22 2024-05-30 京东科技信息技术有限公司 Procédé et appareil de traitement d'informations et support de stockage

Similar Documents

Publication Publication Date Title
WO2009062504A1 (fr) Communication sécurisée entre un client et des dispositifs sur différents réseaux locaux privés utilisant les mêmes adresses de sous-réseau
US9667619B1 (en) Systems and methods for utilizing client side authentication to select services available at a given port number
CA3108769C (fr) Tunnellisation de protocole de commande de transmission d'application sur internet public
EP2264956B1 (fr) Procede pour securiser l'acces a distance sur un reseau prive
EP1753180B1 (fr) Serveur pour acheminement de connexion vers dispositif client
US7181542B2 (en) Method and system for managing and configuring virtual private networks
US8340103B2 (en) System and method for creating a secure tunnel for communications over a network
US20080075096A1 (en) Remote access to secure network devices
US20020162026A1 (en) Apparatus and method for providing secure network communication
US20020078379A1 (en) Accessing a private network
FI125972B (fi) Laitejärjestely ja menetelmä kiinteistöjen etähallinnassa käytettävän tiedonsiirtoverkon luomiseksi
US20230006988A1 (en) Method for selectively executing a container, and network arrangement
Hauser et al. P4sec: Automated deployment of 802.1 X, IPsec, and MACsec network protection in P4-based SDN
US20150381387A1 (en) System and Method for Facilitating Communication between Multiple Networks
Cisco Understanding the VPN 3002 Hardware
KR20180099293A (ko) 신뢰 도메인간 통신 방법 및 이를 위한 게이트웨이
EP1413095B1 (fr) Systeme et procede de generation de services dans des reseaux virtuels prives
Vishwakarma Virtual private networks
Zheng RFC 9105: A YANG Data Model for Terminal Access Controller Access-Control System Plus (TACACS+)
Marin-Lopez et al. RFC 9061: A YANG Data Model for IPsec Flow Protection Based on Software-Defined Networking (SDN)
JP6270383B2 (ja) アクセス制御装置、アクセス制御方法、及びプログラム
WO2022219551A1 (fr) Procédés et systèmes implémentés par ordinateur pour établir et/ou commander une connectivité de réseau
JP5875507B2 (ja) 中継装置、プログラム、情報処理方法、及び情報処理装置
RENNER Low-Budget VPNs
Djin Managing Access Control in Virtual Private Networks

Legal Events

Date Code Title Description
121 Ep: the epo has been informed by wipo that ep was designated in this application

Ref document number: 07817964

Country of ref document: EP

Kind code of ref document: A1

NENP Non-entry into the national phase

Ref country code: DE

122 Ep: pct application non-entry in european phase

Ref document number: 07817964

Country of ref document: EP

Kind code of ref document: A1