Method for creating protected virtual networks

FIELD: computer science, possible use for constructing multiple protected virtual networks.

SUBSTANCE: the source IP packet of a protected virtual network is encrypted, the network consisting of stand-alone computers, a subset of the computers of a local area network, or computers of several local networks, and an output packet is formed that includes the encrypted packet (encapsulation). On each computer that may be used in several protected virtual networks, a separate block of long-term memory is allocated for each protected virtual network created, and a separate operating system configured for that virtual network is written to it. Access to the long-term memory block and loading of the operating system of each protected virtual network is performed only after the user's rights have been checked, while access to the memory blocks of each protected virtual network from other virtual networks is blocked by access-restriction means.

EFFECT: expanded functional capabilities.

2 cl, 11 dwg

 

The invention relates to the field of computer engineering and can be used to build several networks for different purposes on the basis of the same fleet of computers. Its use achieves the technical result of creating several virtual networks that use the same computers of the same fleet, that is, several concurrently operating virtual networks.

A method of building protected virtual networks is described in detail in the book "Information Security in Corporate Networks and Systems" by Sokolov A.V. and Shangin V.F., M.: DMK Press, 2002, chapters 11 and 12.

The protection is implemented by a software module that performs the following steps:

- encryption of the original IP packet, either by a separate plug-in software module or by a hardware encryptor (in the form of a card or an external device); encryption may be performed by different algorithms using symmetric or asymmetric keys;

- creation of a new packet that includes the encrypted packet (encapsulation), in accordance with the known protocols IPsec or SKIP, or a protocol of the implementer's own design.

Such encrypting modules can be installed on a stand-alone computer, on a workstation in a local network, on a crypto-router, or on a firewall. Therefore a virtual network can be built on the basis of:

- stand-alone protected computers;

- part of the computers of one local network;

- several local area networks protected by routers or firewalls;

- a combination of the above.

An implementation of the above method is known in the ViPNet technology (see Ignatov V.V., "A universal environment for network protection of information and resources for the safe operation of corporate networks over any telecommunications", analytical and information magazine "Networks", No. 12, February 2004, p. 24-26). This technology is also based on software modules that implement the above steps. The so-called ViPNet module can be installed on each workstation or on a server (the coordinator). Installed on a workstation, the module protects one PC; installed on the coordinator, it protects the entire local network or a segment of it. The module installed on the coordinator may also perform routing functions. With this approach a protected virtual network may exist within a local network, and a virtual network may include a single computer, several computers of a local network, or several local networks. The ViPNet module encrypts the original packets and converts them (encapsulation and other operations). Encryption is performed in software by various encryption algorithms using symmetric and asymmetric keys.

The use of source and recipient identifiers in the form of labels is proposed in the article by Nikolaev E.V., "Private networks for corporate business", published in the analytical and information magazine "Networks", No. 12, February 2004, p. 12-13. It describes multiprotocol label switching (MPLS). The labels assigned to each packet improve control of traffic. Besides addresses, a label may be associated with a path, a virtual network, a service priority and other parameters.

A method of creating protected virtual networks presented in patent RU 2182355 is taken as the prototype. To restrict access to the transmitted information and to hide addresses, the traffic of a local area network that is part of a virtual enterprise network is encrypted at the third layer of the OSI model. IP packets are encrypted together with their addresses. Encryption is carried out on a device isolated from the public network. The method also defines source and recipient identifiers in the form of labels. A label is a fixed-length header identifying a set of packets that follow the same path or belong to a certain class of service. A set of packets forwarded according to certain predetermined criteria is called a forwarding equivalence class. Routers operate on the label-switching principle: they bind a label to a forwarding equivalence class and then use a standard protocol to distribute information about this binding to all routers, which use the label when forwarding packets. The protected virtual network in this case is built on protected routers. A router in this variant has at least two network interfaces (one for communication with the PCs of the internal LAN and one for communication with the router facing the Internet), an encryption device, and memory for labels.

The main features of this method are:

- the software security components are installed on the routers;

- the conversion of IP packets includes encryption of the original packet together with its addresses, encapsulation of the encrypted packet in a new IP packet, and the addition of labels to the output packets;

- packets are converted in accordance with the format of the patent's own design.

The shortcomings of the above method include the fact that all computers of the LAN end up in the virtual network, and that a single computer cannot be connected remotely to the virtual network without an additional router.

In all these methods virtual networks operate on the principle that each computer can belong to only one virtual network. Therefore, on the basis of one physical LAN, one protected virtual network can be built, or several, provided that they include different computers. With this approach a workplace cannot be used in different virtual networks. Also, in the networks considered, access to the workplace (the personal computer of the virtual network) is not restricted: unauthorized persons can gain access to information stored on the hard disk or circulating in the virtual network by intercepting keys or by modifying the software installed at the workplace.

In the methods considered, the network is accessed through an open network interface that does not encrypt information, and packet processing is performed in the PC's RAM. Therefore the above methods of creating virtual networks do not meet the requirements for working with information of high secrecy.

The network consists of computers that have one or more connections to the local network. On each computer that may be used simultaneously in several protected virtual networks, a separate block of long-term memory is allocated for each new protected virtual network, and a separate OS is written to it. Access to the long-term memory block and loading of the OS of each protected virtual network are performed after the user presents his credentials, that is, identifying and key information, and authentication is performed; access to the memory blocks of each protected virtual network from other virtual networks is blocked.

Access to the long-term memory blocks of each protected virtual network from other virtual networks is blocked by creating a separate encryption key for each block, so that information is encrypted when written to the block and decrypted when read from it.

The proposed method is novel and of practical significance and constitutes an invention that can be used to build several protected virtual networks for different purposes. Its use achieves the technical result of several concurrently operating protected virtual networks that use the same computers and carry information of different levels of confidentiality and secrecy.

Distinctive features of the proposed method are as follows.

First, when booting, the computer receives its address and network settings from the loaded OS and thereby gains access to the corresponding virtual network. When rebooted into another OS, the computer receives other settings and enters another virtual network. Thus the same computer may be used in different virtual networks, moving from one to another by rebooting.

Second, the OSes are isolated from each other, that is, each OS has its own space in long-term memory (hard disk or other devices) for its files and data. Separation of access to the different parts of the disk is provided either by hardware or by software installed in the given OS instance. Encryption of data transmitted over the network between computers is likewise provided either by hardware or by software installed in the given OS instance.

Third, each computer user is granted access rights to one or more OSes. Loading an OS necessarily involves strict user authentication. Thus, having access to a specific OS, the user gains access to one of the virtual networks. Users' access rights to the various operating systems are implemented in software or provided by hardware. This separation protects access to information in the various protected virtual networks.

For example, suppose there are several local networks comprising 30 computers. Currently protected virtual networks are built such that each computer belongs to one network. In principle, with two interfaces a computer can be in two virtual networks, but then it is difficult to separate access to the information of the two networks; that is, the classification of the information in the two networks should not differ significantly. In addition, an extra network card and other communications equipment are needed.

With the proposed method, for example, three OSes can be installed on each computer, and then the same 30 computers can be used in virtual networks as if there were 90, that is, three times the fleet for building virtual networks without additional communications equipment.

Drawings

Figure 1 shows the block structure of a personal computer (PC) with the blocks needed to perform the steps of the method, where:

1 - initial boot block;

2 - access restriction/control device or system;

3 - system board;

4 - program for encrypting logical drives in the loaded OS;

5 - hardware encryptor (e.g., a card);

6 - drivers for the network devices of the virtual network (VPN drivers) in the loaded OS;

7 - network interface built into the system board;

8 - device restricting/blocking access to partitions of one or more hard disk drives;

9 - one or more network interfaces separate from the system board;

10 - one or more cryptographic network interfaces separate from the system board;

11 - one or more hard disk drives.

Figure 2 depicts two configurations of the virtual computer (VC) for working in a virtual network with open information. They use operating system OS1 (see figure 1) and either the network adapter built into the system board (block 7) or one made as a separate device (block 9).

Figures 3 and 4 show two configurations of the VC for working in a virtual network with confidential information. Unlike the VC configuration of figure 2, in figure 3 block 1 performs software authentication, block 4 performs software restriction of memory access by encryption, and block 6 performs software packet encryption. In figure 4 authentication and the checking of credentials are performed by hardware block 2.

Figures 5 and 6 show VC configuration options for working in a network with secret information. In both cases authentication and credential checking are performed by hardware block 2, and packet encryption by hardware block 5 (see figure 5) or block 10 (see figure 6). In figure 6 encryption of the memory blocks is performed in software.

Figure 7 presents the VC configuration for working in a network with top secret information. Unlike the previous variants, blocking of access to the memory blocks is performed by hardware block 8 with encryption.

Figure 8 presents a variant of a corporate network: four local area networks (LANs, marked LVS in the figure) interconnected via a public network (the Internet). One LAN consists of unprotected personal computers (PC) and protected personal computers (CCS) and connects to the corporate network through an unprotected router (M). Another LAN consists only of protected computers. A third LAN, on the contrary, consists of unprotected PCs and connects to the public network through protected routers (MOH). There are also two stand-alone protected personal computers (OPCS).

Figure 9 shows the block structure of a computer for three virtual networks: one open and two protected.

Figure 10 shows the block structure of a computer for two virtual networks: one open and one protected.

Figure 11 shows the block structure of a computer for working with open, secret and top secret information in three virtual networks.

Let us consider the proposed mode of operation in more detail.

On each computer, for each protected virtual network, blocks of long-term memory (hard drives, hard drive partitions, CD-ROMs, flash memory, floppy disks, etc.) are allocated: block 11 (see figure 1). Operating systems are installed on these blocks, one for each virtual network. That is, the number of OSes corresponds to the number of virtual networks to which the computer has access.

When booting, the computer receives its address and network settings from the loaded OS and thereby gains access to the corresponding virtual network. When rebooted into another OS, the computer receives other settings and enters another virtual network. Thus the same computer may be used in different virtual networks, moving from one to another by rebooting.

To prevent modification of the OSes that are not loaded while one of them is running, block 8 (see figure 1) restricts (blocks) access. Restriction of access is provided:

- in software (by the access control system that is part of the loaded OS);

- in hardware, by blocking access to the memory blocks of the other OSes in accordance with the credentials presented by each user;

- by hardware (block 8) or software (block 4) transparent data encryption (information is encrypted when written and decrypted when read, using encryption keys loaded from the access restriction block 2 (see figure 1) or held directly in blocks 8 and 4).

Block 4 is used for transparent encryption of data written to logical drives (transparently encrypted logical drives held in files will be called virtual disks). It is included as a driver in the loaded OS. Block 4 either encrypts the information itself, in software, or uses the hardware encryptor block 5.

User authentication and verification of his credentials are performed by block 1 or block 2 (see figure 1). Block 1 is a program written in the computer's BIOS that requests user authentication and, on a positive result, decrypts the OS control information for that user and loads the OS. Hardware block 2 performs the following steps:

- performs strong cryptographic authentication of the user;

- grants access to information: each user has their own set of credentials, which is stored in encrypted form inside block 2 (see figure 1) and passed to block 8 or 4;

- checks the integrity of the OS being loaded; if the integrity is violated, the OS is not loaded, and this fact is recorded in the security administrator's log;

- loads encryption keys into blocks 5, 8 and 10.

Packet conversion is provided by block 6, which performs the following steps:

- encryption of the original IP packet in software (by itself or with the help of a separate plug-in software module) or by hardware block 5 (see figure 1); encryption may be performed by different algorithms using symmetric or asymmetric keys;

- creation of a new packet (encapsulation) that includes the encrypted packet, in accordance with the known protocols IPsec or SKIP, or a protocol of the implementer's own design.

Instead of blocks 5 and 6, or together with block 6, the cryptographic network interface block 10 may be used; it performs either both of the above steps or only the first (in which case block 6 performs the second).

Let us consider the different PC configurations used when working in a protected virtual network with a particular category of information, based on the block structure of the PC shown in figure 1. We call these PC configurations virtual computers (VC). In a particular case a configuration may be the only one on the computer, in which case the computer works in only one virtual or public network. Two VC configurations for an open enterprise network with Internet access are shown in figure 2. A protected virtual network with confidential information can be built on the VC configurations of figures 3 and 4. For work in a protected virtual network with secret information, the VC implementations shown in figures 5 and 6 are proposed. Finally, for work with top secret information it is proposed to build the virtual network on the VC presented in figure 7.

The proposed schemes are advisory in nature. The user is entitled to assemble his own VC configuration from the proposed components (see figure 1).

Consider the options for the network shown in the figure. There are three LANs handling confidential information:

- the LAN of the company's administration. The personal computer PCS belongs to the head of the company. He works in the open network (the Internet), in the protected virtual accounting network SLUSS (PCS, the PCS of one LAN and the whole of another LAN), and in the protected virtual developers' network SLVS (PCS, the PCS of one LAN and the CCS of another LAN);

- the developers' LAN, which operates with a protected virtual network and an open virtual network. Developers communicate with each other via the protected virtual network and access the Internet via the open network, from their own PCs;

- the accounting LAN. Internet access from this network is prohibited.

To work in three virtual networks, three operating systems are installed on the PCS computers (see figure 9). The first OS is used for Internet access and mail exchange, the second is configured for access to the developers' network, and the third for access to the accounting network. To switch from one virtual network to another it is sufficient to restart the computer.

The developers' CCS can be equipped with weaker protection, as shown in figure 10. They have two OSes.

For working with open, secret and top secret information, the configuration shown in figure 11 is recommended.

Three OSes reside on separate hard drives or on one drive with encrypted partitions. The first OS (OS1) works with its own partitions and is configured to use the open interface 9. The second and third OSes (OS2 and OS3) work through the cryptographic interface 10. The open interface 9 is blocked by device 2 and does not operate while OS2 or OS3 is running.

The examples show different possible practical implementations of the proposed method for building protected virtual networks, in which one computer can enter different virtual networks. For example, the head of the company, having one computer PCS (see the figure) on his desk, can use it to work on the Internet and to enter two protected virtual networks: the accounting network and the developers' network. The developers cannot log on to the accounting network but can access the Internet. When working on the Internet, OS1 is used, and access to the memory of OS2 is prevented (figure 10). This prevents access to the information of the developers' virtual network from the Internet. The protected developers' virtual network uses encryption keys that do not belong to the accounting network. The information of each virtual network is encrypted with that network's keys when transmitted, so its interception on the Internet or on other networks operating on the same equipment becomes meaningless.

1. A method of creating protected virtual networks, including encryption of the original IP packet of a protected virtual network consisting of stand-alone computers, or part of the computers of a local network, or computers of several local networks with firewalls and/or protected routers, using software modules for encryption and encapsulation hosted on the computers or hardware encryptors, and creation of an output packet including the encrypted packet (encapsulation) in accordance with the protocols IPsec or SKIP or a protocol of the implementer's own design, with the inclusion of source and recipient identifiers, characterized in that on each computer that can be used simultaneously in several protected virtual networks, a separate block of long-term memory is allocated for each new protected virtual network, a separate operating system configured for that virtual network is written to it, the transition from one virtual network to another is made by restarting the computer, access to the long-term memory block and booting of the operating system of each protected virtual network are performed after the user presents his credentials, that is, identifying and key information, and authentication is performed, and access to the memory blocks of each protected virtual network from other virtual networks is blocked by access-restriction means.

2. The method according to claim 1, characterized in that access to the long-term memory blocks of each protected virtual network from other virtual networks is additionally blocked by creating a separate encryption key for each block, so that information is transparently encrypted when written to the block and decrypted when read from it.



 
