Method of protecting a corporate virtual private computer network from unauthorized exchange of information with a public transport network, and system for implementing it


(57) Abstract:

The invention relates to the field of computer engineering and can be used when building secure corporate virtual private networks that use a public access network, in particular the Internet, as the transport infrastructure. The technical result is protection that prevents penetration from the public access network into a local area network of the corporate virtual private network, and prevents retrieval of information by users of the public access network. The method determines the identifiers of the source and the destination of a message. The data packet is encoded and an output packet is generated. The output packet is converted to the TCP/IP format and transmitted to the Internet, where the correspondence between the Internet addresses and identifiers it contains and the addresses and identifiers pre-recorded in a memory block is checked. If they coincide, the decoded data packet is transmitted to the destination of the message. 2 independent claims, 2 figures, 3 tables.

The invention relates to the field of computer engineering and can be used when building secure corporate virtual private networks that use a public access network, in particular the Internet, as the transport infrastructure. A known method prevents unauthorized exchanges between a first computer network and a second computer network, namely: a communication message in the first network protocol format is received at the first network board from the first computer network; transmission of routing service information from the first computer network is prevented; the communication message is converted to the second network protocol format, as a result of which information about the source and destination addresses is removed from the communication message; the communication message is transmitted to the second network board; the inverse conversion of the communication message to the first network protocol format is performed at the second network board; the communication message is transmitted after the inverse conversion to the second computer network. As a result, a user connected to the said first or second computer network is denied the routing service information and the address information, which prevents unauthorized exchanges between computers connected to the first and second computer networks (see RU 2152691, G 06 F 12/14, 10.07.2000).

A known security system for preventing unauthorized exchanges between a first and a second computer network has a first and a second network board. Each of the said network boards has a network interface adapter for exchange with the first and second networks, respectively; each network board has an additional transfer adapter for exchange with the transfer adapter of the other network board, these transfer adapters being paired and identical; each network board has network software that prevents transmission of routing service information between the network interface adapter and the transfer adapter of that network board; each network board further comprises protocol translation software that blocks the passage of upper-layer protocol information and of source and destination address information between the said network interface adapter and the transfer adapter of the network board; moreover, at least one of the network boards has intermediate application program interface software providing services at the application task level to the computers connected to the said at least one network board.

The disadvantages of the known method and of the system implementing it include the inability to prevent reconstruction of the virtual private network traffic at some point of the public network, as well as penetration into the corporate network at the point of connection to the public network and/or disruption of its normal functioning. In addition, with this method it is impossible to organize a dynamic exchange of routing messages between the remote local area networks of the virtual private network protected by the specified method.

The technical result is protection that prevents penetration from the public access network into a local area network of the corporate virtual private network, and prevents retrieval of information by users of the public access network. In addition, the technical result provides the ability to dynamically exchange routing messages between the local area networks of the corporate virtual private network, which improves the scalability and manageability of all local area networks of the virtual private network as a whole.

The technical result is achieved in that a local area network that is part of the virtual private network is connected to the public network with isolation at the second layer of the OSI model, so that the corporate virtual private network is separated from the routing and message exchange between devices connected to the public network at the third layer of the OSI model.

The technical result is also achieved in that the traffic of a local area network that is part of the virtual private network, isolated at the third layer of the OSI model from the devices of the public network, is encrypted, which limits (assuming a secure system of delivery of encryption keys) the possibility of reconstructing the transmitted data from intercepted virtual private network traffic passing over the public network.

The basic principle of the technical implementation of the described method is based on the idea of label switching.

A label is a fixed-length header that identifies a set of packets to be forwarded in a certain way (for example, along one and the same path, or in accordance with a certain class of service). The label is local to the router. Although the label often identifies a routing prefix or an IP address of the third layer of the OSI model (for example, an IP address prefix), it in no way encodes this information. Routers that forward packets using this switching principle establish the binding of a label to a routing equivalence class, then use a special standard protocol (LDP, RFC 3036) to disseminate information about the binding to all routers that will use this label when sending packets. These routers (called "child" routers for this class) use the label as an index into the switching hash table for incoming traffic. They then determine the outgoing interface for the packet, allocate a label that becomes the outgoing label for this class, and distribute information about the binding among their "downstream" routers using LDP. From then on, traffic is switched automatically by the values of the incoming and outgoing labels: the incoming label is replaced by the outgoing one. More than one label can be associated with a packet. A router handles several labels as a stack; in other words, the router makes the switching decision for a packet based on the information contained in the label at the top of the stack. Thus a labeled packet is associated with a label stack of depth n.

As noted, the technical result is achieved by separating the functions of routing the traffic of the corporate virtual private network and routing the traffic of the public network.

Let Ma1, ..., Man be the devices that route the traffic of local area networks 1..n of the corporate virtual private network. Let Mb1, ..., Mbn be the devices that perform routing through the public transport network. Ma1 interacts only with Mb1, ..., Man interacts only with Mbn, and this interaction takes place at the second layer of the OSI model.

Router Mak, 1<=k<=n, performs the following functions:

- announces the address prefixes of the remote local area networks of the corporate virtual private network, or a default route, to its local area network of the virtual private network;

- assigns labels to the route prefixes of its local area network and distributes them among the routers Ma1, ..., Mak-1 and Mak+1, ..., Man of the remote local area networks of the virtual private network, together with the statically configured public-network address of Mbk (as the public-network destination for the given set of labels); maintains the corresponding table of labels of the remote local area networks and of the public-network addresses Mb1, ..., Mbk-1, Mbk+1, ..., Mbn; performs other label operations (release, reassignment) in accordance with the LDP specification; and maintains information about the reachability of the remote local area networks of the virtual private network;

- performs dynamic or static routing of the addresses of the virtual private network;

- encrypts an IP packet received from its local area network, a member of the virtual private network, that is addressed to a remote local area network belonging to the same virtual private network, and associates with it the outgoing first-level label identifying the routing equivalence class of the remote local area network, together with the public-network address identifying the destination router Mbi, 1<=i<=n, of the public network, which is the gateway for the remote local area network;

- transmits the encrypted traffic with the associated labels to router Mbk using a simple protocol of the second layer of the OSI model (described below);

- receives from router Mbk a packet of the second-layer protocol with an associated label of the virtual private network, determines from the local label table the destination within the local area network, decodes the packet and sends it to the recipient within the local area network.

Router Mbk, 1<=k<=n, performs the following functions:

- supports routing (static or dynamic) in the public network and announces its own address Mbk in the public network (Internet);

- receives from Mak the encrypted packet traffic of a local area network that is part of the virtual private network, addressed to a remote local area network of the virtual private network, generates an IP header with its own address as source and the address of Mbi, 1<=i<=n, as recipient, and sends the packet to the next gateway according to the routing table of the public network;

- receives from routers Mb1, ..., Mbk-1, Mbk+1, ..., Mbn IP packets containing encapsulated encrypted information for its local area network, removes the public-network addresses and transmits the packet to router Mak using the simple second-layer protocol.

Dissemination of information about the binding of labels to routing equivalence classes between routers Ma1, Ma2, ..., Man is performed using the label distribution protocol (LDP, in the public network). For LDP, a fixed label value from the service range (0-15) is allocated.

The communication protocol between routers Ma and Mb defines a point-to-point connection at the second layer of the ISO open systems interconnection model and is used to transfer frames containing useful information.

At the physical layer of the open systems interconnection model, this protocol requires a full-duplex, bit-oriented synchronous channel between the source and the receiver. There are no restrictions on bandwidth.

The frame format (data structure) is shown in Table 1, where:

Flag: this field is one octet and marks the beginning and the end of the frame. It always contains the binary value 01111110 (0x7E).

Protocol: this field is two octets and contains the identifier of the protocol encapsulated in the Information field. Protocol identifiers are defined by the most current version of the RFC "Assigned Numbers". Some values are given below. The value of the protocol identifier is transmitted in "most significant bit first" order.

Table 2 shows some values of the identifier. Information: this field contains a variable number of octets. The maximum length is 1500 octets; however, for implementation purposes any maximum value may be set.

FCS: this field is two octets and contains the checksum of the frame, which is calculated over the Protocol and Information fields, excluding the Flag field and the FCS field itself.

A simple keepalive message mechanism is used to determine the connection status. For such messages the Protocol field carries the value of Reverse ARP, since on a point-to-point connection there is no need for the reverse address resolution mechanisms of the third layer of the ISO open systems interconnection model. Both systems at the ends of the connection send keepalive messages to each other at a configurable interval. The recommended interval is 10 seconds. Both systems must use the same interval value.

A keepalive message has the following format (see Table 3), where:

Type: this field specifies the message type and occupies two octets. The default value of this field is 0.

My sequence: this field is four octets and contains the system's own synchronization sequence value sent to the other system. The starting value of the sequence is 0.

Your sequence: this field is four octets and contains the last synchronization sequence value received from the adjacent system. Each system must remember the last synchronization sequence value received from the adjacent system. Before sending a message to the adjacent system, it compares the synchronization sequence value that is to be sent in this message with the last value received from the adjacent system. If the absolute value of the difference between the two values is greater than three, the connection is considered broken, and transfer of information from the higher layers of the open systems interconnection model must be stopped until these values are brought into agreement. This architecture does not specify a procedure for handling this situation; however, implementers are encouraged to take some steps to test the physical layer of the connection and then reset the synchronization sequences to their initial values in order to resume communication.

Reserved: this field is two octets.
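The following is an added example, not code from the patent: a Python model of the Ma-Mb link described above, with the frame layout (Flag, Protocol, Information, FCS), the 12-octet keepalive message, and the "difference greater than three" rule that declares the link broken. The FCS algorithm, the big-endian layout of the keepalive fields and the Reverse ARP identifier value 0x8035 (from RFC "Assigned Numbers") are assumptions, since the page does not state them.

```python
import struct

FLAG = 0x7E               # binary 01111110: opens and closes every frame
PROTO_KEEPALIVE = 0x8035  # Reverse ARP identifier (assumed; the page's value is garbled)
MAX_INFO = 1500           # maximum length of the Information field named on the page
MAX_SEQ_DRIFT = 3         # |sequence to send - last received| > 3 => link broken

def fcs16(data: bytes) -> int:
    """FCS over Protocol + Information. The page only says 'checksum'; the
    HDLC/PPP CRC-16 (reflected poly 0x8408, init and xor-out 0xFFFF) is assumed."""
    crc = 0xFFFF
    for byte in data:
        crc ^= byte
        for _ in range(8):
            crc = (crc >> 1) ^ 0x8408 if crc & 1 else crc >> 1
    return crc ^ 0xFFFF

def build_frame(protocol: int, information: bytes) -> bytes:
    """Flag | Protocol (2 octets, MSB first) | Information | FCS (2 octets) | Flag.
    The page defines no byte stuffing, so frames are handed over whole here."""
    if len(information) > MAX_INFO:
        raise ValueError("Information field exceeds 1500 octets")
    body = struct.pack(">H", protocol) + information
    return bytes([FLAG]) + body + struct.pack(">H", fcs16(body)) + bytes([FLAG])

def parse_frame(frame: bytes):
    """Return (protocol, information), or None if the frame is malformed or the FCS fails."""
    if len(frame) < 6 or frame[0] != FLAG or frame[-1] != FLAG:
        return None
    body, fcs = frame[1:-3], struct.unpack(">H", frame[-3:-1])[0]
    if fcs16(body) != fcs:
        return None                     # corrupted on the link: drop, never pass upward
    return struct.unpack(">H", body[:2])[0], body[2:]

KEEPALIVE_FMT = ">HIIH"   # Type, My sequence, Your sequence, Reserved: 12 octets (big-endian assumed)

def build_keepalive(my_seq: int, your_seq: int) -> bytes:
    return struct.pack(KEEPALIVE_FMT, 0, my_seq & 0xFFFFFFFF, your_seq & 0xFFFFFFFF, 0)

def parse_keepalive(information: bytes) -> dict:
    msg_type, my_seq, your_seq, _reserved = struct.unpack(KEEPALIVE_FMT, information)
    return {"type": msg_type, "my_seq": my_seq, "your_seq": your_seq}

class KeepaliveEndpoint:
    """One end of the point-to-point link between an Ma router and an Mb router."""
    def __init__(self):
        self.my_seq = 0          # starting value of the synchronization sequence is 0
        self.last_peer_seq = 0   # last 'My sequence' received from the adjacent system
        self.link_up = True

    def receive(self, frame: bytes) -> bool:
        parsed = parse_frame(frame)
        if parsed is None or parsed[0] != PROTO_KEEPALIVE:
            return False
        self.last_peer_seq = parse_keepalive(parsed[1])["my_seq"]
        return True

    def send(self):
        """Return the next keepalive frame, or None once the link is judged broken."""
        if abs(self.my_seq - self.last_peer_seq) > MAX_SEQ_DRIFT:
            self.link_up = False  # higher-layer transfer must stop until sequences are reset
            return None
        frame = build_frame(PROTO_KEEPALIVE, build_keepalive(self.my_seq, self.last_peer_seq))
        self.my_seq += 1
        return frame

    def reset(self):
        """Resume after the physical layer has been re-tested: both sides restart at 0."""
        self.my_seq = self.last_peer_seq = 0
        self.link_up = True

def exchange(a: KeepaliveEndpoint, b: KeepaliveEndpoint, rounds: int) -> bool:
    """Both systems send at the same interval; True if neither side declared the link broken."""
    for _ in range(rounds):
        fa, fb = a.send(), b.send()
        if fa is None or fb is None:
            return False
        b.receive(fa)
        a.receive(fb)
    return True
```

With a responsive peer the two counters never drift by more than one; once the peer falls silent, the sender gets three more messages out and the fourth attempt declares the link broken.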

Fig. 1 shows the system for protecting a corporate virtual private computer network from unauthorized exchange of information with the public transport network, which implements the proposed method. Fig. 2 is a diagram of packet transmission and reception.

The corporate virtual private computer network consists of several (N) local area networks. For simplicity, Fig. 1 shows the protection system of a corporate virtual private computer network that includes two local area networks.

The system for protecting a corporate virtual private computer network from unauthorized exchange of information with the public transport network includes: the first processor 1, associated with the local area network 2 of the protected corporate computer network; the router 3, connected via the interface 4 to the router 5, which is connected to the Internet 6; the router 3 is connected to the memory block 7 and to the encoding and decoding means 8, and the router 5 is connected to the memory block 9; the first processor 1 is connected respectively to the router 3, the memory block 7 and the encoding and decoding means 8; the second processor 10; the local area network 12 of the protected corporate computer network; the router 13, connected via the interface 14 to the router 15, which is connected to the Internet 6; the router 13 is connected to the memory block 16 and to the encoding and decoding means 17, and the router 15 is connected to the memory block 18; the third processor 11, connected respectively to the router 13, the memory block 16 and the encoding and decoding means 17; and the fourth processor 19, associated with the Internet 6 and connected to the router 15 and the memory block 18.

Router 3 and router 13 communicate with all or some of the devices (user terminals) of the local area network that is a member of the virtual private network, at the third layer of the ISO open systems interconnection model using TCP/IP. For the local area network such a router is the means of interaction with the remote local area networks of the virtual private computer network; it does not interact with the public network. Memory blocks 7 and 16 store information about the local area networks of the virtual private computer network, in particular the identifiers (labels) of the message source and message destination and the source and recipient addresses of the message. An identifier (label) is a fixed-length header that identifies a set of packets forwarded by the router in a certain way (for example, along the same path or in accordance with a certain class of service). The identifier is local to the router. The identifier identifies a routing prefix or an IP address, but in no way encodes this information and is not in functional correspondence with it. Memory blocks 9 and 18 store the table of correspondence between identifiers and Internet addresses. They also store information about which routers communicating with the public network deliver packets to a router communicating with a local area network of the corporate virtual private network. In the general case, each local area network of the virtual private computer network can be served by one or more routers communicating with the local area network of the corporate computer network and by one or more routers communicating with the Internet.

The protection system of the corporate virtual private computer network, implementing the proposed method, works as follows.

A packet formed, for example, in one of the user terminals of the local area network 2, which in this case is the source of the message, is passed to the first processor 1, which extracts from this packet the addresses of the message source and message recipient and compares them with those pre-recorded in the memory block 7. Based on the comparison, the first processor 1 selects from the table data the identifiers of the message source and message recipient pre-recorded in block 7; on command of the first processor 1 the data packet is passed through router 3 to the means 8, which performs the encoding, after which the first processor 1 generates the output packet (frame) by appending the source identifier and recipient identifier to the encoded data packet. On command of the first processor 1 the generated output packet is passed via router 3 through the interface 4 to the router 5, which communicates with the public data network at the third layer of the ISO open systems interconnection model and with other similar routers using TCP/IP, but does not interact with the local area network of the corporate virtual private network or with the remote local area networks.

Upon receipt of the output packet at the router 5, the second processor 10 extracts the identifiers of the message source and message recipient and compares them with those pre-recorded in the memory block 9. Based on the comparison, the second processor 10 selects from the table data the source and recipient addresses in the public network pre-recorded in memory block 9 that correspond to these identifiers, adds them to the received output packet, and then converts the output packet to the format required for transmission over the Internet, i.e. encapsulates the encoded data packet with its associated identifiers in an Internet packet. On command of the processor 10 the converted output packet enters the Internet 6 via the router 5. The packet received from the Internet 6 arrives at the fourth processor 19, which extracts the output packet (frame) containing the encoded data of the original packet, the source and recipient addresses of the message in the Internet 6, and the identifiers, and compares them with those pre-recorded in the memory block 18. If the compared information coincides, i.e. in the absence of spoofing on the route over the public network (the Internet), the output packet extracted by the fourth processor 19 is passed via the router 15 through the interface 14 to the router 13. Upon receipt of this packet at the router 13, the third processor 11 extracts the encoded data packet from it and transmits it via the router 13 to the means 17, where it is decoded. After decoding, the third processor 11 extracts from the original packet the source address and recipient address of the message and compares them with those pre-recorded in the memory block 16. Based on the comparison, the third processor 11 determines from the table data whether they correspond to the identifiers of the message source and recipient pre-recorded in block 16, and if there is a match (i.e. on successful identification), on command of the processor 11 the decoded data of the original packet are passed via the router 13 to the local area network 12, which in this case is the recipient of the message.
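The following is an added example (not the patent's own code) modelling the four-processor path just described with constructed sample tables: block 7/16 map local addresses to identifiers, block 9/18 map identifiers to Internet addresses, and each processor drops the packet when its lookup does not agree with what the packet carries. The addresses, identifiers and key are invented for the example, and the XOR "encoding" stands in for the unspecified means 8/17; it is not a cipher.

```python
import struct

# Constructed sample tables for the Fig. 1 system (values invented for this example).
BLOCK_7 = {"10.1.0.5": 101, "10.2.0.9": 202}    # at router 3: LAN address -> identifier
BLOCK_16 = {"10.1.0.5": 101, "10.2.0.9": 202}   # at router 13: LAN address -> identifier
BLOCK_9 = {101: "203.0.113.10", 202: "198.51.100.20"}   # at router 5: identifier -> Internet address
BLOCK_18 = {101: "203.0.113.10", 202: "198.51.100.20"}  # at router 15: identifier -> Internet address

KEY = b"constructed-demo-key"   # stands in for a key delivered by the (unspecified) key system

def code(data: bytes) -> bytes:
    """Placeholder for means 8 / 17: a reversible XOR keystream. It is NOT a cipher;
    a deployment would use an authenticated cipher with properly delivered keys."""
    return bytes(b ^ KEY[i % len(KEY)] for i, b in enumerate(data))

def pack_data(src: str, dst: str, payload: bytes) -> bytes:
    """Minimal stand-in for the original IP packet: addresses followed by payload."""
    return f"{src}|{dst}|".encode() + payload

def unpack_data(data: bytes):
    src, dst, payload = data.split(b"|", 2)
    return src.decode(), dst.decode(), payload

def processor_1(src: str, dst: str, payload: bytes):
    """Router 3 side: addresses -> identifiers via block 7, encode, prepend identifiers."""
    if src not in BLOCK_7 or dst not in BLOCK_7:
        return None                                   # not part of the VPN: never leaves LAN 2
    ids = struct.pack(">HH", BLOCK_7[src], BLOCK_7[dst])
    return ids + code(pack_data(src, dst, payload))   # the output packet (frame)

def processor_10(frame: bytes):
    """Router 5 side: identifiers -> Internet addresses via block 9, then encapsulate."""
    src_id, dst_id = struct.unpack(">HH", frame[:4])
    if src_id not in BLOCK_9 or dst_id not in BLOCK_9:
        return None
    return {"ip_src": BLOCK_9[src_id], "ip_dst": BLOCK_9[dst_id], "data": frame}

def processor_19(ip_packet: dict):
    """Router 15 side: the Internet addresses must match the identifiers per block 18;
    any mismatch is treated as spoofing on the route over the public network."""
    frame = ip_packet["data"]
    src_id, dst_id = struct.unpack(">HH", frame[:4])
    expected = (BLOCK_18.get(src_id), BLOCK_18.get(dst_id))
    if expected != (ip_packet["ip_src"], ip_packet["ip_dst"]):
        return None
    return frame

def processor_11(frame: bytes):
    """Router 13 side: decode, then the decoded addresses must map (block 16) to the
    identifiers carried on the frame before anything is delivered to LAN 12."""
    src_id, dst_id = struct.unpack(">HH", frame[:4])
    src, dst, payload = unpack_data(code(frame[4:]))
    if (BLOCK_16.get(src), BLOCK_16.get(dst)) != (src_id, dst_id):
        return None
    return {"src": src, "dst": dst, "payload": payload}

def transit(src: str, dst: str, payload: bytes, tamper=None):
    """Run the full LAN 2 -> Internet -> LAN 12 path. `tamper`, if given, modifies the
    Internet packet in flight (used only to exercise the checks)."""
    frame = processor_1(src, dst, payload)
    if frame is None:
        return "dropped: processor 1"
    ip_packet = processor_10(frame)
    if ip_packet is None:
        return "dropped: processor 10"
    if tamper is not None:
        ip_packet = tamper(ip_packet)
    frame = processor_19(ip_packet)
    if frame is None:
        return "dropped: processor 19 (spoofed route)"
    delivered = processor_11(frame)
    return delivered if delivered is not None else "dropped: processor 11 (identity mismatch)"
```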

Using the above method and means, the corporate virtual private network is protected from users of the public network. The most vulnerable point, as in other systems, is the routers that interact directly with the public network. The greatest damage that can be inflicted is putting such a router out of service. However, the loss of a router is easily compensated for by the presence of bypass routes, i.e. by redundancy.

1. A method of protecting a corporate virtual private computer network from unauthorized exchange of information with a public transport network, consisting in forming a packet in a local area network that is the source of messages in the corporate virtual private computer network and forming a packet for the Internet, wherein, from the source address and recipient address of the message contained in the packet and from a lookup table of address-to-identifier correspondences of the message source and message recipient pre-recorded in a first memory block, the identifier of the message source and the identifier of the message recipient are determined; the packet data are encoded and an output packet is then formed by appending the said identifiers of the message source and message recipient to the encoded data packet; from the content of the output packet and a lookup table of correspondences of these identifiers to Internet addresses pre-recorded in a second memory block, the output packet is converted to the TCP/IP format and transmitted to the Internet; on receipt of this packet, the correspondence of the Internet addresses of the message source and message recipient and the identifiers of the message source and message recipient contained in it with the Internet addresses of the message source and message recipient and the identifiers of the message source and message recipient pre-recorded in a third memory block is determined; if they match, the encoded data packet is separated from the output packet and decoded; after that, the source address and recipient address of the message contained in the decoded data packet are checked for correspondence with the lookup table of address-to-identifier correspondences of the message source and message recipient pre-recorded in a fourth memory block, and if they coincide, the decoded data packet is transmitted to the local area network that is the recipient of the message in the corporate virtual private network.

2. A system for protecting a corporate virtual private computer network from unauthorized exchange of information with a public transport network, characterized in that it comprises a first router, which is connected respectively to a local area network of the corporate virtual private computer network, to a means of encoding and decoding and to a first memory block designed for recording and storing the lookup table of correspondences of the source address and recipient address of the message to identifiers of the local area network, and a second router connected to the Internet and to a second memory block storing the table of correspondences of the identifiers of the message source and recipient to the source and destination addresses on the Internet, wherein the first router, the means of encoding and decoding and the first memory block are connected to a first processor of the corporate virtual private computer network, which is configured to determine the identifiers of the message source and message recipient from the pre-recorded lookup table of address-to-identifier correspondences and to control the encoding and decoding of the data packet and of the output packet, and the second router and the second memory block are connected to a second processor of the corporate virtual private computer network, which is configured to convert the output packet to the TCP/IP format on the basis of pre-stored data
