This invention relates to a method and means permitting migration from in-clear working over a communications link to encrypted working and in particular, but not exclusively, to migration from in-clear working over a network to encrypted virtual private network (VPN) working.
A VPN is a network of connections between a number of sites that has the appearance of being dedicated and private to these sites but actually can be implemented over a shared network such as the Internet.
According to one aspect of the present invention there is provided a computer system comprising a first node, a second node and a communications link connecting the first node and the second node, and wherein initially the system is capable of working in a plurality of modes, including a first mode corresponding to in-clear working over the link, a second mode corresponding to encrypted working over the link, and a third mode, employed for migration from in-clear to encrypted working over the link, and wherein the third mode provides in-clear working until means required for encrypted working are provided at both the first and the second nodes, when encrypted working is commenced and from which point in time only encrypted working is possible over the link.
According to a second aspect of the present invention there is provided a computer system comprising a first node, a second node and a communications link connecting the first node and the second node, wherein the system is initially capable of operating in a plurality of modes, including a first mode corresponding to in-clear working over the link, a second mode corresponding to encrypted working over the link, and a third mode, employed for migration from in-clear working over the link to encrypted working over the link, in which one said node is set to "initiate encryption" and the other said node is set to "accept encryption", and wherein the third mode provides in-clear working until means required for encrypted working are installed at both the first and the second nodes, when encrypted working is provided over the link and from which point in time only encrypted working is possible over the link.
According to another aspect of the present invention there is provided a computer system capable of operation as a virtual private network (VPN) including at least one central server and at least one remote client connectable by a shared network, wherein the or each server and the or each client include respective security policy files with settings of "in-clear", "initiate encryption" or "accept encryption", and "encrypt" for information to be transmitted therebetween, "in-clear" corresponding to a mode of operation comprising working in-clear, "encrypt" corresponding to a mode of operation comprising encrypted VPN working over the network, and "initiate encryption" or "accept encryption" being employed for a mode of operation when migration from in-clear to encrypted VPN working is required, which migration mode provides in-clear working until authentication keys required for encrypted working are installed at both ends of a particular server/client link across the network, when encrypted VPN working is provided for said link and from which point in time only encrypted working is possible over said link.
According to yet another aspect of the present invention there is provided a method for use in migrating operation of a computer system from in-clear working to encrypted working, the computer system comprising a first node, a second node and a communications link connecting the first and second nodes, the computer system initially being capable of operating in a plurality of modes including "in-clear" mode, migration mode having settings of "initiate encryption" or "accept encryption", and "encrypt" mode, means enabling encrypted working being required to be installed at the first and second nodes before encrypted working can commence, the method including the steps of installing said means at the first node, setting the first node to "initiate encryption", setting the second node to "accept encryption", as a result of which messages transmitted between said nodes are transmitted in-clear, subsequently installing said means at the second node, as a result of which messages between the nodes are transmitted encrypted, and setting the first and second nodes to "encrypt" mode whereby only encrypted working is subsequently possible over the link.
According to a still further aspect of the present invention there is provided a method for use in migrating operation of a computer system, comprising at least one central server and at least one remote client connectable by a shared network, from in-clear working to virtual private network (VPN) working, including the step of providing the or each server and the or each client with respective security policy files having settings for "in-clear", "initiate encryption" or "accept encryption", and "encrypt" for information to be transmitted therebetween, "in-clear" corresponding to a mode of operation comprising working in-clear, "encrypt" corresponding to a mode of operation comprising encrypted VPN working over the network, and "initiate encryption" or "accept encryption" corresponding to a mode of operation which is employed when migration from in-clear to encrypted VPN working is required and which provides in-clear working until authentication keys required for encrypted working are installed, and including the steps of setting the policy file on the server of a particular link to "initiate encryption" and setting the policy file on the client of said particular link to "accept encryption" when migration is required, installing the authentication key at the server of said particular link, messages between the server and the client of the particular link thereby being transmitted in clear, subsequently installing the authentication keys at the client of said particular link whereby encrypted VPN working commences instead of in-clear working, and resetting the security policy files of the server and client of said particular link to "encrypt" whereby only encrypted working is subsequently possible over said link.