In general terms, Virtual Private Networks (VPNs) are secure communication channels that provide data protection using encryption and authentication techniques. VPNs can be implemented, for example, according to an IPSec protocol described in Internet Engineering Task Force Request for Comment 2401 entitled “Security Architecture for the Internet Protocol,” November 1998 (hereinafter referred to as RFC 2401), which is incorporated herein by reference. VPNs have become an important element in enterprise networking for securely interconnecting multiple corporate sites, remote offices, and remote workers. VPN technology helps ensure that only authorized users can access corporate network resources, and that data traffic flowing between two sites cannot be intercepted, decoded, or spoofed.
Current VPN technology allows secure voice communications over the Internet via one of several methods, including security gateways, personal computers with IPSec stacks, or personal computers with dedicated secure phone software.
FIG. 1 is a schematic block diagram of a network including conventional IP telephones 10, 12 and PCs 11, 13 transmitting and receiving voice-over-IP (VoIP) packets via security gateways 14, 16. According to this architecture, the security gateways 14, 16 provide secure voice communication over an untrusted wide area network 18 by encoding and decoding VoIP packets. The security gateways also provide other network services such as firewall control and network address translation (NAT). The use of security gateways for IPSec is sometimes referred to as a bump-in-the-wire (BITW), or network-to-network VPN, architecture.
A deficiency of the BITW architecture is that a separate security gateway device, having its own hardware and software, needs to be purchased in addition to the IP telephone if secure communication is desired. Security gateway devices may be expensive. In addition, having a separate security gateway device implies an increase in power consumption and setup complexity.
FIG. 2 is a schematic block diagram of a network providing secure voice communication via a PC 20 without a security gateway device. Instead, the PC 20 includes an IP telephony software application 22 and an IPSec stack 24. The IP telephony software application provides the basic VoIP communication over the Internet. The encoding and decoding of VoIP packets is done via the IPSec stack 24 resident within the PC. Thus, no costs need to be incurred in purchasing and maintaining a separate security gateway.
The use of the IPSec stack may be referred to as a bump-in-the-stack (BITS), or VPN client, implementation. Such an implementation, however, generally provides security only for the PC within which the IPSec stack resides. The IPSec stack may not be shared to provide secure voice communication to other IP telephony devices and/or appliances with which it may be associated.
FIG. 3 is a schematic block diagram of an alternative network configured to provide secure voice communication via a PC 30. The secure voice communication is provided via dedicated secure phone software 32 (or hardware) installed in the PC 30. The software encrypts VoIP packets using encryption techniques, such as techniques based on Pretty Good Privacy (PGP). Such an architecture may be referred to as a bump-in-the-code (BITC) implementation.
A PC with dedicated secure phone software is susceptible to the same deficiencies as a PC with an IPSec stack. That is, security services cannot be provided to devices or applications outside the PC within which this software resides. In addition, although the secure phone software may provide security for voice transmissions, it does not provide security for data transmission as security gateways or IPSec stacks do. Instead, PCs with secure phone software transmit data in an unsecured manner using a standard IP stack 34 resident in the PC. Furthermore, the dedicated secure phone software is generally not IPSec compliant and therefore generally not interoperable with other VPN devices.
Accordingly, there is a need for a simplified, cost-efficient, all-in-one secure IP telephony device for a remote office worker or application that provides both secure voice communication and secure data transmission, both for itself and for additional IP devices and applications associated with it.