1. Field of the Invention
The invention relates to systems and methods for implementing secured IP (internet protocol) networks. Especially, the invention is related to such a method as specified in the preamble of the independent method claim.
2. Description of Related Art
At least the following acronyms are used within this specification:
BOOTP - bootstrap protocol [BOOTP]
DHCP - dynamic host configuration protocol [DHCP]
FW - firewall
GPRS - general radio packet service
GSM - global service for mobile telecommunications
IETF - Internet Engineering Task Force
IP - Internet Protocol [IP]
IPSec - IP security protocol [IPSEC]
LAN - local area network
NAT - network address translation
PKI - public key infrastructure
RARP - reverse address resolution protocol [RARP]
SIM - subscriber identity module
TCP - transmission control protocol [TCP]
TFTP - trivial file transfer protocol [TFTP]
URL - uniform resource locator
VPN - virtual private network
VRRP - Virtual Router Redundancy Protocol [VRRP]
WLAN - wireless local area network
A firewall is a device, or more accurately a set of programs, protecting the resources of a private network or of a computing device from outside users. Firewalls are typically located between a private network of an organization and a public network. A firewall filters the traffic between the networks, allowing certain kinds of traffic to pass and rejecting other types of traffic. A set of rules known as firewall rules determines which types of traffic are allowed in which direction, and which types of traffic are rejected. For maximum security, a firewall is typically installed in a dedicated computer whose only duty is to act as the firewall. So-called personal firewalls are also known; these are typically programs or sets of programs installed on a user's workstation for protecting the data and programs in that particular workstation against snooping or sabotage. Various examples of firewalls are given, for example, in the patent U.S. Pat. No. 5,826,014.
A virtual private network (VPN) is a network which is formed on top of another, typically untrusted, public network by using secured connections between VPN nodes. Virtual private networks are gaining popularity, since a VPN allows the LANs of remote offices of an organization to be connected without requiring a dedicated cable connection between the offices. The LAN of each site is connected to a public network such as the Internet via a VPN node, and the VPN nodes manage the transmission of traffic between the LANs, taking care of encryption and authentication. Typically, a VPN node connecting a LAN to a public network also comprises firewall functionality. Various examples of VPNs are given, for example, in the document RFC 2764 [Gleeson]. Connections between the VPN nodes are typically encrypted and authenticated according to the IP security protocol.
The IP security protocol [IPSEC] is being standardized by the IETF (Internet Engineering Task Force) for adding security to the well-known and widely used IP protocol. It provides cryptographic authentication and confidentiality of traffic between two communicating network nodes. It can be used either in end-to-end mode, i.e. directly between the communicating nodes or hosts, or in tunnel mode between firewalls or VPN devices. Asymmetric connections, where one end is a host and the other end is a firewall or VPN device, are also possible.
Conventionally, the construction of a virtual private network (VPN) is a large project for an organization, requiring a large effort in planning and implementing the VPN. Construction of a VPN according to solutions presented in the prior art requires sophisticated professional skill, whereby most organizations need to employ expensive consultants for the project. In a typical case, VPN and firewall functionality is added to existing LANs, for example for connecting the local networks of two offices of the organization via the Internet. Typical phases of such a project are the following:
    - collecting information on the present structure of the affected LANs,
    - specifying the needed functionality of the VPN and firewall,
    - planning the structure of the VPN and defining the firewall traffic control rules,
    - obtaining the necessary equipment and software,
    - installing and configuring the software,
    - setting up the equipment in a test environment,
    - testing the setup and correcting possible errors,
    - moving the equipment to the production locations,
    - connecting the equipment to the LANs and the Internet,
    - performing the final test,
    - taking the VPN into full use.
As can be seen, such a project is complicated and requires a relatively long time to implement. However, if the organization has several remote offices connecting to a central office, the setup needed at each remote office can be replicated relatively easily after the VPN equipment at the first remote office has been configured and tested, unless the LAN configurations and/or the needed functionalities vary a great deal.
Maintenance of the VPN/firewall system is also a significant source of costs. The configuration of the system must be updated if a new LAN is to be connected to an existing VPN, or for example if the selection of protocols passed through the firewall to the Internet and back is to be changed. Typically, such configuration changes require an on-site visit by a maintenance engineer. In order to maintain the security of the systems, the software in the VPN/firewall devices needs to be periodically updated to cover any faults and holes which could be abused by malicious or spying third parties. A software update typically requires a visit by a maintenance engineer to update the software on site.
Maintenance is typically a large expense in the long run, and when combined with the expenses related to setting up the systems in the beginning, these work-related costs typically far exceed the costs of the needed equipment. More easily deployable and manageable systems are clearly needed.
The explosive growth of the Internet has strongly increased the importance of making networking equipment easier to install and manage. This is particularly true when implementing security services, such as virtual private networks, on the networks. VPNs involve routing, data encryption, public key infrastructure (PKI), network address translation, firewalls, and many other complicated data communications and security technologies. It has become extremely difficult to find enough technical experts skilled in all these areas to configure and build such networks.
Traditionally, single networking devices have been configured using a command-line configuration method from a console port (for example, Cisco routers). Often, the command-line method is used only to enable a networking port, and the rest of the configuration is then performed by connecting to the networking device from a remotely located management center.
Some known devices permit configuration using a web browser. In this case, the user connects to the device through the network using the Transmission Control Protocol/Internet Protocol (TCP/IP). Prior art includes devices that are factory-configured to use a pre-defined IP address, as well as devices that will respond to any IP address in the factory configuration. Some wireless LAN access devices will respond to any web-based request even if the user has not already been authenticated.
There are also devices which are managed through a local area network using protocols that operate within a single Ethernet network. For example, HP Color LaserJet printers can be configured using HP's management software from any Windows-based workstation connected to the local network.
Trivial File Transfer Protocol (TFTP), together with Reverse Address Resolution Protocol (RARP), BOOTP, and/or Dynamic Host Configuration Protocol (DHCP), is also used to configure devices. In these systems, the device first obtains an IP address from the network, and then obtains its own configuration information using e.g. DHCP or TFTP. Examples of such devices include diskless Sun workstations of the 1980s, diskless PC workstations, and Windows workstations that obtain their IP address and other configuration information from DHCP. Cisco routers can also fetch their configuration file using TFTP from a configured server.
There is some prior art on configuring devices using smartcards. For example, the GSM SIM card contains the subscriber's identity number and a cryptographic key for authentication. The SIM card also contains computational logic for executing an authentication and key generation algorithm on the SIM card itself, avoiding the need to transfer the secret key out of the card. The SIM card is used to authenticate the phone to the GSM network to allow communication. In GPRS, the GSM Packet Radio System, each phone can have an IP address. The GSM terminal (cellular phone) uses the SIM card to authenticate itself to the network, and obtains an IP address from the network.
Mobile IP defines a framework for an IP-based registration mechanism, whereby a mobile node can obtain information about foreign agents, can register with a foreign agent, and can obtain limited configuration information, such as a care-of address, from the foreign agent. There is also an authentication mechanism for Mobile IP, proposed by Nokia, that is based on using GSM SIM cards for authentication.
Security-aware devices for the Internet usually implement IPSEC and PKI functionality. These devices need to be configured with sensitive key material. The addition of security greatly complicates the installation of the network. Security-aware devices usually also need reasonably accurate time information in order to verify the timeliness of security credentials, such as certificates or digital signatures, presented by other network nodes. Furthermore, the whole installation process must be secured, so that an attacker cannot compromise the network at any point. For example, power outages are relatively easy to cause maliciously, and a method that can be compromised by causing a short power outage is not acceptable.
VPN devices are usually configured like routers. Typically, a serial port (console port) is used to perform the initial configuration. Some devices can be configured through a web interface.
Usually, after initial configuration, networking devices are connected to a management system. The management system can then modify the configuration of the devices, and may in some cases even be able to upgrade the software of the networking device.
The prior art methods suffer from several problems:
    - they typically do not work if the networking device is separated from the management system by a NAT (Network Address Translation) device or by a firewall,
    - they usually require that the initial configuration is performed manually, and
    - the communication between the network device and the management system is typically not properly secured.