1. Field of the Invention
This invention relates to the security of local networks; for example, in business establishments. Unauthorized access often results in theft of critical data, such as credit card information, personal identification information, business proprietary information and the like. There are many approaches to securing small- to middle-size business networks. However, these approaches often require on-site visits by computer technicians, result in network downtime for periods of time that are detrimental to the business, and are difficult to complete if any step of the installation fails. The present invention is a method and system for remotely securing a network from unauthorized access, and simultaneously creating a virtual private network (VPN) structure, with minimal human intervention at the business establishment allowing for a highly secure, highly scalable solution.
2. Description of Related Art
Known methods of securing a small- to medium-size business via a VPN require that each device at every site on the VPN have a unique Internet Protocol (IP) subnet address. Since sites may have been installed at different times and by different technical staff, most will have been numbered in an arbitrary manner. Re-organizing each site entails renumbering the IP addresses for most, if not all, of the hosts. Changing the end user IP addresses can be expensive to perform, requires the dispatch of at least one highly skilled technical individual to the site, is error prone, can paralyze the end user's system (thus stopping the processing of transactions during the diagnosis and correction of the installation problems), and may require multiple efforts to be successful.
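The prerequisite described above, that no two sites joined by the VPN share an address range, can be checked before anyone is dispatched. The following is an added example, not code from the patent or from any product it describes; it uses a constructed site inventory and an assumed spare pool (10.200.0.0/16) from which replacement subnets are drawn for the sites that collide, so that only the colliding ranges need renumbering rather than every site.

```python
import ipaddress
from itertools import combinations

# Constructed sample inventory: site name -> subnets in use at that site.
# store-02 reuses store-01's range outright; store-03 sits inside store-01's /16.
SITES = {
    "store-01": ["192.168.1.0/24", "10.10.0.0/16"],
    "store-02": ["192.168.1.0/24"],
    "store-03": ["10.10.5.0/24"],
    "warehouse": ["172.16.40.0/22"],
}


def find_subnet_conflicts(sites):
    """Return (site_a, net_a, site_b, net_b) for every pair of subnets at
    different sites that overlap, whether identical or nested."""
    parsed = [(site, ipaddress.ip_network(n, strict=True))
              for site, nets in sites.items() for n in nets]
    conflicts = []
    for (sa, na), (sb, nb) in combinations(parsed, 2):
        if sa != sb and na.overlaps(nb):
            conflicts.append((sa, str(na), sb, str(nb)))
    return conflicts


def plan_renumbering(sites, pool="10.200.0.0/16", prefixlen=24):
    """Keep the first occurrence of each range and assign a fresh subnet from
    the assumed spare pool to every later range that collides with a kept one.
    Returns {(site, old_subnet): new_subnet}."""
    existing = [ipaddress.ip_network(n) for nets in sites.values() for n in nets]
    # Candidates must not overlap anything already deployed, or we would
    # create a new collision while fixing an old one.
    candidates = (c for c in ipaddress.ip_network(pool).subnets(new_prefix=prefixlen)
                  if not any(c.overlaps(e) for e in existing))
    kept, plan = [], {}
    for site, nets in sites.items():
        for n in nets:
            net = ipaddress.ip_network(n)
            if not any(net.overlaps(k) for k in kept):
                kept.append(net)
                continue
            new = next(candidates, None)
            if new is None:
                raise RuntimeError("spare pool exhausted")
            plan[(site, str(net))] = str(new)
            kept.append(new)
    return plan


def apply_plan(sites, plan):
    """Produce the inventory as it would look after the renumbering plan."""
    return {site: [plan.get((site, n), n) for n in nets]
            for site, nets in sites.items()}


if __name__ == "__main__":
    for c in find_subnet_conflicts(SITES):
        print("conflict: %s %s <-> %s %s" % c)
    plan = plan_renumbering(SITES)
    for (site, old), new in plan.items():
        print(f"renumber {site}: {old} -> {new}")
    print("remaining conflicts:", find_subnet_conflicts(apply_plan(SITES, plan)))
```

Nested overlaps (a /24 inside another site's /16) are the ones that survive a quick visual check of the inventory, which is why the check uses `overlaps()` rather than string equality.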
Generally, technical staff are sent to gather information about the devices at a given site. In many cases, it is not possible to set up a firewall with a single site visit because of the myriad devices the technician encounters, some of which may require other vendors for re-programming. If the technician is unable to install the firewall during the initial site visit, the information gathered by the technician is used to program an off-site firewall, which is then sent to the site for installation by someone at the site.
With this process, a firewall installation can take significantly more time than the present invention requires, and it may be necessary to shut down the site for an extended period of time, wait for a lull in the site's transaction processing, or have skilled technical personnel perform the installation overnight. These issues reduce the number of sites that can be set up in a day.
Furthermore, many current methods require that the end-user site use static IP addresses for Internet access so that the firewall may be managed remotely. An Internet connection with a static IP address is significantly more expensive than the dynamic IP addresses allowed by the present invention's method.
Also, current methods may need to alter the Internet router's programming to allow remote access to the firewall from the Internet for programming and maintenance.
Current methods used to prevent unauthorized devices from accessing the Internet or VPN typically use additional hardware, such as a managed layer-2 switch, to ensure that only authorized IP addresses with known Media Access Control (MAC) addresses can communicate on the network. This approach entails additional hardware and labor costs at each site, and the maintenance of that additional hardware generates an ongoing support cost. In addition, there are incremental labor costs associated with managing the device remotely.
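The MAC-and-IP authorization that a managed switch enforces in hardware can also be audited in software from the firewall's own neighbor table. The following is an added example, not code from the patent; it parses constructed lines in the Linux `arp -a` format against an assumed authorized-device list (MAC to expected IP) and reports devices that are not on the list, known devices seen at an unexpected address, and one MAC answering for several addresses.

```python
import re
from collections import defaultdict

# Constructed sample neighbor table in Linux `arp -a` format.
ARP_TABLE = """\
? (192.168.1.10) at aa:bb:cc:00:00:01 [ether] on eth0
? (192.168.1.11) at aa:bb:cc:00:00:02 [ether] on eth0
? (192.168.1.12) at aa:bb:cc:00:00:02 [ether] on eth0
? (192.168.1.50) at de:ad:be:ef:00:99 [ether] on eth0
? (192.168.1.60) at <incomplete> on eth0
"""

# Assumed authorized-device list: MAC -> the single IP it is allowed to use.
AUTHORIZED = {
    "aa:bb:cc:00:00:01": "192.168.1.10",
    "aa:bb:cc:00:00:02": "192.168.1.11",
    "aa:bb:cc:00:00:03": "192.168.1.13",
}

_ARP_LINE = re.compile(
    r"\((?P<ip>\d{1,3}(?:\.\d{1,3}){3})\) at "
    r"(?P<mac>(?:[0-9a-fA-F]{2}:){5}[0-9a-fA-F]{2})"
)


def parse_arp_table(text):
    """Return [(ip, mac)] for resolved entries; <incomplete> rows are skipped."""
    entries = []
    for line in text.splitlines():
        m = _ARP_LINE.search(line)
        if m:
            entries.append((m.group("ip"), m.group("mac").lower()))
    return entries


def audit_arp(entries, authorized):
    """Compare observed (ip, mac) pairs with the authorized list.
    Each finding is a dict with 'kind', 'ip' and 'mac'."""
    findings = []
    ips_by_mac = defaultdict(set)
    for ip, mac in entries:
        ips_by_mac[mac].add(ip)
        if mac not in authorized:
            findings.append({"kind": "unknown-mac", "ip": ip, "mac": mac})
        elif authorized[mac] != ip:
            findings.append({"kind": "ip-mismatch", "ip": ip, "mac": mac})
    # One MAC answering for several IPs is worth a look regardless of the list.
    for mac, ips in ips_by_mac.items():
        if len(ips) > 1:
            findings.append({"kind": "duplicate-mac", "ip": ",".join(sorted(ips)),
                             "mac": mac})
    return findings


if __name__ == "__main__":
    for f in audit_arp(parse_arp_table(ARP_TABLE), AUTHORIZED):
        print(f"{f['kind']:14} {f['mac']}  {f['ip']}")
```

An entry in the neighbor table only proves that something answered ARP for that address, so a clean audit is a necessary check rather than proof that a device is what the list says it is; the findings are meant to be reviewed, not acted on automatically.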
Current processes are labor intensive, require network downtime for periods of time that are detrimental to the business, and are prone to installation errors that require the technicians to return the network to its original condition so that it is operational for business, and then start over. Furthermore, firewalls used for security purposes are typically shipped at least twice; first, from the manufacturer to the vendor for customization and, second, from the vendor to the site for installation. If customization errors occur, in addition to rendering the local network inoperative, the firewall may need to be shipped a third time, back to the vendor for correction, and then a fourth time, back to the site for another installation attempt.