The present invention relates in general to networked data processing systems, and in particular to virtual private network (VPN) systems and other network systems using tunneling or encapsulating methods.
A virtual private network (VPN) is an extension of a private intranet network across a public network, such as the Internet, creating a secure private connection. This effect is achieved through an encrypted private tunnel, as described below. A VPN securely conveys information across the Internet connecting remote users, branch offices, and business partners into an extended corporate network.
Tunneling, or encapsulation, is a common technique in packet-switched networks. A packet from a first protocol is "wrapped" in a second packet from a second protocol. That is, a new header from a second protocol is attached to the first packet. The entire first packet becomes the payload of the second one. Tunneling is frequently used to carry traffic of one protocol over a network that does not support that protocol directly. For example, a Network Basic Input/Output System (NetBIOS) packet or Internetwork Packet Exchange (IPX) packet can be encapsulated in an Internet Protocol (IP) packet to carry it over a Transmission Control Protocol/Internet Protocol (TCP/IP) network. If the encapsulated first packet is encrypted, an intruder or hacker will have difficulty figuring out the true destination address of the first packet and the first packet's data contents.
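The wrapping described above, shown in working code. This is an added example and not part of the patent text: it builds a minimal IPv4 header (no options) around an inner packet, so that the inner packet's own addresses become invisible to anyone who reads only the outer header, and then unwraps it again. The addresses are constructed sample values, and the inner packet is left in the clear so that the two views can be compared; a real VPN would encrypt the inner packet before wrapping it, as the text notes.

```python
import ipaddress
import struct

IPPROTO_IPIP = 4  # outer-header protocol number for IP-in-IP encapsulation (RFC 2003)
IPPROTO_UDP = 17
HEADER_FMT = "!BBHHHBBH4s4s"  # ver/IHL, TOS, total length, ID, flags/frag, TTL, proto, checksum, src, dst


def ipv4_checksum(header: bytes) -> int:
    """One's-complement sum over the header; a valid header sums to zero."""
    if len(header) % 2:
        header += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(header) // 2), header))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def build_ipv4(src: str, dst: str, proto: int, payload: bytes, ttl: int = 64) -> bytes:
    """Return a 20-byte IPv4 header followed by payload, with the checksum filled in."""
    no_sum = struct.pack(HEADER_FMT, 0x45, 0, 20 + len(payload), 0, 0, ttl, proto, 0,
                         ipaddress.IPv4Address(src).packed, ipaddress.IPv4Address(dst).packed)
    header = no_sum[:10] + struct.pack("!H", ipv4_checksum(no_sum)) + no_sum[12:]
    return header + payload


def parse_ipv4(packet: bytes) -> dict:
    """Decode the outermost IPv4 header; the payload is whatever follows it."""
    ver_ihl, _tos, total_len, _id, _ff, _ttl, proto, _csum, src, dst = struct.unpack(HEADER_FMT, packet[:20])
    ihl = (ver_ihl & 0x0F) * 4
    if ver_ihl >> 4 != 4 or ihl < 20 or total_len > len(packet):
        raise ValueError("not a well-formed IPv4 packet")
    return {
        "src": str(ipaddress.IPv4Address(src)),
        "dst": str(ipaddress.IPv4Address(dst)),
        "proto": proto,
        "checksum_ok": ipv4_checksum(packet[:ihl]) == 0,
        "payload": packet[ihl:total_len],
    }


def encapsulate(inner: bytes, outer_src: str, outer_dst: str) -> bytes:
    """Attach a new outer header; the whole inner packet becomes the outer payload."""
    return build_ipv4(outer_src, outer_dst, IPPROTO_IPIP, inner)


def decapsulate(packet: bytes) -> dict:
    """Strip the outer header and decode the inner packet it carried."""
    outer = parse_ipv4(packet)
    if outer["proto"] != IPPROTO_IPIP or not outer["checksum_ok"]:
        raise ValueError("outer packet is not a valid IP-in-IP tunnel packet")
    return parse_ipv4(outer["payload"])


if __name__ == "__main__":
    # Constructed sample: a private-network datagram carried between two tunnel endpoints.
    inner = build_ipv4("10.0.0.5", "10.0.1.7", IPPROTO_UDP, b"hello")
    tunneled = encapsulate(inner, "203.0.113.1", "198.51.100.2")
    print("outer view:", parse_ipv4(tunneled)["src"], "->", parse_ipv4(tunneled)["dst"])
    print("inner view:", decapsulate(tunneled)["src"], "->", decapsulate(tunneled)["dst"])
```

The outer view is all that an observer on the public segment sees without decapsulating; the inner addresses and data only appear after the outer header is removed, which is why encrypting the inner packet before wrapping hides the true destination.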
The use of VPNs raises several security concerns beyond those that were present in traditional corporate intranet networks. An end-to-end data path might contain several machines not under the control of the corporation, for example, the Internet Service Provider (ISP) access computer, a dial-in segment, and the routers within the Internet. The path may also contain a security gateway, such as a firewall or router, that is located at the boundary between an internal segment and an external segment. The data path may also contain an internal segment which serves as a host or router, carrying a mix of intra-company and inter-company traffic. Commonly, the data path will include external segments, such as the Internet, which will carry traffic not only from the company network but also from other sources.
In this heterogeneous environment, there are many opportunities to eavesdrop, to change a datagram's contents, to mount denial-of-service (DOS) attacks, or to alter a datagram's destination address. Current encryption algorithms are not perfect, and even encrypted packets can be read given sufficient time. The use of a VPN within this environment gives a would-be intruder or hacker a fixed target to focus upon in that the end points of the VPN do not change, nor do the encryption methods and keys. Also, the heterogeneous environment is subject to technological breakdowns and corruptions. The instant invention addresses the compromise concerns inherent in this system.
The instant invention is an apparatus and method for manual negotiation of a secondary configuration of a VPN tunnel for use in case the main VPN tunnel is compromised. Configuration features such as the source and destination addresses of the nodes, the source and destination encryption keys, and the encryption algorithm are exchanged by system administrators in order to establish a main VPN tunnel. In the instant invention, one or more secondary sets of this configuration data are exchanged between the nodes by system administrators in anticipation of a compromise of the main VPN tunnel. In an alternate embodiment, one or more secondary sets of configuration data may be exchanged out-of-band (e.g. via secure telephone) following a compromise of the main VPN or tunneled network. The nodes may take advantage of one of these secondary configurations, should a compromise or attempted compromise be detected.
A compromise of the main VPN tunnel may be detected through any one of several means known in the art, such as an alert from a server. A compromise may be a security breach or a technological breakdown. The system administrators are alerted to the main VPN tunnel compromise and can use previously-exchanged secondary configuration data or can communicate out-of-band (e.g. a secure telephone) to agree on the secondary configuration data (IP addresses, encryption method, encryption keys) and other administrative details (such as time to switch). In the instant invention, the secondary configurations exchanged between the nodes can be used to establish a second VPN tunnel. The second VPN may be established concurrently with the main VPN by "aliasing" multiple IP addresses to the same interface. Alternately, the secondary VPN may replace the main VPN. The main VPN or tunneled network may be abandoned or fed with false data.
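The two paragraphs above describe one procedure: exchange secondary configuration sets in advance (or out-of-band after an alert), and on a compromise alert bring up a tunnel from a secondary set, either alongside the main tunnel on aliased addresses or in its place. The following is an added illustration of that bookkeeping on one node, not code from the patent. The `TunnelConfig` and `TunnelNode` names, the key identifiers and the addresses are all constructed for the example; key material is represented only by opaque identifiers. The one check added beyond the text is that a secondary set must not reuse key identifiers from a compromised set, since a set that shares secrets with the compromised tunnel falls with it.

```python
from dataclasses import dataclass, field
from typing import List


@dataclass(frozen=True)
class TunnelConfig:
    """One exchanged configuration set: endpoint addresses, key identifiers, cipher name.
    (Constructed structure; real key material would live in a key store, not here.)"""
    local_addr: str
    remote_addr: str
    local_key_id: str
    remote_key_id: str
    cipher: str

    def shares_secrets_with(self, other: "TunnelConfig") -> bool:
        return self.local_key_id == other.local_key_id or self.remote_key_id == other.remote_key_id


@dataclass
class TunnelNode:
    """One end of the VPN: the main configuration plus an ordered list of secondaries."""
    primary: TunnelConfig
    secondaries: List[TunnelConfig] = field(default_factory=list)
    active: List[TunnelConfig] = field(default_factory=list, init=False)
    compromised: List[TunnelConfig] = field(default_factory=list, init=False)

    def __post_init__(self) -> None:
        self.active = [self.primary]

    def add_secondary(self, cfg: TunnelConfig) -> None:
        """Register a set exchanged in advance or agreed out-of-band after an alert.
        Reject sets that reuse keys of a tunnel already considered compromised."""
        for known in [self.primary] + self.compromised:
            if cfg.shares_secrets_with(known):
                raise ValueError("secondary set reuses key material of the main or a compromised tunnel")
        self.secondaries.append(cfg)

    def on_compromise(self, cfg: TunnelConfig, mode: str = "replace") -> TunnelConfig:
        """Handle a compromise alert for an active tunnel.
        mode='replace': tear the compromised tunnel down and bring up the next secondary.
        mode='concurrent': keep it up (e.g. to be abandoned later or fed false data) and
        add the secondary beside it, which requires aliasing a second local address."""
        if cfg not in self.active:
            raise ValueError("alert refers to a tunnel that is not active on this node")
        if not self.secondaries:
            raise RuntimeError("no secondary configuration available; agree one out-of-band")
        if mode not in ("replace", "concurrent"):
            raise ValueError("unknown failover mode: %r" % mode)
        replacement = self.secondaries.pop(0)
        self.compromised.append(cfg)
        if mode == "replace":
            self.active.remove(cfg)
        self.active.append(replacement)
        return replacement

    def interface_aliases(self) -> List[str]:
        """Local addresses the interface must carry for every active tunnel."""
        return sorted({c.local_addr for c in self.active})


if __name__ == "__main__":
    # Constructed sample configurations (documentation-range addresses, placeholder key ids).
    main = TunnelConfig("192.0.2.10", "198.51.100.20", "key-local-1", "key-remote-1", "cipher-A")
    spare = TunnelConfig("192.0.2.11", "198.51.100.21", "key-local-2", "key-remote-2", "cipher-B")
    node = TunnelNode(main)
    node.add_secondary(spare)
    node.on_compromise(main, mode="concurrent")
    print("aliases needed:", node.interface_aliases())
    print("compromised:", [c.remote_addr for c in node.compromised])
```

In concurrent mode the node ends up with both local addresses aliased on the interface, matching the text's description; in replace mode only the secondary's address remains active.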
The foregoing outlines broadly the features and technical advantages of the present invention in order that the detailed description of the invention that follows may be better understood. Additional features and advantages of the invention will be described hereinafter which form the subject of the claims of the invention.