The present invention relates to the field of data communications. More specifically, the present invention relates to a device for processing communications and a method of configuring such a device to selectively encrypt communications depending upon whether they are being passed between members of a virtual private network.
Organizations rely heavily upon their ability to communicate data electronically between their members, representatives, employees, etc. Such communications typically include electronic mail and some form of file sharing or file transfer. In a centralized, single site organization, these communications are most commonly facilitated by a local area network (LAN) installed and/or operated by the organization.
Preventing unauthorized access to data traversing an enterprise's single site LAN is relatively straightforward. As long as intelligent network management and adequate physical security are maintained, unauthorized access to the data passing across the LAN can be prevented. It is when the enterprise spans multiple sites that external security threats become a considerable problem.
For distributed enterprises wishing to communicate data electronically, several options exist but each has associated disadvantages. One option is to interconnect the various offices or sites with dedicated, or private, communication connections, often referred to as leased lines. This is a traditional method used by organizations to implement a wide area network (WAN). The disadvantages of implementing an enterprise-owned and controlled WAN are obvious: they are expensive, cumbersome and frequently underutilized if configured to handle the peak capacity requirements of the enterprise. The obvious advantage is that the lines are dedicated for use by the enterprise and are therefore reasonably secure from eavesdropping or tampering by other parties.
One alternative to using dedicated communication lines is to exchange data communications over the emerging public network space. For example, in recent years the Internet has evolved from a tool primarily used by scientists and academics into an efficient mechanism for global communications. The Internet provides electronic communication paths between millions of computers by interconnecting the various networks upon which those computers reside. It has become commonplace, even routine, for enterprises (including those in non-technical fields) to provide Internet access to at least some portion of the computers within the enterprises. For many organizations, Internet access facilitates communications with customers and potential business partners and promotes communications between geographically distributed members of the organization as well.
Distributed enterprises have discovered that the Internet is a convenient mechanism for enabling electronic communications between their geographically-separated members. For example, even remote sites within an enterprise can connect to the Internet through Internet Service Providers (ISP). Once they have access to the Internet, the various members of the enterprise can communicate among the enterprise's distributed sites and with other Internet sites as well. A significant disadvantage of using this form of intra-enterprise communications is the general lack of security afforded communications traversing public networks such as the Internet. The route by which a data communication travels from one point on the Internet to another point can vary on a per packet basis, and is therefore essentially indeterminate. Furthermore, the data protocols for transmitting information over the constituent networks of the Internet are widely known, thus leaving electronic communications susceptible to interception and eavesdropping, the danger of which grows with every intermediate hop, since each hop handles and can copy the packets it forwards. Of potentially greater concern is the fact that communications can be modified in transit or even initiated by or routed to an impostor. With these disconcerting risks, most enterprises are unwilling to subject their proprietary and confidential communications to the exposure of the public network space. For many organizations, therefore, it is common to not only have Internet access available at each site, but also to maintain existing dedicated communications paths for internal enterprise communications, with all of the attendant disadvantages described above.
To address the need for means of passing secure communications, "virtual private networks" (VPNs) have been developed. A VPN allows an organization to communicate securely across an underlying public network, such as the Internet, even with remote sites. Virtual private networks typically include one or more virtual private network units, sometimes known as VPN service units or VSUs. VPN service units translate or exchange data packets between the public network and the organization's private WAN or LAN. Virtual private network units may reside in a number of locations, such as within an ISP or telephone company network or on the WAN or LAN side of a routing apparatus that connects the enterprise's network to the Internet. Thus, VPN units in known forms of virtual private networks generally receive and process all data traffic passed between an enterprise site (whether local or remote) and the public network. Within one enterprise network, a VSU may serve multiple network segments.
To ensure secure data communications between members of a single VPN, which may comprise one or more VPN groups, a VPN unit operates according to a number of parameters. The parameters include various compression, encryption, decryption and authentication algorithms, as well as parameters concerning security associations and access control. Parameters in effect for one VPN may differ from those used in another VPN, and may also vary between different groups within each VPN.
As described above, known VPN units typically form part of the data path connecting an enterprise's private LAN to the public network over which secure data communications are to be passed. This mode of operation presents at least two problems, however. First, because it forms part of the path along which all inter-network traffic travels, such a VPN unit constitutes a single point of failure. In other words, if a VPN unit fails, all communications between the private and public networks connected to the unit are disrupted, not just the VPN traffic. As a second consequence of being part of the path for all data communications, those communications that need not be secured are still received and processed by the VPN unit, even though they are not VPN traffic. Therefore, current VPN unit configurations cannot avoid delaying all data communications, including those that are not being passed between members of a VPN.
An additional disadvantage to the current method of configuring VPNs and VPN units is that a VPN unit cannot be "hot-swapped." In other words, an installed VPN unit cannot be replaced without disrupting all data communications between the private and public networks. Further, each individual VPN unit is presently capable of processing communications for only a single private network that is connected to a public network through the VPN unit. A separate VPN unit is thus generally required for each private network.
There is, therefore, a need in the art for a VPN unit that can be configured to operate as part of a virtual private network without receiving and processing all data communications passing between the interconnected public and private networks. There also exist requirements for a VPN unit that can be replaced without disrupting all data communications and a VPN unit capable of serving multiple private networks. Methods of operating VPN units such as these, and methods of operating a VPN comprising such VPN units are also needed.
The present invention provides a virtual private network (VPN) unit for selectively processing secure communications for members of a virtual private network. One embodiment of the present invention is used in a VPN operating over a public data network connected to an organization's private network (e.g., a LAN or WAN). The organization's private network includes one or more endstations that are members of the VPN. In this first embodiment, a VPN unit serving the VPN member endstations contains a processor, storage memories, and a communication port. A method of configuring the VPN unit is also provided, whereby VPN communications (e.g., communications requiring secure transmission between members of a VPN) are processed by the VPN unit but other communications bypass it.
The VPN unit is linked by a communication port to an interconnection between the public network and the private network. Data communications sent from the private network are received and processed by the VPN unit if they are to be secured for transmission across the VPN (i.e., they constitute VPN traffic). Data communications sent from the private network bypass the VPN unit, however, and pass directly to the public network if they are not VPN traffic. Conversely, communications directed to the private network from the public network are delivered to the VPN unit if they constitute VPN traffic but otherwise pass directly to the private network.
To enable this selective mode of operation in a present embodiment of the invention, the VPN unit is configured to exchange VPN traffic with the public network in tunnel format. VPN data packets adhering to tunnel format comprise a header and a body. The header includes source and destination addresses corresponding to the VPN units serving the origination and destination VPN members, respectively. The body comprises the original data packet generated by the originating VPN member, including the addresses of the origination and destination endstations. The source VPN unit receives the original packet from the originating VPN member, prepends the header, and encrypts the body before transmitting the VPN packet toward its destination. The destination VPN unit receives the VPN packet from the public network, removes the header, decrypts the body, and forwards the original packet toward the destination endstation.
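The selection step of the preceding paragraph (VPN traffic goes to the unit, everything else bypasses it) and the tunnel format just described, worked through as an added example in Python. This code is not part of the patent; the two-site topology, the pre-provisioned security association (SPI and keys), the HMAC-SHA256 counter-mode stream cipher and the encrypt-then-MAC tag are assumptions standing in for the algorithms the page leaves unspecified, and the replay check illustrates the authentication parameters mentioned above.

```python
"""Selective VPN processing with tunnel-format packets (added example)."""
import hashlib
import hmac
import ipaddress
import struct

# Constructed sample topology (an assumption, not taken from the page): each
# VPN member subnet is served by one VPN unit reachable at a public address.
VPN_UNITS = {
    ipaddress.ip_network("10.1.0.0/24"): "203.0.113.1",   # unit serving site A
    ipaddress.ip_network("10.2.0.0/24"): "198.51.100.1",  # unit serving site B
}

# Security association shared by the two units (assumed pre-provisioned):
# an SPI naming the association plus separate encryption and MAC keys.
SA = {
    "spi": 0x1001,
    "enc_key": b"example-enc-key-32-bytes-long!!!",
    "mac_key": b"example-mac-key-32-bytes-long!!!",
}

# Tunnel header: outer source unit, outer destination unit, SPI, sequence number.
HEADER = struct.Struct("!4s4sIQ")
TAG_LEN = 32  # HMAC-SHA256 tag appended after the encrypted body


def serving_unit(address):
    """Public address of the VPN unit serving a private address, or None."""
    ip = ipaddress.ip_address(address)
    for net, unit in VPN_UNITS.items():
        if ip in net:
            return unit
    return None


def is_vpn_traffic(src, dst):
    """Selection step: a packet is handed to the VPN unit only if both
    endstations are VPN members; all other traffic bypasses the unit."""
    return serving_unit(src) is not None and serving_unit(dst) is not None


def original_packet(src, dst, payload):
    """Stand-in for the endstation's packet: inner addresses plus payload."""
    return ipaddress.IPv4Address(src).packed + ipaddress.IPv4Address(dst).packed + payload


def inner_addresses(packet):
    """Origination and destination endstation addresses carried in a packet."""
    return str(ipaddress.IPv4Address(packet[:4])), str(ipaddress.IPv4Address(packet[4:8]))


def keystream(key, spi, seq, length):
    """Toy stream cipher: HMAC-SHA256 in counter mode, keyed by the SA and the
    per-packet sequence number so no keystream block is ever reused. It stands
    in for the page's unspecified cipher and is for demonstration only."""
    out, block = b"", 0
    while len(out) < length:
        out += hmac.new(key, struct.pack("!IQI", spi, seq, block), hashlib.sha256).digest()
        block += 1
    return out[:length]


def xor(a, b):
    return bytes(x ^ y for x, y in zip(a, b))


class SourceUnit:
    """Source VPN unit: prepend the unit-to-unit header, encrypt the body, then
    authenticate header plus ciphertext (encrypt-then-MAC)."""

    def __init__(self):
        self.seq = 0

    def encapsulate(self, original):
        src, dst = inner_addresses(original)
        self.seq += 1
        header = HEADER.pack(ipaddress.IPv4Address(serving_unit(src)).packed,
                             ipaddress.IPv4Address(serving_unit(dst)).packed,
                             SA["spi"], self.seq)
        body = xor(original, keystream(SA["enc_key"], SA["spi"], self.seq, len(original)))
        tag = hmac.new(SA["mac_key"], header + body, hashlib.sha256).digest()
        return header + body + tag


class DestinationUnit:
    """Destination VPN unit: verify the tag, reject replays, strip the header,
    decrypt the body and return the original packet (None means dropped)."""

    def __init__(self):
        self.highest_seq = 0  # monotonic check; real units keep a sliding window

    def decapsulate(self, packet):
        if len(packet) < HEADER.size + TAG_LEN:
            return None
        header, body, tag = packet[:HEADER.size], packet[HEADER.size:-TAG_LEN], packet[-TAG_LEN:]
        expected = hmac.new(SA["mac_key"], header + body, hashlib.sha256).digest()
        if not hmac.compare_digest(tag, expected):
            return None  # forged or modified in transit
        _, _, spi, seq = HEADER.unpack(header)
        if spi != SA["spi"] or seq <= self.highest_seq:
            return None  # unknown association or replayed packet
        self.highest_seq = seq
        return xor(body, keystream(SA["enc_key"], spi, seq, len(body)))


if __name__ == "__main__":
    sender, receiver = SourceUnit(), DestinationUnit()
    for dst in ("10.2.0.7", "93.184.216.34"):  # one VPN member, one outside host
        pkt = original_packet("10.1.0.5", dst, b"hello")
        if is_vpn_traffic(*inner_addresses(pkt)):
            tunnel = sender.encapsulate(pkt)
            print("tunnelled to", dst, "restored:", receiver.decapsulate(tunnel) == pkt)
        else:
            print("bypassed unit for", dst)
```

Only the inner packet is encrypted; the outer header stays in the clear so public-network routers can forward the tunnel packet between the two units, which is why the tag also covers the header. A modified or forged packet fails the tag check and is dropped, and a captured packet resent by an impostor is dropped by the sequence check.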
A VPN unit operating in this selective mode of operation will not be a single point of failure for all data traffic passing between the organization's private network and the public network, and can be replaced without disrupting non-VPN traffic. Advantageously, non-VPN traffic bypasses the VPN unit, thereby avoiding any delay that may be imparted by the VPN unit. In an alternative embodiment of the invention, multiple private networks are connected to a single VPN unit.