This invention relates to communications, and more particularly to virtual private networks implemented over the internet.
In retail sales by vendors having many "bricks-and-mortar" retail outlets, it is desirable to centrally manage inventory and point-of-sale information. In this context, point-of-sale information may include credit card numbers, customer identification, and the like. It would also be advantageous to the vendor if each retail outlet could know the inventory of other retail outlets in the same general area, so that an item out of stock at one retail outlet could be procured from a nearby retail outlet having it in stock.
A currently used approach to providing such information is a dedicated point-to-point communication link, such as a dedicated leased communications path between each retail outlet and the vendor's central or main location. Such dedicated connections are very expensive, and a further expense is the hardware at the central location required to terminate each of the N dedicated communications paths.
One approach to solving the expense problem associated with dedicated communication paths is to use the internet to provide communications. However, the internet is not secure, and it is possible for unscrupulous persons to intercept the data. Since customer information is flowing over these paths, interception is undesirable.
Another possible solution is to scramble or encrypt all of the data passing over the internet between the many remote retail outlets and the vendor's central location. This is subject to multiple problems. A first problem is that the computational resources at the central site must be capable of encrypting and decrypting the messages for possibly tens of thousands of retail outlets, and this amount of computational power may be expensive and slow. This also leaves open the issue of authenticating each remote site. An additional problem is that the internet communications path between each of the remote retail outlets and the central location is susceptible to interruption. Each interruption requires an entirely new authentication procedure to reestablish communications. Such interruptions occur frequently enough that an unreasonable amount of computational resources may be necessary to establish and maintain the connection. Yet another problem is that on at least some of those occasions in which the connection is broken, the operator at the remote site may be unaware of the loss of connection. Someone at the central location must then communicate with the operator at the remote site and request that the connection be reestablished. When the operator is also a retail manager or salesperson, they may not be immediately available.
A further solution is currently in use, namely the application of virtual private networks (VPNs). A virtual private network is essentially an encrypted or otherwise secured path extending over the internet between a site and a tunnel terminator server. In a communications system using a VPN, the vendor's central location has a tunnel terminator server which connects by way of a broadband communication path with the internet. The tunnel terminator server has a public internet address. Each of the remote retail outlets has a host computer with a modem. In order to set up a communication path between a remote retail outlet and the vendor's central location, an operator at the remote location initiates commands to cause the modem at that site to dial the local internet service provider (ISP). In response, the modem dials the ISP, and the operator commands a connection, supplying a user name and password if necessary. The ISP responds, thereby providing a path from the remote retail outlet to the internet. The operator then invokes the VPN client software loaded onto the retail outlet computer. The VPN client software then interacts with the tunnel terminator server to establish a secure communications path using a tunneling protocol such as L2TP, PPTP, or IPsec (of these, L2TP and PPTP define only the tunnel; the encryption comes from an associated mechanism, IPsec or MPPE respectively). Nortel Networks, Cisco Systems, and Lucent Technologies, among others, provide software and hardware for such VPN communications.
Improved VPN communications are desired.
A system according to an aspect of the invention is for autonomously establishing, monitoring, and maintaining a secure and persistent internet communication path between one or more interconnected computers located at a first "central" site and at least one host computer of a plurality of host computers at sites remote from the first site. The system includes a tunnel terminator server at the central site, operating pursuant to a secure tunneling protocol. The tunnel terminator server includes a private port interface and a public port interface. The tunnel terminator initially establishes a clear (unencrypted) communications link, by way of the public port interface, with one or more of a plurality of clients calling from the internet, and initially identifies and authenticates each of the clients as being one of the "authorized" computers at one of the remote sites. For each client so identified and authenticated, the tunnel terminator establishes an encrypted communications link, and, when the encrypted communication link is established, provides a new private IP address to each individual client so identified and authenticated. The system also includes a connection between the private port interface of the tunnel terminator and the one or more interconnected computers. Each host computer at a remote site includes a modem coupled to the public switched telephone network (PSTN). Each host computer further includes
(a) an arrangement for, upon completion of boot-up of the host computer, autonomously causing the associated modem to dial an internet service provider at one or more predetermined telephone numbers, to thereby initiate establishment of an ISP internet connection to the host computer;
(b) an arrangement for, upon successfully establishing the ISP internet connection to the host computer, autonomously invoking the tunnel terminator server to thereby begin a dialogue therewith by way of the internet, and for interacting with the tunnel terminator to establish a secure communications link between the host computer and the tunnel terminator; and
(c) an arrangement for, upon establishing the secure communications link between the host computer and the tunnel terminator, autonomously monitoring the state of both the ISP internet connection and the secure communications link, and for, if one of the ISP internet connection and the secure communications link is lost, autonomously reestablishing the lost one of the ISP internet connection and the secure communications link, so that the ISP internet connection and the secure communications link are persistent.
This system thereby establishes and maintains a secure internet data path between the host computer and the tunnel terminator server without intervention by an operator.
A host computer according to another aspect of the invention includes a modem coupled to the public switched telephone network. The host computer is for use in a system for autonomously establishing, monitoring, and maintaining a secure and persistent internet communication path between one or more interconnected computers located at a first site and at least one host computer, out of a plurality of host computers, at sites remote from the first site. The system includes (a) a tunnel terminator server operating pursuant to a secure tunneling protocol. The tunnel terminator server includes a private port interface and a public port interface. The tunnel terminator server initially establishes a clear (unencrypted) communications link, by way of the public port interface, with one or more of a plurality of clients calling from the internet, and initially identifies and authenticates each of the clients as being "authorized," that is, as being one of the computers at one of the remote sites. For each client so identified and authenticated, the tunnel terminator server establishes an encrypted communications link, and, when the encrypted communication link is established, provides a new private IP address to each individual client so identified and authenticated. The system also includes (b) a connection between the private port interface of the tunnel terminator and the one or more interconnected computers.
Each of the host computers includes
(i) an arrangement for, upon completion of boot-up of the host computer, autonomously causing the associated modem to dial an internet service provider at one or more predetermined telephone numbers, to thereby initiate establishment of an ISP internet connection to the host computer;
(ii) an arrangement for, upon successfully establishing the ISP internet connection to the host computer, autonomously (a) invoking the tunnel terminator server, to thereby begin a dialogue therewith by way of the internet, and (b) interacting with the tunnel terminator to establish a secure communications link between the host computer and the tunnel terminator; and
(iii) an arrangement for, upon establishing the secure communications link between the host computer and the tunnel terminator, (a) autonomously monitoring the state of both the ISP internet connection and the secure communications link, and (b) if one of the ISP internet connection and the secure communications link is lost, autonomously reestablishing the lost one of the ISP internet connection and the secure communications link, so that the ISP internet connection and the secure communications link are persistent.
According to a yet further aspect of the invention, a method is provided for autonomously establishing, monitoring, and maintaining a secure virtual private network tunnel between one or more interconnected computers at a first site and each of a plurality of host computers at sites remote from the first site, where each of the host computers includes a modem coupled to the public switched telephone network, in a system which includes a tunnel terminator server. The tunnel terminator server according to this aspect of the invention operates pursuant to a secure tunneling protocol. The tunnel terminator server includes a private port interface and a public port interface. The tunnel terminator server initially establishes a clear (unencrypted) communications link, by way of the public port interface, with one or more of a plurality of clients calling from the internet, and initially identifies and authenticates each of the clients as being one of the computers at one of the remote sites. For each client so identified and authenticated, the tunnel terminator establishes an encrypted communications link, and, when the encrypted communication link is established, provides a new private IP address to each individual client so identified and authenticated. The system also includes a connection between the private port interface of the tunnel terminator and the one or more interconnected computers. The method comprises the steps, at each host computer, of booting the host computer. Upon completion of booting of the host computer, it autonomously (a) causes the associated modem to dial an internet service provider at one or more predetermined telephone numbers, and (b) initiates establishment of an ISP internet connection to the host computer.
Upon successfully establishing the ISP internet connection, the host computer autonomously (a) invokes the tunnel terminator server to thereby begin a dialogue therewith by way of the internet, and (b) interacts with the tunnel terminator to establish a secure communications link between the host computer and the tunnel terminator. The method further includes the step of, upon establishing the secure communications link between the host computer and the tunnel terminator, autonomously monitoring, at the host computer, the state of both the ISP internet connection and the secure communications link. If the step of autonomously monitoring indicates that the ISP internet connection is lost, the host computer autonomously reestablishes both the ISP internet connection and the secure communications link (the tunnel cannot survive loss of the link beneath it); if only the secure communications link is lost, the host computer autonomously reestablishes the secure communications link alone. As a result, the ISP internet connection and the secure communications link are persistent.
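The boot, dial, tunnel, monitor and repair sequence of items (a) through (c) of the system summary and of the method steps just described, as an added illustration that is not code from the patent or from any VPN vendor's product: a Python supervisor that brings the two layers up in order, then checks them bottom-up on every monitoring pass and rebuilds only the layer that was lost. The transport hooks (dial_isp, open_tunnel, isp_alive, tunnel_alive), the simulated transport with fault injection, and the 10.0.0.x private address pool are assumptions made for this example.

```python
"""Supervisor for a two-layer persistent connection: an ISP dial-up link with a
VPN tunnel riding on it. Illustrative code added to this page, not the patent's
implementation; the transport hooks and the simulated transport are assumptions."""

from dataclasses import dataclass, field
from typing import Any, Callable, List, Optional


@dataclass
class Supervisor:
    transport: Any              # exposes dial_isp(), open_tunnel(), isp_alive(), tunnel_alive()
    max_attempts: int = 3
    private_ip: Optional[str] = None
    events: List[str] = field(default_factory=list)

    def _retry(self, step: Callable[[], bool]) -> bool:
        # Bounded retry; a real dialer would cycle through its predetermined numbers here.
        for attempt in range(1, self.max_attempts + 1):
            if step():
                return True
            self.events.append(f"retry {attempt}")
        return False

    def bring_up_isp(self) -> bool:
        ok = self._retry(self.transport.dial_isp)
        self.events.append("isp up" if ok else "isp failed")
        return ok

    def bring_up_tunnel(self) -> bool:
        def attempt() -> bool:
            self.private_ip = self.transport.open_tunnel()  # terminator assigns the private IP
            return self.private_ip is not None

        ok = self._retry(attempt)
        self.events.append(f"tunnel up {self.private_ip}" if ok else "tunnel failed")
        return ok

    def start(self) -> bool:
        # Layering order: the tunnel can only be opened once the ISP link exists.
        return self.bring_up_isp() and self.bring_up_tunnel()

    def tick(self) -> bool:
        """One monitoring pass. Check the lower layer first: a dead ISP link implies a
        dead tunnel, so both are rebuilt; a dead tunnel over a live ISP link needs only
        a new tunnel (which still costs a fresh authentication to the terminator)."""
        if not self.transport.isp_alive():
            self.events.append("isp lost")
            self.private_ip = None
            return self.start()
        if not self.transport.tunnel_alive():
            self.events.append("tunnel lost")
            self.private_ip = None
            return self.bring_up_tunnel()
        return True


@dataclass
class SimulatedTransport:
    """Constructed stand-in for the modem and the VPN client, with fault injection."""
    isp_up: bool = False
    tunnel_up: bool = False
    dial_failures: int = 0      # dial attempts that fail before one succeeds
    dial_calls: int = 0
    auth_handshakes: int = 0    # every tunnel setup re-authenticates to the terminator
    next_host: int = 1

    def dial_isp(self) -> bool:
        self.dial_calls += 1
        if self.dial_failures > 0:
            self.dial_failures -= 1
            return False
        self.isp_up = True
        return True

    def open_tunnel(self) -> Optional[str]:
        if not self.isp_up:
            return None
        self.auth_handshakes += 1
        self.tunnel_up = True
        self.next_host += 1
        return f"10.0.0.{self.next_host - 1}"   # constructed private address pool

    def isp_alive(self) -> bool: return self.isp_up
    def tunnel_alive(self) -> bool: return self.tunnel_up
    def drop_isp(self) -> None: self.isp_up = self.tunnel_up = False   # carrier loss kills both
    def drop_tunnel(self) -> None: self.tunnel_up = False              # tunnel-only loss


def demo() -> dict:
    """Boot with one failed dial, then lose the tunnel only, then lose the ISP link."""
    t = SimulatedTransport(dial_failures=1)
    s = Supervisor(t)
    s.start()
    ips = [s.private_ip]
    for fault in (t.drop_tunnel, t.drop_isp):
        fault()
        s.tick()
        ips.append(s.private_ip)
    return {"ips": ips, "dial_calls": t.dial_calls,
            "handshakes": t.auth_handshakes, "events": s.events}
```

Calling demo() shows the distinction the method draws: the tunnel-only loss triggers one new tunnel setup (and therefore one new authentication) without redialing, while the ISP loss redials and then re-opens the tunnel, so three private addresses are handed out over three handshakes but only three dial attempts are made in total. The handshake counter is the per-interruption authentication cost that the background section objects to; reconnecting only the failed layer keeps it to the minimum.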