Patents Assigned to Certes Networks, Inc.
  • Patent number: 12113779
    Abstract: A method of establishing one or more secure channels between network devices comprises exchanging a base key pair between a first network device and a second network device, and for each of a plurality of policies, providing a nonce corresponding to that policy to the first and second devices. The method further comprises generating, for each of the plurality of policies, a session key that is a function of the base key pair and the policy nonce. The method comprises determining, at the first device, that a data packet matches a rule associated with a policy, encrypting the data with a session key that corresponds to the policy to produce an encrypted packet, and conveying the encrypted packet to the second device. At the second device, determining that the encrypted packet matches the rule associated with the policy, and decrypting the encrypted packet with the session key.
    Type: Grant
    Filed: March 30, 2022
    Date of Patent: October 8, 2024
    Assignee: Certes Networks, Inc.
    Inventors: Sean D. Everson, Ganesh Murugesan
  • Patent number: 9882714
    Abstract: In many secure communication systems, group keys are updated on a regular basis in order to maintain a high security level. Decryption and encryption keys are typically updated simultaneously in policy enforcement points (PEPs). Such an approach makes the respective communication system prone to dropping network traffic. According to at least one embodiment, re-keying is performed by installing, at a first phase, a new decryption key at the PEPs without removing an old decryption key previously installed in the PEPs. At a second phase, a new encryption key corresponding to the new decryption key is installed and an old encryption key corresponding to the old decryption key is removed. At a third stage, the old decryption key and any other old decryption keys are removed from the PEPs.
    Type: Grant
    Filed: March 10, 2014
    Date of Patent: January 30, 2018
    Assignee: Certes Networks, Inc.
    Inventors: Todd L. Cignetti, Miles S. Krivoshia, Ganesh Murugesan, Timothy J. Megela
  • Patent number: 9294506
    Abstract: A method and corresponding apparatus are provided to securely encapsulate an original IP datagram received from a network. It is first determined whether the IP payload of the original IP datagram is a TCP segment, a UDP datagram, or a packet of another type of network protocol. Based on this determination, a portion of the IP payload is encrypted, resulting in an encrypted payload. A security-encapsulated IP packet is then formed with the source IP address, destination IP address, and IP protocol field from the original IP datagram, and the encrypted payload. The security-encapsulated IP packet is then provided to the network.
    Type: Grant
    Filed: May 17, 2011
    Date of Patent: March 22, 2016
    Assignee: Certes Networks, Inc.
    Inventor: Troy Swartz
  • Publication number: 20140359275
    Abstract: Multi-protocol label switching (MPLS) data is typically sent unencrypted over MPLS-based networks. If encryption is applied to MPLS data frames and the MPLS labels themselves are encrypted, each node receiving any of the MPLS data frames would have to perform decryption in order to direct the frames to the next node, resulting in extra processing and data latency. According to an example embodiment, encryption and decryption mechanisms for MPLS data include encrypting/decrypting payload data while keeping the MPLS labels in the clear (i.e., unencrypted). An MPLS encryption label is also employed within the MPLS label stack to indicate that encryption is applied. The MPLS encryption label is inserted in the MPLS label stack when encrypting the payload and is removed when decrypting the payload.
    Type: Application
    Filed: April 16, 2014
    Publication date: December 4, 2014
    Applicant: Certes Networks, Inc.
    Inventors: Ganesh Murugesan, Todd L. Cignetti
  • Patent number: 8607301
    Abstract: Group Virtual Private Networks (Group VPNs) are provided for different types of machines in a data processing network. Security groups are defined by a security policy for each member. Security policies and encryption keys are deployed to members of a security group using an IPsec network infrastructure with authentication via VPN mechanisms. The group VPNs provide a trusted IP network that can leverage and co-exist with security access control technologies, such as endpoint security that controls client network access or application security that controls user access to enterprise applications.
    Type: Grant
    Filed: September 27, 2006
    Date of Patent: December 10, 2013
    Assignee: Certes Networks, Inc.
    Inventor: Serge-Paul Carrasco
  • Patent number: 8539547
    Abstract: A method and apparatus for representing policies and searching for policies that match a packet are provided. The policies being represented and searched for include policies that overlap and policies that have “don't care” attributes.
    Type: Grant
    Filed: August 18, 2011
    Date of Patent: September 17, 2013
    Assignee: Certes Networks, Inc.
    Inventor: Mauro Zallocco
  • Patent number: 8379638
    Abstract: A technique for encapsulating data packets at a Data Link Layer to provide security functions. The technique first encrypts a payload to provide an encrypted payload. The encrypted payload is inserted in an output encapsulated frame. Also added to the output encapsulated frame is an encapsulation header that includes security information, such as a security packet index (SPI) value used to identify a security association (SA). Because the output encapsulated frame may now be longer than maximum allowed Ethernet Path Maximum Transmission Unit (PMTU), the encapsulation header also preferably includes a fragmentation field. The fragmentation field supports the ability to fragment the encrypted datagrams into smaller pieces.
    Type: Grant
    Filed: September 25, 2006
    Date of Patent: February 19, 2013
    Assignee: Certes Networks, Inc.
    Inventor: Troy A. Swartz
  • Patent number: 8327437
    Abstract: A technique for securing message traffic in a data network using a protocol such as IPsec, and more particularly various methods for distributing security policies among peer entities in a network while minimizing the passing and storage of detailed policy or key information except at the lowest levels of a hierarchy.
    Type: Grant
    Filed: August 10, 2010
    Date of Patent: December 4, 2012
    Assignee: Certes Networks, Inc.
    Inventor: Donald K. McAlister
  • Patent number: 8284943
    Abstract: Encryption of Internet Protocol (IP) traffic using IP Security (IPSec) at the edge of the enterprise network, in such a way as to support resilient BGP/MPLS IP VPN network designs. The IP traffic is securely tunneled within IPSec tunnels from the edge to the edge of the enterprise network. The IPSec traffic is also tunneled within MPLS tunnels from the edge to the edge of the service provider network. The enterprise network thus manages its own IPSec site-to-site VPN. The service provider thus independently manages its own MPLS network. The result provides an IP VPN or Layer 3 MPLS VPN to the enterprise; the enterprise IPSec network can thus be considered as an overlay to the MPLS service provider network.
    Type: Grant
    Filed: January 22, 2007
    Date of Patent: October 9, 2012
    Assignee: Certes Networks, Inc.
    Inventor: Serge-Paul Carrasco
  • Publication number: 20120096269
    Abstract: A Virtual Elastic Gateway Appliance (VEGA) that implements all the capability of a security gateway in a set of virtual appliances for operation in a virtualized, cloud environment is provided. The virtual appliances are divided into various components to provide key exchange and data protection in separate virtual appliances allowing each to be scaled elastically and independently. Security management of the virtual gateway is under control of the client while the cloud provider can meter use of virtual resources. Shared state operation and tunneled key exchange ensure robust operation in a dynamic environment.
    Type: Application
    Filed: October 14, 2011
    Publication date: April 19, 2012
    Applicant: Certes Networks, Inc.
    Inventor: Donald K. McAlister
  • Publication number: 20120096512
    Abstract: A method and apparatus for representing policies and searching for policies that match a packet are provided. The policies being represented and searched for include policies that overlap and policies that have “don't care” attributes.
    Type: Application
    Filed: August 18, 2011
    Publication date: April 19, 2012
    Applicant: Certes Networks, Inc.
    Inventor: Mauro Zallocco
  • Patent number: 8104082
    Abstract: In some networking situations, securing an inner packet of a tunnel packet requires that an intermediary networking device know the destination address of the secured inner packet. Consequently, the identity of a secured network becomes known to others and presents a security risk. The provided technique addresses this risk by: i) establishing at a first security interface a first secured network connection between a first and a second secured network, the connection established for a first packet addressed to a virtual security interface and destined for the second secured network; and ii) responding to a network condition by establishing at a second security interface at least one second secured network connection between the first and second secured networks, the connection established for a second packet addressed to the virtual security interface and destined for the second secured network.
    Type: Grant
    Filed: September 29, 2006
    Date of Patent: January 24, 2012
    Assignee: Certes Networks, Inc.
    Inventor: Donald McAlister
  • Publication number: 20110314274
    Abstract: A method and corresponding apparatus are provided to securely encapsulate an original IP datagram received from a network. It is first determined whether the IP payload of the original IP datagram is a TCP segment, a UDP datagram, or a packet of another type of network protocol. Based on this determination, a portion of the IP payload is encrypted, resulting in an encrypted payload. A security-encapsulated IP packet is then formed with the source IP address, destination IP address, and IP protocol field from the original IP datagram, and the encrypted payload. The security-encapsulated IP packet is then provided to the network.
    Type: Application
    Filed: May 17, 2011
    Publication date: December 22, 2011
    Applicant: Certes Networks, Inc.
    Inventor: Troy Swartz
  • Patent number: 8082574
    Abstract: A technique for securing message traffic in a data network using various methods for distributing security policies and keys, where policy definition is determined in a Management and Policy (MAP) functional layer that is responsible for policy distribution; a separate Key Authority Point (KAP) that is responsible for key generation, key distribution, and policy distribution; and a separate Policy Enforcement Point (PEP) which is responsible for enforcing the policies and applying the keys.
    Type: Grant
    Filed: July 23, 2007
    Date of Patent: December 20, 2011
    Assignee: Certes Networks, Inc.
    Inventors: Brandon L. Hoff, Ronald B. Willis, Charles R. Starrett, Donald K. McAlister
  • Patent number: 8046820
    Abstract: A method for providing network security comprising a step of configuring a remote network to engage in network security negotiation with a local network. The method includes a step of configuring a first security policy of a security component within the local network to pass through network security negotiation communication between the local network and the remote network, and a step of establishing a network security negotiation between the remote network and a security parameter generator via the security component. The security parameter generator can be located within the local network and configured to provide secure communication with the remote network.
    Type: Grant
    Filed: September 29, 2006
    Date of Patent: October 25, 2011
    Assignee: Certes Networks, Inc.
    Inventor: Donald McAlister