Abstract: This invention provides a method for providing network security services, such as those provided by the IPSEC protocol, through network address translation (NAT). The method is based on determining the transformations that occur on a packet and compensating for the transformations. Because only TCP and UDP protocols work through NATs, the IPSEC AH/ESP packets are encapsulated into UDP packets for transport. Special operations are performed to allow reliable communications in such environments.
Abstract: This invention provides a method for providing network security services, such as those provided by the IPSEC protocol, through network address translation (NAT). The method is based on determining the transformations that occur on a packet and compensating for the transformations. Because only TCP and UDP protocols work through NATs, the IPSEC AH/ESP packets are encapsulated into UDP packets for transport. Special operations are performed to allow reliable communications in such environments.
Abstract: This invention provides a method for providing network security services, such as those provided by the IPSEC protocol, through network address translation (NAT). The method is based on determining the transformations that occur on a packet and compensating for the transformations. Because only TCP and UDP protocols work through NATs, the IPSEC AH/ESP packets are encapsulated into UDP packets for transport. Special operations are performed to allow reliable communications in such environments.
Abstract: For achieving packet authentication according to an applicable security policy between a sending node (903) and a receiving node (902) in a network, the following steps are taken:
the transformations occurring to a packet en route between the sending node and the receiving node are discovered dynamically (1003, 1004),
the discovered transformations are checked (1004) to be acceptable based on the applicable security policy, and
the dynamically discovered, acceptable transformations are compensated for (1004, 1006) before authenticating packets transmitted from the sending node to the receiving node.
Abstract: A network device (100, 300) is connected to a network (102) having also a management station (107) connected thereto. The method for configuring the network device comprises the steps of
transmitting from the management station a configuration packet to the network device (201),
authenticating at the network device the management station as the genuine transmitter of the configuration packet (202) and
decoding the configuration parameters contained in said configuration packet and storing them as the configuration parameters of the network device (203).
Abstract: A method is provided for intercepting network packets in a computer system, where a number of functions are used to communicate network packets between a network adapter and a protocols entity. A first network adapter and a first protocols entity installed in the computer system are identified. A set of replacement functions is provided within a packet interceptor module. At least one function used for transmitting network packets from said first protocols entity to said first network adapter is hooked into a first replacement function. At least one function used for transmitting network packets from said first network adapter to said first protocols entity is hooked into a second replacement function. At least one function used for receiving information about the status of the network interface implemented by said first network adapter is hooked into a third replacement function.
Type:
Grant
Filed:
November 13, 1999
Date of Patent:
January 13, 2004
Assignee:
SSH Communications Security Ltd.
Inventors:
Niko Haatainen, Tero Kivinen, Jussi Kukkonen, Tatu Ylönen
Abstract: Data packets are communicated between a transmitting virtual router in a transmitting computer device and a receiving virtual router in a receiving computer device. A security association is established for the secure transmission of data packets between the transmitting computer device and the receiving computer device. The transmitting virtual router and the receiving virtual router are identified within said security association. In the transmitting computer device, the security association for processing a data packet coming from the transmitting virtual router is selected on the basis of the identification of the transmitting virtual router within the security association. In the receiving computer device, the security association for processing a data packet coming from the transmitting computer device is selected on the basis of values contained within the data packet.
Abstract: A data processing system implements a security protocol based on processing data in packets. The data processing system comprises processing packets for storing filter code and processing data packets according to stored filter code, and a policy managing function for generating filter code and communicating generated filter code for packet processing. The packet processing function is arranged to examine, whether the stored filter code is applicable for processing a certain packet. If the stored filter code is not applicable for the processing of a packet, the packet is communicated to the policy managing function, which generates filter code applicable for the processing of the packet and communicates the generated filter code for packet processing.