Abstract: In a communications network including at least one authentication entity adapted to authenticating a network access requestor in order to conditionally grant thereto access to the communications network, wherein the authenticating is based on public key cryptography, a method for automatically provisioning the network access requestor with service access credentials for accessing an on-line service offered by an on-line service provider accessible through the communications network.

Abstract: A method to control communication traffic in a communication network. The traffic includes application-level messages between a client and a server having a private network address. The method includes the steps of: sending by the client a request message requesting a service to the server using a first public network address associated with the server; processing the request message at an intermediate logic unit logically positioned between the client and the server; and receiving an alert signal at the intermediate unit. Upon receipt of said alert signal, the method provides for: mapping the private network address of the server to a second public network address associated with the server; and instructing the client to send the request message to the second public network address of the server, routing to the server only request messages directed to the second public network address.

Abstract: A method and system for out-of-band authentication of messages transmitted, e.g. as packets, on a communication network, whereby a first stream of data is received by a sender control module from a sender; the first stream of data is transmitted over a first channel, e.g. a non-secure data channel, toward a receiver control module; the sender control module generates authentication data of the first stream of data; the authentication data are transmitted from the sender control module to the receiver control module on a second channel, e.g. a secure data channel, distinct from the first channel; and a stream of data received by the receiver control module is checked using the authentication data. Before sending the authentication data, the sender control module transmits a control message including synchronization data to the receiver control module over the second channel.

Abstract: A method of providing telecommunication services includes generating fictitious contact information univocally associated with a telephone number assigned to a subscriber; and storing the fictitious contact information in a database, like an ENUM database. Responsive to a request, received from a requester, of a contact information corresponding to the telephone number and adapted to allow contacting over the Internet the subscriber assignee of the telephone number, the method includes having the database providing the fictitious contact information; and conditioning a resolution of the fictitious contact information for the provisioning of the contact information to the satisfaction of at least one security rule adapted to assess properties of at least one among the requester and the request. In a case that the request from the requester satisfies the at least one security rule, the method resolves the fictitious contact information and provides the requester with the contact information.

Abstract: A method for security in a passive optical network is disclosed. The method includes, at an optical line termination (OLT): detecting an optical termination device and establishing a connection with the device; generating a first authentication message including a first random number; and transmitting the first authentication message through the established connection. At the optical termination device, the method may include: receiving the first authentication message; calculating a first authentication code by using the first random number and a secret code stored at the device; and generating and transmitting to the OLT a second authentication message including the first authentication code.

Abstract: A system for enforcing security policies on mobile communications devices is adapted to be used in a mobile communications network in operative association with a subscriber identity module. The system having a client-server architecture includes a server operated by a mobile communications network operator and a client resident on a mobile communications device on which security policies are to be enforced. The server is adapted to determine security policies to be applied on said mobile communications device, and to send thereto a security policy to be applied. The client is adapted to receive the security policy to be applied from the server, and to apply the received security policy.

Abstract: For managing denial of service situations at an application level in a communications network receiving message data, the message data are monitored in a sensor that sends an event message when detecting an alarm condition; a control logic detects a first analysis to be performed associated with the received event message and generates a request; an analysis module receives the request of analysis, performs the analysis and sends a result message; the control logic receives the result message and detects an action to be taken associated with the result message, the action being a countermeasure or a further analysis. For determining the analysis to be performed and the action to be taken, the control logic browses rules stored in a memory, each rule including a conditional clause and an associated action to be taken.

Abstract: A method for localizing an optical network termination (ONT) of a passive optical network is disclosed. The passive optical network comprises an optical line terminal (OLT) and an optical distribution network (ODN) having a plurality of optical links. The ONT is connectable to the OLT by a given optical link of the optical distribution network. The method includes the steps of detecting that the ONT has been connected to the OLT by an optical link of the optical distribution network; determining length information indicative of a length of the optical link; comparing the length information with a reference length information indicative of a length of the given optical link; and if the length information matches the reference length information, localizing the ONT by confirming that it is connected to the OLT by the given optical link.

Abstract: A method for localizing an optical network termination (ONT) of a passive optical network is disclosed. The passive optical network comprises an optical line terminal (OLT) and an optical distribution network (ODN) having a plurality of optical links. The ONT is connectable to the OLT by a given optical link of the optical distribution network. The method includes the steps of detecting that the ONT has been connected to the OLT by an optical link of the optical distribution network; determining length information indicative of a length of the optical link; comparing the length information with a reference length information indicative of a length of the given optical link; and if the length information matches the reference length information, localizing the ONT by confirming that it is connected to the OLT by the given optical link.

Abstract: A method for security in a passive optical network is disclosed. The method includes, at an optical line termination (OLT): detecting an optical termination device and establishing a connection with the device; generating a first authentication message including a first random number; and transmitting the first authentication message through the established connection. At the optical termination device, the method may include: receiving the first authentication message; calculating a first authentication code by using the first random number and a secret code stored at the device; and generating and transmitting to the OLT a second authentication message including the first authentication code.

Abstract: A system and method for authenticating a subscriber of a first network to access application services through a second network, wherein the second network is a packet data network.

Abstract: A method to control communication traffic in a communication network. The traffic includes application-level messages between a client and a server having a private network address. The method includes the steps of: sending by the client a request message requesting a service to the server using a first public network address associated with the server; processing the request message at an intermediate logic unit logically positioned between the client and the server; and receiving an alert signal at the intermediate unit. Upon receipt of said alert signal, the method provides for: mapping the private network address of the server to a second public network address associated with the server; and instructing the client to send the request message to the second public network address of the server, routing to the server only request messages directed to the second public network address.

Abstract: A method of providing telecommunication services includes generating a fictitious contact information univocally associated with a telephone number assigned to a subscriber; and storing the fictitious contact information in a database, like an ENUM database. Responsive to a request, received from a requester, of a contact information corresponding to the telephone number and adapted to allow contacting over the Internet the subscriber assignee of the telephone number, the method includes having the database providing the fictitious contact information; and conditioning a resolution of the fictitious contact information for the provisioning of the contact information to the satisfaction of at least one security rule adapted to assess properties of at least one among the requester and the request. In a case that the request from the requester satisfies the at least one security rule, the method resolves the fictitious contact information and provides the requester with the contact information.

Abstract: Communication between an administrator device and an administered device in a network is arranged in the form of a chain of digitally signed communication items including messages sent from an originator device to a recipient device. Each message has an associated respective digitally signed receipt, and the originator device is configured not to send a new item toward the recipient device in the absence of a respective digitally signed receipt for a previously sent item. With at least one, and preferably by both of the administrator device and the administered device, there is stored a history record of communication items exchanged therebetween. The history record is agreed upon and signed by both the administrator device and the administered device.

Abstract: A method and system for out-of-band authentication of messages transmitted, e.g. as packets, on a communication network, whereby a first stream of data is received by a sender control module from a sender; the first stream of data is transmitted over a first channel, e.g. a non-secure data channel, toward a receiver control module; the sender control module generates authentication data of the first stream of data; the authentication data are transmitted from the sender control module to the receiver control module on a second channel, e.g. a secure data channel, distinct from the first channel; and a stream of data received by the receiver control module is checked using the authentication data. Before sending the authentication data, the sender control module transmits a control message including synchronization data to the receiver control module over the second channel.

Abstract: In a communications network including at least one authentication entity adapted to authenticating a network access requestor in order to conditionally grant thereto access to the communications network, wherein the authenticating is based on public key cryptography, a method for automatically provisioning the network access requestor with service access credentials for accessing an on-line service offered by an on-line service provider accessible through the communications network.

Abstract: A system and method for authenticating a subscriber of a first network to access application services through a second network, wherein the second network is a packet data network.

Abstract: For managing denial of service situations at an application level in a communications network receiving message data, the message data are monitored in a sensor that sends an event message when detecting an alarm condition; a control logic detects a first analysis to be performed associated with the received event message and generates a request; an analysis module receives the request of analysis, performs the analysis and sends a result message; the control logic receives the result message and detects an action to be taken associated with the result message, the action being a countermeasure or a further analysis. For determining the analysis to be performed and the action to be taken, the control logic browses rules stored in a memory, each rule including a conditional clause and an associated action to be taken.

Abstract: A method and a system for accessing services provided by network resources in communication networks. Access to service capabilities is controlled at the application level by controlling the access through a gateway wherein an object-oriented service architecture based on abstracted application programming interfaces is implemented. Preferably, the service architecture is defined in OSA/Parlay standards. Access control is carried out by means of a logical entity, the service reference monitor, which is linked to the gateway and configured so that it intercepts all the communications passing between the client applications and the gateway. The service reference monitor captures the object reference to the service capability and assigns to the object reference a lifetime. At the expiration of the lifetime, the service reference monitor destroys the service capability. The probability of a malicious attack is lowered by limiting the time window of the life of access to a service.

Abstract: Communication between an administrator device and an administered device in a network is arranged in the form of a chain of digitally signed communication items including messages sent from an originator device to a recipient device. Each message has an associated respective digitally signed receipt, and the originator device is configured not to send a new item toward the recipient device in the absence of a respective digitally signed receipt for a previously sent item. With at least one, and preferably by both of the administrator device and the administered device, there is stored a history record of communication items exchanged therebetween. The history record is agreed upon and signed by both the administrator device and the administered device.