Abstract: A generic endpoint package includes a generic node configuration, which can be used by all nodes within a network, containing consolidated configuration information regardless of the operating system, the generic node configuration including: node property sets; common information containing rules to apply to nodes while in service mode and prior to authorization; and registration information directing the node to a pre-defined registration servers. A method of using a generic endpoint package includes deploying the generic endpoint package having a generic node configuration, which can be used by all nodes within a network, containing consolidated configuration information regardless of the operating system, the generic node configuration including: node property sets; common information containing rules to apply to nodes while in service mode and prior to authorization; and registration information directing the node to a pre-defined registration servers.

Abstract: A network model includes nodes, node property sets, authorization groups and authorization servers. The node property sets define how the nodes operate and authenticate. The nodes are member of the node property sets. The authorization groups are associated with the node property set. And, authorization servers are member of the authorization groups. In addition, a network model in a secure network environment has at least one community of interest. The network model includes at least one node being a member of a node property set that defines how the node operates and authenticates.

Abstract: In a cryptographically-segmented network, a server establishes a cryptographically-segmented communication channel for use by authorized endpoints in an operationally-deployed configuration. In response to a received endpoint-isolation command to isolate a first endpoint, the server de-authorizes the first endpoint from the channel of the operationally-deployed configuration. In response to the de-authorization, the server issues a configuration instruction to the first endpoint to join a first cryptographically-segmented isolation communication channel that is communicatively coupled with at least one monitoring endpoint configured to monitor operation of the first endpoint via the first cryptographically-segmented isolation communication channel.

Abstract: Methods and systems for monitoring network data packets within a secure network are described. One method includes receiving, at a consumer endpoint, a data packet from a second endpoint, the data packet being encrypted with an encryption key associated with a packet auditing community of interest and having a routing header appended thereto, the routing header identifying the consumer endpoint. The method includes decrypting the data packet using the encryption key associated with the packet auditing community of interest, and removing at least a portion of the routing header identifying the consumer endpoint from the decrypted data packet. The method also includes performing at least one packet auditing operation on the decrypted data packet.

Abstract: Methods of communicatively connecting first and second endpoints are disclosed. One method includes transmitting from a first endpoint to a second endpoint a connection request, the connection request including an IP address of the second endpoint. The method further includes, based at least in part on the IP address of the second endpoint, selecting IPsec from among a plurality of available security protocols to first attempt to use in forming a tunnel between the first and second endpoints, and forming the tunnel between the first and second endpoints based on the connection request.

Abstract: Methods and systems for securing communications with an enterprise from a remote computing system are disclosed. One method includes initiating a secured connection with a VPN appliance associated with an enterprise using service credentials maintained in a secure applet installed on a remote computing device, and initiating communication with an authentication server within an enterprise via the secured connection. The method also includes receiving specific credentials from the authentication server, terminating the secured connection with the VPN appliance, and initiating a second secured connection with the VPN appliance using the specific credentials, the specific credentials providing access to one or more computing devices within the enterprise being within a same community of interest as the remote computing device and obfuscating one or more other computing systems within the enterprise excluded from the community of interest.

Abstract: A method of communicatively connecting first and second endpoints across a NAT and/or PAT router to form an IPSec encrypted tunnel is disclosed. A message is received by the first endpoint from the second endpoint. The message includes an encrypted portion including a source port, a destination port, a source IP address, and a destination IP address. It is determined whether a table entry exists for the message. If Yes, it is determined by the first endpoint whether a NAT router and/or a PAT router is between the first endpoint and the second endpoint based, at least in part, on the table entry and the encrypted portion of the message. If Yes, an IPSec encrypted tunnel is created using IPSec transport mode for further communications between the first and second endpoints. An apparatus and a computer program product are also disclosed.

Abstract: Methods of communicatively connecting first and second endpoints are disclosed. One method includes transmitting from a first endpoint to a second endpoint a connection request, the connection request including an IP address of the second endpoint. The method further includes, based at least in part on the IP address of the second endpoint, selecting IPsec from among a plurality of available security protocols to first attempt to use in forming a tunnel between the first and second endpoints, and forming the tunnel between the first and second endpoints based on the connection request.

Abstract: A method of managing secure communications states in an endpoint within a secure network is disclosed. The method includes, in a disconnected state, transmitting from a first endpoint to a second endpoint a first message including an authorization token. The method further includes, in the pending state, receiving from the second endpoint a second message including a second authorization token at the first endpoint. The method includes, based on the receipt of the second message, entering an open state and initializing a tunnel between the first and second endpoints using an IPsec-based secured connection. The method also includes, upon termination of the tunnel due to a termination or timeout message issued by at least one of the first and second endpoints, entering a closed state.

Abstract: A secure communications arrangement including an endpoint is disclosed. The endpoint includes a computing system. The computing system includes a user level services component and a kernel level callout driver interfaced to the user level services component and configured to establish an IPsec tunnel with a remote endpoint. The computing system also includes a filter engine storing one or more filters defining endpoints authorized to communicate with the endpoint via the IPsec tunnel. The computing system also includes a second kernel level driver configured to establish a secure tunnel using a second security protocol different from IPsec.

Abstract: Methods and systems for securing communications with an enterprise from a remote computing system are disclosed. One method includes initiating a secured connection with a VPN appliance associated with an enterprise using service credentials maintained in a secure applet installed on a remote computing device, and initiating communication with an authentication server within an enterprise via the secured connection. The method also includes receiving specific credentials from the authentication server, terminating the secured connection with the VPN appliance, and initiating a second secured connection with the VPN appliance using the specific credentials, the specific credentials providing access to one or more computing devices within the enterprise being within a same community of interest as the remote computing device and obfuscating one or more other computing systems within the enterprise excluded from the community of interest.

Abstract: A method and system for establishing secure communications between endpoints includes transmitting a first message including a token having one or more entries each corresponding to a community of interest associated with a user of the first endpoint and including an encryption key and a validation key associated with the first endpoint. The method includes receiving a second message including a second authorization token including one or more entries, each entry corresponding to a community of interest associated with a second user and including an encryption key and a validation key associated with the second endpoint. The method includes, for each community of interest associated with both users, decrypting an associated entry in the second authorization token to obtain the encryption key and validation key associated with the second endpoint.

Abstract: A method of managing secure communications states in an endpoint within a secure network is disclosed. The method includes, in a disconnected state, transmitting from a first endpoint to a second endpoint a first message including an authorization token. The method further includes, in the pending state, receiving from the second endpoint a second message including a second authorization token at the first endpoint. The method includes, based on the receipt of the second message, entering an open state and initializing a tunnel between the first and second endpoints using an IPsec-based secured connection. The method also includes, upon termination of the tunnel due to a termination or timeout message issued by at least one of the first and second endpoints, entering a closed state.

Abstract: An endpoint, method, and authorization server are disclosed which can be used to allow concurrent secure and clear text communication. An endpoint includes a computing system including a programmable circuit operatively connected to a memory and a communication interface, the communication interface configured to send and receive data packets via a data communications network. The endpoint also includes a filter defined in the memory of the computing system, the filter configured to define one or more access lists, each access list defining a group of access permissions for a community of interest. The community of interest includes one or more users, and an access list from among the one or more access lists defines a set of clear text access permissions associated with a community of interest. The endpoint also includes a driver executable by the programmable circuit, the driver configured to cooperate with the communication interface to send and receive data packets via the data communications network.

Abstract: An endpoint, method, and authorization server are disclosed which can be used to allow concurrent secure and clear text communication. An endpoint includes a computing system including a programmable circuit operatively connected to a memory and a communication interface, the communication interface configured to send and receive data packets via a data communications network. The endpoint also includes a filter defined in the memory of the computing system, the filter configured to define one or more access lists, each access list defining a group of access permissions for a community of interest. The community of interest includes one or more users, and an access list from among the one or more access lists defines a set of clear text access permissions associated with a community of interest. The endpoint also includes a driver executable by the programmable circuit, the driver configured to cooperate with the communication interface to send and receive data packets via the data communications network.

Abstract: A gateway computing system includes a memory storing cleartext gateway software and a programmable circuit communicatively connected to the memory. The programmable circuit is configured to execute computer-executable instructions including the cleartext gateway software. Execution of the cleartext gateway software by the programmable circuit causes the gateway computing system to instantiate at the gateway computing system a virtual device router including a cleartext interface configured to send and receive data packets from a cleartext endpoint and a secured interface configured to exchange data packets with one or more secured endpoints within a secured enterprise network, and load the virtual device router with community of interest material from an authentication server, the community of interest material associated with one or more communities of interest configured to allow access to the cleartext endpoint.

Abstract: A method and system for establishing secure communications between endpoints includes transmitting a first message including a token having one or more entries each corresponding to a community of interest associated with a user of the first endpoint and including an encryption key and a validation key associated with the first endpoint. The method includes receiving a second message including a second authorization token including one or more entries, each entry corresponding to a community of interest associated with a second user and including an encryption key and a validation key associated with the second endpoint. The method includes, for each community of interest associated with both users, decrypting an associated entry in the second authorization token to obtain the encryption key and validation key associated with the second endpoint.

Abstract: Methods of communicatively connecting first and second endpoints are disclosed. One method includes transmitting from a first endpoint to a second endpoint a connection request, the connection request including an IP address of the second endpoint. The method further includes, based at least in part on the IP address of the second endpoint, selecting IPsec from among a plurality of available security protocols to first attempt to use in forming a tunnel between the first and second endpoints, and forming the tunnel between the first and second endpoints based on the connection request.

Abstract: A secure communications arrangement including an endpoint is disclosed. The endpoint includes a computing system. The computing system includes a user level services component and a kernel level callout driver interfaced to the user level services component and configured to establish an IPsec tunnel with a remote endpoint. The computing system also includes a filter engine storing one or more filters defining endpoints authorized to communicate with the endpoint via the IPsec tunnel. The computing system also includes a second kernel level driver configured to establish a secure tunnel using a second security protocol different from IPsec.

Abstract: A distributed computer system comprises an enterprise server and a network server. The distributed computer system utilizes a distributed transmission control protocol (TCP) to establish an off-loaded dialog through the network server. If the off-loaded dialog is interrupted by, e.g., failure of the hosting network server, dialog recovery is performed to move the off-loaded dialog.