Security Protocols Patents (Class 726/14)
- Patent number: 8434141
  Abstract: A system for preventing a normal user from being blocked in a network address translation (NAT)-based web service, and a method for controlling the same, are disclosed. The system discriminates between an attacker PC and a normal user PC that use the same public IP address in the NAT network, blocks a Web-page request generated from the attacker PC, processes a Web-page request of a normal user PC, and makes an Internet service of the normal user PC possible.
  Type: Grant
  Filed: March 3, 2011
  Date of Patent: April 30, 2013
  Assignee: Wins Technet Co., Ltd.
  Inventors: Hark Su Cho, Young Kook Noh
- Patent number: 8434143
  Abstract: Methods and systems for an intelligent network protection gateway (NPG) and network architecture are provided. According to one embodiment, a firewall provides network-layer protection to internal hosts against unauthorized access by hosts of an external network by performing network address translation (NAT) processing of Internet Protocol (IP) addresses. The firewall changes data in headers of VoIP packets and corresponding data contents of the VoIP packets, to enable bi-directional VoIP communications. An external VoIP interface of the firewall receives incoming VoIP packets having a user alias (e.g., an email address) and an indication regarding a VoIP port of the external interface. The packets are directed to an appropriate internal host by the firewall performing port address forwarding based on the port indication to a Media Gateway Control Protocol (MGCP) media gateway within the internal network that maintains a mapping of user aliases to private addresses of the internal hosts.
  Type: Grant
  Filed: June 7, 2012
  Date of Patent: April 30, 2013
  Assignee: Fortinet, Inc.
  Inventor: Michael Xie
- Patent number: 8434150
  Abstract: Detection of user accounts associated with spammer attacks may be performed by constructing a social graph of email users. Biggest connected components (BCC) of the social graph may be used to identify legitimate user accounts, as the majority of the users in the biggest connected components are legitimate users. BCC users may be used to identify more legitimate users. Using degree-based detection techniques and PageRank-based detection techniques, the hijacked user accounts and spammer user accounts may be identified. The users' email sending and receiving behaviors may also be examined, and the subgraph structure may be used to detect stealthy attackers. From the social graph analysis, legitimate user accounts, malicious user accounts, and compromised user accounts can be identified.
  Type: Grant
  Filed: March 24, 2011
  Date of Patent: April 30, 2013
  Assignee: Microsoft Corporation
  Inventors: Yinglian Xie, Fang Yu, Martin Abadi, Eliot C. Gillum, Junxian Huang, Zhuoqing Morley Mao, Jason D. Walter, Krishna Vitaldevara
- Patent number: 8434142
  Abstract: In one aspect of the invention, a mobile node (MN) participates in a first return routability procedure with a home agent (HA) and a correspondent node (CN), including generating a first binding management key (Kbm). A first proof of knowledge (PoK) is generated by hashing the first Kbm. The MN participates in a second return routability procedure, including generating a second Kbm. A first binding update and binding acknowledgement (BU/BA) key is generated by hashing the second Kbm and the first PoK. A first binding update (BU) message is transmitted to the CN, where the second BU message is transmitted with the first BU/BA key. In response to a first binding acknowledgement (BA) message received from the CN, the MN authenticates the first BA message using the first BU/BA key.
  Type: Grant
  Filed: June 3, 2010
  Date of Patent: April 30, 2013
  Assignee: Telefonaktiebolaget L M Ericsson (PUBL)
  Inventor: Wassim Haddad
- Patent number: 8429737
  Abstract: An IMS system includes an IMS initiator user entity. The system includes an IMS responder user entity that is called by the initiator user entity. The system includes a calling side S-CSCF in communication with the caller entity which receives an INVITE having a first protection offer and parameters for key establishment from the caller entity, removes the first protection offer from the INVITE and forwards the INVITE without the first protection offer. The system includes a receiving end S-CSCF in communication with the responder user entity and the calling side S-CSCF which receives the INVITE without the first protection offer and checks that the responder user entity supports the protection, inserts a second protection offer into the INVITE and forwards the INVITE to the responder user entity, wherein the responder user entity accepts the INVITE including the second protection offer and answers with an acknowledgment having a first protection accept.
  Type: Grant
  Filed: December 1, 2008
  Date of Patent: April 23, 2013
  Assignee: Telefonaktiebolaget LM Ericsson (publ)
  Inventors: Luis Barriga, Rolf Blom, Yi Cheng, Fredrik Lindholm, Mats Naslund, Karl Norrman
- Patent number: 8429736
  Abstract: A proxy device such as a firewall uses an internal socket namespace, such as a text string, such that connection requests must be explicitly redirected to a listening socket in the alternate namespace in order to connect to a service. Because external connections cannot directly address the listening socket or service, greater security is provided than with traditional firewall or proxy devices. To receive a redirected proxy connection, a service process creates a listening socket and binds a name in an alternate namespace to the socket before listening for connections.
  Type: Grant
  Filed: May 7, 2008
  Date of Patent: April 23, 2013
  Assignee: McAfee, Inc.
  Inventors: Michael W. Green, David Diehl, Michael J. Karels
- Patent number: 8429393
  Abstract: A network security system comprises a first component that generates an address for identifying a communicating device on a network. A second component receives the address generated by the first component and facilitates transitioning from an existent address to the generated address. Such transitioning is effectuated in order to protect the network against attack while providing seamless communications with respect to the communicating device.
  Type: Grant
  Filed: September 30, 2004
  Date of Patent: April 23, 2013
  Assignee: Rockwell Automation Technologies, Inc.
  Inventors: Mark B. Anderson, David D. Brandt, Ramadas M. Pai, Taryl J. Jasper
- Patent number: 8429413
  Abstract: A method for processing security communication protocol compliant signed receipts at a mobile communication device linked to a host system is provided. The host system receives an email message linked to a digital signature, and a signed receipt. The host system redirects the signed receipt to the mobile communication device. The host system determines if the email message is available at the mobile communication device, and if not, the host system retrieves the email message and redirects the email message to the mobile communication device. The mobile communication device can then verify the signed receipt based on the email message. Optionally, rather than the email message, the host system retrieves and/or recalculates data elements associated with the email message and required to verify the signed receipt, and redirects these data elements to the mobile communication device.
  Type: Grant
  Filed: May 30, 2011
  Date of Patent: April 23, 2013
  Assignee: Research In Motion Limited
  Inventors: Michael K. Brown, Neil Adams, Michael S. Brown, Luis Estable
- Patent number: 8429738
  Abstract: A system and method for performing asynchronous cryptographic operations. A cryptographic toolkit receives requests for cryptographic operations, and initiates the cryptographic operations within a thread of execution. The toolkit detects when the cryptographic operations are complete, retrieves the results, and returns the results to a calling program. The cryptographic operations are performed in an asynchronous manner, without blocking a calling program. The calling program can specify whether the requested operations are to be performed without blocking.
  Type: Grant
  Filed: November 21, 2011
  Date of Patent: April 23, 2013
  Assignee: F5 Networks, Inc.
  Inventors: John R. Hughes, Richard Roderick Masters, David D. Schmitt
- Publication number: 20130097692
  Abstract: A method is provided in one example embodiment that includes intercepting a network flow to a destination node having a network address and sending a discovery query based on a discovery action associated with the network address in a firewall cache. A discovery result may be received and metadata associated with the flow may be sent to a firewall before releasing the network flow. In other embodiments, a discovery query may be received from a source node and a discovery result sent to the source node, wherein the discovery result identifies a firewall for managing a route to a destination node. Metadata may be received from the source node over a metadata channel. A network flow from the source node to the destination node may be intercepted, and the metadata may be correlated with the network flow to apply a network policy to the network flow.
  Type: Application
  Filed: October 17, 2011
  Publication date: April 18, 2013
  Inventors: Geoffrey Cooper, Michael W. Green, John Richard Guzik
- Patent number: 8424075
  Abstract: A virtual environment firewall receives a message having a request from a virtual environment entity intended for a virtual environment controller. The virtual environment firewall determines whether the request complies with one or more governance rules of the virtual environment controller. If the request does not comply with the one or more governance rules, the virtual environment firewall processes the message to prevent the request from being processed by the virtual environment controller.
  Type: Grant
  Filed: December 22, 2009
  Date of Patent: April 16, 2013
  Assignee: Qurio Holdings, Inc.
  Inventors: Richard J. Walsh, James Evans, Kunal Kandekar
- Patent number: 8424076
  Abstract: The disclosure herein provides data security on a parallel computer system using virtual private networks connecting the nodes of the system. A mechanism sets up access control data in the nodes that describes a number of security classes. Each security class is associated with a virtual network. Each user on the system is associated with one of the security classes. Each database object to be protected is given an attribute of a security class. Database objects are loaded into the system nodes that match the security class of the database object. When a query executes on the system, the query is sent to a particular class or set of classes such that the query is only seen by those nodes that are authorized by the equivalent security class. In this way, the network is used to isolate data from users that do not have proper authorization to access the data.
  Type: Grant
  Filed: May 27, 2008
  Date of Patent: April 16, 2013
  Assignee: International Business Machines Corporation
  Inventors: Eric Lawrence Barsness, David L. Darrington, Amanda Peters, John Matthew Santosuosso
- Patent number: 8423767
  Abstract: Example embodiments herein include a verification process that provides a safe and efficient mechanism for recovering security associations between network devices. More specifically, the verification process transmits a secured message from a first network device to a second network device across a network. Furthermore, the security association includes a parent process and a corresponding child process. The verification process detects, at the first network device, an incompatibility in the security association between the first network device and the second network device. Next, the verification process transmits a status query from the first network device to the second network device in order to determine the status of the security association between the first network device and the second network device. In response, the verification process receives a verifiable reply message that is indicative of the status of the security association between the first network device and the second network device.
  Type: Grant
  Filed: June 13, 2007
  Date of Patent: April 16, 2013
  Assignee: Cisco Technology, Inc.
  Inventor: Frederic R. P. Detienne
- Patent number: 8423760
  Abstract: A first packet is received at a network element from an E-UTRAN Node B (eNB) of an E-UTRAN access network via a secured communications tunnel of a secured connection, where the first packet encapsulates a second packet therein. It is determined whether the network element serves both a security gateway functionality and a serving gateway functionality of a core packet network based on the first packet and the second packet. The network element negotiates with the eNB to switch further communications from a tunnel mode to a transport mode of the secured connection if it is determined that the network element serves both the security gateway functionality and the serving gateway functionality. Thereafter, the network element exchanges further packets with the eNB via the transport mode of the secured connection after the eNB switches from the tunnel mode to the transport mode.
  Type: Grant
  Filed: February 23, 2010
  Date of Patent: April 16, 2013
  Assignee: Stoke, Inc.
  Inventors: Nishi Kant, Heeseon Lim
- Patent number: 8417814
  Abstract: A managed node executes one or more applications. The applications utilize the resources of the node. A quality-of-service (QoS) agent on the managed node enforces a QoS policy for the node. The QoS agent characterizes an application's usage of the node's resources and predicts its future usage. The QoS agent analyzes the predicted resource usage in view of the QoS policy and generates a QoS envelope for the application. The QoS envelope specifies a ceiling on the level of resources that can be used by the application. The QoS agent queues and meters usage above the ceiling specified by the QoS envelope. A security module determines variations between predicted and actual resource usage and generates security events if warranted.
  Type: Grant
  Filed: September 22, 2004
  Date of Patent: April 9, 2013
  Assignee: Symantec Corporation
  Inventor: Alfred C. Hartmann
- Patent number: 8418241
  Abstract: Aspects of a method and system for traffic engineering in an IPSec secured network are provided. In this regard, a node in a network may be authenticated as a trusted third party and that trusted third party may be enabled to acquire security information shared between or among a plurality of network entities. In this manner, the trusted third party may parse, access and operate on IPSec encrypted traffic communicated between or among the plurality of network entities. Shared security information may comprise one or more session keys utilized for encrypting and/or decrypting the IPSec secured traffic. The node may parse IPSec traffic and identify a flow associated with the IPSec traffic. In this manner, the node may generate and/or communicate statistics pertaining to said IPSec secured traffic based on the flow with which the traffic is associated.
  Type: Grant
  Filed: November 14, 2007
  Date of Patent: April 9, 2013
  Assignee: Broadcom Corporation
  Inventor: Uri Elzur
- Patent number: 8418242
  Abstract: A method, system, and device for negotiating a security association (SA) on an Internet Protocol version 6 (IPv6) network are disclosed. In this method, the initiator and the responder generate an SA through the interaction of two messages. Compared with the conventional procedure for setting up an SA based on the Internet Key Exchange Protocol (IKE), the interaction procedure in the present invention is simplified significantly. Therefore, the negotiation is faster and more convenient. In addition, with the present invention, cryptographically generated address parameters (CGA Params) are carried in the message and the CGA may be verified so that the invader cannot spoof the address.
  Type: Grant
  Filed: January 10, 2011
  Date of Patent: April 9, 2013
  Assignee: Chengdu Huawei Symantec Technologies Co., Ltd.
  Inventors: Dong Zhang, Lifeng Liu
- Patent number: 8413213
  Abstract: Embodiments of the present invention provide a method, apparatus and system for selecting a wireless communication device for establishing a connection. The method according to some exemplary embodiments of the invention may include selecting a communication device for establishing a connection by determining whether one or more security-related characteristics of the communication device satisfy a security policy corresponding to a selected security class. Other embodiments are described and claimed.
  Type: Grant
  Filed: December 28, 2004
  Date of Patent: April 2, 2013
  Assignee: Intel Corporation
  Inventor: Claudio Glickman
- Patent number: 8407780
  Abstract: An e-mail firewall applies policies to e-mail messages transmitted between a first site and a plurality of second sites. The e-mail firewall includes a plurality of mail transfer relay modules for transferring e-mail messages between the first site and one of the second sites. Policy managers are used to enforce and administer selectable policies. The policies are used to determine security procedures for the transmission and reception of e-mail messages. The e-mail firewall employs signature verification processes to verify signatures in received encrypted e-mail messages. The e-mail firewall is further adapted to employ external servers for verifying signatures. External servers are also used to retrieve data that is employed to encrypt and decrypt e-mail messages received and transmitted by the e-mail firewall, respectively.
  Type: Grant
  Filed: July 14, 2008
  Date of Patent: March 26, 2013
  Assignee: Axway Inc.
  Inventors: Jean-Christophe Denis Bandini, Jeffrey C. Smith
- Patent number: 8402530
  Abstract: Authentication requests are redistributed among a plurality of authentication servers, and authentication affinities among distributed servers are centrally managed using a secure channels affinity service. A computer system instantiates a secure channel management service configured to manage secure channel connections. The secure channel management service receives state inputs from currently deployed authentication servers. The authentication servers may be configured to queue authentication requests for transmission to authentication servers. The computer system determines that, based on the received state input, at least one of the secure channels is to be remapped to a different authentication server. The computer system also remaps the determined secure channels to distribute future authentication requests among the authentication servers.
  Type: Grant
  Filed: July 30, 2010
  Date of Patent: March 19, 2013
  Assignee: Microsoft Corporation
  Inventors: Odin J. Anderson, Stephen M. Patrick, Nasko Oskov, Konstantin E. Ryvkin, Guruprakash Bangalore Rao, Balasubramanian Swaminathan
- Patent number: 8401195
  Abstract: Methods of automatically populating a secure group list in a key variable loader and of providing keys to a secure group are presented. After a user selects a secure group and encryption algorithm using inputs of the loader, the loader provides a group identifier and corresponding key for the group. The group identifier, encryption algorithm, and key are transmitted to a portable communication device over a physical connection between the two while a device identifier of the communication device is transmitted concurrently to the loader. The key variable loader automatically populates a stored list of subscribers of the group with the device identifier. When it is desired to transmit a new key to all of or fewer than all of the subscribers, one of the subscribers is connected with the loader and used to wirelessly transmit a new key to the remaining subscribers.
  Type: Grant
  Filed: September 22, 2008
  Date of Patent: March 19, 2013
  Assignee: Motorola Solutions, Inc.
  Inventors: Kenneth C. Fuchs, Larry Murrill
- Patent number: 8402537
  Abstract: Aspects of the subject matter described herein relate to tuning detection components of a security system. In aspects, a history of alerts is collected. This history is then used together with knowledge about tunable objects of the system to determine parameters of the tunable objects that can be changed to improve detection of the system. Parameters of tunable objects are adjusted in a simulator that determines an effect on alerts in the history based on the adjusted parameters. A recommendation of one or more tuning actions may be provided together with information regarding the effect of each tuning action.
  Type: Grant
  Filed: September 26, 2008
  Date of Patent: March 19, 2013
  Assignee: Microsoft Corporation
  Inventors: Arie Friedman, Shai Aharon Rubin, Lior Arzi, Ron J. Karidi
- Publication number: 20130067562
  Abstract: A system, method and program product for managing e-mails from a source suspected of sending spam. The e-mails are received at a firewall or router en route to a mail server. A determination is made whether a source has sent an e-mail which exhibits characteristics of spam. In response, subsequent e-mails from the source destined for the mail server are rate-limited at the firewall or router such that the firewall or router limits a rate at which the subsequent e-mails are forwarded from the firewall or router to the mail server. The rate is predetermined and less than a maximum rate at which the firewall or router can physically forward e-mails to the mail server absent the rate limit. A determination is made whether another source has sent another e-mail which exhibits more characteristics of spam than the first said e-mail. In response, subsequent e-mails from this other source are blocked at the firewall or router.
  Type: Application
  Filed: March 8, 2012
  Publication date: March 14, 2013
  Applicant: INTERNATIONAL BUSINESS MACHINES CORPORATION
  Inventors: John Fred Davis, Kevin David Himberger, Clark Debs Jeffries, Garreth Joseph Jeremiah
- Patent number: 8397063
  Abstract: A system, and method related thereto, for providing a vehicular communications network public-key infrastructure. The system comprises a plurality of communications infrastructure nodes and a plurality of vehicles each having a communications component. The communications component provides vehicle to vehicle (V2V) communications, and communications via infrastructure nodes. A communications security component in each of the plurality of vehicles provides security for the communications between the plurality of vehicles using a plurality of security modules. The security modules include a certificate management module. A public key interface module may include a public key, a private key, an anonymous key and a management key. The system further includes a detection and response module for attack detection and attack mitigation. The communications security component assigns and installs at least one security key, a certificate of operation, and a current certificate revocation list.
  Type: Grant
  Filed: July 13, 2010
  Date of Patent: March 12, 2013
  Assignee: Telcordia Technologies, Inc.
  Inventor: Giovanni DiCrescenzo
- Patent number: 8397306
  Abstract: A system, method and computer program product for an isolated security domain which is a bounded area of the VM for protected objects. The objects are software units (including executable code data), hardware units (e.g., ports) or a combination thereof. The secure units in this area are accessible using secure rules used to ensure that objects are not malware. Authentication for connections to the security domain is required and certain areas of the domain are made to be read only.
  Type: Grant
  Filed: September 23, 2010
  Date of Patent: March 12, 2013
  Assignee: Parallels IP Holdings GmbH
  Inventor: Alexander G. Tormasov
- Patent number: 8397083
  Abstract: A system and method efficiently deletes a file from secure storage, i.e., a cryptainer, served by a storage system. The cryptainer is configured to store a plurality of files, each of which stores an associated file key within a special metadata portion of the file. Notably, special metadata is created by a security appliance coupled to the storage system and attached to each file to thereby create two portions of the file: the special metadata portion and the main, "file data" portion. The security appliance then stores the file key within the specially-created metadata portion of the file. A cryptainer key is associated with the cryptainer. Each file key is used to encrypt the file data portion within its associated file and the cryptainer key is used to encrypt the part of the special metadata portion of each file. To delete the file from the cryptainer, the file key of the file is deleted and the special metadata portions of all other files stored in the cryptainer are re-keyed using a new cryptainer key.
  Type: Grant
  Filed: August 23, 2006
  Date of Patent: March 12, 2013
  Assignee: NetApp, Inc.
  Inventors: Robert Jan Sussland, Lawrence Wen-Hao Chang, Ananthan Subramanian
- Patent number: 8396211
  Abstract: A system and method for dynamically and automatically updating the appropriate fields on the message application screen of an electronic message to show which of the appropriate service book, security encoding or security properties are acceptable or allowed for the message being composed. This updating occurs automatically based on the contents of the fields that are modified during composition of the message, such as, for example, modifications to classification of the message, recipients, keywords, or the like. Thus, the properties in place for a given message are reflected in a dynamic options list provided to the user based on the contents of various fields of the electronic message and the system policies resident on the system. The dynamic updating may provide an updated list of options to the user, or may optionally automatically apply minimum level settings based on security policy and contents of the message.
  Type: Grant
  Filed: July 11, 2006
  Date of Patent: March 12, 2013
  Assignee: Research In Motion Limited
  Inventors: Michael K. Brown, Michael S. Brown, Michael G. Kirkup
- Patent number: 8397286
  Abstract: A bidirectional gateway with enhanced security level between a high-security communication network and a low-security communication network. The return pathway from the low-security network to the high-security network comprises a low-speed link. The physical layer of the low-speed link differs from the physical layers involved in the high-security network and the low-security network. The low-speed link has a linking layer according to a protocol differing from the protocols used on the linking layers of the high-security network and the low-security network. The linking layer of the low-speed link has an authentication protocol to guarantee the data's origin.
  Type: Grant
  Filed: October 21, 2008
  Date of Patent: March 12, 2013
  Assignee: Sagem Defense Securite
  Inventors: Benjamin Declety, Christian Haury
- Patent number: 8392977
  Abstract: Systems and methods are described for using a client agent to manage HTTP authentication cookies. One method includes intercepting, by a client agent executing on a client, a connection request from the client; establishing, by the client agent, a transport layer virtual private network connection with a network appliance; transmitting, by the client agent via the established connection, an HTTP request comprising an authentication cookie; and transmitting, by the client agent via the connection, the connection request.
  Type: Grant
  Filed: August 3, 2006
  Date of Patent: March 5, 2013
  Assignee: Citrix Systems, Inc.
  Inventors: Junxiao He, Charu Venkatraman, Roy Rajan, Ajay Soni
- Patent number: 8392707
  Abstract: The gaming network described herein includes network security features, host security features, audit protocols, and design architecture approaches to reduce the possibility of network attacks. The gaming network provides for traffic confidentiality, encryption, message authentication, secure authentication mechanisms, anti-replay protection of traffic, key management mechanisms, robust network availability, misrouting and redirection protection and prevention, rejection of external traffic, and a high entry-barrier to device addition to the network. The host protection and security includes secure host initialization, disabling unneeded components, download verification, disabling of unused IP ports, discarding traffic, strong passwords, dynamic one-time passwords for remote login, disabling default accounts, and appropriate "least-level" device privileges.
  Type: Grant
  Filed: September 7, 2005
  Date of Patent: March 5, 2013
  Assignee: Bally Gaming, Inc.
  Inventors: James W. Morrow, David Carman, Paul R. Osgood
- Patent number: 8386782
  Abstract: The invention provides a method, system, device and computer program product for setting up a secure session among three or more devices or parties of a communication group, including authenticating a key agreement between the devices or parties of the communication group, wherein the devices of the group start, preferably after a key is computed or agreed, a protocol, preferably a multi-party data integrity protocol, for authenticating the key agreement.
  Type: Grant
  Filed: January 5, 2007
  Date of Patent: February 26, 2013
  Assignee: Nokia Corporation
  Inventors: Kaisa Nyberg, Nadarajah Asokan
- Patent number: 8385331
  Abstract: A system includes a policy enforcement point that is located within a first network. The policy enforcement point is configured to connect the first network to a second network via a secure connection. The policy enforcement point is configured to receive traffic from a first device via the first network or a second device associated with the second network via the secure connection, determine whether to apply a policy to the received traffic, and discard the received traffic when a policy is determined to apply to the received traffic.
  Type: Grant
  Filed: September 29, 2006
  Date of Patent: February 26, 2013
  Assignee: Verizon Patent and Licensing Inc.
  Inventors: Michael A. Weintraub, David E. Young, Nabil Bitar, Rajesh Yadav
- Patent number: 8386765
  Abstract: There is described a method for transmitting synchronization messages, for example PTP messages of the IEEE 1588 standard, the PTP message being inserted into a data packet in line with the Internet Protocol, the data packet having an IP header, and the data packet having a UDP header. In this case, for the encrypted transmission of the PTP message, the data packet is addressed to a UDP port that is reserved for encrypted PTP messages, the data packet is provided with an additional S-PTP header that is provided for encryption, the PTP message is extended with a pseudo random number, and the PTP message is encrypted together with the pseudo random number.
  Type: Grant
  Filed: March 24, 2006
  Date of Patent: February 26, 2013
  Assignee: Siemens Aktiengesellschaft
  Inventors: Steffen Fries, Jean Georgiades, Stephan Schüler
- Patent number: 8381268
  Abstract: A system that enables network authorization status to be conveyed to the device requesting network services within or outside the scope of an authentication exchange is provided. The authorization status notification or information can be automatically generated or otherwise triggered by a request from the user or device. For instance, a query can be employed to solicit device authorization status related to a particular service or group of services. Additionally, authorization status notification can be automatically triggered based upon a change in the device authorization state.
  Type: Grant
  Filed: May 6, 2008
  Date of Patent: February 19, 2013
  Assignee: Cisco Technology, Inc.
  Inventors: Nancy Cam Winget, Joseph A. Salowey, James Edward Burns, Susan Elizabeth Thomson, Hao Zhou
- Patent number: 8380713
  Abstract: Provided is an apparatus for question answering based on answer trustworthiness, including: an answer indexer that indexes documents whose document trustworthiness satisfies a threshold value among documents included in a document collection and stores them in a knowledge base; an answer candidate extractor that extracts answer candidate documents for a user's question from the knowledge base; an answer source trustworthiness measurement unit; an answer extraction strategy trustworthiness measurement unit; and a trustworthiness integrator that generates an answer candidate trustworthiness list by ranking the answer candidate documents on the basis of the document trustworthiness, the source trustworthiness, and the extraction strategy trustworthiness of the answer candidate documents.
  Type: Grant
  Filed: June 11, 2010
  Date of Patent: February 19, 2013
  Assignee: Electronics and Telecommunications Research Institute
  Inventors: Hyo-Jung Oh, Chung-Hee Lee, Soo-Jong Lim, Jeong Heo, Hyun-Ki Kim, Mi-Ran Choi, Yeo-Chan Yoon, Chang-Ki Lee, Yi-Gyu Hwang, Myung-Gil Jang
-
Patent number: 8380863
Abstract: A method and a system are disclosed that enable an address at the edge router to be used to establish a multi-pipe virtual private network (MVPN) connecting controllers to multiple web enabled end user devices (EUDs) inside a security protected local area network (LAN). The EUDs connect to a central server (CS) outside the LAN during configuration, establishing registration and identity (ID) for each EUD. Once the EUDs establish connection from inside the LAN, the CS is enabled to communicate with the EUDs using the address and ID provided during registration. The CS then acts as a facilitator establishing a secure VPN connection between controllers in the cloud and the EUDs inside the LAN. The CS further acts as a pass-through for those LANs that do not allow direct connections to controllers outside the LAN. The CS continues to monitor the health of the overall system once connectivity is established.
Type: Grant
Filed: May 5, 2010
Date of Patent: February 19, 2013
Assignee: Cradle Technologies
Inventors: Ramachandran Natarajan, Suhas S. Patil
-
Patent number: 8375436
Abstract: One embodiment of the present invention provides a system for facilitating session migration. During operation, the system receives a communication packet from a client destined to a remote server. The system determines whether the communication packet belongs to a pre-existing communication session, and whether session state information associated with the session is available locally. In response to the communication packet belonging to a pre-existing communication session and the session state information being unavailable locally, the system constructs an interest requesting the session state information, disseminates the interest over a network, and receives the session state information.
Type: Grant
Filed: April 22, 2010
Date of Patent: February 12, 2013
Assignee: Palo Alto Research Center Incorporated
Inventors: James D. Thornton, Van L. Jacobson, Diana K. Smetters
-
Patent number: 8375214
Abstract: An information processing apparatus includes a storage unit that stores security processing information describing a security processing procedure that is to be executed on data handled by a service providing program and including data written in a structured language; and a security processing unit that executes security processing to encrypt or sign the data handled by the service providing program, with reference to the security processing information stored in the storage unit, so that the service providing program can communicate securely with an external service providing program.
Type: Grant
Filed: May 27, 2005
Date of Patent: February 12, 2013
Assignee: Canon Kabushiki Kaisha
Inventor: Masahiro Nishio
-
Patent number: 8375435
Abstract: Disclosed is a computer implemented method and computer program product to throttle traffic from a source internet protocol address. The reverse firewall inspects payloads of a plurality of packets, each packet having a source address identical to the source internet protocol address and a target address corresponding to a receiver host. Responsive to detecting purported good content within at least one of the plurality of packets, the reverse firewall forwards packets having the source address. The reverse firewall determines whether a count of packets having the source address exceeds a safe threshold. The reverse firewall requests a demanded positive trust report from the receiver host, responsive to a determination that the count of packets having the source address exceeds the safe threshold. The reverse firewall determines whether a positive trust report is received from the receiver host that indicates that the source internet protocol address is good.
Type: Grant
Filed: December 19, 2008
Date of Patent: February 12, 2013
Assignee: International Business Machines Corporation
Inventors: Eric P. Fried, Anand Goyal, Silpa Kosanam, Suresh Sabarathinam
-
Patent number: 8370630
Abstract: A mail system having high security is realized by mounting TCP2 for mail communication between client apparatuses. The present invention relates to a mail communication system which is connected to a network and exchanges mails between client apparatuses provided with the existing mailers, and each client apparatus is mounted with a TCP2 driver. A TCP2 driver 34 includes a TCP2 core 36 and a mail system core 37, and an e-mail received via the network is processed in this TCP2 driver 34 and thereafter is supplied to an existing mailer 31 of the client apparatus. In the mail system core 37 of the TCP2 driver 34, control of mail encryption and decryption, deletion of an unnecessary mail and the like is carried out.
Type: Grant
Filed: July 31, 2006
Date of Patent: February 5, 2013
Inventor: Keiko Ogawa
-
Patent number: 8370641
Abstract: An apparatus including a microprocessor and a secure non-volatile memory. The microprocessor executes non-secure application programs and a secure application program. The microprocessor has secure execution mode initialization logic and an authorized public key. The secure execution mode initialization logic provides for initialization of a secure execution mode within the microprocessor. The secure execution mode initialization logic employs an asymmetric key algorithm to decrypt an enable parameter directing entry into the secure execution mode. The authorized public key is used to decrypt the enable parameter, the enable parameter having been encrypted according to the asymmetric key algorithm using an authorized private key that corresponds to the authorized public key.
Type: Grant
Filed: October 31, 2008
Date of Patent: February 5, 2013
Assignee: VIA Technologies, Inc.
Inventors: G. Glenn Henry, Terry Parks
-
Patent number: 8370921
Abstract: Packet sequence number checking through a VPN tunnel may be performed by assigning sequence numbers on a per-priority class basis to packets traversing the VPN tunnel. In one implementation, a network device may receive a packet that is to be transmitted over a VPN tunnel, the packet including control information that includes at least a QoS priority class of the packet. The network device may extract the priority class of the packet from the control information and generate a sequence value that describes an arrival sequence of the packet relative to other received packets of the same priority class as the packet. The network device may additionally generate an IPsec header for the packet, the IPsec header including the sequence value and the priority class of the packet; attach the IPsec header to the packet; and transmit the packet through the VPN tunnel.
Type: Grant
Filed: December 8, 2009
Date of Patent: February 5, 2013
Assignee: Juniper Networks, Inc.
Inventors: Yifei Duan, Yufeng Zhu
-
Patent number: 8370920
Abstract: The system and method described herein may provide unified transport and security protocols. In particular, the unified transport and security protocols may include a Secure Frame Layer transport and security protocol that includes stages for initially configuring a requester device and a responder device, identifying the requester device and the responder device to one another, and authenticating message frames communicated between the requester device and the responder device. Additionally, the unified transport and security protocols may further include a Secure Persistent User Datagram Protocol that includes modes for processing message frames received at the requester device and the responder device, recovering the requester device in response to packet loss, retransmitting lost packets sent between the requester device and the responder device, and updating location information for the requester device to restore a communications session between the requester device and the responder device.
Type: Grant
Filed: October 28, 2009
Date of Patent: February 5, 2013
Assignee: Aunigma Network Security Corp.
Inventors: Kenneth W. Garrard, Karl E. Elliott, Andy Huang
-
Patent number: 8370894
Abstract: A method of enforcing security policies in a mobile ad-hoc network includes: entrusting at least one first network node along a data traffic route from a data traffic origin node to a data traffic destination node with the enforcing of predefined security policies on the data traffic; and entrusting at least one second network node, distinct from said first network node, with the control of the enforcement of the security policies by the first network node.
Type: Grant
Filed: December 29, 2006
Date of Patent: February 5, 2013
Assignee: Telecom Italia S.p.A.
Inventors: Luciana Costa, Giorgio Freguglia, Federico Frosali
-
System and method for selecting computer security policy based on security ratings of computer users
Patent number: 8370947
Abstract: Disclosed are systems, methods and computer program products for reducing security risk in a computer network. The system includes an administration server that collects information about one or more computers in the network, including the following information: the computer user's external drive usage history, software installation history, and Web browsing history. Based on the collected information, the server calculates a security rating of the computer user. The server then adjusts the security rating of the computer user based on the security rating of at least one other user of another computer connected to the same computer network. The server then selects a security policy of the security software based on the adjusted security rating of the computer user. Different security policies provide different network security settings and prohibitions on launching of executable files from external drives.
Type: Grant
Filed: April 19, 2012
Date of Patent: February 5, 2013
Assignee: Kaspersky Lab Zao
Inventors: Oleg V. Zaitsev, Valery A. Boronin
-
Patent number: 8364808
Abstract: A device management system for managing a device based on management information is presented. The system includes a device monitoring unit for obtaining management information from a device, a relay server coupled to the device monitoring unit over a network, and a management server, coupled to the relay server over a network, configured to manage the device based on the management information. The device monitoring unit obtains the management information from the device and transmits the obtained management information without encryption. Upon receiving the management information, the relay server encrypts and transmits to the management server the received management information.
Type: Grant
Filed: September 28, 2006
Date of Patent: January 29, 2013
Assignee: Seiko Epson Corporation
Inventor: Toshihiro Shima
-
Patent number: 8365273
Abstract: This invention provides a method for providing network security services, such as those provided by the IPSEC protocol, through network address translation (NAT). The method is based on determining the transformations that occur on a packet and compensating for the transformations. Because only TCP and UDP protocols work through NATs, the IPSEC AH/ESP packets are encapsulated into UDP packets for transport. Special operations are performed to allow reliable communications in such environments.
Type: Grant
Filed: January 8, 2010
Date of Patent: January 29, 2013
Assignee: Tectia Oyj
Inventors: Tero Kivinen, Tatu Ylonen
-
Patent number: 8359466
Abstract: Described embodiments provide a network processor that includes a security protocol processor for staged security processing of a packet having a security association (SA). An SA request module computes an address for the SA. The SA is fetched to a local memory. An SA prefetch control word (SPCW) is read from the SA in the local memory. The SPCW identifies one or more regions of the SA and the associated stages for the one or more regions. An SPCW parser generates one or more stage SPCWs (SSPCWs) from the SPCW. Each of the SSPCWs is stored in a corresponding SSPCW register. A prefetch module services each SSPCW register in accordance with a predefined algorithm. The prefetch module fetches a requested SA region and provides the requested SA region to a corresponding stage for the staged security processing of an associated portion of the packet.
Type: Grant
Filed: April 29, 2011
Date of Patent: January 22, 2013
Assignee: LSI Corporation
Inventors: Sheng Liu, Nikola Radovanovic, Ephrem Wu
-
Patent number: 8356332
Abstract: A method comprises operations for receiving a binary data structure including a portion representing a protocol validation specification expressed in a respective protocol validation specification language, and for receiving a security policy rule having an action part specifying that the binary data structure is to be used for verifying that application protocol payload of network packets complies with the protocol validation specification. After receiving the binary data structure and the security policy rule, an operation is performed for verifying that application protocol payload of received network packets complies with the protocol validation specification. Such verifying is initiated in response to determining that the security policy rule applies to the received network packets, and such verifying includes validating the application protocol payload of the received network packets against the binary data structure.
Type: Grant
Filed: July 30, 2009
Date of Patent: January 15, 2013
Assignee: Alcatel Lucent
Inventors: Lawrence E. Menten, Alan S. Jeffrey, Thomas B. Reddington
-
Patent number: 8356344
Abstract: This invention provides a method applied to a network system comprising the Internet and at least two private networks, each having at least one NAT router and at least one network terminal device. Each network terminal device can link to the Internet through an ICE proxy and the NAT router in the corresponding private network. The method allows an ICE proxy in a private network to hijack connection signals sent from a network terminal device, to write a plurality of candidate access points provided by the ICE protocol standard into an SDP packet containing the connection signals, and to transmit the SDP packet to a remote ICE proxy in another private network via the Internet. As a result, the ICE proxies of two private networks can selectively use the candidate access points provided by the ICE protocol standard in order to pass through their respective NAT routers and firewalls.
Type: Grant
Filed: February 27, 2008
Date of Patent: January 15, 2013
Assignee: D-Link Corporation
Inventors: Yi-Hsiang Lin, You-Hsin Yen, Chuan-Hung Lin