US20070127500A1 - System, device, method and software for providing a visitor access to a public network - Google Patents
- Publication number
- US20070127500A1 (application US 11/671,918)
- Authority
- US
- United States
- Prior art keywords
- vvn
- network
- visitor
- module
- access
- Prior art date
- Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
- Abandoned
Classifications
-
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L63/00—Network architectures or network communication protocols for network security
- H04L63/10—Network architectures or network communication protocols for network security for controlling access to devices or network resources
-
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L63/00—Network architectures or network communication protocols for network security
- H04L63/02—Network architectures or network communication protocols for network security for separating internal from external traffic, e.g. firewalls
- H04L63/0272—Virtual private networks
-
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04W—WIRELESS COMMUNICATION NETWORKS
- H04W12/00—Security arrangements; Authentication; Protecting privacy or anonymity
- H04W12/08—Access security
- H04W12/084—Access security using delegated authorisation, e.g. open authorisation [OAuth] protocol
-
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04W—WIRELESS COMMUNICATION NETWORKS
- H04W12/00—Security arrangements; Authentication; Protecting privacy or anonymity
- H04W12/08—Access security
- H04W12/086—Access security using security domains
-
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04W—WIRELESS COMMUNICATION NETWORKS
- H04W12/00—Security arrangements; Authentication; Protecting privacy or anonymity
- H04W12/08—Access security
- H04W12/088—Access security using filters or firewalls
-
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04W—WIRELESS COMMUNICATION NETWORKS
- H04W84/00—Network topologies
- H04W84/02—Hierarchically pre-organised networks, e.g. paging networks, cellular networks, WLAN [Wireless Local Area Network] or WLL [Wireless Local Loop]
- H04W84/10—Small scale networks; Flat hierarchical networks
- H04W84/12—WLAN [Wireless Local Area Networks]
Definitions
- the disclosure relates generally to local area networking, and more particularly to a system, device, method and software for providing a visitor access to a public network.
- a virtual visitor enabled local area network includes a visitor access point operable to provide a visitor access to a public network while connected to a local area network (LAN).
- the visitor access point is operable to protect the LAN using a virtual visitor network established between the visitor access point and a virtual visitor network gateway.
- a device for providing visitor access to a public network via a private local area network includes a visitor access port operable to enable a visitor to access a public network from within a private local area network (LAN) while protecting the private LAN from the visitor.
- the device further includes a communication interface operably coupled to the visitor access port and the private LAN and the communication interface is operable to communicate information between the visitor access port and a selective location within the private LAN.
- a network enabled gateway operable to provide a visitor access to a public network from within a private local area network (LAN)
- the gateway includes a public network access interface operable to communicate processed virtual visitor network data packets to a public network that originate from within a private local area network (LAN).
- the gateway further includes a virtual network processor operable to process public network access data packets to provide virtual visitor network data packets for communication within the private LAN to provide a visitor access to the public network.
- FIG. 1 illustrates a functional block diagram of a local area network incorporating a visitor access point according to one embodiment of the invention
- FIG. 2 illustrates a functional block diagram of a virtual visitor network (VVN) operable to provide a visitor access to a public network via a private local area network according to one embodiment of the invention
- FIG. 3A illustrates a functional block diagram of a virtual visitor network module for providing a user access to a public network via a private local area network according to one embodiment of the invention
- FIG. 3B illustrates a functional block diagram of a wireless enabled virtual visitor network module for providing a user access to a public network via a private local area network according to one embodiment of the invention
- FIG. 4 illustrates a functional block diagram of a virtual visitor network gateway according to one embodiment of the invention
- FIG. 5 illustrates a flow diagram of a method for processing data packets using a virtual visitor network module according to one embodiment of the invention
- FIG. 6 illustrates a functional block diagram for encapsulating visitor data packets within a private local area network according to one embodiment of the invention
- FIG. 7 illustrates a functional block diagram of network traffic within a private local area network having an access point for a visitor and an employee according to one embodiment of the invention
- FIG. 8 illustrates a functional block diagram of a network for providing visitors and employees access to a public network using a wireless local area network according to one embodiment of the invention
- FIG. 9 illustrates a functional block diagram of a network employing wire line and wireless virtual visitor access points incorporated within an Ethernet based private local area network according to one embodiment of the invention
- FIG. 10 illustrates a flow diagram of a method for processing data packets using a virtual visitor network gateway according to one embodiment of the invention
- FIG. 11 illustrates a functional block diagram of an enterprise network incorporating a virtual visitor network employing a wireless private local area network according to one embodiment of the invention
- FIG. 12 illustrates a functional block diagram of a virtual network gateway operable to provide a virtual private network in the public network and a virtual visitor network within a private local area network according to one embodiment of the invention
- FIG. 13 illustrates a functional block diagram of a virtual network server for use in association with providing a visitor access to a public network from within a virtual private network enabled private local area network according to one embodiment of the invention
- FIG. 14 illustrates a functional block diagram of a virtual visitor network incorporated within a multi-protocol label switching enabled local area network according to one embodiment of the invention.
- FIG. 15 illustrates a functional block diagram of a single point virtual visitor network module operable to provide a visitor access to a public network from within a private local area network according to one embodiment of the invention.
- FIG. 1 illustrates a functional block diagram of a local area network incorporating a visitor access point according to one embodiment of the invention.
- a local area network (LAN) 102 includes at least one visitor access point 101 provided within local area network (LAN) 102 and operable to allow a user to access a public network 103 such as the Internet.
- Local area network 102 may include any type of network including, but not limited to, an Ethernet, ring network, token ring network, star network, bus network, asynchronous network, and the like.
- Visitor access point 101 allows for a visitor that would normally not have access to LAN 102 to access public network 103 when connected to LAN 102 .
- a visitor may couple a computer system (not expressly shown) to visitor access point 101 and may require accessing public network 103 .
- Visitor access point 101 advantageously allows for protection of LAN 102 while a user accesses public network 103 through encapsulating data packets communicated via visitor access point 101 and LAN 102 .
- other network locations or nodes within LAN 102 may be isolated from inquiries, data requests, snooping, malignant attacks, etc. initiated by a visitor or other agent when a visitor connects to LAN via visitor access point 101 .
- FIG. 2 illustrates a functional block diagram of a virtual visitor network (VVN) operable to provide a visitor access to a public network via a private local area network according to one embodiment of the invention.
- a private local area network illustrated generally at 200 , includes a visitor (visitor's computer) 201 communicatively coupled to private LAN 200 via a virtual visitor network (VVN) module 202 operable to allow a visitor to access a public network 206 via virtual visitor network (VVN) gateway 208 .
- a virtual visitor network (VVN) 207 includes a virtual network provided within private LAN 200 , which facilitates visitor 201 accessing public network 206 .
- Private LAN 200 further includes one or more employee 209 LAN access point(s) 203 providing a user, such as an employee and guest having sufficient access rights, access to private LAN 200 and one or more private LAN node(s) 204 coupling one or more types of network devices such as servers, printers, fax machines, copiers, data storage devices, or any other type of equipment or device that may be coupled to a local area network.
- the public network gateway 205 may include a router, a firewall, and/or a network address translator (NAT) to process traffic between the private LAN 200 and the public network 206 .
- VVN 207 confines packets communicated between visitor 201 and public network 206 to VVN 207 .
- VVN gateway 208 typically does not handle traffic communicated between public network 206 and an employee 209 .
- private local area network node(s) 204 may include other user or employee systems that may be accessed or networked together. For example, a user coupled to private LAN 200 via a valid user LAN access point 203 may access another user's system via a private LAN node 204 .
- visitor 201 may access public network 206 through connecting to a VVN module 202 .
- VVN module 202 detects that visitor 201 is attempting to access network and initiates a process to isolate visitor 201 from private LAN 200 while allowing visitor 201 to access only public network 206 .
- VVN module 202 processes data packets initiated by a visitor's computer system 201 coupled to VVN module 202 such that other locations within private LAN 200 ignore any unauthorized data or access requests to one or more locations within private LAN 200 .
- VVN gateway 208 identifies data packets communicated by VVN module 202 and as data packets are communicated by VVN module 202 , VVN gateway 208 receives the data packets and processes the data packets prior to communicating the data packets to public network 206 . For example, VVN gateway 208 modifies header information within the data packets to include a source address of VVN gateway 208 . As data packets are received from public network 206 in response to data packets communicated by VVN gateway 208 , VVN gateway 208 processes the data packet to provide a destination or IP address of VVN module 202 and communicates the data packet to VVN module 202 using private LAN 200 .
- each packet is processed to encapsulate or isolate all other network locations within private LAN 200 from the visitor 201 requested data and communicated only to visitor 201 allowing a visitor 201 to access a public network 206 , such as the Internet, from within a private local area network without compromising security of a private local area network or having to manage or create visitor/user access accounts with limited access to network locations within a local area network.
- VVN gateway 208 and the public network gateway 205 may be integrated into a single server or system operable to provide access to public network 206 .
- VVN module 202 may be used to allow an employee to access public network 206 via VVN gateway 208 .
- an employee that may not be able to access a private LAN node(s) 204 or an employee LAN access point(s) 203 may access only public network 206 via virtual visitor network 207 when connected to VVN module 202 .
- FIG. 3A illustrates a functional block diagram of a virtual visitor network module for providing a user access to a public network via a private local area network according to one embodiment of the invention.
- a virtual visitor network module illustrated generally as VVN module 300 , includes a network interface 306 operable to couple VVN module 300 to a private LAN 307 such as an Ethernet network via a wire line connection such as through copper connections, cable or coaxial based connections, fiber optic connections, etc.
- VVN module 300 includes a network address translator (NAT) 305 operable to resolve addresses contained within data packets and a DHCP server 303 operable to assign dynamic IP addresses to visitor computers (not expressly shown).
- a router 302 and network switch 301 provide for routing of information to various wire line visitor access points 308 for one or more visitors connecting to private LAN 307 .
- Router 302 enables connection or coupling of two or more networks and functions as a sorter and interpreter as it resolves addresses and passes data streams or packets to a proper destination.
- Network switch 301 may include a switch (e.g., Ethernet switch) operable to provide dedicated bandwidth or a hub operable to provide shared bandwidth to visitor access points 308 . If network switch 301 includes a hub, visitor access points 308 only share bandwidth between access points without sharing bandwidth with other non-visitor access points that may be connected to network switch 301 .
- VVN module 300 may be configured to accommodate more than one network address within private LAN 307 .
- VVN module 300 further includes a virtual visitor network (VVN) processor 304 operable to process data packets communicated by one or more systems coupled to visitor access points 308 and desiring access to a public network, such as the Internet, via private LAN 307 .
- VVN module 300 dynamically assigns a network IP address when a visitor connects to visitor access points 308 and performs a network address translation using NAT 305 when data is communicated using the assigned IP addresses.
- VVN processor 304 processes data communicated between private LAN 307 and visitor access point(s) 308 to add and remove data packet header information for data packets and provide a unique network IP address that identifies a visitor when connected to one of visitor access point(s) 308 .
- VVN processor 304 encapsulates data communicated via visitor access points 308 through isolating data packets to select or specific network addresses within private LAN 307 .
- VVN processor 304 may provide a network destination address for only a network gateway (not expressly shown) provided within or in association with private LAN 307 that allows for access to a public network. In this manner, no other locations or network addresses within private LAN 307 may be accessed by a computer system connected to one of visitor access point(s) 308 .
- network address translator 305 translates the address information for the data packets and VVN processor 304 verifies heading information and detects if data packets having IP addresses for a visitor coupled to one of visitor access point(s) 308 have been received. If a visitor's data packet has been received, VVN processor 304 restores the information and router 302 and network switch 301 process and communicate the data packet to the appropriate visitor connected to a visitor access point 308 .
- VVN module 300 may allow a visitor to use a network printer (not expressly shown) accessible by VVN module 300 .
- a network printer may be coupled directly to VVN module 300 and VVN module 300 may include a print server (not expressly shown) and a network printer connected to VVN module 300 via, for example, one of visitor access point(s) 308 .
- a network printer may be accessed by a visitor coupled to one of visitor access point(s) via private LAN 307 .
- VVN module 300 may include a print server having network IP addresses for one or more network printers and may allow for access to a printer internal to private LAN 307 without using a print server (not expressly shown) located within private LAN 307 . In this manner, visitor originated data may be selectively communicated to a specific destination or IP address within private LAN 307 without jeopardizing network security and allowing a visitor to print a document.
- FIG. 3B illustrates a functional block diagram of a wireless enabled virtual visitor access module for providing a user access to a public network via a private local area network according to one embodiment of the invention.
- a wireless virtual visitor network module illustrated generally as wireless VVN module 310 , includes a wireless network interface 316 operable to couple wireless VVN module 310 to a private LAN 317 such as an Ethernet network via a wireless connection operable to communicate via wireless communication such as an 802.11-enabled wireless communication protocol including, but not limited to 802.11a, g, or b.
- Other types of wireless communication such as infrared laser communication, mobile or cellular wireless communication, near field communication and the like may also be employed.
- Wireless VVN module 310 includes a network address translator (NAT) 315 operable to translate addresses contained within data packets and a DHCP server 313 operable to assign dynamic IP addresses to visitor computers wirelessly coupled to wireless VVN module 310 via wireless visitor access point(s) 318 .
- a router 312 and wireless hub transceiver 311 provide for routing of information to and from wireless visitor computers connected via wireless visitor access point(s) 318 and further connected to private LAN 317 . Though illustrated as a single access point to private LAN 317 , it should be understood that wireless VVN module 310 may be configured to accommodate more than one network address within private LAN 317 .
- Wireless VVN module 310 further includes a virtual visitor network (VVN) processor 314 operable to process data packets communicated from one or more systems coupled to wireless visitor access point(s) 318 and a VVN server (not expressly shown) and desiring access to a public network, such as the Internet, via private LAN 317 .
- a user may access private LAN 317 using a wireless-enabled computer system operable to connect to wireless visitor access point(s) 318 .
- wireless VVN module 310 may be placed proximal to a conference room, visitor center, etc. which may be frequently used by visitors.
- VVN module 310 being wirelessly coupled to private LAN 317 allows for flexible placement of VVN module 310 in various locations such that VVN module 310 may be operational without a user having to physically access wireless VVN module 310 .
- wireless VVN module 310 may include one or more wire line connection ports or visitor access point allowing a user to connect directly to wireless VVN module 310 .
- Wireless VVN module 310 further allows visitors the flexibility of being untethered from wireless VVN module 310 .
- a visitor may access wireless VVN module 310 through performing a search on available wireless networks and, upon identifying a wireless signal or wireless visitor access point 318 communicated by wireless hub transceiver 311 , a user may elect to connect to wireless VVN module 310 to access private LAN 317 .
- FIG. 4 illustrates a functional block diagram of a virtual visitor network gateway according to one embodiment of the invention.
- a virtual visitor network (VVN) gateway illustrated generally at 400 , includes a network interface 401 such as an Ethernet module operable to connect to a private LAN 407 , and a public network interface 406 operable to communicate with a public network 403 such as the Internet.
- VVN gateway 400 further includes a VVN processor 404 , a router 402 and a network address translator (NAT) 405 .
- VVN processor 404 is operably associated with one or more virtual visitor network modules having virtual visitor network processors to process data packets communicated by a virtual visitor network provided within private LAN 407 .
- NAT 405 is used to bridge multiple VVN modules using a relatively small number of IP addresses in public network 407 .
- Router 402 routes data packets in a public network 403 such as the Internet.
- VVN gateway 400 provides a visitor access to a public network 403 via a private LAN 407 and manages communication of data between private LAN 407 and public network 403 .
- VVN gateway 400 receives data packets via LAN network interface 401 and translates data packets to determine if the data packets were communicated from a VVN module. If a data packet was communicated from a VVN module, VVN processor 404 converts the data packets into a standard IP data packet having standard IP protocols.
- VVN processor 404 maintains a network address for the VVN module and when requested data packets are received from public network 403 via public network interface 406 , VVN processor 404 identifies the VVN module and converts the public data packets into to encapsulate the data packets and communicate the data packets to only the VVN module. In this manner, a visitor accessing private LAN 407 may access public network 403 through VVN gateway 400 .
- FIG. 5 illustrates a flow diagram of a method of processing data packets using a virtual visitor network module according to one embodiment of the invention.
- the method may be employed within a program of instructions embodied within a computer readable medium, a memory device, encoded logic, or other devices, modules or systems operable to use a portion or all of the method illustrated in FIG. 5 .
- the method begins generally when a virtual visitor module, such as module VVN module 202 illustrated in FIG. 2 , VVN module 300 illustrated in FIG. 3A , VVN module 310 illustrated in FIG. 3B , or any other type of module operable to provide a virtual visitor network for enabling a visitor's computer system to access a public network from within a private LAN is connected to the private LAN.
- Data packets may be received from a visitor computer system (step 500 ) or from a VVN gateway (step 514 ).
- a visitor computer transmits a data packet having an IP header and data to VVN module.
- VVN module receives a visitor's data packet (step 500 ), processes the IP header of the data packet (step 501 ) and replaces the source address with the VVN module address assigned by a network server. For example, if a visitor's IP address is ‘192.16.1.1’ and the VVN module address is ‘20.1.10.1’, the VVN module's address would be provided instead of the visitor's IP address within the IP header.
- the visitor's data packet including the IP header and the data may be processed according to a VVN protocol (step 502 ).
- a VVN protocol may include scrambling the information or data, or applying a security protocol, to make the data contained within the data packet meaningless to other network nodes, hosts, locations, etc. within a private network.
- VVN module then encapsulates the visitor's packet by adding a VVN header to indicate the method used in processing the visitor's packet and then adds a VVN IP header to indicate the VVN gateway address to direct the packets to VVN gateway. Packets are then communicated to the VVN gateway (step 504 ).
- VVN module removes the VVN IP header and VVN header from the data packet (step 513 ) and processes the data packet according to information specified in the VVN header (step 512 ).
- a data packet may be processed using a VVN protocol and may include de-scrambling the information or data, or applying a security protocol to restore data packets processed by VVN gateway.
- the IP header is then processed (step 511 ) by replacing the destination address with the visitor's IP address, and the data packet is then communicated to the visitor computer (step 510 ).
- FIG. 6 illustrates a functional block diagram for encapsulating visitor data packets within a private local area network according to one embodiment of the invention.
- a public network accessible by a private local area network (LAN) incorporating a virtual visitor network (VVN) is generally illustrated at 600 and includes a visitor's computer or visitor 601 having an Internet Protocol (IP) address of “192.168.1.10” coupled to a virtual visitor network (VVN) module 602 having an IP address of “10.2.1.20” and a virtual visitor network (VVN) gateway 603 having an IP address of “10.2.1.15” within a private local area network (LAN) 604 .
- VVN gateway also has a public IP address such as 69.84.100.1.
- IP addresses within the private LAN 604 are assigned internally and may not be visible from the public network 605 .
- a website 606 having a public IP address of “69.104.84.226” may be accessed using a public network 605 such as the Internet coupled to VVN gateway 603 .
- a visitor IP data packet 611 is communicated between visitor 601 and VVN module 602 as illustrated at “A”.
- a VVN data packet 614 is communicated between VVN module 602 and VVN gateway 603 as illustrated at “B”.
- An IP data packet 619 is communicated between VVN gateway 603 and website 606 as illustrated at “C”.
- a visitor may access a public network 605 via a private LAN 604 through coupling a computer system at 601 having an IP address of “192.168.1.10” to VVN module 602 .
- VVN module 602 detects a connection (either wireless or wire line) and translates the source IP address of visitor data packet 611 to include a new IP address, such as VVN gateway 603 's IP address of “10.2.1.20”.
- VVN module 602 includes a network address translator and VVN processor (not expressly shown) that changes, converts, or appends visitor data packet 611 's IP header 612 to include a VVN IP header 615 having a source (Src) IP address of “10.2.1.20” and a destination (Dst) address of “10.2.1.15”.
- IP header 617 is modified to include a source (Src) IP address of “10.2.1.20” and a destination (Dst) address of “69.104.84.226”. Said another way, source data for visitor data packets are replaced with an IP address of a valid VVN module such as VVN module 602 (e.g.
- VVN gateway 603 e.g. “10.2.1.15”.
- visitor data packets are confined between VVN gateway 603 and VVN module 602 employing a VVN protocol that isolates visitor data packets 611 when communicated within private LAN 604 using a VVN protocol while retaining original source and destination information for visitor 601 .
- An exemplary VVN data packet 614 may include processing the visitor data packet 611 to include a VVN protocol having a VVN header 616 and a VVN IP header 615 .
- One or more values may be provided within VVN header 616 to indicate a method or type of modification used to process visitor data packets 611 .
- a simple rearrangement of bits or data encryption methods may be used for processing visitor data packets 611 originating from visitor 601 .
- VVN gateway 603 receives VVN packet 614 , it removes VVN IP header 615 and processes VVN packets 614 based on information stored within VVN header 616 .
- a decryption or other bit deciphering process may be used to restore the data packets to determine destination data to create IP data packet 619 .
- VVN gateway 603 may include more than one IP address for use in communicating data packets.
- VVN gateway 603 may include an IP address for internal routing within private LAN 604 (e.g. “10.2.1.15”) and an IP address communicating data via public network 605 (e.g. “69.84.100.1”).
- VVN gateway 603 modifies VVN data packet 614 to include an IP header having VVN gateway 603 's own IP address, resulting in IP data packet 619 .
- VVN gateway 603 and VVN module 602 use stored information maintained by VVN gateway 603 and VVN module 602 in association with a NAT to send a reply or return data packets to visitor 601 .
- IP data packets 619 returned from website 606 are processed in a reverse sequence to return data to visitor 601 .
- a visitor data packet 611 may be processed by VVN module 602 to include only a VVN IP header 615 without including any additional information within VVN header 616 . In this manner, no additional processing, other than removing VVN IP header, will be required.
- VVN header 616 may not be provided as a part of visitor data packet 611 and as such no additional processing would be required when visitor data packet 611 is communicated to VVN gateway 603 or returned to VVN module 602 .
- processing visitor data packets 611 using a VVN protocol provided by VVN module 602 and VVN gateway 603 renders the visitor data packets 611 useless when communicated to an un-intended device within private LAN 604 .
- VVN gateway 603 and VVN module 602 may be the only devices within private LAN 604 having knowledge of a VVN protocol used and other devices or systems connected to private LAN 604 may not be able to restore VVN packets 614 . As such, devices or systems within private LAN 604 may discard or ignore VVN packets 614 when received.
- visitor data packets 611 that originate from a visitor's system are communicated by visitor 601 and processed by VVN module 602 to generate VVN packets 614 which cannot cause security concerns within private LAN 604 .
- IP data packets 619 that are returned from public network 605 are processed by VVN gateway 603 to produce VVN packets 614 that can only be consumed by VVN module 602 provided within private LAN 604 .
- a security protocol such as IPsec or secure socket layer (SSL) may be used in combination with a VVN protocol.
- a secure socket layer (SSL) protocol may be used prior to or after processing data packets based on a VVN protocol provided by VVN module 602 and/or VVN gateway 603 .
- VVN gateway 603 and VVN module 602 may use either dynamic IP addresses or static IP addresses.
- a DHCP server (not expressly shown) provided as a part of private LAN 604 may assign a dynamic address to VVN gateway 603 and/or VVN module 602 .
- a DHCP server works in association with a client computer and enables individual computers on a network to obtain their configurations from a DHCP server.
- DHCP allows a network administrator to supervise and distribute IP addresses from a central server (not expressly shown) that automatically sends a new IP address when a computer is connected to private LAN 604 .
- when VVN module 602 is initialized, VVN module 602 registers with VVN gateway 603 , and VVN module 602 and VVN gateway 603 both agree on one or more processing methods or protocols for processing VVN packets 614 to be communicated within private LAN 604 .
- FIG. 7 illustrates a functional block diagram of network traffic within a private local area network having an access point for a visitor and an employee according to one embodiment of the invention.
- a wireless network access point (AP) illustrated generally at 701 includes an embedded virtual visitor network (VVN) module 702 having a DHCP server 703 , a network address translator (NAT) 704 , a router 706 and a VVN processor 705 .
- Ethernet interface 707 provides communication to/from a private LAN (not expressly shown).
- network traffic 711 includes both VVN packets 709 and employee packets 710 communicated using embedded VVN module 702 .
- a user may select from one or more Service Set Identifications (SSIDs) transmitted by wireless transceiver 708 for wireless access point 701 .
- an employee network SSID may be broadcast by wireless transceiver 708 and an employee may enter a valid password to access an employee network within private LAN (not expressly shown).
- wireless transceiver 708 may broadcast a visitor SSID allowing a visitor to connect to wireless access point 701 using a visitor SSID.
- VVN module 702 having NAT 704 and router 706 may then determine the source of a data packet (either employee or visitor) received by wireless transceiver 708 based on the SSID a user connects to on wireless access point 701 , and process the data packet accordingly. For example, all data packets communicated via the visitor SSID would be processed by VVN processor 705 to create VVN packets 709 that may be communicated within network traffic 711 of a private LAN. For example, dotted lines illustrated in FIG. 7 generally indicate data packets originating from a visitor are processed using VVN module 702 and provided within network traffic 711 using Ethernet interface 707 .
- data packets originating from an SSID for an employee are generally illustrated as employee packets 710 as a solid line traversing through VVN module 702 via wireless transceiver 708 and Ethernet interface 707 and included within network traffic 711 .
- Employee packets 710 traverse through wireless access point 701 without having to be processed by VVN processor 705 to generate VVN packets 709 .
- FIG. 8 illustrates a functional block diagram of network for providing visitors and employees access to a public network using a wireless local area network according to one embodiment of the invention.
- a private local area network employing a wireless access point illustrated generally at 800 , includes a wireless access point 803 having an embedded virtual visitor network module and operable to communicatively couple one or more visitor systems 801 and/or employee systems 802 to a private local area network (LAN) 805 .
- Private LAN 805 further includes a network printer 808 , server 809 and other types of network nodes.
- Firewall and network address translator (NAT) 807 are coupled to private LAN 805 and provide access to a public network 810 such as the Internet.
- Virtual visitor network (VVN) gateway 806 works in association with wireless access point 803 to provide a virtual visitor network (VVN) 804 .
- wireless access point 803 which may be a 802.11-enabled wireless access point employing Service Set Identification (SSID).
- SSID is a 32-character alphanumeric key uniquely identifying a wireless access point such as wireless access point 803 .
- wireless access point 803 may use two or more SSIDs to distinguish visitors from employees, valid users, etc.
- one of the SSIDs may be labeled “VisitorNet” to allow visitors to connect to wireless access point.
- another SSID may be labeled “EmployeeNet” to enable employees to connect to wireless access point 803 .
- When connecting to wireless access point 803 for the first time, a visitor will need to establish an SSID with a label of “VisitorNet” to access wireless access point 803 .
- An employee may be required to use a secret key or Wired Equivalent Privacy (WEP) to access the “EmployeeNet” provided by wireless access point 803 .
- Other security features for either visitors or employees may also be employed and the “EmployeeNet” usually requires additional validation of a system prior to allowing connection to wireless access point 803 as an employee. In this manner, if a visitor tries to access the “EmployeeNet”, wireless access point 803 will deny access if a visitor does not have valid access.
- a machine access code (MAC) address for employee's system may be used to allow a user to access wireless access point 803 .
- wireless access point 803 may resolve a MAC address of a computer system attempting to connect to “EmployeeNet” and determine if the MAC address is a valid MAC address for an employee. If an invalid MAC address attempting to access “EmployeeNet” is identified (e.g., a visitor), wireless access point 803 will deny access.
- FIG. 9 illustrates a functional block diagram of a network employing wire line and wireless virtual visitor access points incorporated within an Ethernet based private local area network according to one embodiment of the invention.
- a network illustrated generally at 900 , includes an Ethernet-based private local area network 904 connecting several network nodes including a first workstation 910 , second workstation 911 , and third workstation 909 which may include desktop computing systems, laptop computing systems, or any other type of system that may be connected to an Ethernet-based network.
- Network printer 906 , server 907 and other types of network nodes are also connected and accessible via private LAN 904 .
- Network 900 further includes a firewall and virtual private network gateway 903 .
- Server 907 may be a Domain Name Server (DNS), DHCP server, Enterprise Server, network storage or data server, or any other type of server.
- Private LAN 904 further includes a virtual visitor network switch 913 configured as a switch and connectable to virtual visitor network (VVN) gateway 902 operable to establish a first virtual visitor network (VVN) 905 within private LAN 904 and a virtual visitor network hub 914 configured as a hub and connectable to (VVN) gateway 902 and operable to establish a second virtual visitor network (VVN) 912 .
- a network hub or switch may be employed, wherein a network hub is a device with shared bandwidth for all users and a network switch provides full bandwidth to each individual user coupled to private LAN 904 .
- virtual visitor network switch 913 and/or virtual visitor network hub 914 may be configured to support various communication data rates such as 10 Mbytes/Second, 100 Mbytes/Second, 1 GBytes/Second, etc.
- Virtual visitor network switch 913 allows for wire line access of a first visitor computer system 906 and second visitor computer system 907 .
- a visitor printer 908 is also coupled to virtual visitor network switch 913 and allows first visitor computer system 906 and second visitor computer system 907 to print documents without having to access private LAN 904 .
- Virtual visitor network switch 913 may include logic to provide a print server; however, other embodiments may include utilizing a network node such as a print server located within private LAN 904 .
- virtual visitor network switch 913 may establish a VVN between VVN module 913 and a network printer 906 .
- Network 900 further allows visitors to access private LAN 904 using virtual visitor network hub 914 operable to provide a wireless-enabled network such as an 802.11-based network to connect a first wireless-enabled visitor computer system 916 and second wireless-enabled visitor computer system 915 .
- Virtual visitor network hub 914 is provided in association with virtual visitor network server 902 and provides a visitor wireless access to private LAN 904 through second virtual visitor network 912 .
- first VVN 905 and second VVN 912 protect enterprise network or private LAN 904 from visitors by confining and directing packets between a visitor's computer system to a public network 901 through use of first VVN 905 and second VVN 912 .
- a visitor may connect their computer to a virtual visitor network switch 913 or virtual visitor network hub 914 to access the Internet or public network 901 .
- First VVN 905 and second VVN 912 establish a virtual tunnel between VVN gateway 902 and VVN switch 913 and VVN Hub 914 .
- VVN gateway 902 may have a direct connection to public network 901 (e.g., Internet) or an indirect connection through a security device such as VPN/Firewall 903 as shown in FIG. 8 .
- VVN gateway 902 may be provided as an integral part of VPN/Firewall 903 , NAT, etc.
- First VVN 905 and second VVN 912 provide several advantages over conventional networks and allow for a simplified visitor access networking solution without having to add additional private networks to an enterprise network for visitors, which may require Information Technology (IT) managers to manage providing visitors access within an existing enterprise network. For example, network managers will not be required to assign special network outlets or dedicate network ports in a switch, router, wall outlets, etc. for visitors. Such configurations may not guarantee protection of an enterprise network from hacking visitors. Additionally, network outlets are not easily movable and would need to be verified to ensure that no visitor is accessing the enterprise network directly.
- VVN switch 913 and/or VVN hub 914 may be provided in various colors, such as bright yellow, red, etc., to be visually identifiable by a visitor.
- VVN switch 913 and/or VVN hub 914 may be provided as a modular device that may be connected to any network outlet within private LAN 904 .
- IT managers can provide a visitor a modular device incorporating VVN switch 913 and a visitor can simply plug or connect VVN switch 913 to any available network outlet within private LAN 904 allowing VVN switch 913 to be easily transferred as needed to various rooms, offices, conference rooms, etc. having network connections or ports for private LAN 904 .
- VVN gateway 902 identifies VVN switch 913 , and monitors and controls VVN switch 913 connected to a network outlet of private LAN 904 .
- VVN switch 913 and VVN gateway 902 confine a visitor's packets (not expressly shown) and prevent visitors from accessing other locations, devices, nodes, etc. within private LAN 904 .
- FIG. 10 illustrates a flow diagram of a method for processing data packets using a virtual visitor network gateway according to one embodiment of the invention.
- the method may be employed within a program of instructions embodied within a computer readable medium, a memory device, encoded logic, or other devices, modules or systems operable to use a portion or all of the method illustrated in FIG. 10 .
- the method may be employed by VVN gateway 208 illustrated in FIG. 2 , VVN gateway 400 illustrated in FIG. 4 , VNS 1300 illustrated in FIG. 13 , or any other system operable to employ the method illustrated in FIG. 10 .
- Data packets may be received from within a private LAN (step 1100 ) or from a public network (step 1114 ).
- step 1100 data packets are received from a VVN module located within a private LAN and the VVN IP header and VVN header of the data packet are removed 1101 .
- the VVN packet is processed 1102 using a specification provided within the VVN header. Such processing results in providing the same data packet communicated by a visitor system and processed by a VVN module (not expressly shown).
- the IP header is processed 1103 by replacing the source IP address (i.e. VVN module's IP address) with the VVN gateway's IP address 1103 .
- Data packets are then communicated to a public network destination address 1104 .
- a data packet is received by a VVN gateway from a public network source and the data packet is processed 1113 by modifying the IP header by replacing the destination address (e.g. VVN gateway) with the VVN module's address.
- the IP header and data received from a source in the public network are processed 1112 which may include processing to add a security feature or scrambling the data contents of the data packet.
- a VVN header is provided to indicate the method of processing used at step 1112 and a VVN IP header including a destination address of the VVN module is also provided. Upon adding the VVN header and VVN IP header, data packets are then communicated to the VVN module 1110 .
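The FIG. 6 encapsulation and the FIG. 10 gateway steps described above, as an added Python sketch that is not code from the patent. The header layout (a `VVN` magic plus one method byte), the byte rotation standing in for the "simple rearrangement of bits", the port-less NAT tables, and every address except the gateway's two example addresses are assumptions.

```python
import ipaddress

# Assumed wire layout (the page names the headers but gives no field sizes):
#   VVN IP header: outer source IPv4 + outer destination IPv4   (8 bytes)
#   VVN header   : magic b"VVN" + one method byte               (4 bytes)
#   body         : inner packet = source IPv4 + destination IPv4 + data
MAGIC = b"VVN"
METHOD_NONE = 0    # VVN IP header only, body left untouched
METHOD_ROTATE = 1  # a "simple rearrangement of bits": rotate each byte left by 3

class VVNError(ValueError):
    """The packet must be dropped instead of forwarded."""

def ip(text):
    return ipaddress.IPv4Address(text).packed

def pack(src, dst, data):
    return src + dst + data

def unpack(raw):
    if len(raw) < 8:
        raise VVNError("truncated IP header")
    return raw[:4], raw[4:8], raw[8:]

def transform(method, body, restore=False):
    if method == METHOD_NONE:
        return body
    if method == METHOD_ROTATE:
        n = 5 if restore else 3  # rotating left by 5 undoes a left rotation by 3
        return bytes(((b << n) | (b >> (8 - n))) & 0xFF for b in body)
    raise VVNError(f"unknown VVN method {method}")

def wrap(outer_src, outer_dst, method, inner):
    header = MAGIC + bytes([method])
    return pack(outer_src, outer_dst, header + transform(method, inner))

def unwrap(raw, expected_dst):
    outer_src, outer_dst, rest = unpack(raw)
    if outer_dst != expected_dst or len(rest) < 4 or rest[:3] != MAGIC:
        raise VVNError("not a VVN packet for this endpoint")
    return outer_src, rest[3], transform(rest[3], rest[4:], restore=True)

class VVNModule:
    def __init__(self, lan_ip, gateway_lan_ip, method):
        self.lan_ip, self.gateway_lan_ip, self.method = lan_ip, gateway_lan_ip, method
        self.nat = {}  # remote address -> visitor address (simplified, no ports)

    def from_visitor(self, packet):
        visitor, remote, data = unpack(packet)
        self.nat[remote] = visitor
        inner = pack(self.lan_ip, remote, data)  # module NAT: source becomes the module
        return wrap(self.lan_ip, self.gateway_lan_ip, self.method, inner)

    def from_gateway(self, vvn_packet):
        outer_src, _, inner = unwrap(vvn_packet, self.lan_ip)
        remote, _, data = unpack(inner)
        if outer_src != self.gateway_lan_ip or remote not in self.nat:
            raise VVNError("not a reply from the gateway for a known visitor flow")
        return pack(remote, self.nat[remote], data)

class VVNGateway:
    def __init__(self, lan_ip, public_ip):
        self.lan_ip, self.public_ip = lan_ip, public_ip
        self.modules = {}  # registered module LAN address -> agreed method
        self.nat = {}      # remote address -> module LAN address

    def register(self, module_ip, method):
        self.modules[module_ip] = method

    def from_lan(self, vvn_packet):
        # Strip both VVN headers, restore the body, then rewrite the source.
        outer_src, method, inner = unwrap(vvn_packet, self.lan_ip)
        if self.modules.get(outer_src) != method:
            raise VVNError("unregistered module or method not agreed at registration")
        _, remote, data = unpack(inner)
        self.nat[remote] = outer_src
        return pack(self.public_ip, remote, data)

    def from_public(self, packet):
        # Rewrite the destination to the module, then add both VVN headers.
        remote, dst, data = unpack(packet)
        module_ip = self.nat.get(remote)
        if dst != self.public_ip or module_ip is None:
            raise VVNError("unsolicited packet from the public network")
        inner = pack(remote, module_ip, data)
        return wrap(self.lan_ip, module_ip, self.modules[module_ip], inner)

def demo():
    # Gateway addresses are the page's examples; the others are constructed.
    gw_lan, gw_pub = ip("10.2.1.15"), ip("69.84.100.1")
    module_ip, visitor, website = ip("10.2.1.40"), ip("192.168.50.7"), ip("203.0.113.80")
    gateway = VVNGateway(gw_lan, gw_pub)
    module = VVNModule(module_ip, gw_lan, METHOD_ROTATE)
    gateway.register(module_ip, METHOD_ROTATE)
    on_lan = module.from_visitor(pack(visitor, website, b"GET / HTTP/1.1\r\n"))
    to_web = gateway.from_lan(on_lan)
    reply = gateway.from_public(pack(website, gw_pub, b"HTTP/1.1 200 OK\r\n"))
    return on_lan, to_web, module.from_gateway(reply)
```

The rotation can be undone by any host that learns the method byte, so in this sketch the isolation comes from the gateway's registration and address checks rather than from the rearrangement itself. Confidentiality on the LAN would come from the IPsec or SSL combination the description mentions.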
- FIG. 11 illustrates a functional block diagram of an enterprise network incorporating a virtual visitor network employing a wireless private local area network according to one embodiment of the invention.
- An enterprise network illustrated generally at 1100 , may be coupled to a public network 1115 such as the Internet through a LAN gateway 1102 employing a firewall and/or virtual private network.
- Enterprise network 1100 further includes a virtual visitor network (VVN) gateway 1103 coupled to LAN gateway 1102 and provided in association with a wireless virtual visitor network (VVN) switch 1105 and wireless virtual visitor network (VVN) hub 1110 operable to provide one or more visitors access to public network 1115 .
- first visitor computer system 1108 and second visitor computer system 1109 may be connected to wireless VVN switch 1105 using wire-line connections.
- third visitor computer system 1111 and fourth visitor computer system 1112 may be wirelessly connected to wireless VVN hub 1110 .
- wireless access point 1104 communicates with each 802.11b enabled device operable to provide access to private LAN 1101 via wireless communications.
- first computer system 1107 and second computer system 1107 may be employee systems and may include embedded 802.11b communication devices operable to communicate with wireless access point 1104 provided as a part of private LAN 1101 .
- Wireless VVN hub 1110 does not include physical ports for visitors and may easily support many visitors relative to wireless VVN switch 1105 having only wire-line connectivity.
- Wireless VVN switch 1105 and wireless VVN Hub 1110 may be wirelessly connected to private LAN 1101 via wireless access point 1104 .
- Private LAN 1101 may be an Ethernet-based network however other communication mediums and protocols, such as fiber, ATM, and the like may also be employed.
- Private LAN 1101 further connects an enterprise server 1114 , network printer 1113 and other network nodes providing users access to data storage, applications, etc.
- wireless VVN switch 1105 may be provided as a client-based hub communication as an 802.11b enabled station coupled to wireless access point 1104 .
- wireless access point 1104 need not contain a VVN module to communicate data packets within a virtual visitor network.
- a VVN network may be established between wireless VVN switch 1105 and VVN gateway 1103 or wireless VVN hub 1110 and VVN gateway 1103 , respectively.
- Wireless VVN Hub 1110 and wireless VVN switch 1105 are wirelessly coupled to wireless access point 1104 and may be configured to communicate using different channels to avoid interference and/or conflicts.
- a wireless private LAN 1117 may be provided via wireless access point 1104 through enabling channel one (1) to allow first employee computer system 1106 , second valid computer system 1107 , and wireless VVN switch 1105 and wireless VVN hub 1110 to connect to wireless private LAN 1117 . If a visitor attempts to directly access wireless access point 1104 within private wireless LAN 1117 using channel one (1), wireless access point 1104 will reject the visitor as not being a registered or valid user. Additionally, when wireless VVN hub 1110 is accessing wireless access point 1104 via channel 1 , wireless VVN hub 1110 uses a different channel, e.g., channel 6 , to communicate with visitor computers 1111 and 1112 .
- Enterprise network 1100 may also employ various types, configurations, and/or combinations of VVN hubs.
- enterprise network 1100 may employ a wire-line only connection to private LAN 1101 for visitors as illustrated, for example, in FIG. 3 .
- enterprise network 1100 may employ a wire-line connection to private LAN 1101 and wireless connection for visitors to private LAN 1101 as illustrated in FIG. 9 .
- Other embodiments may include providing a wireless connection to private LAN 1101 and wire-line connection for visitors to private LAN 1101 as illustrated by wireless VVN hub 1105 .
- Enterprise network 1100 may also employ a wireless connection for both visitors and valid users or employees as illustrated in FIG. 8 .
- various combinations and levels of wireless and wire-line access to public network 1115 via private LAN 1101 may be provided within enterprise network 1100 while ensuring network integrity, security, and efficient access are provided.
- VVN modules may be communicatively coupled allowing visitors systems to communicate with each other.
- VVN gateway 1103 may manage users connected to wireless VVN hub 1110 and/or wireless VVN switch 1105 and may allow multiple users to have access to each other's systems. In this manner, multiple visitors from the same company may be able to communicate within enterprise network 1100 thereby providing a private visitor LAN between visitors.
- FIG. 12 illustrates a functional block diagram of a virtual network gateway operable to provide a virtual private network and a virtual visitor network within a private local area network according to one embodiment of the invention.
- An enterprise network illustrated generally at 1200 , allows for users to access a private LAN 1202 from both a public network 1203 and from within private LAN 1202 .
- Enterprise network 1200 includes a virtual private network (VPN) client 1213 operable to be coupled to a VPN server 1204 which may be provided internal or external to a virtual network server (VNS) 1201 .
- Enterprise network 1200 further includes a virtual visitor network (VVN) module 1206 operably connected to a virtual visitor network (VVN) gateway 1205 which may be provided internal or external to VNS 1201 .
- Private LAN 1202 further includes a local area network based on Ethernet 1208 operable to connect multiple nodes such as first LAN node 1209 and a second LAN node 1210 .
- VVN module 1206 may also be connected to private LAN 1202 via Ethernet 1208 .
- enterprise network 1200 may protect employees accessing private LAN 1202 from VPN client 1213 when accessed via public network 1203 .
- VPN server 1204 serves as a gateway that is located between private LAN 1202 and public network 1203 .
- a virtual communication tunnel or VPN tunnel 1215 is created using encryption to exchange data packets between VPN client 1213 and VPN server 1204 .
- VPN tunnel 1215 network attacks that originate from public network 1203 are obviated and VPN data packets may be communicated securely within private LAN 1202 .
- Enterprise network 1203 further includes a VVN tunnel 1216 created to protect private LAN 1202 from network attacks that may originate from inside VVN tunnel 1216 established between VVN gateway 1205 and VVN module 1206 .
- VVN data packets are confined to VVN tunnel 1216 and as such attacks that may originate from within a VVN tunnel 1216 are confined to VVN gateway 1205 and VVN module 1206 and cannot escape VVN tunnel 1216 .
- VPN tunnel 1215 and VVN tunnel 1216 are virtual networks which do not exist as a physical entity in the physical network.
- FIG. 13 illustrates a functional block diagram of a virtual network server for use in association with providing a visitor access to a public network from within a virtual private network enabled private local area network according to one embodiment of the invention.
- a virtual network server (VNS) is illustrated generally at 1300 and includes several modules and components including a network address translator 1305 , a router 1302 , and a firewall 1301 .
- VNS 1300 further includes a virtual private network (VPN) server 1303 and a virtual visitor network (VVN) gateway 1304 .
- VPN server 1303 and VVN gateway 1304 provide access between private local area network (LAN) 1308 and a public network 1307 and may be used within an enterprise network (not expressly shown).
- VNS 1300 may only include VVN gateway 1304 and/or VPN server 1303 however in other embodiments VNS 1300 may include each functional module or component illustrated. In some embodiments, other forms of protection may also be provided including a DHCP server, intrusion detection modules, servers or software provided as a part of, or in association with, VNS 1300 .
- VNS 1300 is a comprehensive security device that provides support services for a business, protects private LAN 1308 from intruders from public network 1307 , manages privacy within private LAN 1308 , and protects private LAN 1308 while providing visitors and authorized users access to public network 1307 from within the same network environment.
- a visitor may access private LAN 1308 via a visitor access point within private LAN 1308 .
- Network address translator 1305 and router 1302 resolve network traffic communicated from private LAN 1308 and determine header information and route traffic based on header and other information provided.
- a data packet may include a destination or source address information communicated from a virtual visitor network module or hub (not expressly shown) and may be resolved by NAT 1305 and provided to VVN gateway 1304 for processing.
- VVN gateway 1304 may extract a destination or website being requested within public network 1307 and any other processing information, and process data packets using processing information to restore data packets prior to forwarding to public network 1307 thereby allowing a visitor to access a public network from within private LAN 1308 .
- VNS 1300 determines the computer system requesting the data (i.e. employee, visitor, etc.) and processes the data packets if required.
- VVN gateway or VNS 1300 may include a VVN management application (not expressly shown) for managing or monitoring a visitor network(s) provided within private LAN 1308 .
- a VVN management application may be used to change, alter, or configure a virtual visitor network, add and delete VVN features, modify access rights for a VVN, create a VVN status report, create a VVN public access report, manage VVN modules, manage software versions, etc.
- a VVN management application may keep track of usage within a VVN, monitor for intrusions, and provide alarm notifications when suspicious activities are detected, communicate software upgrades to VVN modules, etc.
- the VVN management function may be an integral part of VNS 1300 or may be provided as a part of a network server within private LAN 1308 .
- FIG. 14 illustrates a functional block diagram of a virtual visitor network incorporated within a multi-protocol label switching enabled local area network according to one embodiment of the invention.
- a Multi-Protocol Label Switching (MPLS) enabled LAN illustrated generally at 1400 , includes a virtual visitor network (VVN) module 1404 which may be used to connect first visitor computer system 1405 , second visitor computer system 1406 , and/or third computer system 1407 to an enterprise network employing a private LAN.
- VVN module 1404 is connected to a virtual visitor network (VVN) gateway 1402 using MPLS enabled LAN 1400 .
- MPLS communication protocol confines data packets between VVN gateway 1402 and VVN module 1404 .
- MPLS is an Internet Engineering Task Force (IETF) standard that utilizes label switching to forward data packets through MPLS enabled network 1400 .
- a label is a small identifier placed within a data packet and inserted at an ingress router or a second label edge router (LER 2 ) 1408 and removed at an egress router or first label edge router (LER 1 ) 1410 .
- a first label switching router (LSR 1 ) 1409 , second label switching router (LSR 2 ) 1411 , and third label switching router (LSR 3 ) 1403 communicate data packets between second label router (LER 2 ) 1408 and first label edge router (LER 1 ) 1410 .
- an LSR is a router provided within an MPLS network that participates in establishing Label Switched Paths (LSPs) using an appropriate label switching.
- a LER is a device that operates at the edge of network being accessed and interfaces an MPLS network. LERs support multiple ports and forward network traffic through a MPLS enabled network after establishing LSPs. LERs are used to assign and remove labels as data packets enter or exit an MPLS network.
- a LSP includes a sequence of labels that identifies each node or LSR along a communication or transmission path from a source to a destination. An LSP is established either prior to data packets being transmitted or upon detection of a certain flow of data.
- VVN module 1404 may be connected to LER 2 1408 and VVN gateway 1402 may be connected to VVN gateway 1402 using LER 1 1410 .
- LER 2 1408 may establish an LSP for VVN module 1404 to send data packets to VVN gateway 1402 .
- LER 1 1410 may set up an LSP for VVN gateway 1402 to send data packets to VVN module 1404 .
- an LSP for sending data packets to VVN gateway 1402 from VVN module 1404 may be different from an LSP for sending data packets from VVN gateway 1402 to VVN module 1404 .
- all data packets coming from VVN module 1404 are routed to VVN gateway 1402 within MPLS network and all data packets from VVN gateway 1402 are directed to VVN module 1404 via MPLS enabled private LAN 1400 .
- MPLS enabled private LAN 1400 escorts data packets or ensures a specific destination for visitor data packets may be achieved.
- LER 1 1410 may be incorporated within or provided as a part of VVN gateway 1402 .
- LER 2 1408 may be incorporated within or provided as a part of VVN module 1404 .
- VVN module 1404 and VVN gateway 1402 may establish an LSP for data packets. For example, when data packets are delivered from VVN module 1404 to VVN gateway 1402 , VVN module 1404 may generate labels for data packets to be maintained with an LIB and VVN gateway 1402 may delete labels from the LIB when data packets are received.
- VVN gateway 1402 may create labels within an LIB and VVN module 1404 may remove labels from the LIB.
- one or more portions of an MPLS network may be provided as a part of a virtual visitor network to allow a visitor to access a public network from within a private network without compromising security of an enterprise network.
- FIG. 15 illustrates a functional block diagram of a single point virtual visitor network module operable to provide a visitor access to a public network from within a private local area network according to one embodiment of the invention.
- a private local area network illustrated generally at 1500 , includes a local area network Ethernet access point 1501 , operable to provide access to a visitor computer 1503 using a single port VVN module 1502 operable to be coupled to LAN Ethernet 1501 .
- Single port VVN module 1502 may be implemented to allow a single individual to access private LAN 1500 and may be provided as a standalone module or as an accessory that may be provided as a part of, or incorporated within, visitor computer 1503 .
- VVN module 1502 may use an AC adapter for power and single port VVN module 1502 may include only two communication ports (not expressly shown). One port connects to LAN Ethernet 1501 and a second port connects to visitor computer 1503 . As such, only a single user may connect to single port VVN module and access LAN Ethernet 1501 .
- Single Port VVN module 1502 may be well suited for use within a hotel room or a multiple residential community where single port VVN module 1502 may be located as a permanent device within a specific room.
- single port VVN module 1502 may be a Universal Serial Bus (USB) enabled device that is powered by visitor computer 1503 when plugged into a USB port of visitor computer 1503 .
- a visitor may plug-in USB enabled single port VVN module 1502 into a USB port of visitor computer 1503 .
- a network cable such as an RJ-45 cable provided in association with, or integrated as a part of, USB enabled single port VVN module 1502 may be coupled to a wall outlet of LAN Ethernet 1501 .
- single port VVN module 1502 may communicate with a VVN server (not expressly shown) without tethering users together to a multi-port VVN module thereby allowing visitors mobility within an enterprise premise and enabling visitors to use any LAN outlet within private LAN 1500 .
Abstract
A system, device, method and software for providing a visitor access to a public network are disclosed. In one form, a virtual visitor enabled local area network includes a visitor access point operable to provide a visitor access to a public network while connected to a local area network (LAN). The visitor access point is operable to protect the LAN using a virtual visitor network established between the visitor access point and a virtual visitor network gateway.
Description
- The disclosure relates generally to local area networking, and more particularly to a system, device, method and software for providing a visitor access to a public network.
- Most enterprises do not allow visitors to access their private local area networks (LANs) due to security concerns, creating difficult work environments when visitors need to access the Internet or remote access accounts via public networks. The primary reason enterprise network managers limit access is to protect their network, servers, systems, etc. from direct or indirect malignant attacks. As such, a visitor's productivity can be significantly affected if a visitor cannot access the Internet while visiting an enterprise. For example, consultants may not be able to efficiently advise their clients without having access to a public network while they are working with clients.
- Currently, some conventional solutions are available, including creating visitor accounts to provide a visitor public access while significantly limiting access to the private LAN. Though effective, this usually requires client and server synchronized software to provide access and management of user names, passwords, access levels, etc. Such arrangements may be functional but leave a network vulnerable to outside attacks when a user accesses a public network and provide for continuous management and monitoring of network accounts. As such, there is a need for enterprises to provide visitors access to a public network from within their local area network without compromising the security of their own network or having to maintain user accounts, passwords, custom software, etc.
- According to one aspect of the invention, a virtual visitor enabled local area network includes a visitor access point operable to provide a visitor access to a public network while connected to a local area network (LAN). The visitor access point is operable to protect the LAN using a virtual visitor network established between the visitor access point and a virtual visitor network gateway.
- According to another aspect of the invention, a device for providing visitor access to a public network via a private local area network is provided. The device includes a visitor access port operable to enable a visitor to access a public network from within a private local area network (LAN) while protecting the private LAN from the visitor. The device further includes a communication interface operably coupled to the visitor access port and the private LAN and the communication interface is operable to communicate information between the visitor access port and a selective location within the private LAN.
- According to a further aspect of the invention, a network enabled gateway operable to provide a visitor access to a public network from within a private local area network (LAN) is disclosed. The gateway includes a public network access interface operable to communicate processed virtual visitor network data packets to a public network that originate from within a private local area network (LAN). The gateway further includes a virtual network processor operable to process public network access data packets to provide virtual visitor network data packets for communication within the private LAN to provide a visitor access to the public network.
- Other advantages, features and characteristics of the invention, as well as methods, operation and functions of related elements of structure, and the combinations of parts and economies of manufacture, will become apparent upon consideration of the following description and claims with reference to the accompanying drawings, all of which form a part of the specification, wherein like reference numerals designate corresponding parts in the various figures, and wherein:
- FIG. 1 illustrates a functional block diagram of a local area network incorporating a visitor access point according to one embodiment of the invention;
- FIG. 2 illustrates a functional block diagram of a virtual visitor network (VVN) operable to provide a visitor access to a public network via a private local area network according to one embodiment of the invention;
- FIG. 3A illustrates a functional block diagram of a virtual visitor network module for providing a user access to a public network via a private local area network according to one embodiment of the invention;
- FIG. 3B illustrates a functional block diagram of a wireless enabled virtual visitor network module for providing a user access to a public network via a private local area network according to one embodiment of the invention;
- FIG. 4 illustrates a functional block diagram of a virtual visitor network gateway according to one embodiment of the invention;
- FIG. 5 illustrates a flow diagram of a method for processing data packets using a virtual visitor network module according to one embodiment of the invention;
- FIG. 6 illustrates a functional block diagram for encapsulating visitor data packets within a private local area network according to one embodiment of the invention;
- FIG. 7 illustrates a functional block diagram of network traffic within a private local area network having an access point for a visitor and an employee according to one embodiment of the invention;
- FIG. 8 illustrates a functional block diagram of network for providing visitors and employees access to a public network using a wireless local area network according to one embodiment of the invention;
- FIG. 9 illustrates a functional block diagram of a network employing wire line and wireless virtual visitor access points incorporated within an Ethernet based private local area network according to one embodiment of the invention;
- FIG. 10 illustrates a flow diagram of a method for processing data packets using a virtual visitor network gateway according to one embodiment of the invention;
- FIG. 11 illustrates a functional block diagram of an enterprise network incorporating a virtual visitor network employing a wireless private local area network according to one embodiment of the invention;
- FIG. 12 illustrates a functional block diagram of a virtual network gateway operable to provide a virtual private network in the public network and a virtual visitor network within a private local area network according to one embodiment of the invention;
- FIG. 13 illustrates a functional block diagram of a virtual network server for use in association with providing a visitor access to a public network from within a virtual private network enabled private local area network according to one embodiment of the invention;
- FIG. 14 illustrates a functional block diagram of a virtual visitor network incorporated within a multi-protocol label switching enabled local area network according to one embodiment of the invention; and
- FIG. 15 illustrates a functional block diagram of a single point virtual visitor network module operable to provide a visitor access to a public network from within a private local area network according to one embodiment of the invention.
- FIG. 1 illustrates a functional block diagram of a local area network incorporating a visitor access point according to one embodiment of the invention. A local area network (LAN) 102 includes at least one visitor access point 101 provided within local area network (LAN) 102 and operable to allow a user to access a public network 103 such as the Internet. Local area network 102 may include any type of network including, but not limited to, an Ethernet, ring network, token ring network, star network, bus network, asynchronous network, and the like.
- Visitor access point 101 allows for a visitor that would normally not have access to LAN 102 to access public network 103 when connected to LAN 102. For example, a visitor may couple a computer system (not expressly shown) to visitor access point 101 and may require accessing public network 103. Visitor access point 101 advantageously allows for protection of LAN 102 while a user accesses public network 103 through encapsulating data packets communicated via visitor access point 101 and LAN 102. In this manner, other network locations or nodes within LAN 102 (not expressly shown) may be isolated from inquiries, data requests, snooping, malignant attacks, etc. initiated by a visitor or other agent when a visitor connects to LAN via visitor access point 101.
- FIG. 2 illustrates a functional block diagram of a virtual visitor network (VVN) operable to provide a visitor access to a public network via a private local area network according to one embodiment of the invention. A private local area network, illustrated generally at 200, includes a visitor (visitor's computer) 201 communicatively coupled to private LAN 200 via a virtual visitor network (VVN) module 202 operable to allow a visitor to access a public network 206 via virtual visitor network (VVN) gateway 208. A virtual visitor network (VVN) 207 includes a virtual network provided within private LAN 200, which facilitates visitor 201 accessing public network 206. Private LAN 200 further includes one or more employee 209 LAN access point(s) 203 providing a user, such as an employee and guest having sufficient access rights, access to private LAN 200 and one or more private LAN node(s) 204 coupling one or more types of network devices such as servers, printers, fax machines, copiers, data storage devices, or any other type of equipment or device that may be coupled to a local area network. The public network gateway 205 may include a router, a firewall, and/or a network address translator (NAT) to process traffic between the private LAN 200 and the public network 206. VVN 207 confines packets communicated between visitor 201 and public network 206 to VVN 207. VVN gateway 208 typically does not handle traffic communicated between public network 206 and an employee 209. In one embodiment, private local area network node(s) 204 may include other user or employee systems that may be accessed or networked together. For example, a user coupled to private LAN 200 via a valid user LAN access point 203 may access another user's system via a private LAN node 204.
- During operation, visitor 201 may access public network 206 through connecting to a VVN module 202. VVN module 202 detects that visitor 201 is attempting to access network and initiates a process to isolate visitor 201 from private LAN 200 while allowing visitor 201 to access only public network 206. For example, VVN module 202 processes data packets initiated by a visitor's computer system 201 coupled to VVN module 202 such that other locations within private LAN 200 ignore any unauthorized data or access requests to one or more locations within private LAN 200. VVN gateway 208 identifies data packets communicated by VVN module 202 and as data packets are communicated by VVN module 202, VVN gateway 208 receives the data packets and processes the data packets prior to communicating the data packets to public network 206. For example, VVN gateway 208 modifies header information within the data packets to include a source address of VVN gateway 208. As data packets are received from public network 206 in response to data packets communicated by VVN gateway 208, VVN gateway 208 processes the data packet to provide a destination or IP address of VVN module 202 and communicates the data packet to VVN module 202 using private LAN 200. As such, each packet is processed to encapsulate or isolate all other network locations within private LAN 200 from the visitor 201 requested data and communicated only to visitor 201, allowing a visitor 201 to access a public network 206, such as the Internet, from within a private local area network without compromising security of a private local area network or having to manage or create visitor/user access accounts with limited access to network locations within a local area network. In one embodiment, VVN gateway 208 and the public network gateway 205 may be integrated into a single server or system operable to provide access to public network 206.
- In another embodiment, VVN module 202 may be used to allow an employee to access public network 206 via VVN gateway 208. In this manner, an employee that may not be able to access a private LAN node(s) 204 or an employee LAN access point(s) 203 may access only public network 206 via virtual visitor network 207 when connected to VVN module 202.
- FIG. 3A illustrates a functional block diagram of a virtual visitor network module for providing a user access to a public network via a private local area network according to one embodiment of the invention. A virtual visitor network module (VVN), illustrated generally as VVN module 300, includes a network interface 306 operable to couple VVN module 300 to a private LAN 307 such as an Ethernet network via a wire line connection such as through copper connections, cable or coaxial based connections, fiber optic connections, etc. VVN module 300 includes a network address translator (NAT) 305 operable to resolve addresses contained within data packets and a DHCP server 303 operable to assign dynamic IP addresses to visitor computers (not expressly shown). A router 302 and network switch 301 provide for routing of information to various wire line visitor access points 308 for one or more visitors connecting to private LAN 307. Router 302 enables connection or coupling of two or more networks and functions as a sorter and interpreter as it resolves addresses and passes data streams or packets to a proper destination. Network switch 301 may include a switch (e.g., Ethernet switch) operable to provide dedicated bandwidth or a hub operable to provide shared bandwidth to visitor access points 308. If network switch 301 includes a hub, visitor access points 308 only share bandwidth between access points without sharing bandwidth with other non-visitor access points that may be connected to network switch 301. Though network interface 306 is illustrated as a single access point operable to provide access to private LAN 307, it should be understood that VVN module 300 may be configured to accommodate more than one network address within private LAN 307. VVN module 300 further includes a virtual visitor network (VVN) processor 304 operable to process data packets communicated by one or more systems coupled to visitor access points 308 and desiring access to a public network, such as the Internet, via private LAN 307.
- During operation, VVN module 300 dynamically assigns a network IP address when a visitor connects to visitor access points 308 and performs a network address translation using NAT 305 when data is communicated using the assigned IP addresses. VVN processor 304 processes data communicated between private LAN 307 and visitor access point(s) 308 to add and remove data packet header information for data packets and provide a unique network IP address that identifies a visitor when connected to one of visitor access point(s) 308. VVN processor 304 encapsulates data communicated via visitor access points 308 through isolating data packets to select or specific network addresses within private LAN 307. For example, VVN processor 304 may provide a network destination address for only a network gateway (not expressly shown) provided within or in association with private LAN 307 that allows for access to a public network. In this manner, no other locations or network addresses within private LAN 307 may be accessed by a computer system connected to one of visitor access point(s) 308. As incoming data packets are communicated from private LAN 307 and received by network interface 306, network address translator 305 translates the address information for the data packets and VVN processor 304 verifies heading information and detects if data packets having IP addresses for a visitor coupled to one of visitor access point(s) 308 have been received. If a visitor's data packet has been received, VVN processor 304 restores the information and router 302 and network switch 301 process and communicate the data packet to the appropriate visitor connected to a visitor access point 308.
- In one embodiment, VVN module 300 may allow a visitor to use a network printer (not expressly shown) accessible by VVN module 300. For example, a network printer may be coupled directly to VVN module 300 and VVN module 300 may include a print server (not expressly shown) and a network printer connected to VVN module 300 via, for example, one of visitor access point(s) 308. In another embodiment, a network printer may be accessed by a visitor coupled to one of visitor access point(s) via private LAN 307. For example, VVN module 300 may include a print server having network IP addresses for one or more network printers and may allow for access to a printer internal to private LAN 307 without using a print server (not expressly shown) located within private LAN 307. In this manner, visitor originated data may be selectively communicated to a specific destination or IP address within private LAN 307 without jeopardizing network security and allowing a visitor to print a document.
- FIG. 3B illustrates a functional block diagram of a wireless enabled virtual visitor access module for providing a user access to a public network via a private local area network according to one embodiment of the invention. A wireless virtual visitor network module, illustrated generally as wireless VVN module 310, includes a wireless network interface 316 operable to couple wireless VVN module 310 to a private LAN 317 such as an Ethernet network via a wireless connection operable to communicate via wireless communication such as an 802.11-enabled wireless communication protocol including, but not limited to 802.11a, g, or b. Other types of wireless communication such as infrared laser communication, mobile or cellular wireless communication, near field communication and the like may also be employed.
- Wireless VVN module 310 includes a network address translator (NAT) 315 operable to translate addresses contained within data packets and a DHCP server 313 operable to assign dynamic IP addresses to visitor computers wirelessly coupled to wireless VVN module 310 via wireless visitor access point(s) 318. A router 312 and wireless hub transceiver 311 provide for routing of information to and from wireless visitor computers connected via wireless visitor access point(s) 318 and further connected to private LAN 317. Though illustrated as a single access point to private LAN 317, it should be understood that wireless VVN module 310 may be configured to accommodate more than one network address within private LAN 317. Wireless VVN module 310 further includes a virtual visitor network (VVN) processor 314 operable to process data packets communicated from one or more systems coupled to wireless visitor access point(s) 318 and a VVN server (not expressly shown) and desiring access to a public network, such as the Internet, via private LAN 317.
- During operation, a user may access private LAN 317 using a wireless-enabled computer system operable to connect to wireless visitor access point(s) 318. For example, wireless VVN module 310 may be placed proximal to a conference room, visitor center, etc. which may be frequently used by visitors. VVN module 310 being wirelessly coupled to private LAN 317 allows for flexible placement of VVN module 310 in various locations such that VVN module 310 may be operational without a user having to physically access wireless VVN module 310. However, in other embodiments, wireless VVN module 310 may include one or more wire line connection ports or visitor access points allowing a user to connect directly to wireless VVN module 310.
- Wireless VVN module 310 further allows for visitors to have flexibility in being untethered to wireless VVN module 310. A visitor may access wireless VVN module 310 through performing a search on available wireless networks and, upon identifying a wireless signal or wireless visitor access point 318 communicated by wireless hub transceiver 311, a user may elect to connect to wireless VVN module 310 to access private LAN 317.
- FIG. 4 illustrates a functional block diagram of a virtual visitor network gateway according to one embodiment of the invention. A virtual visitor network (VVN) gateway, illustrated generally at 400, includes a network interface 401 such as an Ethernet module operable to connect to a private LAN 407, and a public network interface 406 operable to communicate with a public network 403 such as the Internet. VVN gateway 400 further includes a VVN processor 404, a router 402 and a network address translator (NAT) 405. VVN processor 404 is operably associated with one or more virtual visitor network modules having virtual visitor network processors to process data packets communicated by a virtual visitor network provided within private LAN 407. NAT 405 is used to bridge multiple VVN modules using a relatively small number of IP addresses in public network 407. Router 402 routes data packets in a public network 403 such as the Internet.
- During operation, VVN gateway 400 provides a visitor access to a public network 403 via a private LAN 407 and manages communication of data between private LAN 407 and public network 403. As data packets are communicated from a VVN module located within private LAN 407, VVN gateway 400 receives data packets via LAN network interface 401 and translates data packets to determine if the data packets were communicated from a VVN module. If a data packet was communicated from a VVN module, VVN processor 404 converts the data packets into a standard IP data packet having standard IP protocols. VVN processor 404 maintains a network address for the VVN module and when requested data packets are received from public network 403 via public network interface 406, VVN processor 404 identifies the VVN module and converts the public data packets to encapsulate the data packets and communicate the data packets to only the VVN module. In this manner, a visitor accessing private LAN 407 may access public network 403 through VVN gateway 400.
- FIG. 5 illustrates a flow diagram of a method of processing data packets using a virtual visitor network module according to one embodiment of the invention. The method may be employed within a program of instructions embodied within a computer readable medium, a memory device, encoded logic, or other devices, modules or systems operable to use a portion or all of the method illustrated in FIG. 5.
- The method begins generally when a virtual visitor module, such as VVN module 202 illustrated in FIG. 2, VVN module 300 illustrated in FIG. 3A, VVN module 310 illustrated in FIG. 3B, or any other type of module operable to provide a virtual visitor network for enabling a visitor's computer system to access a public network from within a private LAN is connected to the private LAN. Data packets may be received from a visitor computer system (step 500) or from a VVN gateway (step 514). At 500, a visitor computer transmits a data packet having an IP header and data to VVN module. VVN module receives a visitor's data packet 500 and processes IP header 501 of the data packet and replaces the source address with VVN module address assigned by a network server. For example, if a visitor's IP address is ‘192.16.1.1’ and VVN module address is ‘20.1.10.1’, VVN module's address would be provided instead of the visitor's IP address within the IP header.
- Upon processing the IP header at 501, the visitor's data packet including the IP header and the data may be processed according to a VVN protocol 502. For example, a VVN protocol may include scrambling the information or data, or applying a security protocol, to make the data contained within the data packet meaningless to other network nodes, hosts, locations, etc. within a private network. At step 503, VVN module then encapsulates the visitor's packet by adding a VVN header to indicate the method used in processing the visitor's packet and then adds a VVN IP header to indicate the VVN gateway address to direct the packets to VVN gateway. Packets are then communicated to the VVN gateway 504.
- At step 514, when a data packet is received from VVN gateway 514 and operable to be processed by a VVN module, VVN module removes the VVN IP header and VVN header from the data packet 513 and processes the data packet 512 according to information specified in the VVN header. For example, a data packet may be processed using a VVN protocol and may include de-scrambling the information or data, or applying a security protocol to restore data packets processed by VVN gateway. The IP header is then processed 511 by replacing the destination address to include the visitor's IP address, and the data packet is then communicated to the visitor computer 510.
- FIG. 6 illustrates a functional block diagram for encapsulating visitor data packets within a private local area network according to one embodiment of the invention. A public network accessible by a private local area network (LAN) incorporating a virtual visitor network (VVN) is generally illustrated at 600 and includes a visitor's computer or visitor 601 having an Internet Protocol (IP) address of “192.168.1.10” coupled to a virtual visitor network (VVN) module 602 having an IP address of “10.2.1.20” and virtual visitor network (VVN) gateway 603 having an IP address of “10.2.1.15” within a private local area network (LAN) 604. VVN gateway also has a public IP address such as 69.84.100.1. IP addresses within the private LAN 604 are assigned internally and may not be visible from the public network 605. A website 606 having a public IP address of “69.104.84.226” may be accessed using a public network 605 such as the Internet coupled to VVN gateway 603. A visitor IP data packet 611 is communicated between visitor 601 and VVN module 602 as illustrated at “A”. Similarly, a VVN data packet 614 is communicated between VVN module 602 and VVN gateway 603 as illustrated at “B”. An IP data packet 619 is communicated between VVN gateway 603 and website 606 as illustrated at “C”.
- During operation, a visitor may access a public network 605 via a private LAN 604 through coupling a computer system at 601 having an IP address of “192.168.1.10” to VVN module 602. A visitor data packet 611 communicated at “A” from visitor 601 contains a source (Src) address=192.168.1.10 identifying the assigned IP address of the visitor's computer system and a destination (Dst) address=69.104.84.226 identifying web site 606 requested by the visitor. VVN module 602 detects a connection (either wireless or wire line) and translates the source IP address of visitor data packet 611 to include a new IP address, such as VVN gateway 603's IP address of “10.2.1.20”. For example, VVN module 602 includes a network address translator and VVN processor (not expressly shown) that changes, converts, or appends visitor data packet 611's IP header 612 to include a VVN IP header 615 having a source (Src) IP address of “10.2.1.20” and a destination (Dst) address of “10.2.1.15”. IP header 617 is modified to include a source (Src) IP address of “10.2.1.20” and a destination (Dst) address of “69.104.84.226”. Said another way, source data for visitor data packets are replaced with an IP address of a valid VVN module such as VVN module 602 (e.g. “10.2.1.20”) and destination data for visitor data packets are replaced with an IP address of VVN gateway 603 (e.g. “10.2.1.15”). In this manner, visitor data packets are confined between VVN gateway 603 and VVN module 602 employing a VVN protocol that isolates visitor data packets 611 when communicated within private LAN 604 using a VVN protocol while retaining original source and destination information for visitor 601.
- An exemplary VVN data packet 614 may include processing the visitor data packet 611 to include a VVN protocol having a VVN header 616 and a VVN IP header 615. One or more values may be provided within VVN header 616 to indicate a method or type of modification used to process visitor data packets 611. For example, a simple rearrangement of bits or data encryption methods may be used for processing visitor data packets 611 originating from visitor 601. When VVN gateway 603 receives VVN packet 614, it removes VVN IP header 615 and processes VVN packets 614 based on information stored within VVN header 616. For example, a decryption or other bit deciphering process may be used to restore the data packets to determine destination data to create IP data packet 619.
- In one embodiment, VVN gateway 603 may include more than one IP address for use in communicating data packets. For example, VVN gateway 603 may include an IP address for internal routing within private LAN 604 (e.g. “10.2.1.15”) and an IP address communicating data via public network 605 (e.g. “69.84.100.1”). As illustrated above, VVN gateway 603 replaces VVN data packet 614 to include an IP header having VVN gateway 603's own IP address resulting in IP data packet 619. When IP data packets are returned from website 606, VVN gateway 603 and VVN module 602 use stored information maintained by VVN gateway 603 and VVN module 602 in association with a NAT to send a reply or return data packets to visitor 601. IP data packets 619 returned from website 606 are processed in a reverse sequence to return data to visitor 601.
- In one embodiment, a visitor data packet 611 may be processed by VVN module 602 to include only a VVN IP header 615 without including any additional information within VVN header 616. In this manner, no additional processing, other than removing VVN IP header, will be required. In another embodiment, VVN header 616 may not be provided as a part of visitor data packet 611 and as such no additional processing would be required when visitor data packet 611 is communicated to VVN gateway 603 or returned to VVN module 602.
- In one embodiment, processing visitor data packets 611 using a VVN protocol provided by VVN module 602 and VVN gateway 603 renders the visitor data packets 611 useless when communicated to an un-intended device within private LAN 604. For example, VVN gateway 603 and VVN module 602 may be the only devices within private LAN 604 having knowledge of a VVN protocol used and other devices or systems connected to private LAN 604 may not be able to restore VVN packets 614. As such, devices or systems within private LAN 604 may discard or ignore VVN packets 614 when received. In this manner, visitor data packets 611 that originate from a visitor's system are communicated by visitor 601 and processed by VVN module 602 to generate VVN packets 614 which cannot cause security concerns within private LAN 604. Similarly, IP data packets 619 that are returned from public network 605 are processed by VVN gateway 603 to produce VVN packets 614 that can only be consumed by VVN module 602 provided within private LAN 604.
- In one embodiment, a security protocol such as IPsec or secure socket layer (SSL) may be used in combination with a VVN protocol. For example, a secure socket layer (SSL) protocol may be used prior to or after processing data packets based on a VVN protocol provided by VVN module 602 and/or VVN gateway 603. Through providing a security protocol or SSL between VVN module 602 and VVN gateway 603, VVN packets 614 are confined to within an SSL-enabled channel established between VVN gateway 603 and VVN module 602.
- In another embodiment, VVN gateway 603 and VVN module 602 may use either dynamic IP addresses or static IP addresses. For example, a DHCP server (not expressly shown) provided as a part of private LAN 604 may assign a dynamic address to VVN gateway 603 and/or VVN module 602. A DHCP server works in association with a client computer and enables individual computers on a network to obtain their configurations from a DHCP server. DHCP allows a network administrator to supervise and distribute IP addresses from a central server (not expressly shown) that automatically sends a new IP address when a computer is connected to private LAN 604. For example, when VVN module 602 is initialized, VVN module 602 registers with VVN gateway 603 and VVN module 602 and VVN gateway 603 both agree on one or more processing methods or protocols for processing VVN packets 614 to be communicated within private LAN 604.
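The packet flow of FIG. 5 and FIG. 6 can be traced end to end with the addresses given above. The following Python model is an added example and is not code from the patent; the wire layout (4-byte addresses, a one-byte VVN header), the method numbers, all class and function names, and the gateway's drop of private inner destinations are assumptions made for illustration.

```python
import ipaddress
from dataclasses import dataclass, field

# Addresses quoted in the FIG. 6 description.
VISITOR, MODULE, WEBSITE = "192.168.1.10", "10.2.1.20", "69.104.84.226"
GATEWAY_LAN, GATEWAY_PUBLIC = "10.2.1.15", "69.84.100.1"

METHOD_NONE = 0    # constructed VVN header value: inner packet carried unchanged
METHOD_ROTATE = 1  # a "simple rearrangement of bits": rotate each byte left by 3
# METHOD_ROTATE is reversible by anyone who knows it, so it is not encryption.

def _ip(addr):
    return ipaddress.IPv4Address(addr).packed

def pack_ip(src, dst, data):
    """Simplified IP packet: 4-byte source, 4-byte destination, payload."""
    return _ip(src) + _ip(dst) + data

def unpack_ip(raw):
    return (str(ipaddress.IPv4Address(raw[:4])),
            str(ipaddress.IPv4Address(raw[4:8])), raw[8:])

def transform(blob, method, reverse=False):
    """Apply (or undo) the processing method named in the VVN header."""
    if method == METHOD_NONE:
        return blob
    if method == METHOD_ROTATE:
        n = 5 if reverse else 3  # rotating left by 5 undoes a left rotation by 3
        return bytes(((b << n) | (b >> (8 - n))) & 0xFF for b in blob)
    raise ValueError("unknown VVN method")

def encapsulate(outer_src, outer_dst, method, inner):
    """VVN IP header + VVN header + processed inner packet (step 503)."""
    return pack_ip(outer_src, outer_dst, bytes([method]) + transform(inner, method))

def decapsulate(vvn_packet):
    outer_src, outer_dst, rest = unpack_ip(vvn_packet)
    if not rest:
        raise ValueError("missing VVN header")
    return outer_src, outer_dst, rest[0], transform(rest[1:], rest[0], reverse=True)

@dataclass
class VVNModule:
    address: str = MODULE
    gateway: str = GATEWAY_LAN
    method: int = METHOD_ROTATE
    nat: dict = field(default_factory=dict)  # remote address -> visitor address

    def outbound(self, visitor_packet):
        src, dst, data = unpack_ip(visitor_packet)
        self.nat[dst] = src  # toy NAT state; a real NAT also tracks ports
        inner = pack_ip(self.address, dst, data)  # step 501: source becomes the module
        # Steps 502-503: whatever the visitor asked for, the outer destination is the gateway.
        return encapsulate(self.address, self.gateway, self.method, inner)

    def inbound(self, vvn_packet):
        outer_src, outer_dst, _method, inner = decapsulate(vvn_packet)
        if (outer_src, outer_dst) != (self.gateway, self.address):
            return None  # not from the registered gateway: ignore
        src, _dst, data = unpack_ip(inner)
        visitor = self.nat.get(src)
        return pack_ip(src, visitor, data) if visitor else None  # step 511

@dataclass
class VVNGateway:
    lan_address: str = GATEWAY_LAN
    public_address: str = GATEWAY_PUBLIC
    modules: tuple = (MODULE,)  # modules that registered with this gateway
    nat: dict = field(default_factory=dict)  # remote address -> (module, method)

    def to_public(self, vvn_packet):
        outer_src, outer_dst, method, inner = decapsulate(vvn_packet)
        if outer_dst != self.lan_address or outer_src not in self.modules:
            return None
        _src, dst, data = unpack_ip(inner)
        # Assumption, not stated on the page: inner destinations in private
        # address space are dropped instead of being routed back into the LAN.
        if ipaddress.IPv4Address(dst).is_private:
            return None
        self.nat[dst] = (outer_src, method)
        return pack_ip(self.public_address, dst, data)  # standard IP packet at "C"

    def from_public(self, ip_packet):
        src, dst, data = unpack_ip(ip_packet)
        if dst != self.public_address or src not in self.nat:
            return None
        module, method = self.nat[src]
        return encapsulate(self.lan_address, module, method, pack_ip(src, module, data))

def round_trip(request=b"GET / HTTP/1.0\r\n\r\n", reply=b"HTTP/1.0 200 OK\r\n\r\n"):
    module, gateway = VVNModule(), VVNGateway()
    a = pack_ip(VISITOR, WEBSITE, request)  # packet at "A"
    b = module.outbound(a)                  # packet at "B"
    c = gateway.to_public(b)                # packet at "C"
    returned = gateway.from_public(pack_ip(WEBSITE, GATEWAY_PUBLIC, reply))
    return a, b, c, module.inbound(returned)
```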
FIG. 7 illustrates a functional block diagram of network traffic within a private local area network having an access point for a visitor and an employee according to one embodiment of the invention. A wireless network access point (AP) illustrated generally at 701 includes an embedded virtual visitor network (VVN) module 702 having a DHCP server 703, a network address translator (NAT) 704, a router 706 and a VVN processor 705. Communication with a visitor's or employee's computer system is provided using a wireless transceiver 708 operable to communicate using an 802.11-based protocol. Other wireless transceivers and protocols may also be used. Ethernet interface 707 provides communication to/from a private LAN (not expressly shown).
During use, network traffic 711 includes both VVN packets 709 and employee packets 710 communicated using embedded VVN module 702. For example, a user may select from one or more Service Set Identifications (SSIDs) transmitted by wireless transceiver 708 for wireless access point 701. In one form, an employee network SSID may be broadcast by wireless transceiver 708 and an employee may enter a valid password to access an employee network within private LAN (not expressly shown). Similarly, wireless transceiver 708 may broadcast a visitor SSID allowing a visitor to connect to wireless access point 701 using a visitor SSID. VVN module 702 having NAT 704 and router 706 may then determine the source of a data packet (either employee or visitor) received by wireless transceiver 708 and process it according to the SSID through which the user (either employee or visitor) connects to wireless access point 701. For example, all data packets communicated over the visitor SSID would be processed by VVN processor 705 to create VVN packets 709 that may be communicated within network traffic 711 of a private LAN. For example, dotted lines illustrated in FIG. 7 generally indicate data packets originating from a visitor are processed using VVN module 702 and provided within network traffic 711 using Ethernet interface 707. Additionally, data packets originating from an SSID for an employee are generally illustrated as employee packets 710 as a solid line traversing through VVN module 702 via wireless transceiver 708 and Ethernet interface 707 and included within network traffic 711. Employee packets 710 traverse through wireless access point 701 without having to be processed by VVN processor 705 to generate VVN packets 709.
FIG. 8 illustrates a functional block diagram of a network for providing visitors and employees access to a public network using a wireless local area network according to one embodiment of the invention. A private local area network employing a wireless access point, illustrated generally at 800, includes a wireless access point 803 having an embedded virtual visitor network module and operable to communicatively couple one or more visitor systems 801 and/or employee systems 802 to a private local area network (LAN) 805. Private LAN 805 further includes a network printer 808, server 809 and other types of network nodes. Firewall and network address translator (NAT) 807 are coupled to private LAN 805 and provide access to a public network 810 such as the Internet. Virtual visitor network (VVN) gateway 806 works in association with wireless access point 803 to provide a virtual visitor network (VVN) 804.
During use, visitors may connect computers via wireless access point 803 which may be an 802.11-enabled wireless access point employing Service Set Identification (SSID). SSID is a 32-character alphanumeric key uniquely identifying a wireless access point such as wireless access point 803. In one embodiment, wireless access point 803 may use two or more SSIDs to distinguish visitors from employees, valid users, etc. For example, one of the SSIDs may be labeled “VisitorNet” to allow visitors to connect to the wireless access point. Similarly, another SSID may be labeled “EmployeeNet” to enable employees to connect to wireless access point 803.
When connecting to wireless access point 803 for the first time, a visitor will need to establish an SSID with a label of “VisitorNet” to access wireless access point 803. An employee may be required to use a secret key or Wired Equivalent Privacy (WEP) to access the “EmployeeNet” provided by wireless access point 803. Other security features for either visitors or employees may also be employed and the “EmployeeNet” usually requires additional validation of a system prior to allowing connection to wireless access point 803 as an employee. In this manner, if a visitor tries to access the “EmployeeNet”, wireless access point 803 will deny access if a visitor does not have valid access. In one embodiment, a machine access code (MAC) address for an employee's system may be used to allow a user to access wireless access point 803. For example, wireless access point 803 may resolve a MAC address of a computer system attempting to connect to “EmployeeNet” and determine if the MAC address is a valid MAC address for an employee. If an invalid MAC address attempting to access “EmployeeNet” is identified (e.g., a visitor), wireless access point 803 will deny access.
FIG. 9 illustrates a functional block diagram of a network employing wire line and wireless virtual visitor access points incorporated within an Ethernet based private local area network according to one embodiment of the invention. A network, illustrated generally at 900, includes an Ethernet-based private local area network 904 connecting several network nodes including a first workstation 910, second workstation 911, and third workstation 909 which may include desktop computing systems, laptop computing systems, or any other type of system that may be connected to an Ethernet-based network. Network printer 906, server 907 and other types of network nodes are also connected and accessible via private LAN 904. Network 900 further includes a firewall and virtual private network gateway 903. Server 907 may be a Domain Name Server (DNS), DHCP server, Enterprise Server, network storage or data server, or any other type of server.
Private LAN 904 further includes a virtual visitor network switch 913 configured as a switch and connectable to virtual visitor network (VVN) gateway 902 operable to establish a first virtual visitor network (VVN) 905 within private LAN 904 and a virtual visitor network hub 914 configured as a hub and connectable to (VVN) gateway 902 and operable to establish a second virtual visitor network (VVN) 912. A network hub or switch may be employed wherein a network hub is a device with shared bandwidth for all users and a network switch provides full bandwidth to an individual user coupled to private LAN 904. For example, virtual visitor network switch 913 and/or virtual visitor network hub 914 may be configured to support various communication data rates such as 10 Mbytes/Second, 100 Mbytes/Second, 1 GBytes/Second, etc.
Virtual visitor network switch 913 allows for wire line access of a first visitor computer system 906 and second visitor computer system 907. A visitor printer 908 is also coupled to virtual visitor network switch 913 and allows first visitor computer system 906 and second visitor computer system 907 to print documents without having to access private LAN 904. Virtual visitor network switch 913 may include logic to provide a print server; however, other embodiments may include utilizing a network node such as a print server located within private LAN 904. For example, virtual visitor network switch 913 may establish a VVN between VVN module 913 and a network printer 906.
Network 900 further allows visitors to access private LAN 904 using virtual visitor network hub 914 operable to provide a wireless-enabled network such as an 802.11-based network to connect a first wireless-enabled visitor computer system 916 and second wireless-enabled visitor computer system 915. Virtual visitor network hub 914 is provided in association with virtual visitor network server 902 and provides a visitor wireless access to private LAN 904 through second virtual visitor network 912.
During operation, first VVN 905 and second VVN 912 protect the enterprise network or private LAN 904 from visitors by confining and directing packets between a visitor's computer system and a public network 901 through use of first VVN 905 and second VVN 912. A visitor may connect their computer to a virtual visitor network switch 913 or virtual visitor network hub 914 to access the Internet or public network 901. First VVN 905 and second VVN 912 establish a virtual tunnel between VVN gateway 902 and VVN switch 913 and VVN hub 914. VVN gateway 902 may have a direct connection to public network 901 (e.g., Internet) or an indirect connection through a security device such as VPN/Firewall 903 as shown in FIG. 8. In one embodiment, VVN gateway 902 may be provided as an integral part of VPN/Firewall 903, NAT, etc.
First VVN 905 and second VVN 912 provide several advantages over conventional networks and allow for a simplified visitor access networking solution without having to add additional private networks for visitors to an enterprise network, which may require Information Technology (IT) managers to manage providing visitors access within an existing enterprise network. For example, network managers will not be required to assign special network outlets or dedicate network ports in a switch, router, wall outlets, etc. for visitors. Such configurations may not guarantee protection of an enterprise network from hacking visitors. Additionally, network outlets are not easily movable and would need to be verified to ensure that no visitor is accessing the enterprise network directly.
Additionally, VVN switch 913 and/or VVN hub 914 may be provided in various colors, such as bright yellow, red, etc., to be visually identifiable by a visitor. In one embodiment, VVN switch 913 and/or VVN hub 914 may be provided as a modular device that may be connected to any network outlet within private LAN 904. For example, IT managers can provide a visitor a modular device incorporating VVN switch 913 and a visitor can simply plug or connect VVN switch 913 to any available network outlet within private LAN 904, allowing VVN switch 913 to be easily transferred as needed to various rooms, offices, conference rooms, etc. having network connections or ports for private LAN 904. In this manner, when a visitor connects a computer, such as first visitor computer system 906, to modular VVN switch 913, VVN gateway 902 identifies VVN switch 913, and monitors and controls VVN switch 913 connected to a network outlet of private LAN 904. In this manner, VVN switch 913 and VVN gateway 902 confine a visitor's packets (not expressly shown) and prevent visitors from accessing other locations, devices, nodes, etc. within private LAN 904.
FIG. 10 illustrates a flow diagram of a method for processing data packets using a virtual visitor network gateway according to one embodiment of the invention. The method may be employed within a program of instructions embodied within a computer readable medium, a memory device, encoded logic, or other devices, modules or systems operable to use a portion or all of the method illustrated in FIG. 10. The method may be employed by VVN gateway 208 illustrated in FIG. 2, VVN gateway 400 illustrated in FIG. 4, VNS 1300 illustrated in FIG. 13, or any other system operable to employ the method illustrated in FIG. 10.
Data packets may be received from within a private LAN (step 1100) or from a public network (step 1114). At step 1100, data packets are received from a VVN module located within a private LAN and the VVN IP header and VVN header of the data packet are removed 1101. The VVN packet is processed 1102 using a specification provided within the VVN header. Such processing results in providing the same data packet communicated by a visitor system and processed by a VVN module (not expressly shown). The IP header is processed 1103 by replacing the source IP address (i.e. VVN module's IP address) with the VVN gateway's IP address 1103. Data packets are then communicated to a public network destination address 1104.
At step 1114, a data packet is received by a VVN gateway from a public network source and the data packet is processed 1113 by modifying the IP header by replacing the destination address (e.g. VVN gateway) with the VVN module's address. The IP header and data received from a source in the public network are processed 1112 which may include processing to add a security feature or scrambling the data contents of the data packet. At step 1111, a VVN header is provided to indicate the method of processing used at step 1112 and a VVN IP header including a destination address of the VVN module is also provided. Upon adding the VVN header and VVN IP header, data packets are then communicated to the VVN module 1110.
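The gateway flow of FIG. 10, together with the two-header encapsulation recited in the claims, as an added Python example (not code from the patent). The byte layout, the method identifiers, the XOR scramble standing in for the unspecified "scrambling", the registration table and all addresses are assumptions made for illustration.

```python
import ipaddress
import struct

# Hypothetical wire layout; the patent does not define one:
#   VVN IP header : 4-byte source + 4-byte destination (routing information)
#   VVN header    : 1-byte method id + 2-byte body length (processing method)
#   body          : processed inner packet = 4-byte src + 4-byte dst + data
METHOD_NONE = 0      # identifier meaning "no encryption method is used"
METHOD_SCRAMBLE = 1  # toy XOR scramble; illustrative only, not real protection
SCRAMBLE_KEY = 0x5A  # constructed value
HEADER_LEN = 11


def ip(addr):
    """Pack a dotted-quad string into 4 bytes."""
    return ipaddress.IPv4Address(addr).packed


def process(method, data):
    """Apply (or undo) the processing named in the VVN header."""
    if method == METHOD_NONE:
        return data
    if method == METHOD_SCRAMBLE:  # XOR is its own inverse
        return bytes(b ^ SCRAMBLE_KEY for b in data)
    raise ValueError(f"unknown VVN method {method}")


def encapsulate(inner, method, src, dst):
    """Wrap an inner packet in a VVN header and a VVN IP header."""
    body = process(method, inner)
    return src + dst + struct.pack("!BH", method, len(body)) + body


def decapsulate(vvn_packet):
    """Strip both headers and restore the inner packet."""
    if len(vvn_packet) < HEADER_LEN:
        raise ValueError("truncated VVN packet")
    src, dst = vvn_packet[:4], vvn_packet[4:8]
    method, length = struct.unpack("!BH", vvn_packet[8:HEADER_LEN])
    body = vvn_packet[HEADER_LEN:]
    if len(body) != length:
        raise ValueError("VVN length field does not match body")
    return src, dst, method, process(method, body)


class VVNGateway:
    def __init__(self, address):
        self.address = ip(address)
        self.modules = {}  # registered module address -> agreed method
        self.flows = {}    # public address -> module that contacted it

    def register(self, module_addr, method):
        """Module registration: both sides agree on a processing method."""
        self.modules[ip(module_addr)] = method

    def outbound(self, vvn_packet):
        """Steps 1100-1104: private LAN -> public network."""
        src, dst, method, inner = decapsulate(vvn_packet)
        if dst != self.address or self.modules.get(src) != method:
            raise PermissionError("not from a registered VVN module")
        public_dst, data = inner[4:8], inner[8:]
        self.flows[public_dst] = src  # simplified; a real NAT also tracks ports
        # Source address (the module's) is replaced with the gateway's.
        return self.address + public_dst + data

    def inbound(self, ip_packet):
        """Steps 1114-1110: public network -> VVN module."""
        public_src, dst, data = ip_packet[:4], ip_packet[4:8], ip_packet[8:]
        module = self.flows.get(public_src)
        if dst != self.address or module is None:
            raise PermissionError("no visitor flow for this source")
        # Destination (the gateway) is replaced with the module's address.
        inner = public_src + module + data
        return encapsulate(inner, self.modules[module], self.address, module)


def demo():
    """Round trip with constructed addresses and payloads."""
    gateway = VVNGateway("10.0.0.1")
    gateway.register("10.0.0.50", METHOD_SCRAMBLE)
    module, web = ip("10.0.0.50"), ip("203.0.113.7")
    vvn = encapsulate(module + web + b"GET /", METHOD_SCRAMBLE,
                      module, gateway.address)
    sent = gateway.outbound(vvn)
    reply = gateway.inbound(web + gateway.address + b"200 OK")
    restored = decapsulate(reply)[3]
    return vvn, sent, restored


if __name__ == "__main__":
    for label, packet in zip(("VVN packet", "to public", "restored"), demo()):
        print(f"{label:11}", packet.hex())
```

The gateway in this sketch drops anything whose outer source is not a registered module or whose method identifier differs from the one agreed at registration, so the confinement rests on that check and not on the scramble.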
FIG. 11 illustrates a functional block diagram of an enterprise network incorporating a virtual visitor network employing a wireless private local area network according to one embodiment of the invention. An enterprise network, illustrated generally at 1100, may be coupled to a public network 1115 such as the Internet through a LAN gateway 1102 employing a firewall and/or virtual private network. Enterprise network 1100 further includes a virtual visitor network (VVN) gateway 1103 coupled to LAN gateway 1102 and provided in association with a wireless virtual visitor network (VVN) switch 1105 and wireless virtual visitor network (VVN) hub 1110 operable to provide one or more visitors access to public network 1115. For example, first visitor computer system 1108 and second visitor computer system 1109 may be connected to wireless VVN switch 1105 using wire-line connections. Additionally, third visitor computer system 1111 and fourth visitor computer system 1112 may be wirelessly connected to wireless VVN hub 1110.
During operation, wireless access point 1104 communicates with each 802.11b enabled device operable to provide access to private LAN 1101 via wireless communications. For example, first computer system 1107 and second computer system 1107 may be employee systems and may include embedded 802.11b communication devices operable to communicate with wireless access point 1104 provided as a part of private LAN 1101. Wireless VVN hub 1110 does not include physical ports for visitors and may easily support many visitors relative to wireless VVN switch 1105 having only wire-line connectivity. Wireless VVN switch 1105 and wireless VVN hub 1110 may be wirelessly connected to private LAN 1101 via wireless access point 1104. Private LAN 1101 may be an Ethernet-based network; however, other communication mediums and protocols, such as fiber, ATM, and the like may also be employed. Private LAN 1101 further connects an enterprise server 1114, network printer 1113 and other network nodes providing users access to data storage, applications, etc.
Wireless devices illustrated in FIG. 11 may be provided as local wireless area network devices or systems that may operate using an 802.11x wireless standard where x=a, g, or b. Additionally, wireless VVN switch 1105 may be provided as a client-based hub communicating as an 802.11b enabled station coupled to wireless access point 1104. As such, wireless access point 1104 need not contain a VVN module to communicate data packets within a virtual visitor network. For example, a VVN network may be established between wireless VVN switch 1105 and VVN gateway 1103 or wireless VVN hub 1110 and VVN gateway 1103, respectively. Wireless VVN hub 1110 and wireless VVN switch 1105 are wirelessly coupled to wireless access point 1104 and may be configured to communicate using different channels to avoid interference and/or conflicts. For example, a wireless private LAN 1117 may be provided via wireless access point 1104 through enabling channel one (1) to allow first employee computer system 1106, second valid computer system 1107, and wireless VVN switch 1105 and wireless VVN hub 1110 to connect to wireless private LAN 1117. If a visitor attempts to directly access wireless access point 1104 within private wireless LAN 1117 using channel one (1), wireless access point 1104 will reject the visitor as not being a registered or valid user. Additionally, when wireless VVN hub 1110 is accessing wireless access point 1104 via channel 1, wireless VVN hub 1110 uses a different channel, e.g., channel 6, to communicate with visitor computers.
Enterprise network 1100 may also employ various types, configurations, and/or combinations of VVN hubs. For example, enterprise network 1100 may employ a wire-line only connection to private LAN 1101 for visitors as illustrated, for example, in FIG. 3. Additionally, enterprise network 1100 may employ a wire-line connection to private LAN 1101 and wireless connection for visitors to private LAN 1101 as illustrated in FIG. 9. Other embodiments may include providing a wireless connection to private LAN 1101 and wire-line connection for visitors to private LAN 1101 as illustrated by wireless VVN hub 1105. Enterprise network 1100 may also employ a wireless connection for both visitors and valid users or employees as illustrated in FIG. 8. As such, various combinations and levels of wireless and wire-line access to public network 1115 via private LAN 1101 may be provided within enterprise network 1100 while ensuring network integrity, security, and efficient access are provided.
In one embodiment, VVN modules may be communicatively coupled allowing visitors' systems to communicate with each other. For example, VVN gateway 1103 may manage users connected to wireless VVN hub 1110 and/or wireless VVN switch 1105 and may allow multiple users to have access to each other's systems. In this manner, multiple visitors from the same company may be able to communicate within enterprise network 1100 thereby providing a private visitor LAN between visitors.
FIG. 12 illustrates a functional block diagram of a virtual network gateway operable to provide a virtual private network and a virtual visitor network within a private local area network according to one embodiment of the invention. An enterprise network, illustrated generally at 1200, allows for users to access a private LAN 1202 from both a public network 1203 and from within private LAN 1202. Enterprise network 1200 includes a virtual private network (VPN) client 1213 operable to be coupled to a VPN server 1204 which may be provided internal or external to a virtual network server (VNS) 1201. Enterprise network 1200 further includes a virtual visitor network (VVN) module 1206 operably connected to a virtual visitor network (VVN) gateway 1205 which may be provided internal or external to VNS 1201. Private LAN 1202 further includes a local area network based on Ethernet 1208 operable to connect multiple nodes such as first LAN node 1209 and a second LAN node 1210. VVN module 1206 may also be connected to private LAN 1202 via Ethernet 1208.
During operation, enterprise network 1200 may protect employees accessing private LAN 1202 from VPN client 1213 when accessed via public network 1203. VPN server 1204 serves as a gateway that is located between private LAN 1202 and public network 1203. A virtual communication tunnel or VPN tunnel 1215 is created using encryption to exchange data packets between VPN client 1213 and VPN server 1204. Through establishing a VPN tunnel 1215, network attacks that originate from public network 1203 are obviated and VPN data packets may be communicated securely within private LAN 1202. Enterprise network 1203 further includes a VVN tunnel 1216 created to protect private LAN 1202 from network attacks that may originate from inside VVN tunnel 1216 established between VVN gateway 1205 and VVN module 1206. VVN data packets are confined to VVN tunnel 1216 and as such attacks that may originate from within a VVN tunnel 1216 are confined to VVN gateway 1205 and VVN module 1206 and cannot escape VVN tunnel 1216. VPN tunnel 1215 and VVN tunnel 1216 are virtual networks which do not exist as a physical entity in the physical network.
FIG. 13 illustrates a functional block diagram of a virtual network server for use in association with providing a visitor access to a public network from within a virtual private network enabled private local area network according to one embodiment of the invention. A virtual network server (VNS) is illustrated generally at 1300 and includes several modules and components including a network address translator 1305, a router 1302, and a firewall 1301. VNS 1300 further includes a virtual private network (VPN) server 1303 and a virtual visitor network (VVN) gateway 1304. VPN server 1303 and VVN gateway 1304 provide access between private local area network (LAN) 1308 and a public network 1307 and may be used within an enterprise network (not expressly shown). In some embodiments, VNS 1300 may only include VVN gateway 1304 and/or VPN server 1303; however, in other embodiments VNS 1300 may include each functional module or component illustrated. In some embodiments, other forms of protection may also be provided including a DHCP server, intrusion detection modules, servers or software provided as a part of, or in association with, VNS 1300.
VNS 1300 is a comprehensive security device that provides support services for a business, protects private LAN 1308 from intruders from public network 1307, manages privacy within private LAN 1308, and protects private LAN 1308 while providing visitors and authorized users access to public network 1307 from within the same network environment. During operation, a visitor may access private LAN 1308 via a visitor access point within private LAN 1308. Network address translator 1305 and router 1302 resolve network traffic communicated from private LAN 1308 and determine header information and route traffic based on header and other information provided. For example, a data packet may include a destination or source address information communicated from a virtual visitor network module or hub (not expressly shown) and may be resolved by NAT 1305 and provided to VVN gateway 1304 for processing. VVN gateway 1304 may extract a destination or website being requested within public network 1307 and any other processing information, and process data packets using processing information to restore data packets prior to forwarding to public network 1307 thereby allowing a visitor to access a public network from within private LAN 1308. When data packets are returned from public network 1307, VNS 1300 determines the computer system requesting the data (i.e. employee, visitor, etc.) and processes the data packets if required.
In some embodiments, VVN gateway or VNS 1300 may include a VVN management application (not expressly shown) for managing or monitoring a visitor network(s) provided within private LAN 1308. For example, a VVN management application may be used to change, alter, or configure a virtual visitor network, add and delete VVN features, modify access rights for a VVN, create a VVN status report, create a VVN public access report, manage VVN modules, manage software versions, etc. For example, a VVN management application may keep track of usage within a VVN, monitor for intrusions, and provide alarm notifications when suspicious activities are detected, communicate software upgrades to VVN modules, etc. The VVN management function may be an integral part of VNS 1300 or may be provided as a part of a network server within private LAN 1308.
FIG. 14 illustrates a functional block diagram of a virtual visitor network incorporated within a multi-protocol label switching enabled local area network according to one embodiment of the invention. A Multi-Protocol Label Switching (MPLS) enabled LAN, illustrated generally at 1400, includes a virtual visitor network (VVN) module 1404 which may be used to connect first visitor computer system 1405, second visitor computer system 1406, and/or third computer system 1407 to an enterprise network employing a private LAN. VVN module 1404 is connected to a virtual visitor network (VVN) gateway 1402 using MPLS enabled LAN 1400. MPLS communication protocol confines data packets between VVN gateway 1402 and VVN module 1404. MPLS is an Internet Engineering Task Force (IETF) standard that utilizes label switching to forward data packets through MPLS enabled network 1400. A label is a small identifier placed within a data packet and inserted at an ingress router or a second label edge router (LER 2) 1408 and removed at an egress router or first label edge router (LER 1) 1410. A first label switching router (LSR 1) 1409, second label switching router (LSR 2) 1411, and third label switching router (LSR 3) 1403 communicate data packets between second label edge router (LER 2) 1408 and first label edge router (LER 1) 1410. For example, an LSR is a router provided within an MPLS network that participates in establishing Label Switched Paths (LSPs) using an appropriate label switching. An LER is a device that operates at the edge of the network being accessed and interfaces with an MPLS network. LERs support multiple ports and forward network traffic through an MPLS enabled network after establishing LSPs. LERs are used to assign and remove labels as data packets enter or exit an MPLS network.
During operation, as data packets transition through MPLS enabled network 1400, label tables, or a Label Information Base (LIB), are consulted by each component, LER 2 1408, LER 1 1410, LSR 1 1409, LSR 2 1411, and LSR 3 1403. For example, an inbound reference maintained by the LIB is determined and an outbound interface, communication path or label-switching path (LSP), and outbound label are determined. An LSP includes a sequence of labels that identifies each node or LSR along a communication or transmission path from a source to a destination. An LSP is established either prior to data packets being transmitted or upon detection of a certain flow of data.
VVN module 1404 may be connected to LER 2 1408 and VVN gateway 1402 may be connected to VVN gateway 1402 using LER 1 1410. LER 2 1408 may establish an LSP for VVN module 1404 to send data packets to VVN gateway 1402. Similarly, LER 1 1410 may set up an LSP for VVN gateway 1402 to send data packets to VVN module 1404. As such, an LSP for sending data packets to VVN gateway 1402 from VVN module 1404 may be different from an LSP for sending data packets from VVN gateway 1402 to VVN module 1404. In this manner, all data packets coming from VVN module 1404 are routed to VVN gateway 1402 within the MPLS network and all data packets from VVN gateway 1402 are directed to VVN module 1404 via MPLS enabled private LAN 1400. As such, MPLS enabled private LAN 1400 escorts data packets or ensures a specific destination for visitor data packets may be achieved.
In some embodiments, LER 1 1410 may be incorporated within or provided as a part of VVN gateway 1402. Similarly, LER 2 1408 may be incorporated within or provided as a part of VVN module 1404. In this manner, VVN module 1404 and VVN gateway 1402 may establish an LSP for data packets. For example, when data packets are delivered from VVN module 1404 to VVN gateway 1402, VVN module 1404 may generate labels for data packets to be maintained with an LIB and VVN gateway 1402 may delete labels from the LIB when data packets are received. Likewise, when data packets are communicated from VVN gateway 1402 to VVN module 1404, VVN gateway 1402 may create labels within an LIB and VVN module 1404 may remove labels from the LIB. In this manner, one or more portions of an MPLS network may be provided as a part of a virtual visitor network to allow a visitor to access a public network from within a private network without compromising security of an enterprise network.
FIG. 15 illustrates a functional block diagram of a single point virtual visitor network module operable to provide a visitor access to a public network from within a private local area network according to one embodiment of the invention. A private local area network (LAN), illustrated generally at 1500, includes a local area network Ethernet access point 1501, operable to provide access to a visitor computer 1503 using a single port VVN module 1502 operable to be coupled to LAN Ethernet 1501. Single port VVN module 1502 may be implemented to allow a single individual to access private LAN 1500 and may be provided as a standalone module or as an accessory that may be provided as a part of, or incorporated within, visitor computer 1503. For example, as a standalone module or device, VVN module 1502 may use an AC adapter for power and single port VVN module 1502 may include only two communication ports (not expressly shown). One port connects to LAN Ethernet 1501 and a second port connects to visitor computer 1503. As such, only a single user may connect to the single port VVN module and access LAN Ethernet 1501.
During use, information or data packets communicated from visitor computer 1503 may be processed to ensure that a virtual visitor network is maintained within LAN Ethernet 1501. Single port VVN module 1502 may be well suited for use within a hotel room or a multiple residential community where single port VVN module 1502 may be located as a permanent device within a specific room.
In another embodiment, single port VVN module 1502 may be a Universal Serial Bus (USB) enabled device that is powered by visitor computer 1503 when plugged into a USB port of visitor computer 1503. For example, a visitor may plug USB enabled single port VVN module 1502 into a USB port of visitor computer 1503. A network cable such as an RJ-45 cable provided in association with, or integrated as a part of, USB enabled single port VVN module 1502 may be coupled to a wall outlet of LAN Ethernet 1501. In this manner, single port VVN module 1502 may communicate with a VVN server (not expressly shown) without tethering users together to a multi-port VVN module thereby allowing visitors mobility within an enterprise premise and enabling visitors to use any LAN outlet within private LAN 1500.
Note that although an embodiment of the invention has been shown and described in detail herein, along with certain variants thereof, many other varied embodiments that incorporate the teachings of the invention may be easily constructed by those skilled in the art. Benefits, other advantages, and solutions to problems have been described above with regard to specific embodiments. However, the benefits, advantages, solutions to problems, and any element(s) that may cause any benefit, advantage, or solution to occur or become more pronounced are not to be construed as a critical, required, or essential feature or element of any or all the claims. Accordingly, the invention is not intended to be limited to the specific form set forth herein, but on the contrary, it is intended to cover such alternatives, modifications, and equivalents, as can be reasonably included within the spirit and scope of the invention.
Claims (19)
1-33. (canceled)
34. A system for escorting packets from a source device to a destination device in a private network comprising:
a processor;
memory in electronic communication with the processor; and
instructions stored in the memory, the instructions being executable to:
receive a packet from the source device;
encapsulate the packet from the source device with a first header and a second header, wherein the first header indicates an encryption method, and wherein the second header includes routing information.
35. The system of claim 34, wherein the encryption method indicated by the first header comprises proprietary encryption.
36. The system of claim 34, wherein the encryption method indicated by the first header comprises IPsec.
37. The system of claim 34, wherein the first header comprises an identifier that indicates no encryption method is used.
38. The system of claim 34, wherein the second header comprises a source address and a destination address, and wherein the source address is the source device address, and wherein the destination address is the destination device address.
39. The system of claim 34, wherein the source device is allowing a visitor access to a public network.
40. A method for escorting packets from a source device to a destination device in a private network comprising:
receiving a packet from the source device;
encapsulating the packet from the source device with a first header and a second header, wherein the first header indicates an encryption method, and wherein the second header includes routing information.
41. The method of claim 40, wherein the encryption method indicated by the first header comprises proprietary encryption.
42. The method of claim 40, wherein the encryption method indicated by the first header comprises IPsec.
43. The method of claim 40, wherein the first header comprises an identifier that indicates no encryption method is used.
44. The method of claim 40, wherein the second header comprises a source address and a destination address, and wherein the source address is the source device address, and wherein the destination address is the destination device address.
45. The method of claim 40, wherein the source device is allowing a visitor access to a public network.
46. A network for escorting packets from a source device to a destination device comprising:
an access point to provide access to the network;
a processor;
memory in electronic communication with the processor; and
instructions stored in the memory, the instructions being executable to:
receive a packet from the source device;
encapsulate the packet from the source device with a first header and a second header, wherein the first header indicates an encryption method, and wherein the second header includes routing information.
47. The network of claim 46, wherein the encryption method indicated by the first header comprises proprietary encryption.
48. The network of claim 46, wherein the encryption method indicated by the first header comprises IPsec.
49. The network of claim 46, wherein the first header comprises an identifier that indicates no encryption method is used.
50. The network of claim 46, wherein the second header comprises a source address and a destination address, and wherein the source address is the source device address, and wherein the destination address is the destination device address.
51. The network of claim 46, wherein the source device is allowing a visitor access to a public network.
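An added illustration of the two-header encapsulation recited in claims 34 to 38 (not code from the patent): the field widths, the numeric method identifiers, the version byte and all function names are assumptions. The receiver checks the method identifier against local policy instead of trusting the header, since claim 37 allows a value meaning no encryption is used.

```python
import ipaddress
import struct

# Assumed numeric identifiers: the claims name three cases (no encryption,
# IPsec, proprietary) but do not assign values to them.
METHOD_NONE, METHOD_IPSEC, METHOD_PROPRIETARY = 0, 1, 2
KNOWN_METHODS = frozenset({METHOD_NONE, METHOD_IPSEC, METHOD_PROPRIETARY})

VERSION = 1                          # assumed version byte
FIRST_HDR = struct.Struct("!BBH")    # version, encryption method, payload length
SECOND_HDR = struct.Struct("!4s4s")  # source device address, destination device address
HDR_LEN = FIRST_HDR.size + SECOND_HDR.size


class EscortPolicyError(ValueError):
    """The frame is well formed but its encryption method is not permitted here."""


def encapsulate(packet: bytes, method: int, src: str, dst: str) -> bytes:
    """Wrap a packet in the first (method) and second (routing) headers.

    The transform named by the method field is applied elsewhere; this
    function only builds the headers around an opaque payload.
    """
    if method not in KNOWN_METHODS:
        raise ValueError(f"unknown encryption method {method}")
    if len(packet) > 0xFFFF:
        raise ValueError("packet too large for the 16-bit length field")
    first = FIRST_HDR.pack(VERSION, method, len(packet))
    second = SECOND_HDR.pack(ipaddress.IPv4Address(src).packed,
                             ipaddress.IPv4Address(dst).packed)
    return first + second + packet


def decapsulate(frame: bytes,
                allowed_methods=frozenset({METHOD_IPSEC, METHOD_PROPRIETARY})):
    """Parse a frame and return (method, src, dst, payload).

    Rejects truncated frames, unknown versions or methods, length
    mismatches, and any method the local policy does not allow.
    """
    if len(frame) < HDR_LEN:
        raise ValueError("truncated frame: headers incomplete")
    version, method, length = FIRST_HDR.unpack_from(frame, 0)
    if version != VERSION:
        raise ValueError(f"unsupported version {version}")
    if method not in KNOWN_METHODS:
        raise ValueError(f"unknown encryption method {method}")
    if method not in allowed_methods:
        # The sender chooses the header value; the receiver enforces policy.
        raise EscortPolicyError(f"encryption method {method} refused by policy")
    src_raw, dst_raw = SECOND_HDR.unpack_from(frame, FIRST_HDR.size)
    payload = frame[HDR_LEN:]
    if len(payload) != length:
        raise ValueError("payload length does not match the first header")
    return (method,
            str(ipaddress.IPv4Address(src_raw)),
            str(ipaddress.IPv4Address(dst_raw)),
            payload)


if __name__ == "__main__":
    # Constructed sample values (documentation address ranges).
    frame = encapsulate(b"inner packet", METHOD_IPSEC, "192.0.2.10", "198.51.100.7")
    print(decapsulate(frame))
    clear = encapsulate(b"inner packet", METHOD_NONE, "192.0.2.10", "198.51.100.7")
    try:
        decapsulate(clear)
    except EscortPolicyError as exc:
        print("rejected:", exc)
```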
Priority Applications (1)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
US11/671,918 US20070127500A1 (en) | 2005-04-14 | 2007-02-06 | System, device, method and software for providing a visitor access to a public network |
Applications Claiming Priority (2)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
US11/105,712 US8041824B1 (en) | 2005-04-14 | 2005-04-14 | System, device, method and software for providing a visitor access to a public network |
US11/671,918 US20070127500A1 (en) | 2005-04-14 | 2007-02-06 | System, device, method and software for providing a visitor access to a public network |
Related Parent Applications (1)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
US11/105,712 Continuation US8041824B1 (en) | 2005-04-14 | 2005-04-14 | System, device, method and software for providing a visitor access to a public network |
Publications (1)
Publication Number | Publication Date |
---|---|
US20070127500A1 (en) | 2007-06-07 |
Family ID=38118622
Family Applications (3)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
US11/105,712 Active 2027-11-03 US8041824B1 (en) | 2005-04-14 | 2005-04-14 | System, device, method and software for providing a visitor access to a public network |
US11/671,918 Abandoned US20070127500A1 (en) | 2005-04-14 | 2007-02-06 | System, device, method and software for providing a visitor access to a public network |
US11/671,931 Abandoned US20070127430A1 (en) | 2005-04-14 | 2007-02-06 | System, device, method and software for providing a visitor access to a public network |
Country Status (1)
Country | Link |
---|---|
US (3) | US8041824B1 (en) |
Also Published As
Publication number | Publication date |
---|---|
US8041824B1 (en) | 2011-10-18 |
US20070127430A1 (en) | 2007-06-07 |
Legal Events
Date | Code | Title | Description |
---|---|---|---|
 | AS | Assignment | Owner name: STRAUSS ACQUISITIONS, L.L.C., DELAWARE Free format text: ASSIGNMENT OF ASSIGNORS INTEREST;ASSIGNOR:MAENG, JOON;REEL/FRAME:019621/0754 Effective date: 20070615 |
 | STCB | Information on status: application discontinuation | Free format text: ABANDONED -- FAILURE TO RESPOND TO AN OFFICE ACTION |
 | AS | Assignment | Owner name: INTELLECTUAL VENTURES ASSETS 197 LLC, DELAWARE Free format text: ASSIGNMENT OF ASSIGNORS INTEREST;ASSIGNOR:CUFER ASSET LTD. L.L.C.;REEL/FRAME:066791/0230 Effective date: 20240315 |