
Tunneling and Multiplexing UDP and TCP over SSL/TCP connections to enable full secure communication suite in the absence of a VPN

IP.com Disclosure Number: IPCOM000015380D
Original Publication Date: 2002-Sep-30
Included in the Prior Art Database: 2003-Jun-20
Document File: 4 page(s) / 88K

Publishing Venue

IBM

Abstract

Tunneling and Multiplexing UDP and TCP over SSL/TCP connections to enable full secure communication suite in the absence of a VPN

This text was extracted from a PDF file.
At least one non-text object (such as an image or picture) has been suppressed.
This is the abbreviated version, containing approximately 48% of the total text.

Page 1 of 4

Tunneling and Multiplexing UDP and TCP over SSL/TCP connections to enable full secure communication suite in the absence of a VPN

Disclosed is a device that solves the problem of using a cable modem, DSL connection or T1/T3 to securely connect to an enterprise with a full communication suite in the absence of a Virtual Private Network (VPN). Today there is no standard for UDP over SSL. There is also no standard way of enabling a user at home or on the internet to run applications that require a reverse connection without complex IPSEC software. It is true that Secure Shell (SSH) allows a reverse connection; however, this is frowned upon by many enterprises because the user would then be using a non-enterprise-approved method of encryption and would simply be seen as piercing the enterprise's firewall. An example of a restriction on applications would be the use of an X client and X server; this hampers Unix* application suites. Additionally, SSH does not permit UDP communication; hence, software applications requiring UDP transmissions are disabled. For example, mapping network drives for Windows** systems is not possible since the SMB protocol relies on UDP communication. These are just examples of applications that were once functional on a VPN and are restricted once DSL or cable modem is in the picture with simple enterprise-authenticated SSL connections.

When users use broadband communication such as DSL or cable modems, the enterprise that users connect to provides special means by which users access its internal network (e.g. SSL) with special authentication schemes: a secure key generator and a PIN or password. Given that, the user is permitted to establish secure TCP connections using the enterprise-approved security scheme. Most technologies used by enterprises today encrypt the data that traverses the connection using standards such as SSL or other schemes. A server within the enterprise then decrypts the data and forwards it to its final destination, and vice versa for data that is sent back to the user. Unfortunately, connections initiated from the enterprise outwards are blocked. Additionally, UDP communication is blocked entirely due to the lack of encryption standards.

A connection can be initiated from the host outside the enterprise to the enterprise following conventional enterprise standards of encryption and authentication. This new secure and enterprise-approved connection can then be used as a tunnel, with routing engines on both sides to encode and transmit UDP as well as TCP connections and data initiated by either the external host or the internal host to the target application. Conservative enterprises could package this scheme with the secure software that is provided to users. Less conservative enterprises could permit the user to run a copy of this software at home and another on a server (user system) within the enterprise. Configuration files on both of the endpoints of the tunnel can hold additional...
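As an added example, not part of the disclosure (which describes no wire format), the following shows one way the routing engines on each end could multiplex UDP datagrams and TCP channel data over the single SSL/TCP stream: each unit of traffic is length-prefixed so datagram boundaries survive the byte stream, partial frames split across TCP reads are carried over to the next read, and each endpoint allocates channel ids of one parity so channels opened by the external host and by the internal host (the reverse-connection case) never collide. The frame layout, type codes and parity scheme are assumptions made for this example.

```python
import struct
from typing import List, Tuple

# Frame types for the multiplexed tunnel (layout constructed for this example).
TCP_OPEN, TCP_DATA, TCP_CLOSE, UDP_DGRAM = 1, 2, 3, 4
HEADER = struct.Struct("!BHH")  # frame type, channel id, payload length

def encode_frame(ftype: int, channel: int, payload: bytes = b"") -> bytes:
    """Wrap one unit of tunnel traffic in a length-prefixed frame."""
    if len(payload) > 0xFFFF:
        raise ValueError("payload too large for a single frame")
    return HEADER.pack(ftype, channel, len(payload)) + payload

def encode_udp(channel: int, host: str, port: int, datagram: bytes) -> bytes:
    """Carry one whole UDP datagram, with its destination, as one frame so that
    datagram boundaries survive the byte-stream transport."""
    addr = f"{host}:{port}".encode()
    return encode_frame(UDP_DGRAM, channel, bytes([len(addr)]) + addr + datagram)

def decode_udp(payload: bytes) -> Tuple[str, int, bytes]:
    """Inverse of encode_udp: recover (host, port, datagram)."""
    alen = payload[0]
    host, port = payload[1:1 + alen].rsplit(b":", 1)
    return host.decode(), int(port), payload[1 + alen:]

def decode_frames(buf: bytes) -> Tuple[List[Tuple[int, int, bytes]], bytes]:
    """Parse every complete frame in buf and return (frames, leftover).
    The leftover is a partial frame split across TCP reads; the caller
    prepends it to the next read, so TCP segmentation never corrupts a frame."""
    frames = []
    while len(buf) >= HEADER.size:
        ftype, channel, length = HEADER.unpack_from(buf)
        end = HEADER.size + length
        if len(buf) < end:
            break
        frames.append((ftype, channel, buf[HEADER.size:end]))
        buf = buf[end:]
    return frames, buf

class ChannelAllocator:
    """Each tunnel endpoint hands out channel ids of one parity, so channels
    opened from the home side and from the enterprise side never collide
    (this is what lets the internal host initiate a reverse connection)."""
    def __init__(self, initiator: bool):
        self._next = 1 if initiator else 2

    def allocate(self) -> int:
        cid, self._next = self._next, self._next + 2
        return cid
```

Both endpoints would run the same decoder over the decrypted SSL stream and dispatch TCP_* frames to per-channel sockets and UDP_DGRAM frames to a UDP socket aimed at the embedded destination; the hostnames and ports used in any test are constructed placeholders.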