H04L63/164

Efficient protection for a virtual private network
11558354 · 2023-01-17

Techniques are described to provide efficient protection for a virtual private network. In one example, a method is provided that includes obtaining a packet at a first network entity; determining that the packet is a packet type of an authentication type; determining whether authentication content for the packet matches known good criteria for the packet type of the authentication type; based on determining that the authentication content for the packet does not match the known good criteria, performing at least one of dropping the packet and generating an alarm; and based on determining that the authentication content for the packet does match the known good criteria, processing the packet at the first network entity or forwarding the packet toward a second network entity.
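
The decision described above (classify an authentication packet, compare it against known-good criteria, then drop and alarm or forward) can be shown statelessly on IKEv2 headers, which is where a gateway can check authentication traffic before any cryptographic state exists. The block below is an added example written for this page, not the patent's implementation; the criteria it enforces (IKEv2 major version, known exchange types, length field agreeing with the datagram, reserved flag bits clear, IKE_SA_INIT invariants) are an operator's assumptions, and the sample datagrams are constructed.

```python
"""Stateless known-good check on IKEv2 headers (RFC 7296 section 3.1), as one
concrete instance of the 'authentication packet vs. known good criteria'
decision in the abstract.

Added example, not the patent's implementation. The criteria below are
assumptions a gateway operator might choose; the sample datagrams are constructed.
"""
import struct
from typing import Dict, List, Optional

IKE_HDR = struct.Struct("!QQBBBBII")  # SPIi, SPIr, Next Payload, MjVer/MnVer, Exchange Type, Flags, Message ID, Length
EXCHANGE_TYPES = {34: "IKE_SA_INIT", 35: "IKE_AUTH", 36: "CREATE_CHILD_SA", 37: "INFORMATIONAL"}
FLAG_I, FLAG_V, FLAG_R = 0x08, 0x10, 0x20   # Initiator, Version, Response


def parse_ike_header(udp_payload: bytes) -> Optional[Dict[str, int]]:
    """Return header fields, or None when the datagram is too short to carry an IKE header."""
    if len(udp_payload) < IKE_HDR.size:
        return None
    spi_i, spi_r, next_pl, ver, exch, flags, msg_id, length = IKE_HDR.unpack_from(udp_payload)
    return {"spi_i": spi_i, "spi_r": spi_r, "next_payload": next_pl, "major": ver >> 4, "minor": ver & 0xF,
            "exchange": exch, "flags": flags, "msg_id": msg_id, "length": length, "wire_len": len(udp_payload)}


def check_known_good(h: Dict[str, int]) -> List[str]:
    """Return the criteria the header violates; an empty list means it matches."""
    problems = []
    if h["major"] != 2:
        problems.append("major version %d != 2" % h["major"])
    if h["exchange"] not in EXCHANGE_TYPES:
        problems.append("unknown exchange type %d" % h["exchange"])
    if h["length"] != h["wire_len"]:
        problems.append("length field %d != datagram length %d" % (h["length"], h["wire_len"]))
    if h["flags"] & ~(FLAG_I | FLAG_V | FLAG_R) & 0xFF:
        problems.append("reserved flag bits set: 0x%02x" % h["flags"])
    if h["exchange"] == 34 and h["msg_id"] != 0:
        problems.append("IKE_SA_INIT with non-zero Message ID")
    if h["exchange"] == 34 and not h["flags"] & FLAG_R and h["spi_r"] != 0:
        problems.append("IKE_SA_INIT request with non-zero responder SPI")
    return problems


def decide(udp_payload: bytes) -> str:
    """'forward' when every criterion holds, otherwise 'drop: <reasons>' (the reasons double as the alarm text)."""
    h = parse_ike_header(udp_payload)
    if h is None:
        return "not-ike"
    problems = check_known_good(h)
    return "drop: " + "; ".join(problems) if problems else "forward"


def ike_datagram(spi_i, spi_r, version, exch, flags, msg_id, length, body=b""):
    """Build a constructed IKE datagram; Next Payload 33 (SA) is arbitrary for the header check."""
    return IKE_HDR.pack(spi_i, spi_r, 33, version, exch, flags, msg_id, length) + body


# Constructed samples
GOOD = ike_datagram(0x1122334455667788, 0, 0x20, 34, FLAG_I, 0, IKE_HDR.size + 4, b"\x00" * 4)
BAD_V1 = ike_datagram(0x1122334455667788, 0, 0x10, 4, 0, 0, IKE_HDR.size)        # IKEv1 aggressive-mode header
BAD_LEN = ike_datagram(0x1122334455667788, 0x99, 0x20, 35, FLAG_I, 1, 1000)      # claims 1000 bytes, carries 28

if __name__ == "__main__":
    for name, pkt in (("GOOD", GOOD), ("BAD_V1", BAD_V1), ("BAD_LEN", BAD_LEN)):
        print(name, "->", decide(pkt))
```

The header check is deliberately narrow: it cannot tell a valid IKE_AUTH from one carrying a bad signature, since that needs the SA's keys. Its value is that it is cheap enough to run on every packet at the first entity, and its alarm text names the violated criterion rather than just "dropped".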

System and method for content fetching using a selected intermediary device and multiple servers
11558215 · 2023-01-17

A method for fetching content from a web server to a client device is disclosed, using tunnel devices that serve as intermediate devices. The tunnel device is selected based on an attribute, such as IP geolocation. A tunnel bank server stores a list of available tunnels, each associated with values of various attribute types. The tunnel devices initiate communication with the tunnel bank server and stay connected to it, so that the tunnel bank server can initiate a communication session. Upon receiving a request from a client for content with specific attribute types and values, a tunnel is selected by the tunnel bank server and used to retrieve the required content from the web server over a standard protocol such as SOCKS, WebSocket or HTTP proxy. The client communicates only with a super proxy server that manages the content-fetching scheme.

SYSTEMS AND METHODS FOR USING SPI TO DISCOVER A NETWORK GRAPH OF NODES BEHIND NAT
20230037548 · 2023-02-09

Systems and methods for determining network topology by implementing the security parameter index (“SPI”) to map network nodes that are behind a network address translation (“NAT”) address are disclosed.
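
The observation that makes this workable is that NAT rewrites the outer IP address and UDP port of NAT-traversal traffic but never touches the ESP SPI, so a VPN gateway seeing one public address can still tell security associations apart. The block below is an added example, not the application's method: it parses constructed UDP/4500 records as a gateway would see them (RFC 3948 encapsulation, where four zero bytes mark IKE rather than ESP), groups them by public address, NAT source-port mapping and SPI, and reports a lower bound on the number of hosts behind each address. The record format and addresses are assumptions for the example.

```python
"""Grouping UDP-encapsulated ESP traffic by NAT address, source port and SPI to
estimate how many hosts sit behind one NAT address.

Added example, not the application's method. Records are constructed
(outer source IP, outer UDP source port, UDP/4500 payload) as a VPN gateway
would observe them; the estimate treats each distinct NAT source-port mapping
as one remote host and each SPI as one security association.
"""
import struct
from collections import defaultdict
from typing import Dict, Iterable, Optional, Tuple


def parse_udp4500(payload: bytes) -> Optional[Tuple[int, int]]:
    """Return (SPI, sequence number) for UDP-encapsulated ESP (RFC 3948),
    or None for IKE (Non-ESP marker) or packets too short to carry an ESP header."""
    if len(payload) < 8:
        return None
    spi, seq = struct.unpack("!II", payload[:8])
    return None if spi == 0 else (spi, seq)   # four zero bytes = Non-ESP marker, i.e. IKE on UDP/4500


def build_graph(records: Iterable[Tuple[str, int, bytes]]) -> Dict[str, Dict[int, Dict[int, int]]]:
    """Return {public_ip: {nat_src_port: {spi: highest_sequence_seen}}}."""
    graph = defaultdict(lambda: defaultdict(dict))
    for ip, port, payload in records:
        parsed = parse_udp4500(payload)
        if parsed is None:
            continue
        spi, seq = parsed
        graph[ip][port][spi] = max(graph[ip][port].get(spi, 0), seq)
    return {ip: {port: dict(spis) for port, spis in ports.items()} for ip, ports in graph.items()}


def estimate_nodes(graph: Dict[str, Dict[int, Dict[int, int]]]) -> Dict[str, Dict[str, int]]:
    """Per public address: one NAT mapping (source port) per host gives a lower bound on hosts;
    SPIs count SAs, and a rekey adds an SPI without adding a host, so SAs >= hosts."""
    return {ip: {"hosts_lower_bound": len(ports), "sas": sum(len(s) for s in ports.values())}
            for ip, ports in graph.items()}


def esp(spi: int, seq: int) -> bytes:
    """Constructed ESP header (SPI, sequence) followed by a dummy body."""
    return struct.pack("!II", spi, seq) + b"\x00" * 24


# Constructed observations: two hosts behind 203.0.113.7 (ports 40001, 40002) and one peer not behind NAT.
RECORDS = [
    ("203.0.113.7", 40001, esp(0x1001, 1)),
    ("203.0.113.7", 40001, esp(0x1001, 2)),
    ("203.0.113.7", 40002, esp(0x2001, 7)),
    ("203.0.113.7", 40002, esp(0x2002, 1)),                        # second SA (e.g. after rekey) on the same mapping
    ("203.0.113.7", 40003, b"\x00\x00\x00\x00" + b"\x00" * 28),    # IKE with Non-ESP marker: not an SA, not counted
    ("198.51.100.9", 4500, esp(0x3001, 3)),
]

if __name__ == "__main__":
    for ip, summary in estimate_nodes(build_graph(RECORDS)).items():
        print(ip, summary)
```

Two caveats a practitioner should keep in mind: the SPI on inbound ESP was chosen by the gateway itself, so it identifies the SA, not the remote host's configuration, and a NAT that does not allocate a distinct port per inner host (or a host that runs several IKE SAs) will make the host count wrong in either direction. That is why the function reports a lower bound and a separate SA count rather than a single number.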

Specialized ECU for communication with an encrypted or non-encrypted vehicle network
11710354 · 2023-07-25

An electronic control unit (ECU) is coupled to a vehicle network, such as a controller area network (CAN), which may be either encrypted or non-encrypted. The ECU includes at least one input/output port that provides non-encrypted access into the vehicle network. The electronic control unit, also referred to as a specialized ECU or an enhanced gateway module, in one embodiment includes at least one port for configuring the ECU from a personal computer or other computing device. In one embodiment the ECU includes multiple input/output ports that interface with vehicle subsystems either through or separate from the CAN. In one embodiment the ECU includes a non-encrypted serial data port that allows communication between the ECU and third-party subsystems interfacing with an OEM vehicle network, in particular an encrypted one.

METHOD AND APPARATUS FOR SECURITY COMMUNICATION
20230239279 · 2023-07-27

Methods and apparatuses for security communication. A method performed by a first communication device includes determining whether a length of an Internet protocol, IP, datagram is larger than a threshold. The method further includes, when the length of the IP datagram is larger than the threshold, fragmenting the IP datagram into two or more IP packets. The length of each of two or more IP packets is not larger than the threshold and each of the two or more IP packets is filled with fragmentation information. The method further includes processing the two or more IP packets to generate two or more corresponding IP security, IPsec, packets. The method further includes sending the two or more corresponding IPsec packets to a second communication device.
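
The ordering in this abstract matters: fragmenting before IPsec processing yields fragments that each carry their own fragmentation fields and are each protected independently, so the receiver can verify and decrypt them one at a time instead of having to reassemble ciphertext fragments first. The threshold has to leave room for the IPsec encapsulation, otherwise the protected packet exceeds the path MTU anyway. The block below is an added example written for this page, not the application's code; its ESP wrap is a deliberately simplified, integrity-only stand-in (no encryption, HMAC-SHA256-128, tunnel mode) so the length accounting can be checked offline, and the addresses, key and payload are constructed.

```python
"""Pre-fragmentation before IPsec: split an IPv4 datagram into fragments no
longer than a threshold, give each its own fragmentation fields, then protect
each fragment separately.

Added example; not the application's code. The ESP wrap is simplified (no
encryption, HMAC-SHA256-128 integrity only, tunnel mode) and not RFC 4303
compliant; keys, addresses and payload are constructed.
"""
import hashlib
import hmac
import struct

IPV4_HDR = struct.Struct("!BBHHHBBH4s4s")   # fixed 20-byte header, no options
DF, MF, OFFSET_MASK = 0x4000, 0x2000, 0x1FFF
# ESP header (8) + worst-case pad (3) + pad length/next header (2) + 128-bit ICV (16) + outer IPv4 header (20)
ESP_OVERHEAD = 8 + 3 + 2 + 16 + 20


def ipv4_checksum(hdr: bytes) -> int:
    s = sum(struct.unpack("!%dH" % (len(hdr) // 2), hdr))
    while s >> 16:
        s = (s & 0xFFFF) + (s >> 16)
    return ~s & 0xFFFF


def build_ipv4(payload: bytes, src: bytes, dst: bytes, ident: int, proto: int = 17, flags_frag: int = 0) -> bytes:
    hdr = IPV4_HDR.pack(0x45, 0, 20 + len(payload), ident, flags_frag, 64, proto, 0, src, dst)
    hdr = hdr[:10] + struct.pack("!H", ipv4_checksum(hdr)) + hdr[12:]
    return hdr + payload


def parse_ipv4(dgram: bytes) -> dict:
    f = IPV4_HDR.unpack_from(dgram)
    ihl = (f[0] & 0x0F) * 4
    return {"total_len": f[2], "ident": f[3], "flags_frag": f[4], "proto": f[6],
            "src": f[8], "dst": f[9], "payload": dgram[ihl:f[2]]}


def fragment(dgram: bytes, threshold: int) -> list:
    """Split so every fragment is <= threshold bytes; offsets are in 8-octet units and share the IP ID."""
    p = parse_ipv4(dgram)
    if p["total_len"] <= threshold:
        return [dgram]
    if p["flags_frag"] & DF:
        raise ValueError("DF set: must not fragment")
    if p["flags_frag"] & (MF | OFFSET_MASK):
        raise ValueError("already a fragment; refragmentation not handled here")
    chunk = ((threshold - 20) // 8) * 8
    if chunk <= 0:
        raise ValueError("threshold too small for a fragment")
    frags, payload = [], p["payload"]
    for off in range(0, len(payload), chunk):
        piece = payload[off:off + chunk]
        more = MF if off + len(piece) < len(payload) else 0
        frags.append(build_ipv4(piece, p["src"], p["dst"], p["ident"], p["proto"], more | (off // 8)))
    return frags


def reassemble(frags: list) -> bytes:
    """Receiver-side check: fragments must be contiguous and only the last may lack MF."""
    parts = sorted((parse_ipv4(f) for f in frags), key=lambda q: q["flags_frag"] & OFFSET_MASK)
    data = b""
    for i, q in enumerate(parts):
        if (q["flags_frag"] & OFFSET_MASK) * 8 != len(data):
            raise ValueError("gap or overlap between fragments")
        if bool(q["flags_frag"] & MF) != (i < len(parts) - 1):
            raise ValueError("MF flag inconsistent with position")
        data += q["payload"]
    return data


def esp_wrap(inner: bytes, spi: int, seq: int, key: bytes) -> bytes:
    """Simplified ESP tunnel-mode encapsulation: header, inner datagram, pad/trailer, truncated HMAC. No encryption."""
    pad_len = (-(len(inner) + 2)) % 4
    body = struct.pack("!II", spi, seq) + inner + bytes(pad_len) + bytes([pad_len, 4])  # next header 4 = IPv4
    return body + hmac.new(key, body, hashlib.sha256).digest()[:16]


def send_over_ipsec(dgram: bytes, mtu: int, spi: int, key: bytes, first_seq: int = 1) -> list:
    """Threshold is the MTU minus the IPsec overhead, so each protected packet plus its outer header still fits."""
    threshold = mtu - ESP_OVERHEAD
    return [esp_wrap(frag, spi, first_seq + i, key) for i, frag in enumerate(fragment(dgram, threshold))]


# Constructed sample: a 3072-byte UDP payload from 10.0.0.5 to 10.0.1.9 with IP ID 0x1234.
SAMPLE = build_ipv4(bytes(range(256)) * 12, bytes([10, 0, 0, 5]), bytes([10, 0, 1, 9]), 0x1234)
KEY = b"constructed-demo-key"

if __name__ == "__main__":
    pkts = send_over_ipsec(SAMPLE, 1500, 0x1000, KEY)
    print(len(pkts), "ESP packets; largest on the wire:", 20 + max(map(len, pkts)))
```

With a 1500-byte MTU the threshold comes out at 1451 bytes, so each fragment carries 1424 payload bytes (the largest multiple of 8 that fits) and the 3072-byte datagram becomes three fragments, each of which stays under the MTU after encapsulation. The DF check is the edge case worth keeping: a sender that sets DF is asking for an ICMP "fragmentation needed" report, not for silent pre-fragmentation.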

VPN deep packet inspection

Policy enforcement previously available only for web proxy access methods is extended to layer 3 packets flowing through VPN channels. With these extensions, a common security policy can be enforced across both VPN proxied access and VPN tunneled access. Tunnel-based VPN access thus receives security policy equivalent to proxy-based access without compromising the inherent performance, scalability and application-compatibility advantages that tunnel-based VPNs have over their proxy-based counterparts.

METHOD FOR INTERNET KEY EXCHANGE PROTOCOL AUTHENTICATION USING CERTIFICATE AND COMMUNICATION DEVICE
20230023846 · 2023-01-26

This application discloses a method for Internet key exchange protocol (IKE) authentication using a certificate. The method includes: A first device parses a certificate to obtain signature information in the certificate. The first device fills an AUTH payload field in an IKE identity authentication (AUTH) message based on the signature information in the certificate, where signature information indicated by the AUTH payload field matches the signature information in the certificate. The first device sends the IKE AUTH message to a second device. In the method for Internet key exchange protocol IKE authentication using a certificate provided in this application, the first device may automatically parse the signature information in the certificate, and fill the related field of the IKE AUTH message based on the signature information. Therefore, user configuration is simplified and product usability is improved.
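
What this amounts to in practice is reading Certificate.signatureAlgorithm out of the DER and using it to set the Auth Method field of the IKEv2 AUTH payload (RFC 7296 section 3.8), which otherwise has to be configured by hand and silently fails when it disagrees with the certificate. The block below is an added example, not the application's implementation: a minimal DER walker that reaches the signatureAlgorithm, a mapping from its OID to the Auth Method value (including method 14 from RFC 7427, which carries the AlgorithmIdentifier inside the payload), and the payload builder. The two certificates are constructed stubs, and the signature bytes are a placeholder; the real signature is computed over the IKE signed octets with the device's private key, which this example does not do.

```python
"""Choosing the IKEv2 AUTH payload's Auth Method from the certificate's
signatureAlgorithm, then filling the payload (RFC 7296 section 3.8; method 14
from RFC 7427).

Added example, not the application's implementation. The DER walker handles
only what is needed to reach Certificate.signatureAlgorithm; the certificates
and the signature bytes are constructed.
"""
import struct
from typing import Tuple

# OID of the certificate's signature algorithm -> IKEv2 Auth Method value
AUTH_METHOD = {
    "1.2.840.113549.1.1.5": 1,    # sha1WithRSAEncryption -> RSA Digital Signature (RSASSA-PKCS1-v1_5 with SHA-1)
    "1.2.840.10040.4.3": 3,       # dsa-with-sha1 -> DSS Digital Signature
    "1.2.840.10045.4.3.2": 9,     # ecdsa-with-SHA256 -> ECDSA SHA-256 on P-256 (curve assumed; confirm in SubjectPublicKeyInfo)
    "1.2.840.10045.4.3.3": 10,    # ecdsa-with-SHA384 -> ECDSA SHA-384 on P-384
    "1.2.840.10045.4.3.4": 11,    # ecdsa-with-SHA512 -> ECDSA SHA-512 on P-521
    "1.2.840.113549.1.1.11": 14,  # sha256WithRSAEncryption -> Digital Signature (RFC 7427, AlgorithmIdentifier in payload)
}


def der_read(buf: bytes, pos: int = 0) -> Tuple[int, bytes, int]:
    """Return (tag, value, position after this element). Definite lengths only."""
    tag, ln, pos = buf[pos], buf[pos + 1], pos + 2
    if ln & 0x80:
        n = ln & 0x7F
        ln, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + ln], pos + ln


def decode_oid(value: bytes) -> str:
    """Decode DER OBJECT IDENTIFIER contents to dotted form."""
    arcs, cur = [value[0] // 40, value[0] % 40], 0
    for b in value[1:]:
        cur = (cur << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs.append(cur)
            cur = 0
    return ".".join(map(str, arcs))


def cert_signature_algorithm(cert_der: bytes) -> Tuple[str, bytes]:
    """Return (dotted OID, raw DER of the AlgorithmIdentifier) from Certificate.signatureAlgorithm."""
    tag, cert, _ = der_read(cert_der)
    if tag != 0x30:
        raise ValueError("Certificate must be a SEQUENCE")
    _, _, pos = der_read(cert)                 # skip tbsCertificate
    start = pos
    tag, alg, pos = der_read(cert, pos)        # signatureAlgorithm ::= AlgorithmIdentifier
    if tag != 0x30:
        raise ValueError("AlgorithmIdentifier must be a SEQUENCE")
    oid_tag, oid_val, _ = der_read(alg)
    if oid_tag != 0x06:
        raise ValueError("AlgorithmIdentifier must start with an OID")
    return decode_oid(oid_val), cert[start:pos]


def build_auth_payload(cert_der: bytes, signature: bytes, next_payload: int = 0) -> bytes:
    """IKEv2 AUTH payload: Next Payload, C/RESERVED, Payload Length, Auth Method, RESERVED(3), Authentication Data."""
    oid, alg_der = cert_signature_algorithm(cert_der)
    method = AUTH_METHOD[oid]                 # KeyError: the certificate uses an algorithm this map does not cover
    auth_data = signature
    if method == 14:                          # RFC 7427: one length octet + AlgorithmIdentifier precede the signature
        auth_data = bytes([len(alg_der)]) + alg_der + signature
    return struct.pack("!BBHB3x", next_payload, 0, 8 + len(auth_data), method) + auth_data


def _cert(alg_der: bytes) -> bytes:
    """Constructed Certificate: stub tbsCertificate, the given AlgorithmIdentifier, and a 4-byte BIT STRING."""
    body = b"\x30\x03\x02\x01\x02" + alg_der + b"\x03\x05\x00\xaa\xbb\xcc\xdd"
    return b"\x30" + bytes([len(body)]) + body


ECDSA_P256_ALG = bytes.fromhex("300a06082a8648ce3d040302")          # ecdsa-with-SHA256, no parameters
RSA_SHA256_ALG = bytes.fromhex("300d06092a864886f70d01010b0500")    # sha256WithRSAEncryption, NULL parameters
ECDSA_CERT, RSA_SHA256_CERT = _cert(ECDSA_P256_ALG), _cert(RSA_SHA256_ALG)
FAKE_SIGNATURE = b"\x11" * 64   # stands in for the signature over the IKE signed octets

if __name__ == "__main__":
    for name, cert in (("ecdsa", ECDSA_CERT), ("rsa-sha256", RSA_SHA256_CERT)):
        payload = build_auth_payload(cert, FAKE_SIGNATURE)
        print(name, "-> auth method", payload[4], "payload length", len(payload))
```

The sha256WithRSAEncryption row is the one to notice: method 1 is defined for RSASSA-PKCS1-v1_5 with SHA-1 only, so an RSA certificate signed with SHA-256 has to be announced as method 14 with the AlgorithmIdentifier inside the Authentication Data, which is exactly the kind of mismatch that manual configuration gets wrong.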

System and method for improving content fetching by selecting tunnel devices
11711233 · 2023-07-25

A method for fetching content from a web server to a client device is disclosed, using tunnel devices that serve as intermediate devices. The tunnel device is selected based on an attribute, such as IP geolocation. A tunnel bank server stores a list of available tunnels, each associated with values of various attribute types. The tunnel devices initiate communication with the tunnel bank server and stay connected to it, so that the tunnel bank server can initiate a communication session. Upon receiving a request from a client for content with specific attribute types and values, a tunnel is selected by the tunnel bank server and used to retrieve the required content from the web server over a standard protocol such as SOCKS, WebSocket or HTTP proxy. The client communicates only with a super proxy server that manages the content-fetching scheme.

SUPPORTING REMOTE UNIT REAUTHENTICATION

Apparatuses, methods, and systems are disclosed for supporting remote unit reauthentication. One apparatus includes a network interface that receives a first authentication message for reauthenticating a remote unit and a processor that verifies a first domain name. The first domain name identifies a key management domain and an associated gateway function holding a reauthentication security context. Here, the first authentication message includes a network access identifier (NAI) containing a first username and the first domain name. The processor validates the first authentication message using at least the first username and, on successful validation, generates a second authentication message. Via the network interface, the processor responds to the first authentication message by sending the second authentication message.

Method and apparatus for providing an adaptable security level in an electronic communication
11563747 · 2023-01-24

A method of communicating in a secure communication system, comprises the steps of assembling a message at a sender, then determining a security level, and including an indication of the security level in a header of the message. The message is then sent to a recipient.