Enabling secure communication in a clustered or distributed architecture
Abstract
Techniques for enhancing security in networking environments, whereby a cryptographic node negotiates a set of security parameters (a “security association”) with an end node, on behalf of a routing node (an “edge router”), and then securely distributes the negotiated security parameters to the edge router and/or to other edge routers in the network. The disclosed negotiation techniques allow the end node to physically move during the negotiation, yet still establish the security association, and the secure distribution enables the end node to move seamlessly through the network yet continue communicating securely. The disclosed techniques may also be used advantageously in other environments, such as clustered server environments, and allow an end node to communicate with multiple routing or server nodes for a variety of reasons (for example, during a hot-swap to a different server during fail-over or as a result of load balancing).
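The flow the abstract describes, as an added, constructed Python model that is not code from the patent or its assignee: the end node negotiates a security association (SA) with the cryptographic node while its two negotiation messages are relayed by different edge routers (the node moves mid-negotiation), the cryptographic node authenticates the peer and then distributes the SA to every enrolled router over an integrity-protected control channel, and the end node's data packets are accepted at whichever enrolled router it roams to. The pre-shared key between end node and cryptographic node, the per-router control keys, the message names, the JSON SA record and the HMAC-SHA256-only packet format are all assumptions made for the example; a deployment would carry the data traffic in IPsec ESP.

```python
import hashlib
import hmac
import json
import os
import struct

# Constructed example, not the patent's code. Assumed out-of-band provisioning:
# a PSK between end node and cryptographic node, and a control key per router.
# The SA is integrity-only (HMAC-SHA256) so the example runs on the standard library.

PROPOSALS = ["hmac-sha256", "hmac-sha1"]    # end node's preference order
POLICY = ("hmac-sha256",)                   # what the cryptographic node accepts


def mac(key, data):
    return hmac.new(key, data, hashlib.sha256).digest()


def hkdf_sha256(ikm, salt, info, length=32):
    """HKDF (RFC 5869) extract-then-expand with SHA-256."""
    prk, okm, block, i = mac(salt, ikm), b"", b"", 1
    while len(okm) < length:
        block = mac(prk, block + info + bytes([i]))
        okm, i = okm + block, i + 1
    return okm[:length]


class EdgeRouter:
    def __init__(self, name):
        self.name, self.control_key, self.sas = name, os.urandom(32), {}   # spi -> key

    def relay(self, crypto_node, msg):
        """Any router forwards negotiation traffic; the end node may change routers."""
        return crypto_node.handle(msg)

    def install(self, blob, tag):
        """Accept a distributed SA only if it carries our control-channel MAC."""
        if not hmac.compare_digest(mac(self.control_key, blob), tag):
            return False
        sa = json.loads(blob)
        self.sas[sa["spi"]] = bytes.fromhex(sa["key"])
        return True

    def inspect(self, packet):
        """Return the payload if the packet authenticates under an installed SA."""
        spi = struct.unpack("!I", packet[:4])[0] if len(packet) >= 40 else None
        if spi not in self.sas:
            return None                         # too short, or SA never distributed here
        body, tag = packet[:-32], packet[-32:]  # body = SPI(4) | seq(4) | payload
        return body[8:] if hmac.compare_digest(mac(self.sas[spi], body), tag) else None


class CryptoNode:
    def __init__(self, psk):
        self.psk, self.routers, self.pending = psk, [], {}

    def handle(self, msg):
        if msg["type"] == "SA_INIT":
            alg = next((a for a in msg["proposal"] if a in POLICY), None)
            if alg is None:
                return {"type": "NO_PROPOSAL_CHOSEN"}
            nonce_r = os.urandom(16)
            transcript = msg["nonce"] + nonce_r + alg.encode()
            key = hkdf_sha256(self.psk, msg["nonce"] + nonce_r, struct.pack("!I", msg["spi"]))
            self.pending[msg["spi"]] = (alg, key, transcript)
            return {"type": "SA_RESP", "alg": alg, "nonce": nonce_r,
                    "auth": mac(self.psk, b"responder" + transcript)}
        if msg["type"] == "SA_AUTH" and msg["spi"] in self.pending:
            alg, key, transcript = self.pending.pop(msg["spi"])
            if not hmac.compare_digest(mac(self.psk, b"initiator" + transcript), msg["auth"]):
                return {"type": "AUTH_FAILED"}
            blob = json.dumps({"spi": msg["spi"], "alg": alg, "key": key.hex()}).encode()
            for r in self.routers:              # secure distribution to enrolled routers
                r.install(blob, mac(r.control_key, blob))
            return {"type": "SA_ESTABLISHED"}
        return {"type": "INVALID"}


class EndNode:
    def __init__(self, psk):
        self.psk, self.sa, self.seq = psk, None, 0

    def negotiate(self, crypto_node, first_router, second_router):
        spi, nonce_i = struct.unpack("!I", os.urandom(4))[0], os.urandom(16)
        resp = first_router.relay(crypto_node, {"type": "SA_INIT", "spi": spi,
                                                "proposal": PROPOSALS, "nonce": nonce_i})
        if resp["type"] != "SA_RESP":
            return False
        transcript = nonce_i + resp["nonce"] + resp["alg"].encode()
        if not hmac.compare_digest(mac(self.psk, b"responder" + transcript), resp["auth"]):
            return False                        # peer does not hold the PSK
        # The end node has moved: its last message is relayed by a different router.
        done = second_router.relay(crypto_node, {"type": "SA_AUTH", "spi": spi,
                                                 "auth": mac(self.psk, b"initiator" + transcript)})
        if done["type"] != "SA_ESTABLISHED":
            return False
        self.sa = (spi, hkdf_sha256(self.psk, nonce_i + resp["nonce"], struct.pack("!I", spi)))
        return True

    def send(self, payload):
        self.seq += 1
        body = struct.pack("!II", self.sa[0], self.seq) + payload
        return body + mac(self.sa[1], body)


def demo():
    """Constructed scenario: negotiate via edge-a then edge-b, then roam and forge."""
    psk = os.urandom(32)
    crypto, node = CryptoNode(psk), EndNode(psk)
    edge_a, edge_b, edge_c = EdgeRouter("edge-a"), EdgeRouter("edge-b"), EdgeRouter("edge-c")
    crypto.routers += [edge_a, edge_b]          # edge-c is never enrolled
    if not node.negotiate(crypto, edge_a, edge_b):
        raise RuntimeError("negotiation failed")
    pkt = node.send(b"hello")
    forged = pkt[:8] + b"jello" + pkt[13:]      # payload altered, MAC left unchanged
    return {"via_a": edge_a.inspect(pkt), "via_b": edge_b.inspect(pkt),
            "via_c": edge_c.inspect(pkt), "forged": edge_a.inspect(forged)}
```

Running `demo()` shows the same packet accepted at edge-a and edge-b (both hold the distributed SA), rejected at the never-enrolled edge-c, and rejected once its payload is altered. One design point the model makes visible: the SA record that moves between routers carries the key and algorithm but no per-peer sequence-number window, so anti-replay state is local to each router and a deployment that distributes SAs this way has to decide separately how replay protection survives a move.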
68 Claims
1. A method of enhancing security in a computing network, the computing network comprising a plurality of routing nodes, a cryptographic node, and an end node, the method comprising steps of:
negotiating a set of security parameters between the end node and the cryptographic node; and
securely distributing the set of security parameters to one or more of the routing nodes.
Dependent claims: 2-15, 17-56, 58, 59, 61.
16. The method according to claim 16, wherein the network-layer tunnel is established using Internet Protocol Security (“IPsec”).
57. A method for enhancing security in a computing network, the computing network comprising a plurality of routing nodes, a plurality of encryption nodes, a cryptographic node, and an end node, wherein:
at least one of the routing nodes has a packet filter;
the method comprising steps of:
negotiating a set of security parameters between the end node and the cryptographic node;
securely distributing the set of security parameters to one or more of the encryption nodes;
routing, to an encryption node, selected traffic received from the end node at the at least one routing node in accordance with the packet filter; and
performing cryptographic operations on the selected traffic at the encryption node before transmitting the selected traffic to its final destination.
60. A system for enhancing security in a computing network, the computing network comprising a plurality of routing nodes, a cryptographic node, and an end node, the system comprising:
means for negotiating a set of security parameters between the end node and the cryptographic node; and
means for securely distributing the set of security parameters to one or more of the routing nodes.
62. A system for enhancing security in a computing network, the computing network comprising a plurality of routing nodes, a plurality of encryption nodes, a cryptographic node, and an end node, wherein:
at least one of the routing nodes has a packet filter;
the system comprising:
means for negotiating a set of security parameters between the end node and the cryptographic node;
means for securely distributing the set of security parameters to one or more of the encryption nodes;
means for routing, to an encryption node, selected traffic received from the end node at the at least one routing node in accordance with the packet filter; and
means for performing cryptographic operations on the selected traffic at the encryption node before transmitting the selected traffic to its final destination.
Dependent claims: 64, 66.
63. A computer program product for enhancing security in a computing network, the computing network comprising a plurality of routing nodes, a cryptographic node, and an end node, the computer program product embodied on one or more computer-readable media and comprising:
computer-readable program code means for negotiating a set of security parameters between the end node and the cryptographic node; and
computer-readable program code means for securely distributing the set of security parameters to one or more of the routing nodes.
65. A method of enhancing security in a clustered server computing environment, the computing environment comprising a cluster of server nodes, a cryptographic node, and at least one end node, the method comprising steps of:
negotiating a set of security parameters between the at least one end node and the cryptographic node; and
securely distributing the set of security parameters to one or more of the server nodes.
Dependent claims: 67, 68.
Specification