Method and apparatus for implementing security policies in a network
Abstract
A secured network is disclosed configured to carry data, comprising a plurality of network bubbles and a plurality of network control points, wherein each network bubble comprises one or more bubble partitions and each bubble partition comprises at least one networked device configured to transmit and receive data, and all of the network devices corresponding to at least one of the plurality of network bubbles have a common network security policy. At least one network control point, such as a router, is provided with a marker module arranged to mark outgoing packets with a label corresponding to the network bubble from which the packets originate that can be used to enforce the network security policy of the at least one network bubble.
Claims
The patent lists 35 claims and 146 citations. Independent claims:
1. A secured network configured to carry data, comprising a plurality of network bubbles and a plurality of network control points, wherein each network bubble comprises one or more bubble partitions and each bubble partition comprises at least one networked device configured to transmit and receive data, and all of the network devices corresponding to at least one of the plurality of network bubbles have a common network security policy, wherein at least one network control point is provided with a marker module arranged to mark outgoing packets with a label corresponding to the network bubble from which the packets originate that can be used to enforce the network security policy of the at least one network bubble.
12. A method of operating a plurality of network control points to secure a network having a plurality of bubbles where each bubble has a plurality of bubble partitions and a plurality of network control points configured to connect the plurality of bubble partitions, the method comprising:
marking outgoing packets with a label corresponding to the network bubble from which the packets originate; and
applying a security policy for incoming packets based on the value of the label in the incoming packets.
(Dependent claims 13 through 20 depend on claim 12.)
21. A network configured to carry data, comprising a plurality of network bubbles and a plurality of network control points coupled to one another via a backbone that is trusted not to permit modification of the packets in transit, wherein each network bubble comprises one or more bubble partitions and each bubble partition comprises at least one networked device configured to transmit and receive data, and all of the network devices corresponding to at least one of the plurality of network bubbles have a common network security policy, wherein each bubble has a corresponding label value and at least one network control point is provided with a marker module arranged to mark outgoing packets with a label corresponding to the network bubble from which the packets originate that can be used to enforce the network security policy of the at least one network bubble and wherein at least another of the network control point devices is arranged to apply the network security policy of the at least one network bubble to incoming packets based on the value of the label within incoming packets.
28. A network control point device for use in a secured network configured to carry data, the network comprising a plurality of network bubbles and a plurality of network control points, the network control point device comprising a marker module arranged to mark outgoing packets with a label corresponding to the network bubble from which the packets originate that can be used to enforce the network security policy of the network bubbles and a marking table linking a label to each bubble.
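The marking and enforcement scheme of claims 12, 21 and 28, as an added Python example that is not code from the patent (bubble names, label values, the marking table and the ingress policy are all constructed): the egress control point consults its marking table and overwrites any label the host itself supplied, and the ingress control point decides purely on the label value, denying unlabeled or unknown labels by default. The example assumes, as claim 21 does, that the backbone between control points does not alter labels in transit.

```python
from dataclasses import dataclass
from typing import Dict, Optional, Set

# Constructed marking table: one label value per bubble (assumed values).
MARKING_TABLE: Dict[str, int] = {"engineering": 10, "finance": 20, "guest": 30}

# Constructed per-bubble ingress policy: source label -> destination ports
# the bubble accepts from that label ("*" meaning any port).
INGRESS_POLICY: Dict[str, Dict[int, Set]] = {
    "engineering": {10: {"*"}, 20: {443}},
    "finance": {20: {"*"}},
    "guest": {30: {"*"}},
}


@dataclass
class Packet:
    src_bubble: str
    dst_bubble: str
    dst_port: int
    label: Optional[int] = None  # written by the marker module, not the host


class NetworkControlPoint:
    """Hypothetical control point guarding one bubble's partition."""

    def __init__(self, bubble: str, marking_table, ingress_policy):
        self.bubble = bubble
        self.marking_table = marking_table
        self.policy = ingress_policy[bubble]

    def mark_outgoing(self, pkt: Packet) -> Packet:
        # Always overwrite whatever label the host supplied, so a device
        # cannot claim membership of a bubble other than its own.
        pkt.label = self.marking_table[self.bubble]
        return pkt

    def admit_incoming(self, pkt: Packet) -> bool:
        # Policy is keyed on the label only; missing or unknown labels fail closed.
        ports = self.policy.get(pkt.label)
        if ports is None:
            return False
        return "*" in ports or pkt.dst_port in ports


def deliver(pkt: Packet, ncps: Dict[str, NetworkControlPoint]) -> bool:
    """Egress control point marks, trusted backbone carries, ingress decides."""
    marked = ncps[pkt.src_bubble].mark_outgoing(pkt)
    return ncps[pkt.dst_bubble].admit_incoming(marked)


NCPS = {b: NetworkControlPoint(b, MARKING_TABLE, INGRESS_POLICY) for b in MARKING_TABLE}
```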
Specification