Dynamic Network Identity and Policy management

US 20070150934A1
Filed: 06/22/2006
Published: 06/28/2007
Est. Priority Date: 12/22/2005
Status: Abandoned Application

First Claim

Patent Images

1. Apparatus operable to manage network policies based at least in-part on identity comprising:

an authentication session manager operable to monitor for state change events in user state and related network state, and obtain and validate user credentials; and

a policy manager operable in response to a state change event detected by the authentication session manager to select a policy based in-part on the user identity and related network information and security context obtained by the identity manager, and to prompt application of the selected policy, the policy being indicative of authorization entitlements and restrictions to utilization of certain network resources,whereby the policy is dynamically selected and enforced.

View all claims

1 Assignment

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

Network policies are managed based at least in-part on user/entity identity information with: a state monitor operable to monitor for state change events in user/entity state and related, network state or in traffic pattern and traffic flow state; an identity manager operable to obtain and validate user credentials; and a policy manager operable in response to a state change event detected by the state monitor (either the identity manager or a defense center) to select a policy based in-part on the user identity obtained by the identity manager or security context obtained by the defense center, and to prompt application of the selected policy. The policies are indicative of user/device authorization entitlements and restrictions to utilization of certain network resources, network services or applications. Dynamic policy selection and targeted responses can be used, for example, against a user who gains network access with stolen user ID and password, and subsequently attempts malicious behavior. In particular, the malicious behavior is detected and identified, and the malicious user can then be restricted from abusing network resources without adversely affecting other users, groups, network devices, and other network services.

Citations

14 Claims

1. Apparatus operable to manage network policies based at least in-part on identity comprising:
- an authentication session manager operable to monitor for state change events in user state and related network state, and obtain and validate user credentials; and
  
  a policy manager operable in response to a state change event detected by the authentication session manager to select a policy based in-part on the user identity and related network information and security context obtained by the identity manager, and to prompt application of the selected policy, the policy being indicative of authorization entitlements and restrictions to utilization of certain network resources,whereby the policy is dynamically selected and enforced.
- View Dependent Claims (2, 3, 4, 5, 6, 7)
- - 2. The apparatus of claim 1 wherein the policy manager is further operative to select the corresponding policy and to distribute it to at least one policy enforcement point in the network.
  - 3. The apparatus of claim 1 wherein the defense center is operable in response to detection of a state change event to notify the policy manager, and in response the policy manager (i.e., policy decision function) queries the identity manager for user identity information and security context associated with the event.
  - 4. The apparatus of claim 1 wherein the state change event is indicative of a threat.
  - 5. The apparatus of claim 4 wherein the selected policy is a threat response.
  - 6. The apparatus of claim 1 wherein the state change event is indicative of a change in network resource availability.
  - 7. The apparatus of claim 1 wherein the state change event is indicative of a change in network resource need.

8. A method for managing network policies based at least in-part on identity context, comprising the steps of:
- monitoring for state change events in user state and related network state with an identity manager'"'"'s authentication session manager;
  
  obtaining and validating user credentials with the authentication session manager;
  
  in response to a state change event detected by the identity manager, notifying, a policy manager, and prompting application of the corresponding policy, the policy being indicative of authorization entitlement and restrictions to utilization of certain network resources or network services,whereby the policy is dynamically selected and targeted for the network resource/network service/application.
- View Dependent Claims (9, 10, 11, 12, 13)
- - 9. The method of claim 8 including the further step of distributing the selected policy to at least one policy enforcement point in the network.
  - 10. The method of claim 9 wherein the state change event is indicative of a threat.
  - 11. The method of claim 9 wherein the selected policy is a threat response.
  - 12. The method of claim 8 wherein the state change event is indicative of a change in network resource availability.
  - 13. The method of claim 8 wherein the state change event is indicative of a change in network resource need.

14. A method for managing network policies based at least in-part on state change context, comprising the steps of:
- monitoring for state change events traffic patterns and flows and related network state with either a defense center and threat protection systems/sensors or an environment state change monitor;
  
  notifying with state context to a policy manager, and prompting application of the corresponding policy, the policy being indicative of authorization entitlement and restrictions to utilization of certain network resources or network services,whereby the policy is dynamically selected and targeted for the network resource/network service/application.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Nortel Networks Limited (Nortel Networks Corporation)
Original Assignee
Nortel Networks Limited (Nortel Networks Corporation)
Inventors
Koehler, Edwin, Price, David, Fiszman, Sergio

Application Number

US11/425,806
Publication Number

US 20070150934A1
Time in Patent Office

Days
Field of Search
US Class Current

726/1
CPC Class Codes

H04L 63/0815   providing single-sign-on or...

H04L 63/102   Entity profiles

H04L 63/1425   Traffic logging, e.g. anoma...

H04L 63/1441   Countermeasures against mal...

H04L 63/20   for managing network securi...

Dynamic Network Identity and Policy management

First Claim

1 Assignment

0 Petitions

Accused Products

Abstract

Citations

14 Claims

Specification

Solutions

Use Cases

Quick Links

Dynamic Network Identity and Policy management

First Claim

1 Assignment

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

Citations

14 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links