Securing network traffic by distributing policies in a hierarchy over secure tunnels

US 20080016550A1
Filed: 05/25/2007
Published: 01/17/2008
Est. Priority Date: 06/14/2006
Status: Active Grant

First Claim

Patent Images

1. A system for securing Internet Protocol (IP) traffic, the system comprising:

a first location, the first location including;

a communication network;

a first group of end nodes interfacing the communication network, at least some end nodes of the first group defined as a security group;

a first security module interfacing the first communication network and configured to apply a security policy to a network connection, the security policy including at least the definition of the security group;

a first distribution point interfacing the first communication network and configured to store the security policy and to forward the security policy to a first managing module;

the first managing module interfacing the first communication network and configured to a) receive the security policy from the distribution point and to record an association between the security policy and an identifier for the for the first distribution point; and

b) perform a policy linkage when the definition of the security group is updated.

View all claims

6 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

A technique for securing message traffic in a data network using a protocol such as IPsec, and more particularly various methods for distributing security policies among peer entities in a network while minimizing the passing and storage of detailed policy or key information except at the lowest levels of a hierarchy.

98 Citations

View as Search Results

20 Claims

1. A system for securing Internet Protocol (IP) traffic, the system comprising:
- a first location, the first location including;
  
  a communication network;
  
  a first group of end nodes interfacing the communication network, at least some end nodes of the first group defined as a security group;
  
  a first security module interfacing the first communication network and configured to apply a security policy to a network connection, the security policy including at least the definition of the security group;
  
  a first distribution point interfacing the first communication network and configured to store the security policy and to forward the security policy to a first managing module;
  
  the first managing module interfacing the first communication network and configured to a) receive the security policy from the distribution point and to record an association between the security policy and an identifier for the for the first distribution point; and
  
  b) perform a policy linkage when the definition of the security group is updated.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10, 11)
- - 2. The system of claim 1, wherein the communication network includes an Ethernet, an asynchronous transfer mode (ATM), one or more inter-networking or a wireless communication network.
  - 3. The system of claim 1, wherein the first group of end nodes include any of a personal computer, a workstation, a personal digital assistant, a digital mobile telephone, a wireless network, a server, a video set top boxes and a data processor.
  - 4. The system of claim 1, wherein the first security module is a Policy Enforcement Point.
  - 5. The system of claim 1, wherein the first distribution point is further configured to forward an updated version of the security policy to the first managing module according to a schedule.
  - 6. The system of claim 1, wherein the first managing module is further configured to send first information to a central managing module, wherein:
    - the first information indicates that the first managing module has stored the definition of the security group associated with the first distribution point; and
      
      the central managing module is further configured to generate a security group database entry based on the first information.
  - 7. The system of claim 6, wherein the security group database entry indicates that:
    - a) the security policy is located at the first managing module; and
      
      b) the security policy can be controlled by the first distribution point.
  - 8. The system of claim 6, wherein the first managing module and the central managing module are in a hierarchy, the hierarchy comprising at least a second managing module, wherein:
    - the second managing module is located in a second location and configured to send a message to the central managing module that indicates the second managing module has additional information associated with the definition of the security group.
  - 9. The system of claim 8, wherein the central managing module is further configured to send a message to the first managing module that the second managing module has the additional information.
  - 10. The system of claim 9 further comprising a secure association formed between the first distribution point and the second distribution point for exchanging keys for encryption and decryption of a data packet.
  - 11. The system of claim 10, wherein the first distribution point is further configured to distribute the exchanged keys to additional one or more security modules in the first location.

12. A method for securing message traffic in a data network by distributing security policies comprising the steps of:
- at a first distributing point located at a first location, determining a security policy to be applied to a network connection, the security policy including at least a definition of a security group and a network device that is assigned to the security group;
  
  forwarding the security policy from the first distribution point to a first controlling module, at a first managing module, receiving the security policy from the first distribution point;
  
  recording a first association between the first security policy and an identifier for the first distribution point;
  
  sending a message to a central managing module indicating that the first managing module has stored the definition of the security group associated with the first distribution point, and at the central managing module, receiving the first message; and
  
  generating a security group database entry based on the first message.
- View Dependent Claims (13, 14, 15, 16, 17, 18, 19)
- - 13. The method of claim 12 further comprising the step of:
    - at the central managing module, receiving additional messages associated with definitions of additional security groups from two or more additional managing modules; and
      
      generating additional security group databases entry based on the additional information.
  - 14. The method of claim 13 further comprising:
    - at a second managing module in a second location that includes a second distribution point, recording a second association between the security policy and an identifier for a second distribution point.
  - 15. The method of claim 14 further comprising:
    - at the central managing module, receiving a message from the second managing module indicating that the second managing module has additional information associated with the definition of the security group; and
      
      updating the first security group database.
  - 16. The method of claim 14 further comprising:
    - at the central managing module;
      
      sending a message to the first managing module indicating that the second managing module has the additional information.
  - 17. The method of claim 16, wherein the message sent to the first managing module identifies the second distribution point, the method further comprising:
    - at the first managing module, sending a message to the first distribution point to add the second distributing point to the security group.
  - 18. The method of claim 17 further comprising a step of exchanging keys between the first and second distribution points via one or more secure tunnels.
  - 19. The method of claim 18 further comprising:
    - at the first location that includes one or more additional security components, distributing the exchanged keys to one or more security components in the first location.

20. A computer readable medium having computer readable program codes embodied therein for securing message traffic in a data network by distributing security policies, the computer readable medium program codes performing functions comprising:
- a routine for determining a security policy to be applied to a network connection at a first distributing point located at a first location, the security policy including at least a definition of a security group and a network device that is assigned to the security group;
  
  a routine for forwarding the security policy from the first distribution point to a first controlling module;
  
  a routine for receiving at a first managing module the security policy from the first distribution point;
  
  a routine for recording at the first managing module a first association between the first security policy and an identifier for the first distribution point;
  
  a routine for sending a message from the first managing module to a central managing module indicating that the first managing module has stored the definition of the security group associated with the first distribution point;
  
  a routine for receiving the first message at the central managing module; and
  
  a routine for generating a security group database entry based on the first message at the central managing module.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Certes Networks, Inc.
Original Assignee
Certes Networks, Inc.
Inventors
McAlister, Donald

Granted Patent

US 7,774,837 B2
Time in Patent Office

Days
Field of Search
US Class Current

726/1
CPC Class Codes

H04L 63/105   Multiple levels of security

H04L 63/164   at the network layer

H04L 63/20   for managing network securi...

Securing network traffic by distributing policies in a hierarchy over secure tunnels

First Claim

6 Assignments

0 Petitions

Accused Products

Abstract

98 Citations

20 Claims

Specification

Solutions

Use Cases

Quick Links

Securing network traffic by distributing policies in a hierarchy over secure tunnels

First Claim

6 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

98 Citations

20 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links