Enforcing security groups in network of data processors
Abstract
A technique for securing message traffic in a data network using various methods for distributing security policies and keys, where policy definition is determined in a Management and Policy (MAP) functional layer that is responsible for policy distribution; a separate Key Authority Point (KAP) that is responsible for key generation, key distribution, and policy distribution; and a separate Policy Enforcement Point (PEP) which is responsible for enforcing the policies and applying the keys.
27 Claims
1. A method for securing message traffic in a data network using a security protocol, comprising the steps of:
at a Management and Policy Server (MAP) within a network, determining a security policy definition to be applied to traffic in the network, the policy definition including at least a definition of traffic to be secured and parameters to be applied to the secured traffic;
at a Key Authority Point (KAP) within the network, receiving at least one security policy definition from the MAP;
generating one or more keys to be used in securing the traffic according to the policy definition; and
distributing the security policy definition and the keys to two or more peer Policy Enforcement Points (PEPs); and
at a PEP within the network, receiving the security policy definition and the keys from the KAP;
receiving a network traffic packet;
determining if the network traffic packet falls within the definition of traffic to be secured; and
applying security processing to the network traffic packet according to the keys and the parameters of the security policy definition.
Dependent claims: 2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13.
14. A system for securing message traffic in a data network using a security protocol, comprising:
a Management and Policy Server (MAP) within a network, the MAP comprising:
a security policy definition to be applied to traffic in the network, the policy definition including at least a definition of traffic to be secured and parameters to be applied to the secured traffic;
a Key Authority Point (KAP) within the network, the KAP comprising:
means for receiving at least one security policy definition from the MAP;
means for generating one or more keys to be used in securing the traffic according to the policy definition; and
means for distributing the security policy definition and the keys to two or more peer Policy Enforcement Points (PEPs); and
a PEP within the network, the PEP comprising:
means for receiving the security policy definition and the keys from the KAP;
means for receiving a network traffic packet;
means for determining if the network traffic packet falls within the definition of traffic to be secured; and
means for applying security processing to the network traffic packet according to the keys and the parameters of the security policy definition.
Dependent claims: 15, 16, 17, 18, 19, 20, 21, 22, 23, 24, 25, 26.
27. A computer readable medium having computer readable program codes embodied therein for securing message traffic in a data network using a security protocol, the computer readable medium program codes performing functions comprising:
a routine for determining, at a Management and Policy Server (MAP) within a network, a security policy definition to be applied to traffic in the network, the policy definition including at least a definition of traffic to be secured and parameters to be applied to the secured traffic;
a routine for receiving, at a Key Authority Point (KAP) within the network, at least one security policy definition from the MAP;
a routine for generating, at the KAP, one or more keys to be used in securing the traffic according to the policy definition;
a routine for distributing the security policy definition and the keys from the KAP to two or more peer Policy Enforcement Points (PEPs);
a routine for receiving, at a PEP within the network, the security policy definition and the keys from the KAP;
a routine for receiving, at the PEP, a network traffic packet;
a routine for determining if the network traffic packet falls within the definition of traffic to be secured; and
a routine for applying security processing to the network traffic packet according to the keys and the parameters of the security policy definition.
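The three independent claims describe one procedure: the MAP produces a policy definition (a traffic selector plus parameters), the KAP receives it, generates keys and pushes policy and keys to two or more peer PEPs, and each PEP classifies packets against the selector and applies security processing with the distributed keys. The following is an added example, not code from the patent or its assignee, simulating that chain in Python. The class and field names, the wire format (policy id, sequence number, ciphertext, 16-byte tag), the stand-in keystream cipher and the strict anti-replay check are all assumptions made for illustration; a real PEP would use an IPsec-style transform such as AES-GCM. The security-relevant point it makes is that every PEP holding the policy receives the same group key from the KAP, so a packet protected by one PEP is accepted by any peer PEP, while unmatched traffic, unknown policies, bad tags and replays are rejected.

```python
# Added example (not the patent's own code): simulated MAP -> KAP -> PEP chain.
# All names, the wire format and the toy transform are assumptions.
import hashlib
import hmac
import ipaddress
import secrets
import struct
from dataclasses import dataclass


@dataclass(frozen=True)
class PolicyDefinition:
    """What the MAP produces: a traffic selector plus parameters for it."""
    policy_id: int                   # carried in the protected-packet header
    src: ipaddress.IPv4Network       # selector: permitted source range
    dst: ipaddress.IPv4Network       # selector: permitted destination range
    protocol: int                    # 0 = any, 6 = TCP, 17 = UDP
    dst_port: int                    # 0 = any
    action: str                      # "protect" or "drop"
    transform: str                   # parameter applied to protected traffic (label only here)


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    protocol: int
    dst_port: int
    payload: bytes


class ManagementAndPolicyServer:
    """MAP: determines policy and hands it to the KAP; never sees keys."""
    def define(self, policy_id, src, dst, protocol, dst_port, action, transform):
        return PolicyDefinition(policy_id, ipaddress.ip_network(src),
                                ipaddress.ip_network(dst), protocol, dst_port,
                                action, transform)


class KeyAuthorityPoint:
    """KAP: receives policies from the MAP, generates keys, pushes both to PEPs."""
    def __init__(self):
        self.policies = {}   # policy_id -> PolicyDefinition
        self.keys = {}       # policy_id -> (enc_key, auth_key); one group key pair per policy

    def receive_policy(self, pol):
        self.policies[pol.policy_id] = pol
        if pol.action == "protect":
            self.keys[pol.policy_id] = (secrets.token_bytes(32), secrets.token_bytes(32))

    def distribute(self, peps):
        # Every peer PEP gets the same policy and the same keys (group keying).
        for pol in self.policies.values():
            for pep in peps:
                pep.receive(pol, self.keys.get(pol.policy_id))


def _keystream_xor(key, header, data):
    """Toy stream cipher standing in for a real transform (e.g. AES-GCM):
    block i of the keystream is SHA-256(key || header || i). Illustrative only."""
    out = bytearray()
    for i in range(0, len(data), 32):
        block = hashlib.sha256(key + header + struct.pack("!I", i // 32)).digest()
        out += bytes(a ^ b for a, b in zip(data[i:i + 32], block))
    return bytes(out)


class PolicyEnforcementPoint:
    """PEP: classifies packets against the selector and applies the keys."""
    def __init__(self, name):
        self.name, self.policies, self.keys = name, {}, {}
        self.tx_seq, self.rx_seq = {}, {}   # per policy: last sent / highest accepted

    def receive(self, pol, keys):
        self.policies[pol.policy_id] = pol
        if keys is not None:
            self.keys[pol.policy_id] = keys

    def classify(self, pkt):
        """First matching selector wins; None means no policy covers the packet."""
        for pol in self.policies.values():
            if (ipaddress.ip_address(pkt.src) in pol.src
                    and ipaddress.ip_address(pkt.dst) in pol.dst
                    and pol.protocol in (0, pkt.protocol)
                    and pol.dst_port in (0, pkt.dst_port)):
                return pol
        return None

    def outbound(self, pkt):
        pol = self.classify(pkt)
        if pol is None or pol.action != "protect":
            return None                      # default deny: unmatched or "drop" traffic
        enc_key, auth_key = self.keys[pol.policy_id]
        seq = self.tx_seq.get(pol.policy_id, 0) + 1
        self.tx_seq[pol.policy_id] = seq
        header = struct.pack("!II", pol.policy_id, seq)
        body = _keystream_xor(enc_key, header, pkt.payload)
        tag = hmac.new(auth_key, header + body, hashlib.sha256).digest()[:16]
        return header + body + tag           # encrypt-then-MAC

    def inbound(self, wire):
        if len(wire) < 24:
            return None                      # too short to hold header + tag
        header, body, tag = wire[:8], wire[8:-16], wire[-16:]
        policy_id, seq = struct.unpack("!II", header)
        if policy_id not in self.keys:
            return None                      # unknown policy: no key to verify with
        enc_key, auth_key = self.keys[policy_id]
        expected = hmac.new(auth_key, header + body, hashlib.sha256).digest()[:16]
        if not hmac.compare_digest(tag, expected):
            return None                      # forged or corrupted
        if seq <= self.rx_seq.get(policy_id, 0):
            return None                      # replay (strict ordering; no window)
        self.rx_seq[policy_id] = seq
        return _keystream_xor(enc_key, header, body)


def demo():
    """Run the chain end to end and return the outcomes for inspection."""
    mapsrv, kap = ManagementAndPolicyServer(), KeyAuthorityPoint()
    pep_a, pep_b = PolicyEnforcementPoint("pep-a"), PolicyEnforcementPoint("pep-b")
    kap.receive_policy(mapsrv.define(1, "10.1.0.0/16", "10.2.0.0/16", 6, 443,
                                     "protect", "HMAC-SHA256-ETM"))
    kap.distribute([pep_a, pep_b])
    pkt = Packet("10.1.0.5", "10.2.0.9", 6, 443, b"GET / HTTP/1.1")   # constructed sample
    wire = pep_a.outbound(pkt)
    tampered = wire[:8] + bytes([wire[8] ^ 1]) + wire[9:]
    return {"protected": wire is not None and wire != pkt.payload,
            "peer_decrypts": pep_b.inbound(wire) == pkt.payload,
            "replay_rejected": pep_b.inbound(wire) is None,
            "tamper_rejected": pep_b.inbound(tampered) is None,
            "unmatched_dropped": pep_a.outbound(
                Packet("10.1.0.5", "10.2.0.9", 17, 53, b"x")) is None}


if __name__ == "__main__":
    print(demo())
```

Two design points worth noting against the claims: the MAP holds policy but never keys, so a compromised policy server cannot decrypt traffic on its own; and because the KAP hands identical keys to every peer PEP, revoking one PEP requires the KAP to rekey the whole group, which is the operational cost of this group-keyed model.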