Securing Network Traffic by Distributing Policies in a Hierarchy Over Secure Tunnels
First Claim
1. A system for securing Internet Protocol (IP) traffic, the system comprising:
- a first location, the first location including:
  - a communication network;
  - a first group of end nodes interfacing the communication network, at least some end nodes of the first group defined as a security group;
  - a first security module interfacing the first communication network and configured to apply a security policy to a network connection, the security policy including at least the definition of the security group;
  - a first distribution point interfacing the first communication network and configured to store the security policy and to forward the security policy to a first managing module;
  - the first managing module interfacing the first communication network and configured to a) receive the security policy from the distribution point and to record an association between the security policy and an identifier for the first distribution point; and b) perform a policy linkage when the definition of the security group is updated.
Abstract
A technique for securing message traffic in a data network using a protocol such as IPsec, and more particularly various methods for distributing security policies among peer entities in a network while minimizing the passing and storage of detailed policy or key information except at the lowest levels of a hierarchy.
20 Claims
1. Independent claim 1 is reproduced in full above under First Claim. Dependent claims: 2, 3, 4, 5, 6, 7, 8, 9, 10, 11.
12. A method for securing message traffic in a data network by distributing security policies, comprising the steps of:
- at a first distributing point located at a first location, determining a security policy to be applied to a network connection, the security policy including at least a definition of a security group and a network device that is assigned to the security group;
- forwarding the security policy from the first distribution point to a first controlling module;
- at a first managing module, receiving the security policy from the first distribution point;
- recording a first association between the first security policy and an identifier for the first distribution point;
- sending a message to a central managing module indicating that the first managing module has stored the definition of the security group associated with the first distribution point; and
- at the central managing module, receiving the first message and generating a security group database entry based on the first message.

Dependent claims: 13, 14, 15, 16, 17, 18, 19.
20. A computer readable medium having computer readable program codes embodied therein for securing message traffic in a data network by distributing security policies, the computer readable medium program codes performing functions comprising:
- a routine for determining a security policy to be applied to a network connection at a first distributing point located at a first location, the security policy including at least a definition of a security group and a network device that is assigned to the security group;
- a routine for forwarding the security policy from the first distribution point to a first controlling module;
- a routine for receiving at a first managing module the security policy from the first distribution point;
- a routine for recording at the first managing module a first association between the first security policy and an identifier for the first distribution point;
- a routine for sending a message from the first managing module to a central managing module indicating that the first managing module has stored the definition of the security group associated with the first distribution point;
- a routine for receiving the first message at the central managing module; and
- a routine for generating a security group database entry based on the first message at the central managing module.
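As an added illustration (not code from the patent, which supplies none), the following Python models the three-tier exchange of claims 12 and 20 and the policy linkage of claim 1: a distribution point stores the full policy, the managing module records the policy-to-distribution-point association and reports the group upward by identifier only, the central module keeps a locator entry with no member list or key material, and a later group definition triggers re-linkage of every policy bound to that group. All module identifiers, addresses and key strings are constructed placeholders.

```python
from collections import namedtuple

# key_material is a constructed placeholder for the IPsec SA parameters.
SecurityPolicy = namedtuple("SecurityPolicy", "policy_id group key_material")

class CentralManagingModule:
    """Top of the hierarchy: records where each group is defined, nothing more."""
    def __init__(self):
        self.group_db = {}                 # group -> (managing module, DP)
    def receive_message(self, msg):
        self.group_db[msg["group"]] = (msg["mm"], msg["dp"])

class ManagingModule:
    """Middle tier: policy -> DP associations plus group -> policy linkage."""
    def __init__(self, mm_id, central):
        self.mm_id, self.central = mm_id, central
        self.associations = {}             # policy_id -> dp_id
        self.linkage = {}                  # group -> {policy_id, ...}
    def receive_policy(self, dp_id, policy):
        self.associations[policy.policy_id] = dp_id
        self.linkage.setdefault(policy.group, set()).add(policy.policy_id)
        # The upward message carries identifiers only: no members, no keys.
        self.central.receive_message({"group": policy.group, "mm": self.mm_id, "dp": dp_id})
    def group_updated(self, dp_id, group):
        # Policy linkage: re-bind every policy on this group to the DP holding its new definition.
        affected = sorted(self.linkage.get(group, ()))
        for pid in affected:
            self.associations[pid] = dp_id
        return affected

class DistributionPoint:
    """Lowest tier: the only place member lists and key material are stored."""
    def __init__(self, dp_id, manager):
        self.dp_id, self.manager = dp_id, manager
        self.groups, self.policies = {}, {}
    def publish(self, policy):
        self.policies[policy.policy_id] = policy
        self.manager.receive_policy(self.dp_id, policy)
    def define_group(self, group, members):
        self.groups[group] = set(members)
        return self.manager.group_updated(self.dp_id, group)

def demo():
    central = CentralManagingModule()
    mm = ManagingModule("mm-branch-1", central)
    dp = DistributionPoint("dp-branch-1", mm)
    dp.publish(SecurityPolicy("pol-1", "finance", "KEY-PLACEHOLDER-1"))
    dp.publish(SecurityPolicy("pol-2", "finance", "KEY-PLACEHOLDER-2"))
    relinked = dp.define_group("finance", {"10.1.0.5", "10.1.0.6"})  # constructed
    return central, mm, dp, relinked
```

Inspecting `central.group_db` after `demo()` shows only the managing module and distribution point identifiers for the group; the member addresses and key strings never leave the distribution point.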