METHOD AND APPARATUS FOR PROVIDING NETWORK SECURITY USING ROLE-BASED ACCESS CONTROL

US 20110231907A1
Filed: 05/27/2011
Published: 09/22/2011
Est. Priority Date: 09/10/2003
Status: Active Grant

First Claim

Patent Images

1. A method comprising:

populating a forwarding table with a user group identifier, whereinsaid user group identifier is a source user group identifier, and so identifies a source user group, anda source of a packet is in said source user group.

View all claims

0 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

A method and apparatus for providing network security using role-based access control is disclosed. A network device implementing such a method can include, for example, an access control list. Such an access control list includes an access control list entry, which, in turn, includes a user group field. Alternatively, a network device implementing such a method can include, for example, a forwarding table that includes a plurality of forwarding table entries. In such a case, at least one of the forwarding table entries includes a user group field.

100 Citations

View as Search Results

22 Claims

1. A method comprising:
- populating a forwarding table with a user group identifier, whereinsaid user group identifier is a source user group identifier, and so identifies a source user group, anda source of a packet is in said source user group.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12)
- - 2. The method of claim 1, further comprising:
    - comparing said source user group identifier with a destination user group identifier, whereinsaid destination user group identifier identifies a user group of a destination of said packet.
  - 3. The method of claim 2, whereinsaid populating and said comparing are performed by a network device, andsaid populating comprisesdetermining said source user group.
  - 4. The method of claim 3, whereinsaid source user group is assigned to said source based on a role of said source.
  - 5. The method of claim 3, wherein said populating comprises:
    - determining said source user group.
  - 6. The method of claim 5, wherein said populating is performed by a network device and further comprises:
    - receiving an authentication message from another network device, whereinsaid response includes said source user group identifier.
  - 7. The method of claim 3, whereina destination of said packet is in a destination user group.
  - 8. The method of claim 7, whereinsaid destination user group is assigned to said destination based on a role of said destination.
  - 9. The method of claim 7, further comprising:
    - comparing a source user group of said packet with said destination user group.
  - 10. The method of claim 9, whereinsaid source user group of said packet is indicated by a source user group identifier stored in said packet, andsaid destination user group is indicated by a destination user group stored in a network device performing said comparison.
  - 11. The method of claim 7, further comprising:
    - determining said source user group; and
      
      determining said destination user group by looking up said destination user group in an access control list stored at said network device performing said comparison.
  - 12. The method of claim 11, wherein said determining said source user group comprises:
    - extracting said source user group identifier stored in said packet from said packet, whereinsaid source user group identifier stored in said packet identifies said source user group of said source of said packet.

13. A computer program product comprising:
- a plurality of instructions, comprisinga first set of instructions, executable on a computer system, configured to populate a forwarding table with a user group identifier, whereinsaid user group identifier is a source user group identifier, and so identifies a source user group, anda source of a packet is in said source user group; and
  
  a computer-readable storage medium, wherein said instructions are encoded in said computer-readable storage medium.
- View Dependent Claims (14, 15, 16, 17, 18)
- - 14. The computer program product of claim 13, wherein said first set of instructions comprises:
    - a first subset of instructions, executable on said computer system, configured to determine said source user group.
  - 15. The computer program product of claim 14, wherein said first set of instructions comprises:
    - a second subset of instructions, executable on said computer system, configured to receive an authentication message from another network device, wherein said response includes said source user group identifier.
  - 16. The computer program product of claim 13, whereina destination of said packet is in a destination user group.
  - 17. The computer program product of claim 16, further comprising:
    - a second set of instructions, executable on said computer system, configured to determine said source user group; and
      
      a third set of instructions, executable on said computer system, configured to determine said destination user group by looking up said destination user group in an access control list stored at said network device performing said comparison.
  - 18. The computer program product of claim 17, wherein said second set of instructions comprises:
    - a first subset of instructions, executable on said computer system, configured to extracting said source user group identifier stored in said packet from said packet, whereinsaid source user group identifier stored in said packet identifies said source user group of said source of said packet.

19. An apparatus comprising:
- means for extracting a user group identifier from a packet; and
  
  said user group identifier is a source user group identifier, and so identifies a source user group, anda source of said packet is in said source user group; and
  
  means for populating a forwarding table with said user group identifier.
- View Dependent Claims (20, 21, 22)
- - 20. The apparatus of claim 19, wherein said means for populating comprisesmeans for comparing said source user group identifier with a destination user group identifier, whereinsaid destination user group identifier identifies a user group of a destination of said packet.
  - 21. The apparatus of claim 20, wherein said apparatus is a network device and further comprises:
    - means for receiving an authentication message from another network device, wherein said authentication message comprises said source user group identifier.
  - 22. The apparatus of claim 20, further comprising:
    - means for determining said source user group; and
      
      means for determining said destination user group by looking up said destination user group in an access control list stored at said network device.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Michael D. Smith
Original Assignee
Michael D. Smith
Inventors
Smith, Michael R.

Granted Patent

US 8,661,556 B2
Time in Patent Office

Days
Field of Search
US Class Current

726/4
CPC Class Codes

G06F 21/6218   to a system of files or obj...

H04L 12/4645   Details on frame tagging ro...

H04L 12/4675   Dynamic sharing of VLAN inf...

H04L 45/04   Interdomain routing, e.g. h...

H04L 45/54   Organization of routing tables

H04L 45/7453   using hashing

H04L 63/08   for authentication of entit...

H04L 63/101   Access control lists [ACL]

H04L 63/105   Multiple levels of security

H04L 63/20   for managing network securi...

METHOD AND APPARATUS FOR PROVIDING NETWORK SECURITY USING ROLE-BASED ACCESS CONTROL

First Claim

0 Assignments

0 Petitions

Accused Products

Abstract

100 Citations

22 Claims

Specification

Solutions

Use Cases

Quick Links

METHOD AND APPARATUS FOR PROVIDING NETWORK SECURITY USING ROLE-BASED ACCESS CONTROL

First Claim

0 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

100 Citations

22 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links