System and method for controlling interactions between networks
Abstract
A firewall is used to achieve network separation within a computing system having a plurality of network interfaces. A plurality of regions is defined within the firewall and a set of policies is configured for each of the plurality of regions. The firewall restricts communication to and from each network interface in accordance with the set of policies configured for the region to which that network interface has been assigned.
32 Claims
1. A method of achieving network separation within a computing system having network interfaces connected to form a plurality of physical networks, the method comprising the steps of:
defining a plurality of regions;
defining a virtual private network;
establishing a set of security policies, wherein the set of security policies defines rules for communicating between each of the plurality of regions;
assigning each physical network to one of the plurality of regions;
assigning the virtual private network to one of the plurality of regions; and
restricting communication between the plurality of regions in accordance with the set of security policies.
Dependent claims: 2, 3, 4, 5, 6, 7, 8

9. A secure server, comprising:
an operating system kernel;
a plurality of network interfaces, wherein the network interfaces are connected to form a plurality of physical networks and wherein each of the plurality of network interfaces communicates with the operating system kernel;
a virtual private network;
a plurality of regions; and
a security policy, wherein the security policy defines rules for communicating between each of the plurality of regions;
wherein each of the physical networks is assigned to a region;
wherein the virtual private network is assigned to a region; and
wherein communication between the plurality of regions is restricted in accordance with the security policy.
Dependent claims: 10, 11, 12, 13, 14, 15, 16, 17

18. In a computer system having a plurality of network interfaces, including a first and a second network interface, in which the first and second network interfaces are connected to first and second networks, respectively, a method of processing a packet having a source region and a destination region, the method comprising:
defining a plurality of regions, wherein defining includes assigning a first region identifier to the first network and a second region identifier to the second network;
establishing a security policy, wherein the security policy defines rules for communicating between the plurality of regions;
receiving a packet at the first network interface;
assigning the first region identifier to the packet;
reviewing the security policy to determine if transfer of the packet between the source region and the destination region is permitted for packets assigned the first region identifier; and
if so, forwarding the packet to the destination region.
Dependent claims: 19

20. In a computer system having a plurality of network interfaces, including a first and a second network interface, in which the first and second network interfaces are connected to first and second networks, respectively, a method of processing a packet having a source region and a destination region, the method comprising:
providing a virtual private network;
defining a plurality of regions, wherein defining includes assigning a first region identifier to the first network, a second region identifier to the second network and a third region identifier to the virtual private network;
establishing a security policy, wherein the security policy defines rules for communicating between the plurality of regions;
receiving a packet at the first network interface;
assigning the first region identifier to the packet;
determining if the packet is encrypted;
if the packet is encrypted, changing the region identifier assigned to the packet, wherein changing the region identifier includes:
retrieving a virtual private network security association for the packet;
decrypting the packet; and
replacing the first region identifier with the third region identifier;
reviewing the security policy to determine if transfer of the packet between the source region and the destination region is permitted when the packet is received from the virtual private network; and
if so, forwarding the packet to the destination.
Dependent claims: 21

22. A method of achieving network separation within a computing system having a plurality of networks, including a virtual private network, the method comprising the steps of:
defining a plurality of regions;
configuring a set of security policies, wherein the set of security policies defines rules for communicating between each of the plurality of regions;
assigning each of the plurality of networks to one of the plurality of regions, wherein assigning includes assigning a region identifier to the virtual private network; and
restricting communication between regions in accordance with the set of security policies.
Dependent claims: 23, 24, 25, 26, 27

28. In a computer network system having a plurality of regions and a plurality of services, including a first service, wherein each service defines a protocol for transferring data between two of the plurality of regions, and wherein each region includes one or more networks, a method of limiting transfers between regions, comprising:
defining a to-from set, wherein the to-from set lists a source region and a destination region;
associating the to-from set with the first service;
defining a path, wherein the path includes desired options for limiting transfer from the source region to the destination region via the first service;
storing information regarding the to-from set, the first service and the path as an access control rule;
receiving a request to set up said first service between the source region and the destination region;
comparing the request to the access control rule to determine access; and
if access is allowed, establishing the service between the source and destination regions.

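As an added illustration (not code from the patent or from any product of its assignee), the following Python model walks through the packet-processing steps of claims 18 and 20 and the to-from-set, service and path rule of claim 28: the packet is tagged with the region identifier of its ingress network, re-tagged with the VPN region identifier only after a security association is found and the packet is decrypted, and then checked against the inter-region access control rules. The region identifiers, interface names, SPI values and the simulated decryption are constructed assumptions.

```python
from dataclasses import dataclass

# Constructed topology for this example (not from the patent): region identifiers.
REGIONS = {"internal": 1, "external": 2, "vpn": 3}
# Each physical network, reached through an interface, is assigned to one region.
IFACE_REGION = {"eth0": REGIONS["internal"], "eth1": REGIONS["external"]}
# VPN security associations keyed by SPI (constructed); decryption is simulated.
VPN_SAS = {0x1001: "branch-tunnel"}

@dataclass(frozen=True)
class Rule:
    """Access control rule: a to-from set, a service and a path (claim 28)."""
    src_region: int
    dst_region: int
    service: str
    path_options: frozenset = frozenset()   # options limiting the transfer

# Rules for communicating between regions; anything not listed is denied.
POLICY = (
    Rule(REGIONS["vpn"], REGIONS["internal"], "https"),
    Rule(REGIONS["internal"], REGIONS["external"], "https", frozenset({"proxy"})),
)

@dataclass
class Packet:
    iface: str          # interface the packet arrived on
    dst_region: int
    service: str
    encrypted: bool = False
    spi: int = 0        # security parameter index of an encrypted packet
    region_id: int = 0  # assigned by the firewall, never taken from the wire

def access_allowed(src: int, dst: int, service: str) -> bool:
    """Compare a request to set up a service against the access control rules."""
    return any((r.src_region, r.dst_region, r.service) == (src, dst, service)
               for r in POLICY)

def process_packet(pkt: Packet) -> str:
    """Tag the packet with its ingress region, re-tag after VPN decryption, consult policy."""
    pkt.region_id = IFACE_REGION[pkt.iface]   # first region identifier (claim 18)
    if pkt.encrypted:
        if pkt.spi not in VPN_SAS:            # no security association: do not trust it
            return "drop"
        pkt.encrypted = False                 # decryption is simulated here
        pkt.region_id = REGIONS["vpn"]        # replace with the third (VPN) region id
    if not access_allowed(pkt.region_id, pkt.dst_region, pkt.service):
        return "drop"
    return "forward"
```

Note that a cleartext packet arriving on the external interface is evaluated as external-to-internal traffic and dropped, while the same packet inside an authenticated VPN tunnel is evaluated as vpn-to-internal traffic and forwarded.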
29. A method of achieving network separation within a computing system having network interfaces connected to form a plurality of physical networks, the method comprising the steps of:
defining a plurality of regions;
establishing a set of security policies, wherein the set of security policies defines rules for communicating between each of the plurality of regions;
assigning each physical network to one of the plurality of regions, wherein at least one of the regions is assigned two or more networks; and
restricting communication between the plurality of regions in accordance with the set of security policies.
Dependent claims: 30

31. A secure server, comprising:
an operating system kernel;
a plurality of network interfaces, wherein the network interfaces are connected to form a plurality of physical networks and wherein each of the plurality of network interfaces communicates with the operating system kernel;
three or more regions; and
a security policy, wherein the security policy defines rules for communicating between each of the plurality of regions;
wherein each of the physical networks is assigned to a region;
wherein at least one of the regions has two or more networks assigned to that region; and
wherein communication between the plurality of regions is restricted in accordance with the security policy.
Dependent claims: 32