Computer network security system and method having unilateral enforceable security policy provision

US 6,202,157 B1
Filed: 12/08/1997
Issued: 03/13/2001
Est. Priority Date: 12/08/1997
Status: Expired due to Term

First Claim

Patent Images

1. A computer network security system having enforceable security policy provision comprising:

means for providing variable security policy rule data for distribution to at least one network node, wherein the variable policy rule data includes differing policy rule data for a plurality of software applications supported by at least one network node and wherein the at least one network node includes means for facilitating cryptographic processing of data that is accessible by the plurality of software applications;

means, operatively coupled to the means for providing, for associating a digital signature of a central security policy rule data distribution source to the variable security policy rule data;

means for storing the digital signature and the variable policy rule data; and

network node means, operatively coupled to the storage means, for periodically obtaining the digital signature and the variable policy rule data from the means for storing, and for analyzing the variable policy rule data to facilitate unilateral security policy enforcement at a network node level.

View all claims

5 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

A computer network security system and method utilizes digitally signed and centrally assigned policy data, such as password length rules, that is unilaterally enforced at network nodes by node policy enforcement engines. The policy data may be variable on a per client or network node basis through a centralized authority, such as a certification authority. The computer network security system provides variable security policy rule data for distribution to at least one network node through a central security policy rule data distribution source, such as the certification authority. The central security policy rule data distribution source associates a digital signature to the variable security policy rule data to ensure the integrity of the policies in the system. Each network node uses a policy rule data engine and policy rule table to decode policy rule data and enforce the policy rules as selectively determined through the central authority.

Citations

35 Claims

1. A computer network security system having enforceable security policy provision comprising:
- means for providing variable security policy rule data for distribution to at least one network node, wherein the variable policy rule data includes differing policy rule data for a plurality of software applications supported by at least one network node and wherein the at least one network node includes means for facilitating cryptographic processing of data that is accessible by the plurality of software applications;
  
  means, operatively coupled to the means for providing, for associating a digital signature of a central security policy rule data distribution source to the variable security policy rule data;
  
  means for storing the digital signature and the variable policy rule data; and
  
  network node means, operatively coupled to the storage means, for periodically obtaining the digital signature and the variable policy rule data from the means for storing, and for analyzing the variable policy rule data to facilitate unilateral security policy enforcement at a network node level.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10)
- - 2. The computer network system of claim 1 wherein the means for providing includes user interface means for facilitating selection of variable security policy rule data.
  - 3. The computer network system of claim 1 wherein the means for providing provides the variable security policy rule data from a data file.
  - 4. The computer network system of claim 1 wherein the means for providing variable security policy rule data facilitates selection of variable security policy rule data on a per network node basis for central policy definition for the at least one network node.
  - 5. The computer network system of claim 1 wherein the means for associating a digital signature of a central security policy rule data distribution source includes means for associating a digital signature to the variable policy rule data to create a policy certificate.
  - 6. The computer network system of claim 1 wherein the network node means includes:
7. The computer network system of claim 1 wherein the variable policy rule data includes at least security policy identification data and policy rule setting data.
8. The computer network system of claim 7 wherein the variable policy rule data includes policy rule prioritization data.
9. The computer network system of claim 1 wherein the means for storing the digital signature and the variable policy rule data stores a policy certificate for distribution to the network node under control of the network node.
10. The computer network system of claim 1 wherein the means for storing the digital signature and the variable policy rule data stores a policy certificate for distribution to the network nodes under control of the means for associating.

11. A computer network security system having enforceable security policy provision comprising:
- means for storing variable security policy rule data for use by a network node wherein the variable policy rule data includes differing policy rule data for a plurality of software applications supported by the at least one network node; and
  
  means, operatively coupled to the means for storing, for securely providing the variable security policy rule data for distribution to at least one network node, by at least associating a digital signature of a central security policy rule data distribution source to the variable security policy rule data, to facilitate unilateral security policy enforcement at a network node level.
- View Dependent Claims (12, 13, 14)
- - 12. The computer network system of claim 11 including user interface means for facilitating selection of variable security policy rule data for storage in the storage means.
  - 13. The computer network system of claim 11 wherein the means for providing provides the variable security policy rule data from a data file.
  - 14. The computer network system of claim 11 wherein the means for providing variable security policy rule data facilitates selection of variable security policy rule data on a per network node basis for central policy definition for the at least one network node.

15. A method for providing enforceable security policy provisions comprising:
- providing variable security policy rule data for distribution to at least one network node wherein the variable policy rule data includes differing policy rule data for a plurality of software applications supported by at least one network node and wherein the at least one network node includes means for facilitating cryptographic processing of data that is accessible by the plurality of software applications;
  
  associating a digital signature of a central security policy rule data distribution source to the variable security policy rule data;
  
  storing the digital signature and the variable policy rule data; and
  
  periodically obtaining the digital signature and the variable policy rule data, and analyzing the variable policy rule data to facilitate unilateral security policy enforcement.
- View Dependent Claims (16, 17, 18, 19, 20, 21, 22)
- - 16. The method of claim 15, wherein the step of providing variable security policy rule data includes facilitating selection of variable security policy rule data.
  - 17. The method of claim 15, wherein providing variable security policy rule data includes facilitating selection of variable security policy rule data on a per network node basis for policy definition for at least one network node.
  - 18. The method of claim 15, wherein associating a digital signature of a central security policy rule data distribution source includes associating a digital signature to the variable policy rule data to create a policy certificate.
  - 19. The method of claim 15, wherein the step of obtaining the digital signature and the variable policy rule data includes:
20. The method of claim 15, wherein the variable policy rule data includes at least security policy identification data, policy rule setting data and policy rule prioritization data.
21. The method of claim 15, wherein storing the digital signature and the variable policy rule data includes storing a policy certificate for distribution to the network nodes under control of the network nodes.
22. The method of claim 15, wherein storing the digital signature and the variable policy rule data includes storing a policy certificate for distribution to the network nodes under control of a network server.

23. A method for providing enforceable security policy provision comprising:
- storing variable policy rule data for use by a network node wherein the variable policy rule data includes differing policy rule data for a plurality of software applications supported by at least one network node;
  
  facilitating cryptographic processing of data that is accessible by the plurality of software applications; and
  
  securely providing the variable security policy rule data for distribution to at least one network node by at least associating a digital signature of a central security policy rule data distribution source to the variable security policy rule data, to facilitate unilateral security policy enforcement at a network node level.
- View Dependent Claims (24, 25, 26)
- - 24. The method of claim 23 including facilitating selection of variable security policy rule data through a user interface.
  - 25. The method of claim 23 wherein securely providing includes providing the variable security policy rule data from a data file.
  - 26. The method of claim 23 wherein providing variable security policy rule data includes facilitating selection of variable security policy rule data on a per network node basis for central policy definition for the at least one network node.

27. A computer having enforceable security policy provision comprising:
- means for obtaining variable policy rule data from a central security policy rule data distribution source wherein the variable policy rule data includes differing policy rule data for a plurality of software applications supported buy at least one network node and wherein the at least one network node includes means for facilitating cryptographic processing of data that is accessible by the plurality of software applications and wherein the variable policy rule data has a digital signature associated with the central security policy rule data distribution source;
  
  means, operatively coupled to the means for obtaining, for analyzing the variable policy rule data; and
  
  means, responsive to the means for analyzing the variable policy rule data, for facilitating unilateral security policy enforcement at a network node level based on the variable policy rule data.
- View Dependent Claims (28, 29, 30)
- - 28. The computer of claim 27 wherein the means for obtaining includes means for storing variable policy rule data, and wherein the means for analyzing the variable policy rule data includes means for storing policy rule analysis data for evaluating the policy rule data and means, operatively coupled to the means for storing and the means for storing policy rule analysis data, for using the policy rule analysis data to decode the variable policy rule data to facilitate security policy enforcement at a network node level.
  - 29. The computer of claim 27 wherein the variable policy rule data includes at least security policy identification data and policy rule setting data.
  - 30. The computer of claim 27 wherein the variable policy rule data includes policy rule prioritization data and wherein the means for periodically obtaining obtains a digital signature corresponding to the policy rule data.

31. A storage medium for storing programming instructions that, when read by a processing unit, causes the processing unit to provide enforceable security policy provision, the storage medium comprising:
- instructions that facilitate storing variable security policy rule data for use by a network node wherein the variable policy rule data includes differing policy rule data for a plurality of software applications supported by at least one network node and wherein the at least one network node provides cryptographic processing of data that is accessible by the plurality of software applications;
  
  instructions that associate a digital signature of a central security policy rule data distribution source and that facilitate providing the variable security policy rule data for distribution to at least one network node to facilitate unilateral security policy enforcement at a network node level.
- View Dependent Claims (32, 33, 34, 35)
- - 32. The storage medium of claim 31 wherein the first means for storing programming instructions stores programming instructions that, when read by a processing unit, causes the processing unit to facilitate selection of variable security policy rule data.
  - 33. The storage medium of claim 31 wherein the first means for storing programming instructions stores programming instructions that, when read by a processing unit, causes the processing unit to facilitate selection of variable security policy rule data on a per network node basis for policy definition for to at least one network node.
  - 34. The storage medium of claim 31 wherein the first means for storing programming instructions stores programming instructions that, when read by a processing unit, causes the processing unit to associate a digital signature of a central security policy rule data distribution source by associating a digital signature to a policy rule data to create a policy certificate.
  - 35. The storage medium of claim 34 wherein the first means for storing programming instructions stores programming instructions that, when read by a processing unit, causes the processing unit to store the variable policy rule data that includes at least security policy identification data and policy rule setting data.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Entrust Incorporated (Entrust Corp.), Entrust Technologies Limited
Original Assignee
Entrust Technologies Limited
Inventors
Brownlie, Michael, Hillier, Stephen, Van Oorschot, Paul C.
Primary Examiner(s)
Butler, Dennis M.
Assistant Examiner(s)
Mai, Rijue

Application Number

US08/986,457
Time in Patent Office

1,191 Days
Field of Search

713/201, 713/200, 713/202, 713/155-177, 713/152, 713/180, 380/23, 380/30, 380/25, 380/49, 709/200, 709/227, 709/229, 709/232, 709/237, 705/26
US Class Current

726/1
CPC Class Codes

G06F 21/33   using certificates

H04L 63/126   the source of the received ...

H04L 63/20   for managing network securi...

Computer network security system and method having unilateral enforceable security policy provision

First Claim

5 Assignments

0 Petitions

Accused Products

Abstract

Citations

35 Claims

Specification

Solutions

Use Cases

Quick Links

Computer network security system and method having unilateral enforceable security policy provision

First Claim

5 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

Citations

35 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links