Method and system for secure network policy implementation
Abstract
A method and system for implementing network policy is described. Policy data is stored in digital certificates held on a certificate database server. On retrieval, a policy is validated as properly certified before it is used. A policy that fails validation indicates tampering or improper policy data entry; a policy that validates successfully is implemented.
334 Citations
27 Claims
1. A method of providing computer network security between a secured network communicating with a requestor via an unsecured connection, said secured network comprising a resource sought by said requestor, said method comprising:
a) in said secured network, retrieving security information relating to communication rights between said requestor and said resource;
b) in said secured network, verifying said security information to determine authenticity of said security information; and
c) upon positive authentication of said security information, said security information indicating a permitted communication between said requestor and said resource, allowing communications to be sent between said requestor and said resource.
Dependent claims: 2, 3, 4, 5, 6, 7, 8.

9. A method for implementing computer-network security in a computer network having at least one secured network comprising a requestor and a resource, the method comprising the steps of:
a) retrieving from a digital storage medium to said resource, certified network security information other than an encryption key, the certified network security information certified with a digital certificate and associated with at least one of the requestor and the resource;
b) performing verification analysis by said resource on the digital certificate to determine authenticity of the certified network security information;
c) configuring security for each of the requestor and the resource according to the certified network security information when the certified network security information is determined to be authentic; and
d) when the authenticity is not successfully determined, performing one of: determining and storing information relating to the unsuccessful determination of authenticity; and generating an alarm condition.
Dependent claims: 10, 11, 12, 13, 14, 15, 16, 17, 18.

15. The method for implementing computer-networking security as defined in claim 9, wherein the step of determining authenticity comprises the steps of:
determining a certificate authority that created the digital certificate;
determining an encryption key associated with the certificate authority;
decrypting the digital certificate using the determined key; and
verifying that the certificate is authentic.

16. The method for implementing computer-networking security as defined in claim 15, comprising the step of, when analysis fails to authenticate the certificate, generating an alarm condition.

17. The method for implementing computer-networking security as defined in claim 9, wherein the network security information also comprises user identity information to validate the identity of a network user and resource identity information to validate the identity of a network resource.

18. The method for implementing computer-networking security as defined in claim 9, wherein said network security information also comprises visibility information that operatively associates acknowledgement of a resource's existence with a specific requestor.

19. A method for disseminating network security information to a remote workstation forming part of a secure network, the workstation capable of modifying its configuration parameters in response to configuration parameters received from the network, the method comprising the steps of:
a) in said secure network, retrieving a digital certificate from a database;
b) providing said digital certificate to said workstation;
c) in said secure network, analysing said digital certificate to provide an authenticity result;
d) upon said authenticity result indicating said digital certificate is valid, modifying said workstation configuration parameters other than encryption keys used in communication, said modifying said workstation configuration parameters utilizing information in said digital certificate;
e) determining workstation configuration information;
f) certifying the determined workstation configuration information to form a digital certificate; and
g) storing said digital certificate in the database forming part of the network.
Dependent claims: 20.

21. A system for providing a secure network environment comprising:
a) a certificate database for coupling to a network, the certificate database for storing digital certificates wherein some digital certificates include network policy data; and
b) a policy manager for creating and modifying network policy data, for providing the network policy data to a certificate authority for certification, and for providing the certified network policy data to the policy database for storage therein.

22. A method for implementing computer-networking security in a computer network having at least one secured network coupled with an unsecured network via a security gateway, at least one requestor connected to said unsecured network and at least one resource connected to said at least one secured network, the method comprising the steps of:
a) retrieving network security information from an electronic storage medium for indicating communication rights between one of said at least one requestor and one of said at least one resource, the network security information digitally certified with a digital certificate and including at least one of access privilege information, security configuration information, communication configuration information, and access monitoring and logging configuration information;
b) performing verification analysis on said digital certificate to determine authenticity of said network security information; and
c) allowing communications between said one of said at least one requestor and said one of said at least one resource if said network security information indicating a permitted communication is determined authentic, said communications provided via said security gateway.

23. A method for implementing computer-networking security in a computer network having at least one secured network comprising a requestor and a resource, the method comprising the steps of:
a) retrieving from a digital storage medium certified network security information other than an encryption key, said certified network security information certified with a digital certificate and associated with at least one of said requestor and said resource, said certified network security information comprising visibility information to operatively associate existence acknowledgement of said resource with said requestor;
b) performing verification analysis on said digital certificate to determine authenticity of said certified network security information; and
c) configuring security for each of said requestor and said resource according to said certified network security information when said certified network security information is determined to be authentic.

24. A computer-networking security system in a computer network having at least one secured network coupled with an unsecured network, at least one requestor connected to said unsecured network and at least one resource connected to said at least one secured network, said system comprising a security gateway associated with said at least one secured network and an electronic storage medium coupled to said computer network for storing network security information indicating communication rights between one of said at least one requestor and one of said at least one resource, wherein said security gateway performs the steps of:
a) retrieving said network security information from said electronic storage medium, said network security information digitally certified with a digital certificate;
b) performing verification analysis on said digital certificate to determine authenticity of said network security information; and
c) allowing communications between said one of said at least one requestor and said one of said at least one resource if said network security information indicating a permitted communication is determined authentic, said communications provided via said security gateway.
Dependent claims: 25, 26, 27.
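The retrieve-verify-apply procedure that claims 9, 15, 19, 21, 22 and 24 describe, as an added working example; this is not code from the patent or from any product it covers. Details the claims leave open are assumed here: the certified policy is a JSON policy record stored together with the name of its issuing certificate authority and that CA's Ed25519 signature over the record (`PolicyCert`); the certificate database is an in-memory map (`CertDB`); the gateway's trust store maps CA names to public keys (`TrustStore`); and the names `Certify`, `Authorize`, `Tamper` and the sample requestor/resource pairs are constructed for the example. One caveat a practitioner would want on claim 15: "decrypting the digital certificate using the determined key" is, with real signature schemes, a signature verification with the CA's public key, and nothing is decrypted. The example also covers two failure modes the patent's alarm condition exists for: a policy record edited in the database behind the CA's back, and a validly signed record for one requestor/resource pair copied under another pair's key.

```go
package main

import (
	"bytes"
	"crypto/ed25519"
	"crypto/rand"
	"encoding/json"
	"fmt"
)

// Policy is the network security information "other than an encryption key":
// one communication right between a requestor and a resource.
type Policy struct {
	Requestor string `json:"requestor"`
	Resource  string `json:"resource"`
	Allow     bool   `json:"allow"`
}

// PolicyCert is the certified policy as stored in the certificate database (assumed layout):
// the serialized policy, the name of the issuing CA, and the CA's signature over the policy bytes.
type PolicyCert struct {
	Issuer    string
	Policy    []byte
	Signature []byte
}

// CertDB stands in for the certificate database, keyed "requestor->resource".
type CertDB map[string]PolicyCert

// TrustStore maps CA names to the public keys the gateway verifies signatures with.
type TrustStore map[string]ed25519.PublicKey

// Decision is the gateway's answer; Alarm is non-empty only when a stored policy fails authentication.
type Decision struct {
	Allowed bool
	Alarm   string
}

func pairKey(requestor, resource string) string { return requestor + "->" + resource }

// Certify is the policy-manager path (claim 21): the CA signs the serialized policy and the
// certified record is stored in the database.
func Certify(db CertDB, issuer string, caKey ed25519.PrivateKey, p Policy) error {
	raw, err := json.Marshal(p)
	if err != nil {
		return err
	}
	db[pairKey(p.Requestor, p.Resource)] = PolicyCert{Issuer: issuer, Policy: raw, Signature: ed25519.Sign(caKey, raw)}
	return nil
}

// Authorize is the gateway path (claims 9, 15, 22, 24): retrieve the certified policy, identify its CA,
// look up that CA's public key, verify the signature, and only then apply the policy; any failure is deny plus alarm.
func Authorize(db CertDB, trust TrustStore, requestor, resource string) Decision {
	pc, ok := db[pairKey(requestor, resource)]
	if !ok {
		return Decision{} // nothing stored for this pair: default deny, nothing to alarm on
	}
	caPub, ok := trust[pc.Issuer]
	if !ok {
		return Decision{Alarm: "policy certified by unknown CA " + pc.Issuer}
	}
	// Signature verification with the CA's public key; nothing is decrypted.
	if !ed25519.Verify(caPub, pc.Policy, pc.Signature) {
		return Decision{Alarm: "policy signature invalid: tampering or improper policy entry"}
	}
	var p Policy
	if err := json.Unmarshal(pc.Policy, &p); err != nil {
		return Decision{Alarm: "certified policy is malformed: " + err.Error()}
	}
	// The certified binding must be the pair actually requested, so a valid record for one
	// pair cannot simply be copied under another pair's database key.
	if p.Requestor != requestor || p.Resource != resource {
		return Decision{Alarm: "policy certificate is bound to " + pairKey(p.Requestor, p.Resource)}
	}
	return Decision{Allowed: p.Allow}
}

// Tamper models an attacker with database write access editing the policy bytes behind the CA's
// back: a denied pair is flipped to allowed. The signature no longer matches afterwards.
func Tamper(db CertDB, requestor, resource string) {
	pc := db[pairKey(requestor, resource)]
	pc.Policy = bytes.ReplaceAll(pc.Policy, []byte(`"allow":false`), []byte(`"allow":true`))
	db[pairKey(requestor, resource)] = pc
}

func main() {
	caPub, caKey, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		panic(err)
	}
	trust, db := TrustStore{"Policy CA": caPub}, CertDB{}
	if err := Certify(db, "Policy CA", caKey, Policy{"trudy", "db01", false}); err != nil { // constructed sample policy
		panic(err)
	}
	fmt.Printf("before tampering: %+v\n", Authorize(db, trust, "trudy", "db01"))
	Tamper(db, "trudy", "db01")
	fmt.Printf("after tampering:  %+v\n", Authorize(db, trust, "trudy", "db01"))
}
```

Two design points carry over to any real deployment of this scheme: the gateway's decision for a missing record is deny without alarm, while every failure of an existing record (unknown CA, bad signature, malformed data, mismatched binding) is deny with alarm, which is what lets claim 9(d) distinguish "no policy yet" from "policy was tampered with"; and the requestor/resource names are signed inside the record rather than taken from the database key, so a correctly certified "allow" for one pair cannot be reused for another.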
Specification