Method and system for secure network policy implementation

US 6,353,886 B1
Filed: 11/24/1998
Issued: 03/05/2002
Est. Priority Date: 02/04/1998
Status: Expired due to Term

First Claim

Patent Images

1. A method of providing computer network security between a secured network communicating with a requestor via an unsecured connection, said secured network comprising a resource sought by said requestor, said method comprising:

a) in said secured network, retrieving security information relating to communication rights between said requestor and said resource;

b) in said secured network, verifying said security information to determine authenticity of said security information; and

c) upon positive authentication of said security information, said security information indicating a permitted communication between said requestor and said resource, allowing communications to be sent between said requestor and said resource.

View all claims

8 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

A method and system for implementing network policy is described. The method involves storing policy data using certificates using a certificate database server. Upon retrieval, a policy is then validated as properly certified prior to use. When a policy is not validated, it indicates tampering or improper policy data entry. When policy data is successfully validated, the policy is implemented.

334 Citations

27 Claims

1. A method of providing computer network security between a secured network communicating with a requestor via an unsecured connection, said secured network comprising a resource sought by said requestor, said method comprising:
- a) in said secured network, retrieving security information relating to communication rights between said requestor and said resource;
  
  b) in said secured network, verifying said security information to determine authenticity of said security information; and
  
  c) upon positive authentication of said security information, said security information indicating a permitted communication between said requestor and said resource, allowing communications to be sent between said requestor and said resource.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8)
- - 2. The method of claim 1, wherein said step of verifying said security information comprises analysing a digital certificate to determine authenticity of said security information.
  - 3. The method of claim 2 wherein said communications sent between said requestor and said resource are provided via a security gateway associated with said secured network.
  - 4. The method of claim 3 wherein said requestor forms part of a second, other secured computer network.
  - 5. The method of claim 3 wherein said security information includes policy information relating to implementation of network security.
  - 6. The method of claim 5 wherein the network security information includes at least one of access privilege information, security configuration information, communication configuration information, and access monitoring and logging configuration information.
  - 7. The method of claim 1, wherein said step of verifying said security information comprises determining a security level of said requestor by analyzing a type of connection associated with said requester.
  - 8. The method of claim 1, wherein said step of verifying said security information comprises determining a security level of said requestor by analyzing a geographic location associated with said requestor.

9. A method for implementing computer-network security in a computer network having at least one secured network comprising a requestor and a resource, the method comprising the steps of:
- a) retrieving form a digital storage medium to said resource, certified network security information other than an encryption key, the certified network security information certified with a digital certificate and associated with at least one of the requestor and the resource;
  
  b) performing verification analysis by said resource on the digital certificate to determine authenticity of the certified network security information; and
  
  c) configuring security for each of the requester and the resource according to the certified network security information when the certified network security information is determined to be authentic.
- View Dependent Claims (10, 11, 12, 13, 14, 15, 16, 17, 18)
- - 10. The method for implementing computer-networking security as defined in claim 9, wherein the certified network security information is certified and stored within the digital certificate.
  - 11. The method for implementing computer-networking security as defined in claim 10, comprising the steps of:
    - certifying the certified network security information; and
      
      storing the certified network security information within the associated digital certificate.
  - 12. The method for implementing computer-networking security as defined in claim 11, comprising the step of storing the digital certificate in a network accessible database.
  - 13. The method for implementing computer-networking security as defined in claim 12 wherein the network accessible database is an X.500 compliant certificate database.
  - 14. The method for implementing computer-networking security as defined in claim 9 comprising the step of:
15. The method for implementing computer-networking security as defined in claim 9, wherein the step of determining authenticity comprises the steps of:
- determining a certificate authority that created the digital certificate;
  
  determining an encryption key associated with the certificate authority;
  
  decrypting the digital certificate using the determined key; and
  
  verifying that the certificate is authentic.
16. The method for implementing computer-networking security as defined in claim 15, comprising the step of, when analysis fails to authenticate the certificate, generating an alarm condition.
17. The method for implementing computer-networking security as defined in claim 9, wherein the network security information also comprises user identity information to validate the identity of a network user and resource identity information to validate the identity of a network resource.
18. The method for implementing computer-networking security as defined in claim 9, wherein the said network security information also comprises visibility information to operatively associate resources existence acknowledgement with specific requestor.

19. A method for disseminating network security information to a remote workstation forming part of a secure network, the workstation capable of modifying its configuration parameters in response to configuration parameters received from the network, the method comprising the steps of:
- a) in said secure network, retrieving a digital certificate from a database;
  
  b) providing said digital certificate to said workstation;
  
  c) in said secure network, analysing said digital certificate to provide an authenticity result; and
  
  d) upon said authenticity result indicating said digital certificate is valid, modifying said workstation configuration parameters other than encryption keys used in communication, said modifying said workstation configuration parameters utilizing information in said digital certificate.
- View Dependent Claims (20)
- - 20. The method for disseminating network security information to a remote workstation as defined in claim 19, comprising the steps of:

21. A system for providing a secure network environment comprising:
- a) a certificate database for coupling to a network, the certificate database for storing digital certificates wherein some digital certificates include network policy data; and
  
  , b) a policy manager for creating and modifying network policy data, for providing the network policy data to a certificate authority for certification, and for providing the certified network policy data to the policy database for storage therein.

22. A method for implementing computer-networking security in a computer network having at least one secured network coupled with an unsecured network via a security gateway, at least one requestor connected to said unsecured network and at least one resource connected to said at least one secured network, the method comprising the steps of:
- a) retrieving network security information from an electronic storage medium for indicating communication rights between one of said at least one requestor and one of said at least one resource, the network security information digitally certified with a digital certificate and including at least one of access privilege information, security configuration information, communication configuration information, and access monitoring and logging configuration information;
  
  b) performing verification analysis on said digital certificate to determine authenticity of said network security information; and
  
  , c) allowing communications between said one of said at least one requestor and said one of said at least one resource if said network security information indicating a permitted communication is determined authentic, said communications provided via said security gateway.

23. A method for implementing computer-networking security in a computer network having at least one secured network comprising a requestor and a resource, the method comprising the steps of:
- a) retrieving from a digital storage medium certified network security information other than an encryption key, said certified network security information certified with a digital certificate and associated with at least one of said requestor and said resource, said certified network security information comprising visibility information to operatively associate existence acknowledgement of said resource with said requester;
  
  b) performing verification analysis on said digital certificate to determine authenticity of said certified network security information;
  
  c) configuring security for each of said requester and said resource according to said certified network security information when said certified network security information is determined to be authentic.

24. A computer-networking security system in a computer network having at least one secured network coupled with an unsecured network, at least one requestor connected to said unsecured network and at least one resource connected to said at least one secured network, said system comprising a security gateway associated with said at least one secured network and an electronic storage medium coupled to said computer network for storing network security information indicating communication rights between one of said at least one requestor and one of said at least one resource, wherein said security gateway performs the steps of:
- a) retrieving said network security information from said electronic storage medium, said network security information digitally certified with a digital certificate;
  
  b) performing verification analysis on said digital certificate to determine authenticity of said network security information; and
  
  , c) allowing communications between said one of said at least one requestor and said one of said at least one resource if said network security information indicating a permitted communication is determined authentic, said communications provided via said security gateway.
- View Dependent Claims (25, 26, 27)
- - 25. The computer-networking security system as claimed in claim 24, wherein said one of said at least one requestor forms part of a second other secured computer network.
  - 26. The computer-networking security system as claimed in claim 24, wherein said network security information includes policy information relating to implementation of network security.
  - 27. The computer-networking security system as claimed in claim 26, wherein said network security information includes at least one of access privilege information, security configuration information, communication configuration information, and access monitoring and logging configuration information.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
IDPA Holdings Incorporated (InterDigital, Inc.)
Original Assignee
Alcatel Canada Inc. (Nokia Corporation)
Inventors
Marcotte, Lucien, Howard, Brett, Robison, Andrew, Pereira, Roy, Kierstead, Paul, Solymar, Gabor
Primary Examiner(s)
Peeso, Thomas R.

Application Number

US09/198,609
Time in Patent Office

1,197 Days
Field of Search

380/255, 713/100, 713/150, 713/151, 713/153, 713/160, 713/200, 713/201, 713/156
US Class Current

713/156
CPC Class Codes

H04L 41/0893   Assignment of logical group...

H04L 41/0894   Policy-based network config...

H04L 41/0895   Configuration of virtualise...

H04L 41/12   Discovery or management of ...

H04L 41/40   using virtualisation of net...

H04L 63/0272   Virtual private networks

H04L 63/0435   wherein the sending and rec...

H04L 63/0823   using certificates cryptogr...

H04L 63/083   using passwords cryptograph...

H04L 63/102   Entity profiles

H04L 63/123   received data contents, e.g...

H04L 63/20   for managing network securi...

Y10S 370/911   Bridge, e.g. brouter, bus e...

Method and system for secure network policy implementation

First Claim

8 Assignments

0 Petitions

Accused Products

Abstract

334 Citations

27 Claims

Specification

Solutions

Use Cases

Quick Links

Method and system for secure network policy implementation

First Claim

8 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

334 Citations

27 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links