Centralized deployment of IPSec policy information
Abstract
A method of network security policy administration for a network client uses a finite state machine to maintain the security policy information of the network client. Security policy information may originate in a remote source such as directory storage as well as, or alternatively, locally in cache and local store locations. The finite state machine has four states, Initial, DS, Cache, and Local, and transitions between states responsive to the availability of security policy information from the various policy information sources. Furthermore, security policy updates occur via a differencing mechanism, wherein only filters that have changed are updated, minimizing impact on unchanged policy filters and the traffic protected by them, and minimizing lulls in policy coverage.
16 Claims
1. A network security system for administration of data transmission security policy comprising:
a remote source of data transmission security policy information;
a network client couplable to the remote source for receiving data transmission security policy information, the network client having a computer-readable local memory and having therein a local source of data transmission security policy information;
a finite state machine located within the computer-readable local memory of the network client for administration of the network client's data transmission security policy, wherein a current state of the finite state machine indicates which of the data transmission security policy information sources is used to supply an active policy of data transmission security policy information applicable to the network client, and wherein the finite state machine transitions between states responsive to the availability of the data transmission security policy information from the remote and local sources.
an Initial state;
a DS state, wherein the active policy has been retrieved from the remote source;
a Cache state wherein the active policy has been retrieved from the local cache source; and
a Local state wherein the active policy has been retrieved from the local storage source.
4. The system according to claim 3, wherein the remote source is a directory service that supports LDAP.
5. The system according to claim 3, wherein the finite state machine further comprises a policy state information block having a current state field usable to store an indication of the current state of the state machine.
6. The system according to claim 3, wherein a substitution of an original active policy by a new active policy is associated with a transition from one of the DS, Cache and Local states to another of the DS, Cache and Local states, wherein the substitution comprises changing portions of the original active policy that differ from corresponding portions of the new active policy.
7. The system according to claim 3, wherein the finite state machine is administered by a policy agent store module, and wherein when the finite state machine is in the initial state, the policy agent store module firstly attempts to obtain security policy information from the remote source, and secondly attempts to obtain security policy information from the local cache source upon failing to obtain security policy information from the remote source, and thirdly attempts to obtain security policy information from the local storage source upon failing to obtain security policy information from the local cache source.
8. The system according to claim 3, wherein the active policy is used to implement the IETF IPSec protocol.
9. In a computer network having a network client, a method of administering a data transmission security policy for the network client comprising the steps of:
establishing in a computer-readable memory of the network client a finite state machine, wherein the finite state machine has Initial, Remote, Cache, and Local states, and wherein the Remote, Cache, and Local states correspond to remote, local cache, and local storage sources of data transmission security policy information respectively;
placing the finite state machine into the Initial state;
transitioning from the Initial state to the Remote state, wherein data transmission security policy information available from the remote source is used to set the active security policy for the network client, if the network client is able to retrieve the data transmission security policy information from the remote source;
transitioning from the Initial state to the Cache state, wherein data transmission security policy information available from the local cache source is used to set the active security policy for the network client, if the network client is unable to retrieve the data transmission security policy information from the remote source, and if the network client is able to retrieve the data transmission security policy information from the local cache source;
transitioning from the Initial state to the Local state, wherein data transmission security policy information available from the local storage source is used to set the active security policy for the network client, if the network client is unable to retrieve the data transmission security policy information from the remote or local cache sources, and if the network client is able to retrieve the data transmission security policy information from the local storage source; and
remaining in the Initial state if the network client is unable to retrieve the data transmission security policy information from the remote, local cache, and local storage sources.
transitioning from an original state which is one of the Remote, Cache, and Local states, wherein an original active policy is applied, to a new state which is another of the Remote, Cache, and Local states upon receipt of a new active policy; and
updating the active security policy for the network client by:
changing filters within the original active policy that differ from corresponding filters in the new active policy;
deleting filters from the original active policy that have no correspondence to filters in the new active policy; and
adding filters to the original active policy that appear in the new active policy but have no correspondence in the original active policy.
13. A computer-readable medium having computer-executable instructions for performing a method of administering a data transmission security policy for a network client in a computer network comprising the steps of:
establishing in a computer-readable memory of the network client a finite state machine, wherein the finite state machine has Initial, Remote, Cache, and Local states, and wherein the Remote, Cache, and Local states correspond to remote, local cache, and local storage sources of data transmission security policy information respectively;
placing the finite state machine into the Initial state;
transitioning from the Initial state to the Remote state, wherein data transmission security policy information available from the remote source is used to set the active security policy for the network client, if the network client is able to retrieve the data transmission security policy information from the remote source;
transitioning from the Initial state to the Cache state, wherein data transmission security policy information available from the local cache source is used to set the active security policy for the network client, if the network client is unable to retrieve the data transmission security policy information from the remote source, and if the network client is able to retrieve the data transmission security policy information from the local cache source;
transitioning from the Initial state to the Local state, wherein data transmission security policy information available from the local storage source is used to set the active security policy for the network client, if the network client is unable to retrieve the data transmission security policy information from the remote or local cache sources, and if the network client is able to retrieve the data transmission security policy information from the local storage source; and
remaining in the Initial state if the network client is unable to retrieve the data transmission security policy information from the remote, local cache, and local storage sources.
transitioning from an original state which is one of the Remote, Cache, and Local states, wherein an original active policy is applied, to a new state which is another of the Remote, Cache, and Local states upon receipt of a new active policy; and
updating the active security policy for the network client by:
changing filters within the original active policy that differ from corresponding filters in the new active policy;
deleting filters from the original active policy that have no correspondence to filters in the new active policy; and
adding filters to the original active policy that appear in the new active policy but have no correspondence in the original active policy.
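The claims above describe two mechanisms: a four-state machine (Initial, DS/Remote, Cache, Local) whose start-up transition tries the remote directory first, then the local cache, then local storage, staying in Initial when none is available; and a differencing update in which only filters that changed are replaced, with stale filters deleted and new ones added, so unchanged filters keep protecting their traffic throughout the switch. The following Python is an added illustration written for this page, not code from the patent or its assignee. The class and method names, the (selector, action) filter representation, and the sample policies are all constructed assumptions; a real IPsec filter carries far more fields, and a real agent would also authenticate the directory connection and validate the cached copy before trusting it.

```python
"""Added example (not from the patent): a toy policy agent with the
four-state machine and filter-differencing update the claims describe."""
from enum import Enum
from typing import Callable, Dict, List, Optional, Tuple

# Constructed filter representation: id -> (traffic selector, action).
Filter = Tuple[str, str]
Policy = Dict[str, Filter]
# A source returns its policy, or None when it cannot be reached/read.
Source = Callable[[], Optional[Policy]]


class State(Enum):
    INITIAL = "Initial"
    DS = "DS"         # active policy came from the remote directory service
    CACHE = "Cache"   # active policy came from the local cache
    LOCAL = "Local"   # active policy came from local storage


class PolicyAgent:
    """Hypothetical policy agent store module (name assumed)."""

    def __init__(self, remote: Source, cache: Source, local: Source):
        # Preference order from claim 7: remote, then cache, then local store.
        self.sources = [(State.DS, remote), (State.CACHE, cache), (State.LOCAL, local)]
        self.state = State.INITIAL
        self.active: Policy = {}

    def load(self) -> State:
        """Initial-state transition: first source that answers wins;
        remain in Initial when no source can supply a policy."""
        for target, fetch in self.sources:
            policy = fetch()
            if policy is not None:
                self.apply(policy, target)
                return self.state
        self.state = State.INITIAL
        return self.state

    def apply(self, new: Policy, target: State) -> Dict[str, List[str]]:
        """Substitute the active policy by differencing: only filters that
        differ are touched, so unchanged filters never lapse."""
        old = self.active
        changed = sorted(k for k in old.keys() & new.keys() if old[k] != new[k])
        deleted = sorted(old.keys() - new.keys())
        added = sorted(new.keys() - old.keys())
        for k in changed:
            old[k] = new[k]      # replace a filter whose definition changed
        for k in deleted:
            del old[k]           # drop filters absent from the new policy
        for k in added:
            old[k] = new[k]      # install filters new to this client
        self.state = target
        return {"changed": changed, "deleted": deleted, "added": added}


def demo_failover():
    """Constructed scenario: directory unreachable at boot, reachable later."""
    remote_policy = {"f1": ("10.0.0.0/8", "esp"), "f2": ("0.0.0.0/0", "permit")}
    cache_policy = {"f1": ("10.0.0.0/8", "permit"), "f3": ("192.168.0.0/16", "ah")}
    remote_up = {"ok": False}
    agent = PolicyAgent(
        remote=lambda: dict(remote_policy) if remote_up["ok"] else None,
        cache=lambda: dict(cache_policy),
        local=lambda: None,
    )
    first = agent.load()                     # remote down -> Cache state
    remote_up["ok"] = True
    diff = agent.apply(dict(remote_policy), State.DS)   # Cache -> DS
    return first, agent.state, diff, dict(agent.active)


def demo_no_sources():
    """All three sources unavailable: the machine stays in Initial."""
    agent = PolicyAgent(lambda: None, lambda: None, lambda: None)
    return agent.load(), dict(agent.active)


if __name__ == "__main__":
    print(demo_failover())
    print(demo_no_sources())
```

In `demo_failover` the cached copy carries a stale `f1` and an `f3` the directory no longer knows, so the Cache-to-DS transition changes one filter, deletes one and adds one while leaving everything else untouched; that is the property the abstract calls minimizing lulls in policy coverage. Note that an agent that silently stays in Initial with an empty active policy is itself a condition worth alerting on, since the client is then running without the intended IPsec protection.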