System and method for improved network security

US 6,915,437 B2
Filed: 12/20/2000
Issued: 07/05/2005
Est. Priority Date: 12/20/2000
Status: Expired due to Fees

First Claim

Patent Images

1. A system of establishing a secure link among multiple users on a single machine with a remote machine, comprising:

a subsystem to filter traffic so that traffic from each user is separate, the subsystem comprising an Internet Key Exchange (IKE) module and a policy module, the IKE module adapted to provide User Mode negotiations in order to establish a secure link among users wherein the User Mode negotiations utilize keying material derived from Main Mode negotiations in order to provide the secure link among users;

wherein the subsystem generates and associates a Security Association (SA) with at least one fitter corresponding to the user and the traffic and employs the SA to establish the secure link.

View all claims

2 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

A system is provided for establishing a secure link among multiple users on a single machine with a remote machine. The system includes a subsystem to filter traffic so that traffic from each user is separate. The subsystem generates and associates a Security Association (SA) with at least one filter corresponding to the user and the traffic, and employs the SA to establish the secure link. An Internet Key Exchange module and a policy module may be included to generate and associate the security association, wherein the policy module is configured via Internet Protocol Security (IPSEC).

119 Citations

31 Claims

1. A system of establishing a secure link among multiple users on a single machine with a remote machine, comprising:
- a subsystem to filter traffic so that traffic from each user is separate, the subsystem comprising an Internet Key Exchange (IKE) module and a policy module, the IKE module adapted to provide User Mode negotiations in order to establish a secure link among users wherein the User Mode negotiations utilize keying material derived from Main Mode negotiations in order to provide the secure link among users;
  
  wherein the subsystem generates and associates a Security Association (SA) with at least one fitter corresponding to the user and the traffic and employs the SA to establish the secure link.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13, 14, 15, 16)
- - 2. The system of claim 1 being located on the single machine.
  - 3. The system of claim 1 being located on the remote machine.
  - 4. The system of claim 1, wherein the policy module is configured via Internet Protocol Security (IPSEC).
  - 5. The system of claim 4, wherein filters are provided from the policy module in order to filter traffic associated with the single machine and the remote machine.
  - 6. The system of claim 5, wherein the single machine filter is associated with a communications port on the single machine.
  - 7. The system of claim 6, wherein the remote machine determines filters dynamically to communicate with the filters associated with the single machine.
  - 8. The system of claim 1, wherein the User Mode enables a plurality of Quick Mode negotiations in order to provide the secure link among users.
  - 9. The system of claim 1, wherein the User Mode negotiation further comprises an initiator packet including at least one of a user identification initiator, a security association attribute, a nonce initiator, a proxy source, and a proxy destination.
  - 10. The system of claim 1, wherein the initiator packet further comprises a user identification responds.
  - 11. The system of claim 1, wherein the User Mode negotiation further comprises a responder packet including at least one of a user identification responder, a security association attribute, and a nonce responder.
  - 12. The system of claim 1, wherein the User Mode enables a plurality of authentication packets to be sent to authenticate among users.
  - 13. The system of claim 1, wherein the IKE module is adapted to provide User Mode negotiations in order to establish a secure link between the services.
  - 14. The system of claim 13, wherein the User Mode negotiation further comprises an initiator packet including at least one of a user identification initiator, a security association attribute, a nonce initiator, a proxy source, and a proxy destination.
  - 15. The system of claim 14, wherein multiple services are authenticated on the second machine by utilizing a policy look-up associated with service information relating to the initiator packet.
  - 16. The system of claim 14, wherein if a multiple service authentication fails, the second machine initiates a User Mode negotiation.

17. A system of establishing a secure link between a first machine and multiple services on a second machine, comprising:
- a subsystem to filter traffic so that traffic from each service is separate, the subsystem comprising a policy module and an Internet Key Exchange (IKE) module adapted to provide User Mode negotiations in order to establish a secure link among users wherein the User Mode negotiations utilize keying material derived from Main Mode negotiations in order to provide the secure link among users;
  
  wherein the subsystem generates and associates a Security Association (SA) with at least one filter corresponding to the user and the service and employs the SA to establish the secure link.
- View Dependent Claims (18, 19, 20, 21, 22)
- - 18. The system of claim 17, wherein the subsystem further comprises an Internet Key Exchange module and a policy module to generate and associate the security association.
  - 19. The system of claim 18, wherein the policy module is configured via Internet Protocol Security (IPSEC).
  - 20. The system of claim 19, wherein filters are provided from the policy module is order to filter traffic associated with the first machine and the second machine.
  - 21. The system of claim 20, wherein the first machine filter is associated with a communications port on the first machine.
  - 22. The system of claim 21, wherein the second machine determines filters dynamically to communicate with the filters associated with the first machine.

23. A method of establishing a secure link among multiple users on a single machine with a remote machine, comprising the steps of:
- filtering traffic so that traffic from each user is separate;
  
  utilizing an Internet Key Exchange (IKE) module and a policy module, the IKE module providing User Mode negotiations to establish a secure link among users wherein the User Mode negotiations utilize keying material derived from Main Mode negotiations in order to provide the secure link among users;
  
  negotiating and authenticating a Security Association (SA) with at least one filter corresponding to the user and the traffic; and
  
  employing the SA to establish the secure link.

24. A method of establishing a secure link between a first machine and multiple services on a second machine, comprising the steps of:
- filtering traffic so that traffic from each service is separate;
  
  employing a policy module and an Internet Key Exchange (IKE) module to provide User Mode negotiations to establish a source link among users wherein the User Mode negotiations utilize keying material derived from Main Mode negotiations in order to provide the secure link among users;
  
  negotiating and authenticating a Security Association (SA) with at least one filter corresponding to the services and the traffic; and
  
  employing the SA to establish the secure link.

25. A system for establishing a secure link among multiple users on a single machine with a remote machine, comprising:
- means for filtering traffic so that traffic from each user is separate;
  
  means for utilizing a policy module and an Internet Key Exchange (IKE) module adapted to provide User Mode negotiations in establishing a secure link among users wherein the User Mode negotiations utilize keying material derived from Main Mode negotiations in order to provide the secure link among users;
  
  means for negotiating and authenticating a Security Association (SA) with at least one filter corresponding to the user and the traffic; and
  
  means for employing the SA to establish the secure link.

26. A system of establishing a secure link between a first machine and multiple services on a second machine, comprising:
- means for filtering traffic so that traffic from each service is separate;
  
  means for employing a policy module and an Internet Key Exchange (IKE) module to provide User Mode negotiations to establish a secure link among users wherein the User Mode negotiations utilize keying material derived from Main Mode negotiations in order to provide the secure link among users;
  
  means for negotiating and authenticating a Security Association (SA) with at least one filter corresponding to the services and the traffic and means for employing the SA to establish the secure link.

27. A computer readable medium having stored thereon computer executable components, comprising:
- a component to filter traffic between a first machine, having multiple users, and a second machine so that traffic for the first machine is separated in accordance with the respective users; and
  
  a component to generate and associate a Security Association (SA) with at least one filter, corresponding to at least one of the user end the respective traffic, and employs the SA to establish a secure link between the first and second machines, the component employing a policy module and an Internet Key Exchange (IKE) module adapted to provide User Mode negotiations in order to establish a secure link among users wherein the User Mode negotiations utilize keying material derived from Main Mode negotiations in order to provide the secure link among users.

28. A data packet adapted to be transmitted between at least two processes, comprising:
- a first component to filter traffic between a first process, associated with multiple users, and a second process so that traffic for the first process is separated in accordance with the respective users; and
  
  a second component to generate and associate a Security Association (SA) with at least one filter, corresponding to at least one of the users and the respective traffic, and employs the SA to establish a secure link between the first and second processes, the second component utilizing a policy module and an Internet Key Exchange (IKE) module adapted to provide User Mode negotiations in order to establish a secure link among users wherein the User Mode negotiations utilize keying material derived from Main Mode negotiations in order to provide the secure link among users.

29. A computer readable medium having stored thereon computer executable components, comprising:
- a component to fiber traffic between a first machine, having multiple services, and a second machine so that traffic for the first machine is separated in accordance with the respective services; and
  
  a component to generate and associate a Security Association (SA) with at least one filter, corresponding to at least one of the services and the respective traffic, and employs the SA to establish a secure link between the first and second machines, the component further comprising a policy module and an Internet Key Exchange (IKE) module adapted to provide User Mode negotiations in order to establish a secure link among users wherein the User Mode negotiations utilize keying material derived from Main Mode negotiations in order to provide the secure link among users.

30. A data packet adapted to be transmitted between at least two processes, comprising:
- a first component to filter traffic between a first process, associated with multiple services, and a second process so that traffic for the first process is separated in accordance with the respective services; and
  
  a second component to generate and associate a Security Association (SA) with at least one filter, corresponding to at least one of the services and the respective traffic, and employs the SA to establish a secure link between the first and second processes, the second component including a policy module and an Internet Key Exchange (IKE) adapted to provide User Mode negotiations in order to establish a secure link among users wherein the User Mode negotiations utilize keying material derived from Main Mode negotiations in order to provide the secure link among users.
- View Dependent Claims (31)
- - 31. The data packet of claim 30, wherein at least one of the processes is executed by a distributed processing system.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Microsoft Technology Licensing LLC (Microsoft Corporation)
Original Assignee
Microsoft Corporation
Inventors
Swander, Brian D., Aboba, Bernard D.
Primary Examiner(s)
Caldwell, Andrew
Assistant Examiner(s)
JACKSON, JENISE E

Application Number

US09/741,217
Publication Number

US 20050091527A1
Time in Patent Office

1,658 Days
Field of Search

713/151, 713/153, 713/154, 713160-171, 713200-201, 709/217, 709/219, 709/220, 709/223, 709224-226, 709227-230
US Class Current

726/1
CPC Class Codes

H04L 63/0236   Filtering by address, proto...

H04L 63/061   for key exchange, e.g. in p...

H04L 63/08   for authentication of entit...

H04L 63/164   at the network layer

System and method for improved network security

First Claim

2 Assignments

0 Petitions

Accused Products

Abstract

119 Citations

31 Claims

Specification

Solutions

Use Cases

Quick Links

System and method for improved network security

First Claim

2 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

119 Citations

31 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links