Integrated system for network layer security and fine-grained identity-based access control
Abstract
The present invention provides a method, system, and computer program product for enhancing security within a distributed computing network while enabling fine-grained access control for packets traveling through the network. The disclosed techniques enable this fine-grained access control while simultaneously providing broad-brush application-independent and user-independent security for Internet Protocol (IP) packets that are in transit over both secure networks (such as a corporate intranet) and non-secure networks (such as the public Internet). Access control decisions are delegated to an access control engine, and are based upon mutually authenticated identity information (e.g. of a system user and/or application) that is extracted from information exchanged as part of an underlying security service (such as the Internet Key Exchange of the IP Security Protocol).
291 Citations
33 Claims
1. A method for providing fine-grained, identity-based access control in a computer networking environment, comprising steps of:
- establishing a mutually-authenticated connection between a first end device and a second end device using strong cryptographic techniques, wherein the mutually-authenticated connection comprises a first mutually-authenticated network segment between the first end device and a boundary device providing network-layer protection and a second mutually-authenticated network segment between the second end device and the boundary device;
- extracting a first authenticated identity associated with the first end device and a second authenticated identity associated with the second end device during the step of establishing the mutually-authenticated connection;
- providing secure communications between a security enforcement function operating in the boundary device and an access control function;
- providing the extracted first and second authenticated identities, by the security enforcement function, to the access control function;
- determining access privileges of the first end device and the second end device, by the access control function, based upon the provided extracted identities;
- securely communicating packet-handling directives from the access control function to the security enforcement function, based upon the determined access privileges; and
- using the packet-handling directives, by the security enforcement function, to determine whether to forward packets by the first end device on the first network segment to the second end device on the second network segment.
2. A computer program product for providing fine-grained, identity-based access control in a computer networking environment, the computer program product embodied on one or more computer-readable media and comprising:
- computer-readable program code means for storing, for a security enforcement function operating in a network-layer boundary device, a first authenticated identity associated with a first end device with which the boundary device has established a first mutually-authenticated network-layer security association;
- computer-readable program code means for storing, for the security enforcement function, a second authenticated identity associated with a second end device with which the boundary device has established a second mutually-authenticated network-layer security association; and
- computer-readable program code means for using the first authenticated identity and the second authenticated identity to determine whether a data packet traveling between the first end device and the second end device over the first security association and the second security association is to be forwarded or discarded upon reaching the boundary device, further comprising:
- computer-readable program code means for securely sending the first authenticated identity and the second authenticated identity from the security enforcement function to an access control function, responsive to the data packet reaching the boundary device, such that the access control function can use the securely-sent identities to obtain corresponding access privileges and generate packet-handling directives based thereupon;
- computer-readable program code means for securely receiving, by the security enforcement function, the packet-handling directives from the access control function; and
- computer-readable program code means, operable at the security enforcement function, for either forwarding or discarding the data packet, depending on the received packet-handling directives.
Dependent claims: 3, 4, 5, 6, 7, 8, 9, 10, 11, 12 (not reproduced on this page).
13. A system for providing fine-grained, identity-based access control in a computer networking environment, comprising:
- means for storing, for a security enforcement function operating in a network-layer boundary device, a first authenticated identity associated with a first end device with which the boundary device has established a first mutually-authenticated network-layer security association;
- means for storing, for the security enforcement function, a second authenticated identity associated with a second end device with which the boundary device has established a second mutually-authenticated network-layer security association; and
- means for using the first authenticated identity and the second authenticated identity to determine whether a data packet traveling between the first end device and the second end device over the first security association and the second security association is to be forwarded or discarded upon reaching the boundary device, further comprising:
- means for securely sending the first authenticated identity and the second authenticated identity from the security enforcement function to an access control function, responsive to the data packet reaching the boundary device, such that the access control function can use the securely-sent identities to obtain corresponding access privileges and generate packet-handling directives based thereupon;
- means for securely receiving, by the security enforcement function, the packet-handling directives from the access control function; and
- means, operable at the security enforcement function, for either forwarding or discarding the data packet, depending on the received packet-handling directives.
Dependent claims: 14, 15, 16, 17, 18, 19, 20 (not reproduced on this page).
21. A method for providing fine-grained, identity-based access control in a computer networking environment, comprising steps of:
- storing, for a security enforcement function operating in a network-layer boundary device, a first authenticated identity associated with a first end device with which the boundary device has established a first mutually-authenticated network-layer security association;
- storing, for the security enforcement function, a second authenticated identity associated with a second end device with which the boundary device has established a second mutually-authenticated network-layer security association; and
- using the first authenticated identity and the second authenticated identity to determine whether a data packet traveling between the first end device and the second end device over the first security association and the second security association is to be forwarded or discarded upon reaching the boundary device, further comprising steps of:
- securely sending the first authenticated identity and the second authenticated identity from the security enforcement function to an access control function, responsive to the data packet reaching the boundary device, such that the access control function can use the securely-sent identities to obtain corresponding access privileges and generate packet-handling directives based thereupon;
- securely receiving, by the security enforcement function, the packet-handling directives from the access control function; and
- either forwarding or discarding the data packet, at the security enforcement function, depending on the received packet-handling directives.
Dependent claims: 22, 23, 24, 25, 26, 27, 28 (not reproduced on this page).
29. A method for providing fine-grained, identity-based access control in a computer networking environment, comprising steps of:
- storing, for a first security enforcement function operating in a first network-layer boundary device, a first authenticated identity associated with a first end device with which the first boundary device has established a first mutually-authenticated network-layer security association;
- storing, for a second security enforcement function operating in a second network-layer boundary device, a second authenticated identity associated with a second end device with which the second boundary device has established a second mutually-authenticated network-layer security association;
- establishing a third mutually-authenticated security association between the first boundary device and the second boundary device; and
- using the first authenticated identity and the second authenticated identity to determine whether a data packet traveling between the first end device and the second end device over the first security association, the third security association, and the second security association is to be forwarded or discarded upon reaching either of the boundary devices, further comprising steps of:
- securely sending the first authenticated identity and the second authenticated identity from the first security enforcement function to an access control function, responsive to the data packet reaching the first boundary device, or from the second security enforcement function to the access control function, responsive to the data packet reaching the second boundary device, such that the access control function can use the securely-sent identities to obtain corresponding access privileges and generate packet-handling directives based thereupon;
- securely receiving, by the first security enforcement function when the authenticated identities are sent therefrom, or by the second security enforcement function when the authenticated identities are sent therefrom, the packet-handling directives from the access control function; and
- either forwarding or discarding the data packet, at the security enforcement function receiving the packet-handling directives, depending on the received packet-handling directives.
Dependent claims: 30, 31, 32, 33 (not reproduced on this page).
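The following Python model is an added illustration of the enforcement loop the abstract and independent claims describe; it is not code from the patent or its assignee. It models one boundary device whose security enforcement function stores the identity each peer proved during security-association setup, consults an access control function over an integrity-protected control channel, and forwards or discards packets according to the returned directive. The identities, addresses, policy table, the JSON-plus-HMAC framing of the control channel and the shared channel key are all constructed assumptions; in a real deployment the identities would come from the key exchange (e.g. IKE) and the control channel would be a properly keyed, authenticated transport.

```python
"""Toy model of identity-based packet enforcement at a network-layer boundary device.

Constructed example, not the patent's own code. All identities, addresses, keys
and policy entries are invented sample values.
"""
import hashlib
import hmac
import json
from dataclasses import dataclass
from enum import Enum
from typing import Dict, Optional, Tuple


class Directive(Enum):
    FORWARD = "forward"
    DISCARD = "discard"


@dataclass(frozen=True)
class SecurityAssociation:
    """Mutually-authenticated network-layer SA between the boundary device and one peer.

    authenticated_id is the identity the peer proved during the key exchange; it is
    bound to the SA, not read from the packet, so a peer cannot spoof it."""
    peer_addr: str
    authenticated_id: str


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str


# Hypothetical shared key protecting the enforcement <-> access-control channel (constructed).
CHANNEL_KEY = b"constructed-control-channel-key"


def _mac(body: dict) -> str:
    data = json.dumps(body, sort_keys=True).encode()
    return hmac.new(CHANNEL_KEY, data, hashlib.sha256).hexdigest()


def seal(body: dict) -> dict:
    """Attach an HMAC so the receiver can check integrity and origin of a control message."""
    return {"body": body, "mac": _mac(body)}


def open_sealed(msg: dict) -> Optional[dict]:
    """Return the message body if its MAC verifies, otherwise None."""
    if hmac.compare_digest(msg.get("mac", ""), _mac(msg["body"])):
        return msg["body"]
    return None


class AccessControlFunction:
    """Policy engine: decides on (source identity, destination identity) pairs."""

    def __init__(self, allowed_pairs):
        self.allowed = set(allowed_pairs)

    def request(self, sealed_request: dict) -> dict:
        body = open_sealed(sealed_request)
        if body is None:  # tampered or unauthenticated request: refuse
            return seal({"directive": Directive.DISCARD.value, "reason": "bad mac"})
        pair = (body["src_id"], body["dst_id"])
        decision = Directive.FORWARD if pair in self.allowed else Directive.DISCARD
        # Echo the identities so the enforcement side can bind the reply to its request.
        return seal({"directive": decision.value, "src_id": pair[0], "dst_id": pair[1]})


class SecurityEnforcementFunction:
    """Runs in the boundary device: holds SAs and applies directives to packets."""

    def __init__(self, acf: AccessControlFunction):
        self.acf = acf
        self.sas: Dict[str, SecurityAssociation] = {}
        self.directives: Dict[Tuple[str, str], Directive] = {}

    def establish_sa(self, peer_addr: str, authenticated_id: str) -> None:
        # Called once the mutually-authenticated key exchange with this peer completes.
        self.sas[peer_addr] = SecurityAssociation(peer_addr, authenticated_id)

    def handle(self, pkt: Packet) -> Directive:
        src_sa, dst_sa = self.sas.get(pkt.src), self.sas.get(pkt.dst)
        if src_sa is None or dst_sa is None:
            return Directive.DISCARD  # no authenticated identity on one side: fail closed
        key = (src_sa.authenticated_id, dst_sa.authenticated_id)
        if key not in self.directives:
            reply = open_sealed(self.acf.request(seal({"src_id": key[0], "dst_id": key[1]})))
            if reply is None or reply.get("src_id") != key[0] or reply.get("dst_id") != key[1]:
                return Directive.DISCARD  # unverifiable or mismatched reply: fail closed
            self.directives[key] = Directive(reply["directive"])  # cache per identity pair
        return self.directives[key]


def demo() -> Dict[str, Directive]:
    """Constructed scenario: one permitted identity pair, one unpermitted, one unknown peer."""
    acf = AccessControlFunction([("alice@example.test", "db.internal.test")])
    sef = SecurityEnforcementFunction(acf)
    sef.establish_sa("10.0.0.5", "alice@example.test")
    sef.establish_sa("10.0.0.9", "guest@example.test")
    sef.establish_sa("192.168.1.20", "db.internal.test")
    return {
        "alice_to_db": sef.handle(Packet("10.0.0.5", "192.168.1.20")),
        "guest_to_db": sef.handle(Packet("10.0.0.9", "192.168.1.20")),
        "unknown_peer": sef.handle(Packet("10.0.0.77", "192.168.1.20")),
    }


if __name__ == "__main__":
    for name, d in demo().items():
        print(f"{name}: {d.value}")
```

Two design points carry over from the claims: the decision key is the pair of authenticated identities, never the packet's addresses, so moving a host to another address without a fresh SA changes nothing; and every failure on the control path (missing SA, bad MAC, reply for a different identity pair) resolves to DISCARD rather than to a default-allow.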