Integrated system for network layer security and fine-grained identity-based access control

US 6,986,061 B1
Filed: 11/20/2000
Issued: 01/10/2006
Est. Priority Date: 11/20/2000
Status: Expired due to Term

First Claim

Patent Images

1. A method for providing fine-grained, identity-based access control in a computer networking environment, comprising steps of:

establishing a mutually-authenticated connection between a first end device and a second end device using strong cryptographic techniques, wherein the mutually-authenticated connection comprises a first mutually-authenticated network segment between the first end device and a boundary device providing network-layer protection and a second mutually-authenticated network segment between the second end device and the boundary device;

extracting a first authenticated identity associated with the first end device and a second authenticated identity associated with the second end device during the step of establishing the mutually-authenticated connection;

providing secure communications between a security enforcement function operating in the boundary device and an access control function;

providing the extracted first and second authenticated identities, by the security enforcement function, to the access control function;

determining access privileges of the first end device and the second end device, by the access control function, based upon the provided extracted identities;

securely communicating packet-handling directives from the access control function to the security enforcement function, based upon the determined access privileges; and

using the packet-handling directives, by the security enforcement function, to determine whether to forward packets by the first end device on the first network segment to the second end device on the second network segment.

View all claims

2 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

The present invention provides a method, system, and computer program product for enhancing security within a distributed computing network while enabling fine-grained access control for packets traveling through the network. The disclosed techniques enable this fine-grained access control while simultaneously providing broad-brush application-independent and user-independent security for Internet Protocol (IP) packets that are in transit over both secure networks (such as a corporate intranet) and non-secure networks (such as the public Internet). Access control decisions are delegated to an access control engine, and are based upon mutually authenticated identity information (e.g. of a system user and/or application) that is extracted from information exchanged as part of an underlying security service (such as the Internet Key Exchange of the IP Security Protocol).

291 Citations

33 Claims

1. A method for providing fine-grained, identity-based access control in a computer networking environment, comprising steps of:
- establishing a mutually-authenticated connection between a first end device and a second end device using strong cryptographic techniques, wherein the mutually-authenticated connection comprises a first mutually-authenticated network segment between the first end device and a boundary device providing network-layer protection and a second mutually-authenticated network segment between the second end device and the boundary device;
  
  extracting a first authenticated identity associated with the first end device and a second authenticated identity associated with the second end device during the step of establishing the mutually-authenticated connection;
  
  providing secure communications between a security enforcement function operating in the boundary device and an access control function;
  
  providing the extracted first and second authenticated identities, by the security enforcement function, to the access control function;
  
  determining access privileges of the first end device and the second end device, by the access control function, based upon the provided extracted identities;
  
  securely communicating packet-handling directives from the access control function to the security enforcement function, based upon the determined access privileges; and
  
  using the packet-handling directives, by the security enforcement function, to determine whether to forward packets by the first end device on the first network segment to the second end device on the second network segment.

2. A computer program product for providing fine-grained, identity-based access control in a computer networking environment, the computer program product embodied on one or more computer-readable media and comprising:
- computer-readable program code means for storing, for a security enforcement function operating in a network-layer boundary device, a first authenticated identity associated with a first end device with which the boundary device has established a first mutually-authenticated network-layer security association;
  
  computer-readable program code means for storing, for the security enforcement function, a second authenticated identity associated with a second end device with which the boundary device has established a second mutually-authenticated network-layer security association; and
  
  computer-readable program code means for using the first authenticated identity and the second authenticated identity to determine whether a data packet traveling between the first end device and the second end device over the first security association and the second security association is to be forwarded or discarded upon reaching the boundary device, further comprising;
  
  computer-readable program code means for securely sending the first authenticated identity and the second authenticated identity from the security enforcement function to an access control function, responsive to the data packet reaching the boundary device, such that the access control function can use the securely-sent identities to obtain corresponding access privileges and generate packet-handling directives based thereupon;
  
  computer-readable program code means for securely receiving, by the security enforcement function, the packet-handling directives from the access control function; and
  
  computer-readable program code means, operable at the security enforcement function, for either forwarding or discarding the data packet, depending on the received packet-handling directives.
- View Dependent Claims (3, 4, 5, 6, 7, 8, 9, 10, 11, 12)
- - 3. The computer program product according to claim 2, wherein the computer-readable program code means for using further comprises computer-readable program code means for examining the data packet to determine the first and second authenticated identities, responsive to the data packet reaching the boundary device and prior to operation of the computer-readable program code means for securely sending.
  - 4. The computer program product according to claim 2, wherein the first authenticated identity is obtained for the security enforcement function from the first end device when the boundary device and the first end device establish the first security association and the second authentication identity is obtained for the security enforcement function from the second end device when the boundary device and the second end device establish the second security association.
  - 5. The computer program product according to claim 2, wherein strong cryptographic techniques are used for security association and the second security association and are provided by protocols known as Internet Key Exchange and IP (Internet Protocol) Security Protocol.
  - 6. The computer program product according to claim 2, wherein the computer-readable program code means for securely sending and the computer-readable program code means for securely receiving further comprise use of a secure channel established between the security enforcement function and the access control function.
  - 7. The computer program product according to claim 2, wherein the first security association specifies only coarse-grained control information.
  - 8. The computer program product according to claim 2, wherein the first authenticated identity associated with the first end device is an identification of a user of the first end device.
  - 9. The computer program product according to claim 2, wherein the first authenticated identity associated with the first end device is an identification of an application executing on the first end device.
  - 10. The computer program product according to claim 2, wherein the second security association specifies only coarse-grained access control information.
  - 11. The computer program product according to claim 2, wherein the second authenticated identity associated with the second end device is an identification of a user of the second end device.
  - 12. The computer program product according to claim 2, wherein the second authenticated identity associated with the second end device is an identification of an application executing on the second end device.

13. A system for providing fine-grained, identity-based access control in a computer networking environment, comprising:
- means for storing, for a security enforcement function operating in a network-layer boundary device, a first authenticated identity associated with a first end device with which the boundary device has established a first mutually-authenticated network-layer security association;
  
  means for storing, for the security enforcement function, a second authenticated identity associated with a second end device with which the boundary device has established a second mutually-authenticated network-layer security association; and
  
  means for using the first authenticated identity and the second authenticated identity to determine whether a data packet traveling between the first end device and the second end device over the first security association and the second security association is to be forwarded or discarded upon reaching the boundary device, further comprising;
  
  means for securely sending the first authenticated identity and the second authenticated identity from the security enforcement function to an access control function, responsive to the data packet reaching the boundary device, such that the access control function can use the securely-sent identities to obtain corresponding access privileges and generate packet-handling directives based thereupon;
  
  means for securely receiving, by the security enforcement function, the packet-handling directives from the access control function; and
  
  means, operable at the security enforcement function, for either forwarding or discarding the data packet, depending on the received packet-handing directives.
- View Dependent Claims (14, 15, 16, 17, 18, 19, 20)
- - 14. The system according to claim 13, wherein the means for using further comprises means for examining the data packet to determine the first and second authenticated identities, responsive to the data packet reaching the boundary device and prior to operation of the means for securely sending.
  - 15. The system according to claim 13, wherein the first authenticated identity is obtained for the security enforcement function from the first end device when the boundary device and the first end device establish the first security association and the second authenticated identity is obtained for the security enforcement function from the second end device when the boundary device and the second end device establish the second security association.
  - 16. The system according to claim 13, wherein strong cryptographic techniques are used for the first security association and the second security association and are provided by protocols known as Internet Key Exchange and IP (Internet Protocol) Security Protocol.
  - 17. The system according to claim 13, wherein the means for securely sending and the means for securely receiving comprise use of a secure channel established between the security enforcement function and the access control function.
  - 18. The system according to claim 13, wherein the security enforcement function also operates in the first end device in the second end device, and further comprising:
    - means for securely communicating between the security enforcement function in the first end device and the access control function to determine whether the first end device can send a particular data packet to the second end device; and
      
      means for securely communicating between the security enforcement function in the second end device and the access control function to determine whether the second end device can receive the particular data packet from the first end device.
  - 19. The system according to claim 13, wherein the first authenticated identity associated with the first end device is an identification of a user of the first end device and/or an application executing on the first end device.
  - 20. The system according to claim 13, wherein the second authenticated identity associated with the second end device is an identification of a user of the second end device and/or an application executing on the second end device.

21. A method for providing fine-grained, identity-based access control in a computer networking environment, comprising steps of:
- storing, for a security enforcement function operating in a network-layer boundary device, a first authenticated identity associated with a first end device with which the boundary device has established a first mutually-authenticated network-layer security association;
  
  storing, for the security enforcement function, a second authenticated identity associated with a second end device with which the boundary device has established a second mutually-authenticated network-layer security association; and
  
  using the first authenticated identity and the second authenticated identity to determine whether a data packet traveling between the first end device and the second end device over the first security association and the second security association is to be forwarded or discarded upon reaching the bounding device, further comprising steps of;
  
  securely sending the first authenticated identity and the second authenticated identity from the security enforcement function to an access control function, responsive to the data packet reaching the boundary device, such that the access control function can use the securely-sent identities to obtain corresponding access privileges and generate packet-handling directives based thereupon;
  
  securely receiving, by the security enforcement function, the packet-handling directives from the access control function; and
  
  either forwarding or discarding the data packet, at the security enforcement function, depending on the received packet-handling directives.
- View Dependent Claims (22, 23, 24, 25, 26, 27, 28)
- - 22. The method according to claim 21, wherein the using step further comprises the step of examining the data packet to determine the first and second authenticated identities, responsive to the data packet reaching the boundary device and prior to operation of the securely sending step.
  - 23. The method according to claim 21, wherein the first authenticated identity is obtained for the security enforcement function from the first end device when the boundary device and the first end device establish the first security association and the second authenticated identity is obtained for the security enforcement function from the second end device when the boundary device and the second end device establish the second security association.
  - 24. The method according to claim 21, wherein strong cryptographic techniques are used for the first security association and the second security association and are provided by protocols known as Internet Key Exchange and IP (Internet Protocol) Security Protocol.
  - 25. The method according to claim 21, wherein the securely sending step and the securely receiving step further comprise use of a secure channel established between the security enforcement function and the access control function.
  - 26. The method according to claim 21, wherein the security enforcement function also operates in the first end device and in the second end device, and further comprising the steps of;
    - securely communicating between the security enforcement function in the first end device and the access control function to determine whether the first end device can send a particular data packet to the second end device; and
      
      securely communication between the security enforcement function in the second end device and the access control function to determine whether the second end device can receive the particular data packet from the first end device.
  - 27. The method according to claim 21, wherein the first authenticated identity associated with the first end device is an identification of a user of the first end device and/or an application executing on the first end device.
  - 28. The method according to claim 21, wherein the second authenticated identity associated with the second end device is an identification of a user of the second end device and/or an application executing on the second end device.

29. A method for providing fine-grained, identity-based access control in a computer networking environment, comprising steps of:
- storing, for a first security enforcement function operating in a first network-layer boundary device, a first authenticated identity associated with a first end device with which the first boundary device has established a first mutually-authenticated network-layer security association;
  
  storing, for a second security enforcement function operating in a second network-layer boundary device, a second authenticated identity associated with a second end device with which the second boundary device has established a second mutually-authenticated network-layer security association;
  
  establishing a third mutually-authenticated security association between the first boundary device and the second boundary device; and
  
  using the first authenticated identity and the second authenticated identity to determine whether a data packet traveling between the first end device and the second end device over the first security association, the third security association, and the second security association is to be forwarded or discarded upon reaching either of the boundary devices, further comprising steps of;
  
  securely sending the first authenticated identity and the second authenticated identity from the first security enforcement function to an access control function, responsive to the data packet reaching the first boundary device, or from the second security enforcement function to the access control function, responsive to the data packet reaching the second boundary device, such that the access control function can use the securely-sent identities to obtain corresponding access privileges and generate packet-handling directives based thereupon;
  
  securely receiving, by the first security enforcement function when the authenticated identities are sent therefrom, or by the second security enforcement function when the authenticated identities are sent therefrom, the packet-handling directives from the access control function; and
  
  either forwarding or discarding the data packet, at the security enforcement function receiving the packet-handling directives, depending on the received packet-handling directives.
- View Dependent Claims (30, 31, 32, 33)
- - 30. The method according to claim 29, wherein strong cryptographic techniques are used for the first security association and the second security association and are provided by protocols known as Internet Key Exchange and IP (Internet Protocol) Security Protocol.
  - 31. The method according to claim 29, wherein:
    - the step of securely sending and the step of securely receiving each further comprise the step of using a first secure channel established between the first security enforcement function and the access control function when the data packet has reached the first boundary device or using;
      
      a second secure channel established between the second security enforcement function and the access control function when the data packet has reached the second boundary device.
  - 32. The method according to claim 29, wherein the first authenticated identity associated with the first end device is an identification of a user of the first end device and/or an application executing on the first end device.
  - 33. The method according to claim 29, wherein the second authenticated identity associated with the second end device is an identification of a user of the second end device and/or an application executing on the second end device.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Trend Micro Inc.
Original Assignee
International Business Machines Corporation
Inventors
Kunzinger, Charles A.
Primary Examiner(s)
Barron, Jr., Gilberto
Assistant Examiner(s)
KIM, JUNG W

Application Number

US09/718,041
Time in Patent Office

1,877 Days
Field of Search

709/225, 713/150, 713/153, 713/201
US Class Current

713/153
CPC Class Codes

H04L 2209/60   Digital content management,...

H04L 2209/80   Wireless network architectu...

H04L 63/0464   using hop-by-hop encryption...

H04L 63/0869   for achieving mutual authen...

H04L 63/105   Multiple levels of security

H04L 9/0841   involving Diffie-Hellman or...

H04L 9/321   involving a third party or ...

H04L 9/3273   for mutual authentication n...

Integrated system for network layer security and fine-grained identity-based access control

First Claim

2 Assignments

0 Petitions

Accused Products

Abstract

291 Citations

33 Claims

Specification

Solutions

Use Cases

Quick Links

Integrated system for network layer security and fine-grained identity-based access control

First Claim

2 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

291 Citations

33 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links