Method and apparatus for selectively enforcing network security policies using group identifiers
First Claim
1. A method of selectively enforcing a security policy in a network, the method comprising the computer-implemented steps of:
- receiving information defining one or more group lists, resource definitions, and definitions of users as members of one or more groups in the group lists, wherein the definitions include network addresses for the users, wherein the network addresses have been assigned by an address server;
creating and storing one or more access controls in a policy enforcement point device that controls access of clients to the network, wherein each of the access controls specifies that a named abstract group is allowed access to a particular resource;
receiving, from an external binding process separate from the address server, a binding of a network address to an authenticated user of one of the clients for which the policy enforcement point controls access to the network;
updating the named group to include the bound network address of the authenticated user at the policy enforcement point; and
permitting a packet flow originating from the network address to pass from the policy enforcement point into the network only if the network address is in the named group identified in one of the access controls that specifies that the named group is allowed access to the network.
1 Assignment
0 Petitions
Accused Products
Abstract
A method and apparatus for selectively enforcing network security policy using group identifiers are disclosed. One or more access controls are created and stored in a policy enforcement point that controls access to the network, wherein each of the access controls specifies that a named group is allowed access to a particular resource. A binding of a network address to an authenticated user of a client, for which the policy enforcement point controls access to the network, is created and stored. The named group is updated to include the network address of the authenticated user at the policy enforcement point. A packet flow originating from the network address is permitted to pass from the policy enforcement point into the network only if the network address is in the named group identified in one of the access controls that specifies that the named group is allowed access to the network. Accordingly, network security may be implemented in the form of abstract groups that include specific network addresses; as a result, users may be allowed or denied access to network addresses by updating membership of the groups to include or delete the network addresses of the users, rather than by creating or deleting access controls that specifically identify the users.
-
Citations
18 Claims
-
1. A method of selectively enforcing a security policy in a network, the method comprising the computer-implemented steps of:
-
receiving information defining one or more group lists, resource definitions, and definitions of users as members of one or more groups in the group lists, wherein the definitions include network addresses for the users, wherein the network addresses have been assigned by an address server; creating and storing one or more access controls in a policy enforcement point device that controls access of clients to the network, wherein each of the access controls specifies that a named abstract group is allowed access to a particular resource; receiving, from an external binding process separate from the address server, a binding of a network address to an authenticated user of one of the clients for which the policy enforcement point controls access to the network; updating the named group to include the bound network address of the authenticated user at the policy enforcement point; and permitting a packet flow originating from the network address to pass from the policy enforcement point into the network only if the network address is in the named group identified in one of the access controls that specifies that the named group is allowed access to the network. - View Dependent Claims (2, 3, 4, 5, 6, 7, 8)
-
-
9. A computer-readable medium carrying one or more sequences of instructions for selectively enforcing a security policy in a network, which instructions, when executed by one or more processors, cause the one or more processors to carry out the steps of:
-
receiving information defining one or more group lists, resource definitions, and definitions of users as members of one or more groups in the group lists, wherein the definitions include network addresses for the users, wherein the network addresses have been assigned by an address server; creating and storing one or more access controls in a policy enforcement point device that controls access of clients to the network, wherein each of the access controls specifies that a named abstract group is allowed access to a particular resource; receiving, from an external binding process separate from the address server, a binding of a network address to an authenticated user of one of the clients for which the policy enforcement point controls access to the network; updating the named group to include the bound network address of the authenticated user at the policy enforcement point; and permitting a packet flow originating from the network address to pass from the policy enforcement point into the network only if the network address is in the named group identified in one of the access controls that specifies that the named group is allowed access to the network. - View Dependent Claims (10, 11, 12, 13, 14)
-
-
15. An apparatus for selectively enforcing a security policy in a network, comprising:
-
means for receiving information defining one or more group lists, resource definitions, and definitions of users as members of one or more groups in the group lists, wherein the definitions include network addresses for the users, wherein the network addresses have been assigned by an address server; means for creating and storing one or more access controls in a policy enforcement point device that controls access of clients to the network, wherein each of the access controls specifies that a named abstract group is allowed access to a particular resource; means for receiving, from an external binding process separate from the address server, a binding of a network address to an authenticated user of one of the clients for which the policy enforcement point controls access to the network; means for updating the named group to include the bound network address of the authenticated user at the policy enforcement point; and means for permitting a packet flow originating from the network address to pass from the policy enforcement point into the network only if the network address is in the named group identified in one of the access controls that specifies that the named group is allowed access to the network.
-
-
16. An apparatus for selectively enforcing a security policy in a network, comprising:
-
a network interface that is coupled to the data network for receiving one or more packet flows therefrom; a processor; one or more stored sequences of instructions which, when executed by the processor, cause the processor to carry out the steps of; receiving information defining one or more group lists, resource definitions, and definitions of users as members of one or more groups in the group lists, wherein the definitions include network addresses for the users, wherein the network addresses have been assigned by an address server; creating and storing one or more access controls in a policy enforcement point device that controls access of clients to the network, wherein each of the access controls specifies that a named abstract group is allowed access to a particular resource; receiving, from an external binding process separate from the address server, a binding of a network address to an authenticated user of one of the clients for which the policy enforcement point controls access to the network; updating the named group to include the bound network address of the authenticated user at the policy enforcement point; and permitting a packet flow originating from the network address to pass from the policy enforcement point into the network only if the network address is in the named group identified in one of the access controls that specifies that the named group is allowed access to the network.
-
-
17. A method of selectively enforcing a security policy in a network, the method comprising the computer-implemented steps of:
-
receiving information defining one or more group lists, resource definitions, and definitions of users as members of one or more groups in the group lists, wherein the definitions include network addresses for the users, wherein the network addresses have been assigned by an address server; creating and storing one or more access control list entries in a network router that acts as a policy enforcement point device and that controls access of clients to the network, wherein each of the access control list entries specifies that a named group of users is allowed or refused access to a particular network resource; creating and storing one or more definitions of the named groups in a data store that is accessible by the network router; receiving, from an external process that can bind a user to a specific network address and that is separate from the address server, a binding of a network address to an authenticated user of one of the clients for which the router controls access to the network; updating the named group to include the bound network address of the authenticated user at the policy enforcement point; and permitting a packet flow originating from the bound network address to pass from the policy enforcement point into the network only if the bound network address is in the named group identified in one of the access control list entries that specifies that the named group is allowed access to the network.
-
-
18. A method of selectively enforcing a security policy in a network, the method comprising the computer-implemented steps of:
-
receiving information defining one or more group lists, resource definitions, and definitions of users as members of one or more groups in the group lists, wherein the definitions include network addresses for the users, wherein the network addresses have been assigned by an address server; creating and storing one or more access control list entries in a network router that acts as a policy enforcement point device and that controls access of clients to the network, wherein each of the access control list entries specifies that a named group of users is allowed or refused access to a particular network resource; creating and storing one or more definitions of the named groups in a data store that is accessible by the network router; receiving, from an external process that can bind a user to a specific network address and that is separate from the address server, a binding of a network address to an authenticated user of one of the clients for which the router controls access to the network; updating the named group to include the bound network address of the authenticated user at the policy enforcement point; permitting a packet flow originating from the bound network address to pass from the policy enforcement point into the network only if the bound network address is in the named group identified in one of the access control list entries that specifies that the named group is allowed access to the network; and distributing the network address of the authenticated user and information identifying one or more groups of which the authenticated user is a member to all policy enforcement points that define a security zone that encompasses the user; determining that the user has discontinued use of the client, and deleting the network address to which the user is bound from each named group of each policy enforcement point of the network.
-
Specification