Method and apparatus for selectively enforcing network security policies using group identifiers

US 7,249,374 B1
Filed: 01/22/2001
Issued: 07/24/2007
Est. Priority Date: 01/22/2001
Status: Expired due to Fees

First Claim

Patent Images

1. A method of selectively enforcing a security policy in a network, the method comprising the computer-implemented steps of:

receiving information defining one or more group lists, resource definitions, and definitions of users as members of one or more groups in the group lists, wherein the definitions include network addresses for the users, wherein the network addresses have been assigned by an address server;

creating and storing one or more access controls in a policy enforcement point device that controls access of clients to the network, wherein each of the access controls specifies that a named abstract group is allowed access to a particular resource;

receiving, from an external binding process separate from the address server, a binding of a network address to an authenticated user of one of the clients for which the policy enforcement point controls access to the network;

updating the named group to include the bound network address of the authenticated user at the policy enforcement point; and

permitting a packet flow originating from the network address to pass from the policy enforcement point into the network only if the network address is in the named group identified in one of the access controls that specifies that the named group is allowed access to the network.

View all claims

1 Assignment

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

A method and apparatus for selectively enforcing network security policy using group identifiers are disclosed. One or more access controls are created and stored in a policy enforcement point that controls access to the network, wherein each of the access controls specifies that a named group is allowed access to a particular resource. A binding of a network address to an authenticated user of a client, for which the policy enforcement point controls access to the network, is created and stored. The named group is updated to include the network address of the authenticated user at the policy enforcement point. A packet flow originating from the network address is permitted to pass from the policy enforcement point into the network only if the network address is in the named group identified in one of the access controls that specifies that the named group is allowed access to the network. Accordingly, network security may be implemented in the form of abstract groups that include specific network addresses; as a result, users may be allowed or denied access to network addresses by updating membership of the groups to include or delete the network addresses of the users, rather than by creating or deleting access controls that specifically identify the users.

Citations

18 Claims

1. A method of selectively enforcing a security policy in a network, the method comprising the computer-implemented steps of:
- receiving information defining one or more group lists, resource definitions, and definitions of users as members of one or more groups in the group lists, wherein the definitions include network addresses for the users, wherein the network addresses have been assigned by an address server;
  
  creating and storing one or more access controls in a policy enforcement point device that controls access of clients to the network, wherein each of the access controls specifies that a named abstract group is allowed access to a particular resource;
  
  receiving, from an external binding process separate from the address server, a binding of a network address to an authenticated user of one of the clients for which the policy enforcement point controls access to the network;
  
  updating the named group to include the bound network address of the authenticated user at the policy enforcement point; and
  
  permitting a packet flow originating from the network address to pass from the policy enforcement point into the network only if the network address is in the named group identified in one of the access controls that specifies that the named group is allowed access to the network.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8)
- - 2. A method as recited in claim 1, wherein the steps of creating and storing one or more access controls in a policy enforcement point that controls access to the network comprise the steps of:
    - creating and storing one or more definitions of groups in a data store;
      
      creating and storing one or more definitions of resources within a data store;
      
      creating and storing one or more access controls at the policy enforcement point, wherein each of the access controls specifies that a named group is allowed access to a particular resource, and wherein one of the access controls specifies that all other traffic is denied access to the network.
  - 3. A method as recited in claim 1, further comprising the steps of distributing the network address of the authenticated user and information identifying one or more groups of which the authenticated user is a member to all policy enforcement points of a protected network that the user seeks to access.
  - 4. A method as recited in claim 1, further comprising the steps of distributing the network address of the authenticated user and information identifying one or more groups of which the authenticated user is a member to all policy enforcement points that define a security zone that encompasses the user.
  - 5. A method as recited in claim 1, wherein the steps of receiving a binding of a network address to an authenticated user of a client for which the policy enforcement point controls access to the network comprises the steps of receiving an Internet Protocol (IP) address for the user from a network address binding resolution (NABR) process.
  - 6. A method as recited in claim 1, further comprising the steps of determining that the user has discontinued use of the client, and deleting the network address to which the user is bound from each named group of each policy enforcement point of the network.
  - 7. A method as recited in claim 1, wherein the steps of receiving a binding of a network address to an authenticated user of a client for which the policy enforcement point controls access to the network comprises the steps of receiving an Internet Protocol (IP) address for the user from an ASAP protocol process.
  - 8. A method as recited in claim 1, wherein the steps of receiving a binding of a network address to an authenticated user of a client for which the policy enforcement point controls access to the network comprises the steps of receiving an Internet Protocol (IP) address for the user from a DNS process.

9. A computer-readable medium carrying one or more sequences of instructions for selectively enforcing a security policy in a network, which instructions, when executed by one or more processors, cause the one or more processors to carry out the steps of:
- receiving information defining one or more group lists, resource definitions, and definitions of users as members of one or more groups in the group lists, wherein the definitions include network addresses for the users, wherein the network addresses have been assigned by an address server;
  
  creating and storing one or more access controls in a policy enforcement point device that controls access of clients to the network, wherein each of the access controls specifies that a named abstract group is allowed access to a particular resource;
  
  receiving, from an external binding process separate from the address server, a binding of a network address to an authenticated user of one of the clients for which the policy enforcement point controls access to the network;
  
  updating the named group to include the bound network address of the authenticated user at the policy enforcement point; and
  
  permitting a packet flow originating from the network address to pass from the policy enforcement point into the network only if the network address is in the named group identified in one of the access controls that specifies that the named group is allowed access to the network.
- View Dependent Claims (10, 11, 12, 13, 14)
- - 10. A computer-readable medium as recited in claim 9, wherein the instructions for carrying out the steps of creating and storing one or more access controls in a policy enforcement point that controls access to the network comprise instructions for carrying out the steps of:
    - creating and storing one or more definitions of groups in a data store;
      
      creating and storing one or more definitions of resources within a data store;
      
      creating and storing one or more access controls at the policy enforcement point, wherein each of the access controls specifies that a named group is allowed access to a particular resource, and wherein one of the access controls specifies that all other traffic is denied access to the network.
  - 11. A computer-readable medium as recited in claim 9, further comprising instructions which, when executed by the one or more processors, cause the one or more processors to carry out the steps of distributing the network address of the authenticated user and information identifying one or more groups of which the authenticated user is a member to all policy enforcement points of a protected network that the user seeks to access.
  - 12. A computer-readable medium as recited in claim 9, further comprising instructions which, when executed by the one or more processors, cause the one or more processors to carry out the steps of distributing the network address of the authenticated user and information identifying one or more groups of which the authenticated user is a member to all policy enforcement points that define a security zone that encompasses the user.
  - 13. A computer-readable medium as recited in claim 9, wherein the instructions for carrying out the steps of receiving a binding of a network address to an authenticated user of a client for which the policy enforcement point controls access to the network comprise instructions for carrying out the steps of performing network address binding resolution for the user.
  - 14. A computer-readable medium as recited in claim 9, further comprising instructions which, when executed by the one or more processors, cause the one or more processors to carry out the steps of determining that the user has discontinued use of the client, and deleting the network address to which the user is bound from each named group of each policy enforcement point of the network.

15. An apparatus for selectively enforcing a security policy in a network, comprising:
- means for receiving information defining one or more group lists, resource definitions, and definitions of users as members of one or more groups in the group lists, wherein the definitions include network addresses for the users, wherein the network addresses have been assigned by an address server;
  
  means for creating and storing one or more access controls in a policy enforcement point device that controls access of clients to the network, wherein each of the access controls specifies that a named abstract group is allowed access to a particular resource;
  
  means for receiving, from an external binding process separate from the address server, a binding of a network address to an authenticated user of one of the clients for which the policy enforcement point controls access to the network;
  
  means for updating the named group to include the bound network address of the authenticated user at the policy enforcement point; and
  
  means for permitting a packet flow originating from the network address to pass from the policy enforcement point into the network only if the network address is in the named group identified in one of the access controls that specifies that the named group is allowed access to the network.

16. An apparatus for selectively enforcing a security policy in a network, comprising:
- a network interface that is coupled to the data network for receiving one or more packet flows therefrom;
  
  a processor;
  
  one or more stored sequences of instructions which, when executed by the processor, cause the processor to carry out the steps of;
  
  receiving information defining one or more group lists, resource definitions, and definitions of users as members of one or more groups in the group lists, wherein the definitions include network addresses for the users, wherein the network addresses have been assigned by an address server;
  
  creating and storing one or more access controls in a policy enforcement point device that controls access of clients to the network, wherein each of the access controls specifies that a named abstract group is allowed access to a particular resource;
  
  receiving, from an external binding process separate from the address server, a binding of a network address to an authenticated user of one of the clients for which the policy enforcement point controls access to the network;
  
  updating the named group to include the bound network address of the authenticated user at the policy enforcement point; and
  
  permitting a packet flow originating from the network address to pass from the policy enforcement point into the network only if the network address is in the named group identified in one of the access controls that specifies that the named group is allowed access to the network.

17. A method of selectively enforcing a security policy in a network, the method comprising the computer-implemented steps of:
- receiving information defining one or more group lists, resource definitions, and definitions of users as members of one or more groups in the group lists, wherein the definitions include network addresses for the users, wherein the network addresses have been assigned by an address server;
  
  creating and storing one or more access control list entries in a network router that acts as a policy enforcement point device and that controls access of clients to the network, wherein each of the access control list entries specifies that a named group of users is allowed or refused access to a particular network resource;
  
  creating and storing one or more definitions of the named groups in a data store that is accessible by the network router;
  
  receiving, from an external process that can bind a user to a specific network address and that is separate from the address server, a binding of a network address to an authenticated user of one of the clients for which the router controls access to the network;
  
  updating the named group to include the bound network address of the authenticated user at the policy enforcement point; and
  
  permitting a packet flow originating from the bound network address to pass from the policy enforcement point into the network only if the bound network address is in the named group identified in one of the access control list entries that specifies that the named group is allowed access to the network.

18. A method of selectively enforcing a security policy in a network, the method comprising the computer-implemented steps of:
- receiving information defining one or more group lists, resource definitions, and definitions of users as members of one or more groups in the group lists, wherein the definitions include network addresses for the users, wherein the network addresses have been assigned by an address server;
  
  creating and storing one or more access control list entries in a network router that acts as a policy enforcement point device and that controls access of clients to the network, wherein each of the access control list entries specifies that a named group of users is allowed or refused access to a particular network resource;
  
  creating and storing one or more definitions of the named groups in a data store that is accessible by the network router;
  
  receiving, from an external process that can bind a user to a specific network address and that is separate from the address server, a binding of a network address to an authenticated user of one of the clients for which the router controls access to the network;
  
  updating the named group to include the bound network address of the authenticated user at the policy enforcement point;
  
  permitting a packet flow originating from the bound network address to pass from the policy enforcement point into the network only if the bound network address is in the named group identified in one of the access control list entries that specifies that the named group is allowed access to the network; and
  
  distributing the network address of the authenticated user and information identifying one or more groups of which the authenticated user is a member to all policy enforcement points that define a security zone that encompasses the user;
  
  determining that the user has discontinued use of the client, and deleting the network address to which the user is bound from each named group of each policy enforcement point of the network.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Cisco Technology, Inc. (Cisco Systems, Inc.)
Original Assignee
Cisco Technology, Inc. (Cisco Systems, Inc.)
Inventors
Lonvick, Christopher M., Lear, Eliot
Primary Examiner(s)
Vu; Kim
Assistant Examiner(s)
KLIMACH, PAULA W

Application Number

US09/767,284
Time in Patent Office

2,374 Days
Field of Search

713/201, 713/182, 713/200, 713/159, 713/100, 726/13, 726/22, 726/24, 726 4- 6, 709/230, 709/236, 709/203
US Class Current

726/6
CPC Class Codes

G06F 21/31   User authentication

G06F 2221/2103   Challenge-response

H04L 63/02   for separating internal fro...

H04L 63/101   Access control lists [ACL]

H04L 63/105   Multiple levels of security

Method and apparatus for selectively enforcing network security policies using group identifiers

First Claim

1 Assignment

0 Petitions

Accused Products

Abstract

Citations

18 Claims

Specification

Solutions

Use Cases

Quick Links

Method and apparatus for selectively enforcing network security policies using group identifiers

First Claim

1 Assignment

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

Citations

18 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links