System and method for implementing network security policies on a common network infrastructure

US 7,263,719 B2
Filed: 11/29/2000
Issued: 08/28/2007
Est. Priority Date: 05/15/2000
Status: Expired due to Term

First Claim

Patent Images

1. A secure network configured to carry data, comprising:

a plurality of network bubbles, each network bubble having a plurality of bubble partitions, each bubble partition having at least one network device configured to transmit and receive data, and wherein each of the plurality of bubble partitions is connected to at least two network control point devices to achieve high availability in the case of a failed interface or network control point device;

all of the network devices corresponding to the same respective network bubble having unrestricted network access with each other and the same network security policy that controls data movement between the network devices of different network bubbles;

a network control point having one or more network control point devices, a first network device of a first network bubble being connected to the network control point through at least one network control point device and a second network device of a second network bubble being connected to the network control point through at least one network control point device wherein the network control point applies the security policy of the first network bubble to data for the first network device and the security policy of the second network bubble to data for the second network device, wherein the security policy of the first network bubble is distinct from the security policy of the second network bubble; and

an inter-bubble device connecting the first and second network bubbles to one another and enforcing the network security policy of the first and second network bubbles.

View all claims

8 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

A secure network is provided which includes a plurality of network bubbles having a plurality of bubble partitions. Each bubble partition has at least one network device configured to transmit and receive data. All the network devices that belong to or correspond to a particular network bubble have the same network security policy. The secure network also includes a plurality of network control points, which has one or more network control point devices having at least one interface. Each bubble partition is connected to at least one network control point. The network control point is used to provide a connection between at least two network devices. Each network control point device is configured to enforce the network security policy of all the network bubbles that are connected to it. During the transmission of data from one network device to another network device, one or more network control points are traversed.

39 Citations

View as Search Results

31 Claims

1. A secure network configured to carry data, comprising:
- a plurality of network bubbles, each network bubble having a plurality of bubble partitions, each bubble partition having at least one network device configured to transmit and receive data, and wherein each of the plurality of bubble partitions is connected to at least two network control point devices to achieve high availability in the case of a failed interface or network control point device;
  
  all of the network devices corresponding to the same respective network bubble having unrestricted network access with each other and the same network security policy that controls data movement between the network devices of different network bubbles;
  
  a network control point having one or more network control point devices, a first network device of a first network bubble being connected to the network control point through at least one network control point device and a second network device of a second network bubble being connected to the network control point through at least one network control point device wherein the network control point applies the security policy of the first network bubble to data for the first network device and the security policy of the second network bubble to data for the second network device, wherein the security policy of the first network bubble is distinct from the security policy of the second network bubble; and
  
  an inter-bubble device connecting the first and second network bubbles to one another and enforcing the network security policy of the first and second network bubbles.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13, 14, 15, 16)
- - 2. A secure network as defined in claim 1, wherein each of the plurality of bubble partitions that belong to the same bubble has the same network security policy applied at each of the plurality of network control points that are connected to the plurality of bubble partitions.
  - 3. A secure network as defined in claim 1, wherein each of the plurality of bubble partitions has unrestricted network connectivity to all other bubble partitions within the same bubble.
  - 4. A secure network as defined in claim 1, wherein each of the plurality of bubble partitions is defined by an address range.
  - 5. A secure network as defined in claim 4, wherein each of the network devices in each of the plurality of bubble partitions has an address contained within the address range.
  - 6. A secure network as defined in claim 5, wherein each address exists in only one of the plurality of bubble partitions.
  - 7. A secure network as defined in claim 1, wherein each of the plurality of network control points ensures source address integrity at each bubble boundary.
  - 8. A secure network as defined in claim 1, wherein data may be transmitted between two network devices in different bubble partitions of the same network bubble without restriction by the network bubble boundaries.
  - 9. A secure network as defined in claim 1, wherein the plurality of network control points are coupled to one another and form a virtual backbone that is external to all of the plurality of network bubbles.
  - 10. A secure network as defined in claim 9, wherein each of the plurality of network control points ensure source address integrity across the virtual backbone.
  - 11. A secure network as defined in claim 1, wherein each network device connects to only one network control point.
  - 12. A secure network as defined in claim 1, wherein the total number of network control points is greater than the number of network control points connected to any one particular bubble partition.
  - 13. A secure network as defined in claim 1, wherein all data transmitted from one network device to another network device traverses only one network control point.
  - 14. A secure network as defined in claim 1, wherein all data transmitted from one network device to another network device traverses only two network control points.
  - 15. The secure network as defined in claim 1 wherein at least two of the plurality of bubble partitions associated with the first network bubble are in different geographic locations, wherein each partition connects to a different network control point device which enforces the security policy of the first network bubble for the devices in the respective partition.
  - 16. The secure network as defined in claim 1 wherein the inter-bubble device applies the network security policy of both the first network bubble and the second network bubble to move data between the first and second network bubbles.

17. A secure network configured to transmit data, comprising:
- a first and second network bubble, each network bubble having a distinct network security policy and a plurality of bubble partitions, each bubble partition having a plurality of network devices having unrestricted network access with each other and configured to transmit and receive data, wherein each of the plurality of bubble partitions is connected to at least two network control point devices to achieve high availability in the case of a failed interface or network control point device;
  
  a network control point having one or more network control point devices, a first network device of the first network bubble being connected to the network control point to which a second network device of the second bubble is also connected, wherein the network control point device applies the distinct security policy of the first bubble to data for the first network device and the distinct security policy of the second bubble to data for the second network device to control movement of data between the first and a second network bubble; and
  
  an inter-bubble device connecting the first and a second network bubble to one another and enforcing the network security policy of the first and a second network bubble.
- View Dependent Claims (18, 19, 20, 21, 22, 23, 24, 25, 26, 27, 28, 29, 30, 31)
- - 18. A secure network as defined in claim 17, wherein all data transmitted from one network device in the first network bubble to another network device in the second network bubble traverses only one network control point.
  - 19. A secure network as defined in claim 17, wherein all data transmitted from one network device in the first network bubble to another network device in the second network bubble traverses only two network control points.
  - 20. A secure network as defined in claim 17, wherein all data transmitted from one network device in the first network bubble to another network device in the second network bubble traverses more than two network control points.
  - 21. A secure network as defined in claim 17, wherein the network control point enforces source integrity for all bubble partitions that are connected to it.
  - 22. A secure network as defined in claim 17, wherein each bubble partition connects to only one network control point.
  - 23. A secure network as defined in claim 17, wherein each of the plurality of bubble partitions that belong to the same bubble has the same network security policy applied at each of the plurality of network control points that are connected to the plurality of bubble partitions.
  - 24. A secure network us defined in claim 17, wherein each of the plurality of bubble partitions has unrestricted network connectivity to all other bubble partitions within the same network bubble.
  - 25. A secure network as defined in claim 17, wherein each of the plurality of bubble partitions is defined by an address range.
  - 26. A secure network as defined in claim 25, wherein each of the plurality of network devices in each of the plurality of bubble partitions has an address contained within the address range.
  - 27. A secure network as defined in claim 26, wherein each address exists in only one of the plurality of bubble partitions.
  - 28. A secure network as defined in claim 17, wherein data may be transmitted between two network control point devices in different bubble partitions of the same network bubble without restriction by the plurality of network control points.
  - 29. A secure network as defined in claim 17, wherein the plurality of network control points are coupled to one another and form a virtual backbone that is external to the first and the second network bubble.
  - 30. A secure network as defined in claim 29, wherein each of the plurality of network control points ensure source address integrity across the virtual backbone.
  - 31. A secure network as defined in claim 17, wherein the interbubble device is connected to the first network bubble and the second network bubble without being connected to the plurality of network control points and configured to enforce the network security policy of the first and the second network bubble.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Hewlett Packard Enterprise Development LP (Hewlett-Packard Enterprise Company), Valtrus Innovations Limited (f/k/a Dolya Holdco 9 Limited) (Key Patent Innovations Limited)
Original Assignee
Hewlett-Packard Development Company, L.P. (HP Inc.)
Inventors
Jemes, Brian, Brawn, John Melvin, Garcia, Joseph, Pape, John M., Milligan, Michael, Hansell, Jeff
Primary Examiner(s)
Moise; Emmanuel L.
Assistant Examiner(s)
NGUYEN, MINH DIEU T

Application Number

US09/726,072
Publication Number

US 20010042213A1
Time in Patent Office

2,463 Days
Field of Search

713/201, 713/162, 709200-220, 726 1- 3, 726 11- 12, 726 14- 15
US Class Current

726/12
CPC Class Codes

H04L 2101/604   Address structures or formats

H04L 61/5061   Pools of addresses

H04L 63/0227   Filtering policies mail mes...

H04L 63/104   Grouping of entities

H04L 63/1466   Active attacks involving in...

H04L 69/40   for recovering from a failu...

H04L 9/40   Network security protocols

System and method for implementing network security policies on a common network infrastructure

First Claim

8 Assignments

0 Petitions

Accused Products

Abstract

39 Citations

31 Claims

Specification

Solutions

Use Cases

Quick Links

System and method for implementing network security policies on a common network infrastructure

First Claim

8 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

39 Citations

31 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links