System and method for secure group communications
Abstract
A system and method for secure group communications is provided. One embodiment provides a method for implementing a virtual private group network. The method includes creating a virtual private group definition on a policy server, establishing a plurality of secure connections between the policy server and a plurality of group nodes, sending a copy of the virtual private group definition from the policy server to the group nodes, sending a shared traffic encryption key from the policy server to each of the group nodes, and sharing secure communication information among the group nodes using the shared traffic encryption key, wherein each group node is included in the virtual private group definition.
26 Claims
1. A system for secure group communications, the system comprising:
  a communication network;
  a policy server coupled to the communication network, the policy server having a secure interface, a first security policy, and a second security policy; and
  a plurality of nodes operatively coupled to each other through the communication network, wherein the plurality of nodes includes a plurality of group nodes operatively coupled to the secure interface of the policy server through the communication network, wherein each of the plurality of group nodes includes a host computer connected to a network interface device over a bus interface, wherein:
    the host computer includes a memory; and
    the network interface device includes a processor, a cryptographic unit, a packet filter, and a memory separate from the host computer memory,
  wherein each of the group nodes is assigned to one or more virtual private groups,
  wherein the first security policy includes group membership information for each of the plurality of group nodes,
  wherein the network interface devices receive a copy of the first security policy, a copy of the second security policy, and a set of encryption keys from the policy server and store the security policies and the set of encryption keys into memory within each network interface device,
  wherein each network interface device is configured to use the first security policy, the group membership information and the encryption keys associated with the group membership information to receive information from the host computer and to securely communicate with a network interface device on another group node, and
  wherein the network interface device detects and blocks unauthorized packets sent to the group node using the packet filter as a function of the first security policy when the packets come from a group node and as a function of the second security policy when the packets come from a node that is not part of a virtual private group.
Dependent claims: 2, 3, 4, 5.
6. A virtual private group communication system, comprising:
  a communication network;
  a plurality of nodes operatively coupled to each other through the communication network;
  a policy server coupled to the communication network, the policy server having a plurality of key distribution keys; and
  one or more virtual private groups, wherein each virtual private group includes a plurality of the nodes as virtual private group nodes that are operatively coupled to the policy server through the communication network, wherein:
    each virtual private group node includes a host computer connected to a network interface device over a bus interface,
    the host computer includes a memory,
    the network interface device includes a processor, a cryptographic unit, a packet filter, and a memory separate from the host computer memory,
    each virtual private group node has virtual private group membership information, a key distribution key, and a shared traffic encryption key stored in the memory of the network interface device,
    the virtual private group membership information details the group nodes that are members of the virtual private group,
    the packet filter operates to block packets as a function of a first security policy when operating as a virtual private group node and as a function of a second security policy when not operating as a virtual private group node, and
    the virtual private group nodes are adapted to send secure data to the other virtual private group nodes within a particular virtual private group by using the shared traffic encryption keys associated with the virtual private group.
Dependent claims: 7, 8, 9, 10.
11. A system for secure communications, the system comprising:
  a network;
  a policy server system coupled to the network, the policy server system having a security policy database and a filter rule database; and
  a plurality of nodes, wherein each node is coupled to the network through a network interface device and wherein each node includes a host computer connected to the network interface device over a bus interface, wherein the host computer includes a memory and wherein the network interface device includes a processor, a cryptographic unit and a memory separate from the host computer memory and wherein each network interface device includes a packet filter,
  wherein the policy server system is configured to use the security policy database and the filter rule database to create security policy rules assigning two or more of the nodes to a virtual private group,
  wherein the policy server system is configured to transmit the security policy rules to the two or more nodes that are members of the virtual private group,
  wherein the nodes of the virtual private group are configured to use a common set of encryption keys stored in the memory of the network interface device and to communicate securely with one another by using the security policy rules and the common set of encryption keys to encrypt or decrypt data that is transmitted across the network to other members of the virtual private group, and
  wherein the nodes of the virtual private group use the packet filter in the network interface device to detect unauthorized packets as a function of a first set of security policy rules when communicating with another virtual private group member and as a function of a second set of security policy rules when communicating with a node that is not a virtual private group member.
Dependent claims: 12, 13, 14.
15. A system for secure communications between members of a virtual private group, the system comprising:
  a communications network;
  policy management means, coupled to the communications network, for managing the virtual private group and for managing a set of node security keys associated with the virtual private group and for providing security policy rules;
  group communication means, coupled to the communication network, for storing the set of node security keys and for encrypting data between members of the virtual private group by using the node security keys, wherein:
    the group communication means includes a host computer connected to the network interface device over a bus interface, wherein the host computer includes a memory,
    the network interface device includes a processor, a cryptographic unit, a packet filter, and a memory separate from the host computer memory,
    the set of node security keys are stored in the memory of the network interface device, and
    the cryptographic unit encrypts data to be transferred between members of the virtual private group using the set of node security keys stored in the memory of the network interface device;
  wherein the policy management means includes means for determining, at each node, if another node is a member of the virtual private group;
  wherein the group communication means includes means for sending encrypted data between two or more nodes of the same virtual private group;
  wherein the packet filter blocks unauthorized packets as a function of a first set of security policy rules when the group communication means is sending or receiving data between members of the same virtual private group and as a function of a second set of security policy rules when the group communication means is sending or receiving data between members of different virtual private groups.
16. A computer-readable medium having computer-executable instructions thereon for performing a method, the method comprising:
  managing a plurality of group definitions on a policy server, each group definition including a plurality of group member entries;
  establishing a secure connection between the policy server and a plurality of group members, wherein:
    each of the plurality of group members includes a host computer connected to a network interface device over a bus interface,
    the host computer includes a memory, and
    the network interface device includes a processor, a cryptographic unit, a packet filter, and a memory separate from the host computer memory;
  creating a plurality of customized group member policies based on the group member entries in the group definitions;
  securely sending a group membership key from the policy server to each of the group members;
  securely sending a traffic encryption key list from the policy server to each of the group members, wherein the traffic encryption key list contains one or more traffic encryption keys;
  securely sending the customized group member policies from the policy server to each of the corresponding group members; and
  storing the group membership key, traffic encryption key list and the customized group member policies in memory of the network interface device,
  wherein the customized group member policies include a first and a second set of group member policies applied by the packet filter of the network interface device to detect and block unauthorized packets, wherein the first set of group member policies are applied when sending or receiving data between group members.
Dependent claims: 17, 18, 19.
20. A method for securing communication within a virtual private group, the method comprising:
  providing a policy server, wherein the policy server includes a security policy database, a filter rule database and a secure interface;
  providing a plurality of nodes connected across a network, wherein each of the plurality of nodes includes a host computer connected to a network interface device over a bus interface, wherein the host computer includes a memory and wherein the network interface device includes a processor, a cryptographic unit, a packet filter to apply filter rules from the filter rule database, and a memory separate from the host computer memory, wherein the filter rule database includes a set of filter rules for each virtual private group;
  assigning two or more nodes to a first virtual private group;
  assigning two or more nodes to a second virtual private group;
  determining group member data for each virtual private group;
  establishing a secure connection between the policy server and the nodes of the first virtual private group and the nodes of the second virtual private group;
  sending the virtual private group member data for the first virtual private group from the policy server to each member of the first virtual private group;
  storing the virtual private group member data for the first virtual private group in the memory of the network interface device of each member of the first virtual private group;
  sending the virtual private group member data for the second virtual private group from the policy server to each member of the second virtual private group;
  storing the virtual private group member data for the second virtual private group in the memory of the network interface device of each member of the first virtual private group;
  sending a secure communication between two or more members of the first virtual private group utilizing the first virtual private group's member data; and
  sending a second secure communication between two or more members of the second virtual private group utilizing the second virtual private group's member data.
Dependent claims: 21, 22, 23, 24, 25, 26.
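The abstract and the independent claims above describe one architecture: a policy server that holds virtual private group (VPG) definitions, wraps a shared traffic encryption key (TEK) per group under each node's key distribution key, and pushes membership data plus two security policies to a network interface device that keeps them in its own memory and filters packets with the first policy for group-member sources and the second policy for everyone else. The following is an added, stand-alone simulation of that flow; it is not code from the patent or from any product. The class names (PolicyServer, NetworkInterface, Packet), the rule format of the two policies, the protocol labels, and the HMAC-SHA256-based encrypt-then-MAC stand-in for the cryptographic unit are all assumptions made for this example.

```python
"""Simulation of a policy server provisioning VPG nodes whose NICs apply two
filter policies. All names and the crypto stand-in are assumptions of this
example, not the patent's own design."""
import hashlib
import hmac
import os
from dataclasses import dataclass
from typing import Optional

TAG_LEN = 32


def _subkeys(key: bytes):
    # Separate keystream and MAC keys so the two HMAC uses never overlap.
    return (hmac.new(key, b"enc", hashlib.sha256).digest(),
            hmac.new(key, b"mac", hashlib.sha256).digest())


def _keystream(enc_key: bytes, nonce: bytes, length: int) -> bytes:
    # CTR-style keystream: HMAC(enc_key, nonce || counter), stand-in for a real cipher.
    out, counter = b"", 0
    while len(out) < length:
        out += hmac.new(enc_key, nonce + counter.to_bytes(4, "big"), hashlib.sha256).digest()
        counter += 1
    return out[:length]


def seal(key: bytes, nonce: bytes, plaintext: bytes, aad: bytes) -> bytes:
    """Encrypt-then-MAC; aad binds the packet header so it cannot be re-addressed."""
    enc_key, mac_key = _subkeys(key)
    ct = bytes(p ^ k for p, k in zip(plaintext, _keystream(enc_key, nonce, len(plaintext))))
    return ct + hmac.new(mac_key, aad + nonce + ct, hashlib.sha256).digest()


def open_sealed(key: bytes, nonce: bytes, blob: bytes, aad: bytes) -> Optional[bytes]:
    """Return the plaintext, or None if the tag does not verify (forged/altered packet)."""
    enc_key, mac_key = _subkeys(key)
    ct, tag = blob[:-TAG_LEN], blob[-TAG_LEN:]
    if not hmac.compare_digest(tag, hmac.new(mac_key, aad + nonce + ct, hashlib.sha256).digest()):
        return None
    return bytes(c ^ k for c, k in zip(ct, _keystream(enc_key, nonce, len(ct))))


@dataclass
class Packet:
    src: str
    dst: str
    proto: str
    payload: bytes
    group: Optional[str] = None   # VPG the sender claims; None means cleartext
    nonce: bytes = b""


class PolicyServer:
    """Holds VPG definitions, one key distribution key (KDK) per node, one TEK per group."""
    def __init__(self, groups: dict, kdks: dict):
        self.groups, self.kdks = groups, kdks          # KDKs assumed pre-shared over the secure interface
        self.teks = {g: os.urandom(32) for g in groups}
        # First policy (between group members): encryption required, app and mgmt traffic allowed.
        self.group_policy = {"require_encryption": True, "allowed": {"app", "mgmt"}}
        # Second policy (from non-members): only a narrow allow-list in the clear.
        self.outside_policy = {"require_encryption": False, "allowed": {"icmp"}}

    def provision(self, node: str) -> dict:
        """Customized bundle for one node; each TEK is wrapped under that node's KDK."""
        membership = {g: sorted(m) for g, m in self.groups.items() if node in m}
        wrapped = {}
        for g in membership:
            nonce = os.urandom(12)
            wrapped[g] = (nonce, seal(self.kdks[node], nonce, self.teks[g], g.encode()))
        return {"membership": membership, "wrapped_teks": wrapped,
                "group_policy": self.group_policy, "outside_policy": self.outside_policy}


class NetworkInterface:
    """NIC with its own memory: unwraps TEKs, encrypts for group peers, filters inbound packets."""
    def __init__(self, node: str, kdk: bytes, bundle: dict):
        self.node = node
        self.memory = {"membership": bundle["membership"], "teks": {},
                       "group_policy": bundle["group_policy"], "outside_policy": bundle["outside_policy"]}
        for g, (nonce, blob) in bundle["wrapped_teks"].items():
            tek = open_sealed(kdk, nonce, blob, g.encode())
            if tek is None:
                raise ValueError(f"{node}: TEK for group {g} failed authentication")
            self.memory["teks"][g] = tek

    def _shared_group(self, peer: str) -> Optional[str]:
        return next((g for g, m in self.memory["membership"].items() if peer in m), None)

    def send(self, dst: str, proto: str, data: bytes) -> Packet:
        """Host hands plaintext to the NIC; group peers get it sealed under the shared TEK."""
        g = self._shared_group(dst)
        if g is None:
            return Packet(self.node, dst, proto, data)
        nonce = os.urandom(12)
        aad = f"{self.node}|{dst}|{g}|{proto}".encode()
        return Packet(self.node, dst, proto, seal(self.memory["teks"][g], nonce, data, aad), g, nonce)

    def receive(self, pkt: Packet):
        """Packet filter: first policy if the source is a group member, second otherwise."""
        g = self._shared_group(pkt.src)
        policy = self.memory["group_policy"] if g else self.memory["outside_policy"]
        if pkt.proto not in policy["allowed"]:
            return "drop:proto", None
        if g is None:
            return "accept:outside", pkt.payload
        if policy["require_encryption"] and pkt.group is None:
            return "drop:unencrypted", None
        if pkt.group != g:
            return "drop:group-mismatch", None
        aad = f"{pkt.src}|{pkt.dst}|{g}|{pkt.proto}".encode()
        data = open_sealed(self.memory["teks"][g], pkt.nonce, pkt.payload, aad)
        return ("drop:auth-failed", None) if data is None else ("accept:group", data)


def demo() -> dict:
    """Constructed scenario: A and B are in VPG 'eng', C is outside. Returns filter verdicts."""
    kdks = {n: os.urandom(32) for n in "ABC"}
    server = PolicyServer({"eng": {"A", "B"}}, kdks)
    nics = {n: NetworkInterface(n, kdks[n], server.provision(n)) for n in "ABC"}
    r = {"member_ok": nics["B"].receive(nics["A"].send("B", "app", b"deploy v2")),
         "outside_icmp": nics["B"].receive(nics["C"].send("B", "icmp", b"ping"))[0],
         "outside_app": nics["B"].receive(nics["C"].send("B", "app", b"deploy v2"))[0],
         # Claims A's identity and group but was never given the TEK: tag fails under policy 1.
         "forged": nics["B"].receive(Packet("A", "B", "app", b"\x00" * 41, "eng", os.urandom(12)))[0],
         "member_plain": nics["B"].receive(Packet("A", "B", "app", b"hi"))[0]}
    return r


if __name__ == "__main__":
    for k, v in demo().items():
        print(k, v)
```

The point the claims make, and the simulation shows, is that membership is decided at the receiving NIC from policy-server data rather than from anything the packet asserts: a cleartext packet from a member address is dropped under the first policy, an app packet from a non-member is dropped under the second policy even though the same protocol is allowed between members, and a packet that claims a member identity without the TEK fails authentication.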