Wireless network having multiple security interfaces

US 7,627,123 B2
Filed: 02/07/2005
Issued: 12/01/2009
Est. Priority Date: 02/07/2005
Status: Active Grant

First Claim

Patent Images

1. A method, performed by one or more devices of a network device, the method comprising:

mapping, by the one or more devices, wireless network identifiers to security zones;

receiving, by the one or more devices, a request from a client device to access a wireless network using a particular one of the wireless network identifiers;

authenticating, by the one or more devices, the client device;

establishing, by the one or more devices and upon successful authentication of the client device, a wireless network session with the client device;

receiving, by the one or more devices and during the established network session, network traffic from the client device, the network traffic including a destination address;

identifying, by the one or more devices, a destination zone using the destination address;

identifying, by the one or more devices, a particular one of the security zones associated with the client device based on the particular wireless network identifier;

performing, by the one or more devices, security processing on the network traffic based on the identified destination zone and the particular security zone; and

selectively forwarding, based on a result of the security processing, the network traffic to the identified destination zone.

View all claims

1 Assignment

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

A number of wireless networks are established by a network device, each wireless network having an identifier. Requests are received from client devices to establish wireless network sessions via the wireless networks using the identifiers. Network privileges of the client devices are segmented into discrete security interfaces based on the identifier used to establish each wireless network session.

Citations

9 Claims

1. A method, performed by one or more devices of a network device, the method comprising:
- mapping, by the one or more devices, wireless network identifiers to security zones;
  
  receiving, by the one or more devices, a request from a client device to access a wireless network using a particular one of the wireless network identifiers;
  
  authenticating, by the one or more devices, the client device;
  
  establishing, by the one or more devices and upon successful authentication of the client device, a wireless network session with the client device;
  
  receiving, by the one or more devices and during the established network session, network traffic from the client device, the network traffic including a destination address;
  
  identifying, by the one or more devices, a destination zone using the destination address;
  
  identifying, by the one or more devices, a particular one of the security zones associated with the client device based on the particular wireless network identifier;
  
  performing, by the one or more devices, security processing on the network traffic based on the identified destination zone and the particular security zone; and
  
  selectively forwarding, based on a result of the security processing, the network traffic to the identified destination zone.
- View Dependent Claims (2, 3, 4, 5, 6)
- - 2. The method of claim 1, where the wireless network identifiers are Service Set Identifiers (SSIDs).
  - 3. The method of claim 1, further comprising:
    - segmenting security privileges of a plurality of client devices based on the security zone mapped to the wireless network identifier used to establish wireless network sessions.
  - 4. The method of claim 1, where the performing security processing includes:
    - performing a security policy search to identify applicable security policies, andapplying the identified security policies to data packets in the network traffic.
  - 5. The method of claim 1, where the performing security processing includes:
    - performing uniform resource locator (URL) filtering for disabling access to predefined network resources.
  - 6. The method of claim 1, where the performing security processing includes:
    - performing network address translation and/or port translation to modify information in data packets in the network traffic.

7. A system comprising:
- a network device comprising;
  
  means for providing discrete wireless network interfaces, each discrete wireless network interface having an identifier associated therewith, where each identifier is associated with a discrete Internet Protocol (IP) address range,means for mapping the discrete IP address ranges to security zones,means for authenticating client devices;
  
  means for establishing, via the discrete wireless network interfaces and upon successfully authenticating the client devices, wireless network sessions with the client devices based on the discrete wireless network identifiers,means for receiving, during one of the established wireless network sessions, network traffic from one of the client devices bound for a network resource,means for identifying a source security zone for the network traffic based on an IP address of the one of the client devices and the discrete IP address range with which the IP address of the one of the client devices is associated,means for identifying a destination IP address associated with the network resource, where the destination IP address is associated with a destination security zone,means for performing security processing on the network traffic based on the identified source security zone and the destination security zone, andmeans for determining, based on a result of the security processing, whether to forward the network traffic to the destination zone.
- View Dependent Claims (8)
- - 8. The system of claim 7, where the means for performing security processing includes:
    - means for performing a security policy search to identify applicable security policies, andmeans for applying the identified security policies to data packets in the network traffic.

9. An apparatus, comprising:
- a memory to store instructions, andprocessing logic to execute the instructions to;
  
  provide discrete wireless network interfaces, each discrete wireless network interface having an identifier associated therewith,map the identifiers to a number of security zones,receive, from a client device, a request to access a discrete wireless network interface using the identifier associated with the discrete wireless network interface,perform authentication of the client device,establish, upon successful authentication of the client device, a wireless network session with the client device based on the identifier associated with the discrete wireless network interface via which the wireless network session is established,receive, during the established wireless network session, network traffic from the client device that is destined for a network resource, the network traffic including a source address associated with the client device and a destination address associated with the network resource,identify a source zone, from a number of the security zones, with which the network traffic is associated using the source address,identify a destination zone with which the network traffic is associated using the destination address,perform security processing on the network traffic based on the identified source zone and the identified destination zone, andselectively forward, based on a result of the security processing, the network traffic to the identified destination zone.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Juniper Networks Incorporated
Original Assignee
Juniper Networks Incorporated
Inventors
Mo, Ning, Conway, Adam Michael, Klarich, Lee
Primary Examiner(s)
Vu; Kimyen
Assistant Examiner(s)
SHAN, APRIL YING

Application Number

US11/051,486
Publication Number

US 20060177063A1
Time in Patent Office

1,758 Days
Field of Search

380/270, 380/247, 455/410, 455/411, 370/235
US Class Current

380/270
CPC Class Codes

H04L 63/02   for separating internal fro...

H04L 63/105   Multiple levels of security

H04L 67/14   Session management for real...

H04W 80/10   adapted for application ses...

Wireless network having multiple security interfaces

First Claim

1 Assignment

0 Petitions

Accused Products

Abstract

Citations

9 Claims

Specification

Solutions

Use Cases

Quick Links

Wireless network having multiple security interfaces

First Claim

1 Assignment

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

Citations

9 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links