System and method for enabling scalable security in a virtual private network
First Claim
1. A method executed in a data processing system for providing communication access between a first process associated with a first node and a second process associated with a second node, the method comprising:
- sending a request from the first node to an administrative machine to verify a first node identification associated with the first process;
in response to the request, receiving security context information at the first node from the administrative machine, the security context information comprising a virtual address for the first node;
appending the security context information for the first process in a process table, the process table listing a first process identifier associated with the first process executing in memory;
opening a socket between the first process and the second process;
transmitting a packet from the first process to the second process through the open socket without passing through the administrative machine, only after determining that the first process and the second process are connected by at least one of (i) a channel and (ii) a plurality of channels linked by a gateway, the packet comprising the security context information for the first process in the process table, each said channel comprising a collection of virtual links through a public network infrastructure; and
receiving the transmitted packet.
2 Assignments
0 Petitions
Accused Products
Abstract
Methods and systems consistent with the present invention provide dynamic security policies that change the granularity of the security at the node level, process level, or socket level. Specifically, a channel number and virtual address are associated with various processes included in a process table. Since a security policy is required for all processes, secure and insecure processes located on the same channel may communicate with one another. Moreover, processes located on different channels may communicate with one another by a gateway that connects both channels. This scalable blanketing security approach provides an institutionalized method for securing any process, node or socket by providing a unique mechanism for policy enforcement at runtime or by changing the security policies.
-
Citations
37 Claims
-
1. A method executed in a data processing system for providing communication access between a first process associated with a first node and a second process associated with a second node, the method comprising:
-
sending a request from the first node to an administrative machine to verify a first node identification associated with the first process; in response to the request, receiving security context information at the first node from the administrative machine, the security context information comprising a virtual address for the first node; appending the security context information for the first process in a process table, the process table listing a first process identifier associated with the first process executing in memory; opening a socket between the first process and the second process; transmitting a packet from the first process to the second process through the open socket without passing through the administrative machine, only after determining that the first process and the second process are connected by at least one of (i) a channel and (ii) a plurality of channels linked by a gateway, the packet comprising the security context information for the first process in the process table, each said channel comprising a collection of virtual links through a public network infrastructure; and receiving the transmitted packet. - View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12)
-
-
13. A method executed in a data processing system for providing secure communications between a first process associated with a first node and a second process associated with a second node, the method comprising:
-
obtaining a node identification comprising a virtual address from an administrative machine; including the node identification in a field corresponding to the first process in a process table, the process table listing a first process identifier associated with the first process executing in memory; transmitting, only after determining that the first process and the second process are connected by at least one of (i) a channel and (ii) a plurality of channels linked by a gateway, a datagram that contains the node identification from the first process to a socket, each said channel comprising a collection of virtual links through a public network infrastructure; receiving the datagram at the second process that contains the node identification and a second virtual address, without the datagram passing through the administrative machine. - View Dependent Claims (14)
-
-
15. A system for providing communication access between a first process associated with a first node corresponding to a first computer system and a second process associated with a second node corresponding to a second computer system networked via a public network infrastructure to the first computer system, the system including the first computer system and the second computer system, the first computer system comprising:
-
means for sending, across the public network, a request from the first node to an administrative machine associated with a private network to verify a first node identification associated with the first process; means for receiving security context information, in response to the request, at the first node from the administrative machine, the security context information comprising a virtual address for the first node; means for appending the security context information for the first process in a process table, the process table listing a first identifier associated with the first process executing in memory; means for opening a socket between the first process and the second process; means for determining that the first process and the second process are connected by at least one of (i) a channel and (ii) a plurality of channels linked by a gateway, each said channel comprising a collection of virtual links through a public network infrastructure; means for transmitting a packet from the first process to the second process through the open socket without passing through the administrative machine, the packet comprising the security context information for the first process in the process table; and means for receiving the transmitted packet. - View Dependent Claims (16, 17, 18, 19, 20, 21, 22, 23)
-
-
24. A system for placing a process executed in a node in a security context, comprising:
-
an administrative machine; and a sending node comprising; a transmission module that transmits a request to the administrative machine to verify a sending node identification, and receives security context information from the administrative machine in response to the request, wherein the security context information comprises a virtual address for the sending node; memory containing a process and an associated process table, the process table listing a first process identifier associated with the first process executing in memory; an appending module that appends the received security context information and the sending node identification for the process in the process table, wherein the transmission module transmits a packet from the process to a receiving node without passing through the administrative machine, only after determining that the first process and the second process are connected by at least one of (i) a channel and (ii) a plurality of channels linked by a gateway, the packet comprising the security context information for the first process in the process table, each said channel comprising a collection of virtual links through a public network infrastructure; and means for receiving the transmitted packet. - View Dependent Claims (25, 26)
-
-
27. A system for providing secure communications between a first process associated with a first node corresponding to a first computer system and a second process associated with a second node corresponding to a second computer system networked via a public network infrastructure to the first computer system, the system including the first computer system and the second computer system, the first computer system comprising:
-
means for obtaining a node identification comprising a virtual address from an administrative machine connected to the first computer system via the public network infrastructure; means for including the node identification in a field corresponding to the first process in a process table, the process table listing a first process identifier associated with the first process executing in memory; means for transmitting a datagram that contains the node identification from the first process to a socket; means for determining that the first process and the second process are connected by at least one of (i) a channel and (ii) a plurality of channels linked by a gateway, each said channel comprising a collection of virtual links through a public network infrastructure; means for receiving the datagram at the second process that contains the node identification and a second virtual address, without the datagram passing through the administrative machine; and means for accepting the transmitted packet. - View Dependent Claims (28)
-
-
29. A computer readable storage medium installable on a networked computer system in a data processing system, wherein the computer-readable storage medium includes a plurality of modules having a set of instructions which when executed by a processor of the computer system operate to control the data processing system to perform a method for providing communication access between a first process associated with a first node disposed on the computer system and a second process associated with a second node, the modules comprising:
-
a sending module for sending a request from the first node to an administrative machine to verify a first node identification associated with the first process; a receiving module for receiving security context information, in response to the request, at the first node from the administrative machine, the security context information comprising a virtual address for the first node; an appending module for appending security context information for the first process in a process table, the process table listing a first process identifier associated with the first process executing in memory; an opening module for opening a socket between the first process and the second process; a transmitting module for transmitting a packet from the first process to the second process through the open socket without passing through the administrative machine, only after determining that the first process and the second process are connected by at least one of (i) a channel and (ii) a plurality of channels linked by a gateway, the packet comprising the security context information for the first process in the process table, each said channel comprising a collection of virtual links through a public network infrastructure; and a receiving module for receiving the transmitted packet. - View Dependent Claims (30, 31, 32, 33, 34, 35, 36, 37)
-
Specification