Securing network traffic by distributing policies in a hierarchy over secure tunnels
First Claim
1. A method for securing message traffic in a data network by distributing security policies, the method comprising:
- at a first distribution point located at a first location, (i) determining a first security policy to be applied to a network connection, the first security policy including at least a definition of a security group and a first network device that is assigned to the security group, and (ii) forwarding the first security policy from the first distribution point to a first managing module;
- at the first managing module, (i) recording a first association between the security group and an identifier for the first distribution point, and (ii) sending a first message to a central managing module indicating that the first managing module has recorded the first association between the security group and an identifier for the first distribution point;
- at the central managing module, generating a first security group database entry based on the first message;
- at a second distribution point located at a second location, (i) determining a second security policy to be applied to a network connection, the second security policy including at least a definition of the security group and a second network device that is assigned to the security group, and (ii) forwarding the second security policy from the second distribution point to a second managing module;
- at the second managing module, (i) recording a second association between the security group and an identifier for the second distribution point, and (ii) sending a second message to the central managing module indicating that the second managing module has recorded the second association between the security group and an identifier for the second distribution point;
- at the central managing module, (i) generating a second security group database entry based on the second message, (ii) sending a third message to the first managing module indicating that the second managing module has recorded the second association between the security group and an identifier for the second distribution point, and (iii) sending a fourth message to the second managing module indicating that the first managing module has recorded the first association between the security group and an identifier for the first distribution point;
- at the first managing module, sending a fifth message to the first distribution point to add the second distribution point to the security group;
- at the second managing module, sending a sixth message to the second distribution point to add the first distribution point to the security group;
- exchanging keys between the first and second distribution points via one or more secure tunnels;
- at the first distribution point, distributing the exchanged keys to one or more security components in the first location; and
- at the second distribution point, distributing the exchanged keys to one or more security components in the second location.
Abstract
A technique for securing message traffic in a data network using a protocol such as IPsec, and more particularly various methods for distributing security policies among peer entities in a network while minimizing the passing and storage of detailed policy or key information except at the lowest levels of a hierarchy.
16 Claims
8. A system for securing message traffic in a data network by distributing security policies, the system comprising:
- a first distribution point located at a first location;
- a first managing module;
- a second distribution point located at a second location;
- a second managing module; and
- a central managing module,
- the first distribution point configured to (i) determine a first security policy to be applied to a network connection, the first security policy including at least a definition of a security group and a first network device that is assigned to the security group, and (ii) forward the first security policy from the first distribution point to the first managing module,
- the first managing module configured to (i) record a first association between the security group and an identifier for the first distribution point, and (ii) send a first message to the central managing module indicating that the first managing module has recorded the first association between the security group and an identifier for the first distribution point,
- the second distribution point configured to (i) determine a second security policy to be applied to a network connection, the second security policy including at least a definition of the security group and a second network device that is assigned to the security group, and (ii) forward the second security policy from the second distribution point to the second managing module,
- the second managing module configured to (i) record a second association between the security group and an identifier for the second distribution point, and (ii) send a second message to the central managing module indicating that the second managing module has recorded the second association between the security group and an identifier for the second distribution point,
- the central managing module configured to (i) generate a first security group database entry based on the first message, (ii) generate a second security group database entry based on the second message, (iii) send a third message to the first managing module indicating that the second managing module has recorded the second association between the security group and an identifier for the second distribution point, and (iv) send a fourth message to the second managing module indicating that the first managing module has recorded the first association between the security group and an identifier for the first distribution point,
- the first and second managing modules further configured to send a fifth and sixth message, respectively, to the first distribution point to add the second distribution point to the security group and to the second distribution point to add the first distribution point to the security group, and
- the first and second distribution points further configured to exchange keys via one or more secure tunnels and to distribute the exchanged keys to one or more security components in the first and second locations, respectively.
16. A non-transitory computer-readable medium having computer-readable program codes embodied therein for securing message traffic in a data network by distributing security policies, the computer-readable medium program codes performing functions comprising:
- a routine for (i) determining a first security policy to be applied to a network connection, the first security policy including at least a definition of a security group and a first network device at a first location that is assigned to the security group, and (ii) forwarding the first security policy from a first distribution point at the first location to a first managing module;
- a routine for (i) recording a first association between the security group and an identifier for the first distribution point, and (ii) sending a first message to a central managing module indicating that the first managing module has recorded the first association between the security group and an identifier for the first distribution point;
- a routine for generating a first security group database entry based on the first message;
- a routine for (i) determining a second security policy to be applied to a network connection, the second security policy including at least a definition of the security group and a second network device at a second location that is assigned to the security group, and (ii) forwarding the second security policy from a second distribution point at the second location to a second managing module;
- a routine for (i) recording a second association between the security group and an identifier for the second distribution point, and (ii) sending a second message to the central managing module indicating that the second managing module has recorded the second association between the security group and an identifier for the second distribution point;
- a routine for (i) generating a second security group database entry based on the second message, (ii) sending a third message to the first managing module indicating that the second managing module has recorded the second association between the security group and an identifier for the second distribution point, and (iii) sending a fourth message to the second managing module indicating that the first managing module has recorded the first association between the security group and an identifier for the first distribution point;
- a routine for sending a fifth message to the first distribution point to add the second distribution point to the security group;
- a routine for sending a sixth message to the second distribution point to add the first distribution point to the security group;
- a routine for exchanging keys between the first and second distribution points via one or more secure tunnels;
- a routine for distributing the exchanged keys to one or more security components in the first location; and
- a routine for distributing the exchanged keys to one or more security components in the second location.
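As an added illustration (example code written for this page, not code from the patent or its assignee), the following Python simulation walks the message flow that claims 1, 8 and 16 describe: each distribution point forwards its policy to a managing module, the managing module records the group-to-distribution-point association and reports it upward, the central managing module keeps only a membership database and relays the third and fourth messages, the managing modules turn those into the fifth and sixth messages, and the two distribution points then exchange a key over a simulated tunnel and hand it to their local security components. It generalizes the two-location claim to any number of locations in one group. All class, function and identifier names (DistributionPoint, ManagingModule, CentralManagingModule, tunnel_exchange, DP-A, MGR-A, fw-A) are this example's own assumptions, the sample locations and devices are constructed, and the tunnel's key derivation is a placeholder for a real IPsec key exchange, which the claims do not specify.

```python
"""Simulation of the hierarchical policy/key distribution flow of claims 1, 8 and 16.
All names here are this example's own choices, not identifiers from the patent."""
import hashlib
import secrets
from dataclasses import dataclass


@dataclass(frozen=True)
class SecurityPolicy:
    group: str   # security group definition
    device: str  # network device assigned to the group


def tunnel_exchange(a, b, group):
    """Stand-in for the key exchange over the secure tunnel between two distribution
    points (a real deployment would run an IPsec key exchange here): each side adds a
    random contribution and only the two endpoints learn the resulting key."""
    lo, hi = sorted((secrets.token_bytes(16), secrets.token_bytes(16)))
    key = hashlib.sha256(group.encode() + lo + hi).digest()
    a.install_key(group, b.dp_id, key)
    b.install_key(group, a.dp_id, key)
    return key


class DistributionPoint:
    """Lowest level of the hierarchy: the only place policies and keys are stored."""
    def __init__(self, dp_id, manager, components, network):
        self.dp_id, self.manager, self.network = dp_id, manager, network
        self.policies = {}   # group -> SecurityPolicy
        self.peers = {}      # group -> set of peer dp_ids the manager has added
        self.keys = {}       # (group, peer_id) -> key
        self.components = {c: {} for c in components}  # local security components
        network[dp_id] = self  # reachability between DPs, used only by the tunnel
    def apply_policy(self, policy):
        # Determine the policy, then forward it upward to the managing module.
        self.policies[policy.group] = policy
        self.manager.receive_policy(self, policy)
    def add_peer(self, group, peer_id):
        # Fifth/sixth message: the manager adds a peer distribution point to the group.
        self.peers.setdefault(group, set()).add(peer_id)
        peer = self.network[peer_id]
        # Exchange keys once both sides have been told about each other.
        if self.dp_id in peer.peers.get(group, ()) and (group, peer_id) not in self.keys:
            tunnel_exchange(self, peer, group)
    def install_key(self, group, peer_id, key):
        self.keys[(group, peer_id)] = key
        for comp_keys in self.components.values():  # distribute to local components
            comp_keys[(group, peer_id)] = key


class ManagingModule:
    """Middle level: records group <-> distribution point associations, never keys."""
    def __init__(self, mid, central):
        self.mid, self.central = mid, central
        self.associations = {}  # group -> dp_id
        self.dps = {}           # dp_id -> DistributionPoint
        central.managers[mid] = self
    def receive_policy(self, dp, policy):
        self.dps[dp.dp_id] = dp
        self.associations[policy.group] = dp.dp_id  # record the association
        self.central.association_recorded(self.mid, policy.group, dp.dp_id)  # 1st/2nd msg
    def peer_recorded(self, group, peer_id):
        # The 3rd/4th message from the central module becomes the 5th/6th message downward.
        self.dps[self.associations[group]].add_peer(group, peer_id)


class CentralManagingModule:
    """Top level: a security group database of dp_id -> manager_id entries, nothing else."""
    def __init__(self):
        self.group_db = {}  # group -> {dp_id: manager_id}
        self.managers = {}  # manager_id -> ManagingModule
    def association_recorded(self, manager_id, group, dp_id):
        entry = self.group_db.setdefault(group, {})
        entry[dp_id] = manager_id  # generate the database entry
        for other_dp, other_mgr in entry.items():
            if other_dp != dp_id:
                self.managers[other_mgr].peer_recorded(group, dp_id)      # third message
                self.managers[manager_id].peer_recorded(group, other_dp)  # fourth message


def run_scenario(group="engineering", locations=("A", "B", "C")):
    """Runs the claimed flow for one group across N locations (constructed sample data)."""
    central, network, dps = CentralManagingModule(), {}, []
    for loc in locations:
        mgr = ManagingModule(f"MGR-{loc}", central)
        dps.append(DistributionPoint(f"DP-{loc}", mgr, [f"fw-{loc}", f"vpn-{loc}"], network))
    for dp in dps:
        dp.apply_policy(SecurityPolicy(group, f"host-{dp.dp_id}"))
    return central, dps


def verify(central, dps, group):
    """True if every pair shares one distinct key, each local component holds it, and
    the central database lists exactly the group's distribution points."""
    for a in dps:
        pair_keys = set()
        for b in (x for x in dps if x is not a):
            key = a.keys.get((group, b.dp_id))
            if key is None or key != b.keys.get((group, a.dp_id)):
                return False
            if any(ck.get((group, b.dp_id)) != key for ck in a.components.values()):
                return False
            pair_keys.add(key)
        if len(pair_keys) != len(dps) - 1:
            return False
    return set(central.group_db[group]) == {dp.dp_id for dp in dps}
```

The property the abstract stresses is visible in what each level ends up holding after `run_scenario()`: the central module's `group_db` contains only group names, distribution point identifiers and managing module identifiers; the managing modules hold group-to-identifier associations; only the distribution points and their local components hold policies and key material.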