
Securing network traffic by distributing policies in a hierarchy over secure tunnels

  • US 7,774,837 B2
  • Filed: 05/25/2007
  • Issued: 08/10/2010
  • Est. Priority Date: 06/14/2006
  • Status: Active Grant
First Claim

1. A method for securing message traffic in a data network by distributing security policies, the method comprising:

    at a first distribution point located at a first location, (i) determining a first security policy to be applied to a network connection, the first security policy including at least a definition of a security group and a first network device that is assigned to the security group, and (ii) forwarding the first security policy from the first distribution point to a first managing module;

    at the first managing module, (i) recording a first association between the security group and an identifier for the first distribution point, and (ii) sending a first message to a central managing module indicating that the first managing module has recorded the first association between the security group and an identifier for the first distribution point;

    at the central managing module, generating a first security group database entry based on the first message;

    at a second distribution point located at a second location, (i) determining a second security policy to be applied to a network connection, the second security policy including at least a definition of the security group and a second network device that is assigned to the security group, and (ii) forwarding the second security policy from the second distribution point to a second managing module;

    at the second managing module, (i) recording a second association between the security group and an identifier for the second distribution point, and (ii) sending a second message to the central managing module indicating that the second managing module has recorded the second association between the security group and an identifier for the second distribution point;

    at the central managing module, (i) generating a second security group database entry based on the second message, (ii) sending a third message to the first managing module indicating that the second managing module has recorded the second association between the security group and an identifier for the second distribution point, and (iii) sending a fourth message to the second managing module indicating that the first managing module has recorded the first association between the security group and an identifier for the first distribution point;

    at the first managing module, sending a fifth message to the first distribution point to add the second distribution point to the security group;

    at the second managing module, sending a sixth message to the second distribution point to add the first distribution point to the security group;

    exchanging keys between the first and second distribution points via one or more secure tunnels;

    at the first distribution point, distributing the exchanged keys to one or more security components in the first location; and

    at the second distribution point, distributing the exchanged keys to one or more security components in the second location.
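The claim above is a two-level hierarchy: each site's distribution point reports a policy to its managing module, the managing modules register the (security group, distribution point) association with a central module, the central module reflects each registration back to the other members, and only then do the distribution points run a key exchange over a pre-existing secure tunnel and hand the result to local security components. The following simulation is an added example written for this page; it is not code from the patent or its assignee. All class and identifier names (DistributionPoint, ManagingModule, CentralManagingModule, SecurityComponent, "dp-1", "finance") are assumptions, the tunnel is assumed to already provide peer authentication, and the key exchange is modelled as finite-field Diffie-Hellman in the RFC 3526 2048-bit MODP group followed by HKDF derivation, a choice made here because the claim does not specify the mechanism.

```python
import hashlib
import hmac
import secrets
from dataclasses import dataclass, field

# 2048-bit MODP group from RFC 3526 (Group 14): prime P, generator 2.
P = int("".join("""
FFFFFFFF FFFFFFFF C90FDAA2 2168C234 C4C6628B 80DC1CD1 29024E08 8A67CC74
020BBEA6 3B139B22 514A0879 8E3404DD EF9519B3 CD3A431B 302B0A6D F25F1437
4FE1356D 6D51C245 E485B576 625E7EC6 F44C42E9 A637ED6B 0BFF5CB6 F406B7ED
EE386BFB 5A899FA5 AE9F2411 7C4B1FE6 49286651 ECE45B3D C2007CB8 A163BF05
98DA4836 1C55D39A 69163FA8 FD24CF5F 83655D23 DCA3AD96 1C62F356 208552BB
9ED52907 7096966D 670C354E 4ABC9804 F1746C08 CA18217C 32905E46 2E36CE3B
E39E772C 180E8603 9B2783A2 EC07A28F B5C55DF0 6F4C52C9 DE2BCBF6 95581718
3995497C EA956AE5 15D22618 98FA0510 15728E5A 8AACAA68 FFFFFFFF FFFFFFFF
""".split()), 16)
G = 2


def hkdf_sha256(ikm, salt, info, length=32):
    """HKDF extract-then-expand (RFC 5869) with HMAC-SHA256."""
    prk = hmac.new(salt, ikm, hashlib.sha256).digest()
    okm, block, counter = b"", b"", 1
    while len(okm) < length:
        block = hmac.new(prk, block + info + bytes([counter]), hashlib.sha256).digest()
        okm, counter = okm + block, counter + 1
    return okm[:length]


@dataclass
class SecurityPolicy:        # what a distribution point determines in step (i)
    group: str               # security-group definition
    device: str              # network device assigned to that group


@dataclass
class SecurityComponent:     # hypothetical: an encryptor/gateway at one site
    name: str
    keys: dict = field(default_factory=dict)   # group -> traffic key


class DistributionPoint:
    def __init__(self, dp_id, components):
        self.dp_id, self.components, self.peers = dp_id, components, {}
        self.priv = 1 + secrets.randbelow((1 << 256) - 1)  # DH exponent; 256 bits is ample for this group

    def public(self):
        return pow(G, self.priv, P)

    def shared_secret(self, peer_pub):
        # Reject degenerate peer values (0, 1, P-1): they force a trivial, attacker-known secret.
        if not 2 <= peer_pub <= P - 2:
            raise ValueError("invalid DH public value")
        return pow(peer_pub, self.priv, P).to_bytes((P.bit_length() + 7) // 8, "big")

    def add_peer(self, group, peer_id):         # messages 5/6 from the managing module land here
        self.peers.setdefault(group, set()).add(peer_id)

    def distribute(self, group, traffic_key):   # last step: hand the key to local components
        for c in self.components:
            c.keys[group] = traffic_key


class ManagingModule:
    def __init__(self, mm_id, central):
        self.mm_id, self.central, self.dp, self.associations = mm_id, central, None, {}

    def receive_policy(self, dp, policy):
        # (i) record group -> local distribution point, (ii) report it upward (messages 1/2)
        self.dp = dp
        self.associations[policy.group] = dp.dp_id
        self.central.record(self, policy.group, dp.dp_id)

    def peer_recorded(self, group, peer_dp_id):
        # messages 3/4 from the central module become messages 5/6 to the distribution point
        self.dp.add_peer(group, peer_dp_id)


class CentralManagingModule:
    def __init__(self):
        self.db = {}   # security-group database: group -> {dp_id: managing module}

    def record(self, mm, group, dp_id):
        entry = self.db.setdefault(group, {})
        for other_dp_id, other_mm in entry.items():
            other_mm.peer_recorded(group, dp_id)       # tell existing members about the newcomer
            mm.peer_recorded(group, other_dp_id)       # tell the newcomer about each existing member
        entry[dp_id] = mm


def exchange_keys(group, dp_a, dp_b):
    """DH over the (assumed authenticated) tunnel; both sides derive one traffic key."""
    pub_a, pub_b = dp_a.public(), dp_b.public()
    transcript = hashlib.sha256(f"{group}|{dp_a.dp_id}|{pub_a}|{dp_b.dp_id}|{pub_b}".encode()).digest()
    for dp, peer_pub in ((dp_a, pub_b), (dp_b, pub_a)):
        dp.distribute(group, hkdf_sha256(dp.shared_secret(peer_pub), salt=transcript, info=b"traffic-key"))


def run_claim_flow(group="finance"):
    """Runs the whole sequence of claim 1 for two sites and returns the resulting state."""
    central = CentralManagingModule()
    dp1 = DistributionPoint("dp-1", [SecurityComponent("gw-1a"), SecurityComponent("gw-1b")])
    dp2 = DistributionPoint("dp-2", [SecurityComponent("gw-2a")])
    mm1, mm2 = ManagingModule("mm-1", central), ManagingModule("mm-2", central)
    mm1.receive_policy(dp1, SecurityPolicy(group, "router-1"))   # first location
    mm2.receive_policy(dp2, SecurityPolicy(group, "router-2"))   # second location
    if dp2.dp_id not in dp1.peers[group] or dp1.dp_id not in dp2.peers[group]:
        raise RuntimeError("membership was not reflected to both sites before key exchange")
    exchange_keys(group, dp1, dp2)
    return central, dp1, dp2
```

The point worth noticing is the ordering the claim imposes: no key material moves until the central module has told both managing modules about each other's association, so a distribution point never exchanges keys with a peer the hierarchy has not vouched for. The public-value range check in shared_secret is the check a practitioner would add whatever transport the tunnel uses; the tunnel protects confidentiality and authenticity of the exchange, but it does not stop a misbehaving peer from sending a degenerate value.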

  • 6 Assignments