Method and apparatus for providing network security using role-based access control

US 7,954,163 B2
Filed: 05/05/2009
Issued: 05/31/2011
Est. Priority Date: 09/10/2003
Status: Active Grant

First Claim

Patent Images

1. A method comprising:

comparing, using a processor of a network device, a user group of a packet with a user group of a destination of said packet, whereinsaid user group of said packet is a source user group,said user group of said destination is a destination user group,said destination user group is identified by a user group identifier,said destination user group is assigned to said destination based on a role of said destination,said user group identifier is configured to be stored in a forwarding information base, said user group identifier being stored in said forwarding information base as a result of being received in a response from another network device, said response being received in response to a request sent to said another network device by said network device, andsaid user group identifier is further configured to be retrieved from said forwarding information base for use in said comparing for securing access to a network by a user based on a user'"'"'s role.

View all claims

0 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

A method and apparatus for providing network security using role-based access control is disclosed. A network device implementing such a method can include, for example, an access control list. Such an access control list includes an access control list entry, which, in turn, includes a user group field. Alternatively, a network device implementing such a method can include, for example, a forwarding table that includes a plurality of forwarding table entries. In such a case, at least one of the forwarding table entries includes a user group field.

78 Citations

View as Search Results

30 Claims

1. A method comprising:
- comparing, using a processor of a network device, a user group of a packet with a user group of a destination of said packet, whereinsaid user group of said packet is a source user group,said user group of said destination is a destination user group,said destination user group is identified by a user group identifier,said destination user group is assigned to said destination based on a role of said destination,said user group identifier is configured to be stored in a forwarding information base, said user group identifier being stored in said forwarding information base as a result of being received in a response from another network device, said response being received in response to a request sent to said another network device by said network device, andsaid user group identifier is further configured to be retrieved from said forwarding information base for use in said comparing for securing access to a network by a user based on a user'"'"'s role.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13, 14)
- - 2. The method of claim 1, whereinsaid user group of said destination of said packet is identified by a user group identifier, andsaid user group identifier is stored in a role-based access control list entry of an access control list.
  - 3. The method of claim 1, whereinsaid user group of said packet is a source user group, andsaid user group of said destination of said packet is a destination user group.
  - 4. The method of claim 3, whereinsaid source user group is assigned to a source of said packet based on a role of said source, andsaid destination user group is assigned to said destination based on a role of said destination.
  - 5. The method of claim 3, further comprising:
    - retrieving said destination user group from said forwarding information base.
  - 6. The method of claim 5, further comprising:
    - storing said destination user group in an access control list.
  - 7. The method of claim 3, whereinsaid source user group is indicated by a source user group identifier stored in said packet, andsaid destination user group is indicated by a destination user group stored in a network device receiving said packet.
  - 8. The method of claim 3, further comprising:
    - determining said source user group; and
      
      determining said destination user group by looking up said destination user group in an access control list.
  - 9. The method of claim 8, whereinsaid destination user group is identified by a destination user group identifier, andsaid destination user group identifier is stored in a role-based access control list entry of said access control list.
  - 10. The method of claim 8, whereinsaid access control list is a role-based access control list.
  - 11. The method of claim 8, wherein said determining said source user group comprises:
    - extracting a source user group identifier from said packet, whereinsaid source user group identifier identifies said source user group.
  - 12. The method of claim 11, further comprising:
    - populating said access control list with a destination user group identifier, whereinsaid destination user group identifier identifies said destination user group.
  - 13. The method of claim 12, whereinsaid destination user group is assigned to said destination based on a role of said destination.
  - 14. The method of claim 12, whereinsaid comparing and said populating are performed by a network device, andsaid populating comprisessending a request to another network device, andreceiving a response from said another network device, whereinsaid response includes a destination user group identifier, andsaid destination user group identifier identifies said destination user group.

15. A computer program product embedded in a non-transitory computer readable storage medium having a computer program recorded therein or thereon, when executed by a processor, results in a machine performing the functions for securing access to a network by a user based on a user'"'"'s role, wherein the computer program product comprising:
- a plurality of instructions, comprisinga first set of instructions, executable on a computer system, configured to compare a user group of a packet with a user group of a destination of said packet, whereinsaid user group of said packet is a source user group,said user group of said destination is a destination user group,said destination user group is identified by a user group identifier,said destination user group is assigned to said destination based on a role of said destination,said user group identifier is configured to be stored in a forwarding information base, said user group identifier being stored in said forwarding information base as a result of being received in a response from another network device, said response being received in response to a request sent to said another network device by said network device, andsaid user group identifier is further configured to be retrieved from said forwarding information base for use by said first set of instructions for use in said comparing for securing access to a network by a user based on a user'"'"'s role; and
  
  a computer readable medium, wherein said instructions are encoded in said computer readable medium.
- View Dependent Claims (16, 17, 18, 19, 20, 21, 22)
- - 16. The computer program product of claim 15, whereinsaid user group of said packet is a source user group, andsaid user group of said destination of said packet is a destination user group.
  - 17. The computer program product of claim 16, further comprising:
    - a second set of instructions, executable on said computer system, configured to retrieve said destination user group from said forwarding information base.
  - 18. The computer program product of claim 17, further comprising:
    - a third set of instructions, executable on said computer system, configured to storing said destination user group in an access control list.
  - 19. The computer program product of claim 16, further comprising:
    - a second set of instructions, executable on said computer system, configured to determine said source user group; and
      
      a third set of instructions, executable on said computer system, configured to determine said destination user group by looking up said destination user group in an access control list.
  - 20. The computer program product of claim 19 wherein said second set of instructions comprises:
    - a first subset of instructions, executable on said computer system, configured to extract a source user group identifier from said packet, whereinsaid source user group identifier identifies said source user group.
  - 21. The computer program product of claim 20, further comprising:
    - a fourth set of instructions, executable on said computer system, configured to populate said access control list with a destination user group identifier, whereinsaid destination user group identifier identifies said destination user group.
  - 22. The computer program product of claim 15, whereinsaid source user group is indicated by a source user group identifier stored in said packet, andsaid destination user group is indicated by a destination user group stored in a network device receiving said packet.

23. A network device comprising:
- a forwarding information base, whereinsaid forwarding information base is configured to store a user group identifier;
  
  means for storing said user group identifier in said forwarding information base, whereinsaid means for storing is coupled to said forwarding information base,said means for storing is responsive to said user group identifier being received in a response from another network device, andsaid network device is configured to receive said response in response to a request sent to said another network device by said network device;
  
  means for retrieving said user group identifier from said forwarding information base, whereinsaid means for retrieving is coupled to said forwarding information base; and
  
  means for comparing a user group of a packet with a user group of a destination of said packet for securing access to a network by a user based on a user'"'"'s role, whereinsaid means for comparing is coupled to said means for retrieving,said user group of said packet is a source user group,said user group of said destination is a destination user group,said destination user group is identified by said user group identifier, andsaid destination user group is assigned to said destination based on a role of said destination.
- View Dependent Claims (24, 25, 26, 27, 28, 29, 30)
- - 24. The apparatus of claim 23, whereinsaid user group of said packet is a source user group, andsaid user group of said destination of said packet is a destination user group.
  - 25. The apparatus of claim 24, further comprising:
    - means for retrieving said destination user group from said forwarding information base.
  - 26. The apparatus of claim 25, further comprising:
    - means for storing said destination user group in an access control list.
  - 27. The apparatus of claim 24, whereinsaid source user group is indicated by a source user group identifier stored in said packet, andsaid destination user group is indicated by a destination user group stored in a network device receiving said packet.
  - 28. The apparatus of claim 24, further comprising:
    - means for determining said source user group; and
      
      means for determining said destination user group by looking up said destination user group in an access control list.
  - 29. The apparatus of claim 28, wherein said means for determining said source user group comprises:
    - means for extracting a source user group identifier from said packet, wherein said source user group identifier identifies said source user group.
  - 30. The apparatus of claim 29, further comprising:
    - means for populating said access control list with a destination user group identifier, whereinsaid destination user group identifier identifies said destination user group.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Cisco Technology, Inc. (Cisco Systems, Inc.)
Original Assignee
Cisco Technology, Inc. (Cisco Systems, Inc.)
Inventors
Smith, Michael R.
Primary Examiner(s)
Chai; Longbit

Application Number

US12/435,870
Publication Number

US 20090217355A1
Time in Patent Office

756 Days
Field of Search

726/28
US Class Current

726/28
CPC Class Codes

G06F 21/6218   to a system of files or obj...

H04L 12/4645   Details on frame tagging ro...

H04L 12/4675   Dynamic sharing of VLAN inf...

H04L 45/04   Interdomain routing, e.g. h...

H04L 45/54   Organization of routing tables

H04L 45/7453   using hashing

H04L 63/08   for authentication of entit...

H04L 63/101   Access control lists [ACL]

H04L 63/105   Multiple levels of security

H04L 63/20   for managing network securi...

Method and apparatus for providing network security using role-based access control

First Claim

0 Assignments

0 Petitions

Accused Products

Abstract

78 Citations

30 Claims

Specification

Solutions

Use Cases

Quick Links

Method and apparatus for providing network security using role-based access control

First Claim

0 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

78 Citations

30 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links