Enforcing security groups in network of data processors

US 8,082,574 B2
Filed: 07/23/2007
Issued: 12/20/2011
Est. Priority Date: 08/11/2006
Status: Active Grant

First Claim

Patent Images

1. A method for securing message traffic in a data network using a security protocol, comprising the steps of:

at a Management and Policy Server (MAP) within a network;

determining a security policy definition to be applied to traffic in the network, the policy definition including at least a definition of traffic to be secured and parameters to be applied to the secured traffic;

at a Key Authority Point (KAP) within the network;

receiving at least one security policy definition from the MAP;

generating one or more keys to be used in securing the traffic according to the policy definition; and

distributing the security policy definition and the keys to two or more peer Policy Enforcement Points (PEPs) over respective secure tunnels through the network; and

at a PEP within the network located at a network node that is separate from both the MAP and the KAP and within a device separate from the MAP and the KAP;

receiving the security policy definition and the keys from the KAP over the secure tunnels through the network;

receiving a network traffic packet;

determining, based on the security policy definition, if the network traffic packet falls within the definition of traffic to be secured; and

applying security processing to the network traffic packet according to the keys and the parameters of the security policy definition.

View all claims

8 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

A technique for securing message traffic in a data network using various methods for distributing security policies and keys, where policy definition is determined in a Management and Policy (MAP) functional layer that is responsible for policy distribution; a separate Key Authority Point (KAP) that is responsible for key generation, key distribution, and policy distribution; and a separate Policy Enforcement Point (PEP) which is responsible for enforcing the policies and applying the keys.

75 Citations

View as Search Results

27 Claims

1. A method for securing message traffic in a data network using a security protocol, comprising the steps of:
- at a Management and Policy Server (MAP) within a network;
  
  determining a security policy definition to be applied to traffic in the network, the policy definition including at least a definition of traffic to be secured and parameters to be applied to the secured traffic;
  
  at a Key Authority Point (KAP) within the network;
  
  receiving at least one security policy definition from the MAP;
  
  generating one or more keys to be used in securing the traffic according to the policy definition; and
  
  distributing the security policy definition and the keys to two or more peer Policy Enforcement Points (PEPs) over respective secure tunnels through the network; and
  
  at a PEP within the network located at a network node that is separate from both the MAP and the KAP and within a device separate from the MAP and the KAP;
  
  receiving the security policy definition and the keys from the KAP over the secure tunnels through the network;
  
  receiving a network traffic packet;
  
  determining, based on the security policy definition, if the network traffic packet falls within the definition of traffic to be secured; and
  
  applying security processing to the network traffic packet according to the keys and the parameters of the security policy definition.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13)
- - 2. The method of claim 1, wherein the security policy definition includes a definition of groups/communities of interest.
  - 3. The method of claim 1, wherein the security policy definition includes a definition of membership and permissions of groups.
  - 4. The method of claim 1, further comprising the step of:
    - at the MAP, authenticating each KAP and PEP.
  - 5. The method of claim 1, further comprising the step of:
    - at the MAP, providing a visualization of security groups.
  - 6. The method of claim 1, wherein distributing the security policy definition and the keys to two or more peer PEPs includes distributing the security policy definition and the keys using IPsec.
  - 7. The method of claim 1, wherein distributing the security policy definition and the keys to two or more peer PEPs includes communicating with the peer PEPs via an application programming interface (API).
  - 8. The method of claim 1, wherein the KAP monitors operation of the peer PEPs.
  - 9. The method of claim 1, wherein the MAP and the KAP are centralized on a single physical machine.
  - 10. The method of claim 1, wherein applying security processing to the network traffic packet includes encrypting the packet if it is an outbound packet and decrypting the packet if it is an inbound packet.
  - 11. The method of claim 1, further comprising the step of:
    - at the PEP, storing and processing security packet index (SPI) data associated with the packet.
  - 12. The method of claim 1, wherein the PEP is embedded in a network connected device.
  - 13. The method of claim 1, wherein the PEP is implemented as a process running on a network appliance.

14. A system for securing message traffic in a data network using a security protocol, comprising:
- a Management and Policy Server (MAP) within a network, the MAP including a security policy definition to be applied to traffic in the network, the policy definition including at least a definition of traffic to be secured and parameters to be applied to the secured traffic;
  
  a Key Authority Point (KAP) within the network, the KAP being configured to;
  
  receive at least one security policy definition from the MAP;
  
  generate one or more keys to be used in securing the traffic according to the policy definition; and
  
  distribute the security policy definition and the keys to two or more peer Policy Enforcement Points (PEPs) over respective secure tunnels through the network; and
  
  a PEP within the network located at a network node that is separate from both the MAP and the KAP and within a device separate from the MAP and the KAP, the PEP being configured to;
  
  receive the security policy definition and the keys from the KAP over the secure tunnels through the network;
  
  receive a network traffic packet;
  
  determine, based on the security policy definition, if the network traffic packet falls within the definition of traffic to be secured; and
  
  apply security processing to the network traffic packet according to the keys and the parameters of the security policy definition.
- View Dependent Claims (15, 16, 17, 18, 19, 20, 21, 22, 23, 24, 25, 26)
- - 15. The system of claim 14, wherein the security policy definition includes a definition of groups/communities of interest.
  - 16. The system of claim 14, wherein the security policy definition includes a definition of membership and permissions of groups.
  - 17. The system of claim 14, wherein the MAP is further configured to authenticate each KAP and PEP.
  - 18. The system of claim 14, wherein the MAP is further configured to provide a visualization of security groups.
  - 19. The system of claim 14, wherein the KAP is configured to distribute the security policy definition and the keys using IPsec.
  - 20. The system of claim 14, further comprising an application programming interface (API) used for communicating between the KAP and the peer PEPs.
  - 21. The system of claim 14, wherein the KAP is further configured to monitor operation of the peer PEPs.
  - 22. The system of claim 14, wherein the MAP and the KAP are centralized on a single physical machine.
  - 23. The system of claim 14, wherein the PEP is configured to encrypt the packet if it is an outbound packet and decrypt the packet if it is an inbound packet.
  - 24. The system of claim 14, wherein the PEP is further configured to store and process security packet index (SPI) data associated with the packet.
  - 25. The system of claim 14, wherein the PEP is embedded in a network connected device.
  - 26. The system of claim 14, wherein the PEP is implemented as a process running on a network appliance.

27. A non-transitory computer readable medium having computer readable program codes embodied therein for securing message traffic in a data network using a security protocol, the computer readable medium program codes performing functions comprising:
- a routine for determining, at a Management and Policy Server (MAP) within a network, a security policy definition to be applied to traffic in the network, the policy definition including at least a definition of traffic to be secured and parameters to be applied to the secured traffic;
  
  a routine for receiving, at a Key Authority Point (KAP) within the network, at least one security policy definition from the MAP;
  
  a routine for generating, at the KAP, one or more keys to be used in securing the traffic according to the policy definition;
  
  a routine for distributing the security policy definition and the keys from the KAP to two or more peer Policy Enforcement Points (PEPs) over respective secure tunnels through the network;
  
  a routine for receiving, at a PEP within the network located at a network node that is separate from both the MAP and the KAP and within a device separate from the MAP and the KAP, the security policy definition and the keys from the KAP over the secure tunnels through the network;
  
  a routine for receiving, at the PEP, a network traffic packet;
  
  a routine for determining, based on the security policy definition, if the network traffic packet falls within the definition of traffic to be secured; and
  
  a routine for applying security processing to the network traffic packet according to the keys and the parameters of the security policy definition.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Certes Networks, Inc.
Original Assignee
Certes Networks, Inc.
Inventors
McAlister, Donald K., Hoff, Brandon L., Willis, Ronald B., Starrett, Charles R.
Primary Examiner(s)
McNally, Michael S

Application Number

US11/880,890
Publication Number

US 20080040775A1
Time in Patent Office

1,611 Days
Field of Search

726/1
US Class Current

726/1
CPC Class Codes

H04L 63/0272   Virtual private networks

H04L 63/062   for key distribution, e.g. ...

H04L 63/104   Grouping of entities

H04L 63/166   at the transport layer

H04L 63/20   for managing network securi...

Enforcing security groups in network of data processors

First Claim

8 Assignments

0 Petitions

Accused Products

Abstract

75 Citations

27 Claims

Specification

Solutions

Use Cases

Quick Links

Enforcing security groups in network of data processors

First Claim

8 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

75 Citations

27 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links