Enforcing security groups in network of data processors
First Claim
1. A method for securing message traffic in a data network using a security protocol, comprising the steps of:
- at a Management and Policy Server (MAP) within a network:
  - determining a security policy definition to be applied to traffic in the network, the policy definition including at least a definition of traffic to be secured and parameters to be applied to the secured traffic;
- at a Key Authority Point (KAP) within the network:
  - receiving at least one security policy definition from the MAP;
  - generating one or more keys to be used in securing the traffic according to the policy definition; and
  - distributing the security policy definition and the keys to two or more peer Policy Enforcement Points (PEPs) over respective secure tunnels through the network; and
- at a PEP within the network located at a network node that is separate from both the MAP and the KAP and within a device separate from the MAP and the KAP:
  - receiving the security policy definition and the keys from the KAP over the secure tunnels through the network;
  - receiving a network traffic packet;
  - determining, based on the security policy definition, if the network traffic packet falls within the definition of traffic to be secured; and
  - applying security processing to the network traffic packet according to the keys and the parameters of the security policy definition.
Abstract
A technique for securing message traffic in a data network using various methods for distributing security policies and keys, where policy definition is determined in a Management and Policy (MAP) functional layer that is responsible for policy distribution; a separate Key Authority Point (KAP) that is responsible for key generation, key distribution, and policy distribution; and a separate Policy Enforcement Point (PEP) which is responsible for enforcing the policies and applying the keys.
27 Claims
1. (Method claim; the full text is given under First Claim above.) Dependent claims: 2 to 13.
14. A system for securing message traffic in a data network using a security protocol, comprising:
- a Management and Policy Server (MAP) within a network, the MAP including a security policy definition to be applied to traffic in the network, the policy definition including at least a definition of traffic to be secured and parameters to be applied to the secured traffic;
- a Key Authority Point (KAP) within the network, the KAP being configured to:
  - receive at least one security policy definition from the MAP;
  - generate one or more keys to be used in securing the traffic according to the policy definition; and
  - distribute the security policy definition and the keys to two or more peer Policy Enforcement Points (PEPs) over respective secure tunnels through the network; and
- a PEP within the network located at a network node that is separate from both the MAP and the KAP and within a device separate from the MAP and the KAP, the PEP being configured to:
  - receive the security policy definition and the keys from the KAP over the secure tunnels through the network;
  - receive a network traffic packet;
  - determine, based on the security policy definition, if the network traffic packet falls within the definition of traffic to be secured; and
  - apply security processing to the network traffic packet according to the keys and the parameters of the security policy definition.
Dependent claims: 15 to 26.
-
27. A non-transitory computer readable medium having computer readable program codes embodied therein for securing message traffic in a data network using a security protocol, the computer readable medium program codes performing functions comprising:
- a routine for determining, at a Management and Policy Server (MAP) within a network, a security policy definition to be applied to traffic in the network, the policy definition including at least a definition of traffic to be secured and parameters to be applied to the secured traffic;
- a routine for receiving, at a Key Authority Point (KAP) within the network, at least one security policy definition from the MAP;
- a routine for generating, at the KAP, one or more keys to be used in securing the traffic according to the policy definition;
- a routine for distributing the security policy definition and the keys from the KAP to two or more peer Policy Enforcement Points (PEPs) over respective secure tunnels through the network;
- a routine for receiving, at a PEP within the network located at a network node that is separate from both the MAP and the KAP and within a device separate from the MAP and the KAP, the security policy definition and the keys from the KAP over the secure tunnels through the network;
- a routine for receiving, at the PEP, a network traffic packet;
- a routine for determining, based on the security policy definition, if the network traffic packet falls within the definition of traffic to be secured; and
- a routine for applying security processing to the network traffic packet according to the keys and the parameters of the security policy definition.
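The MAP / KAP / PEP split that the three independent claims describe, as an added simulation that is not part of the patent or of any product implementing it: the MAP holds only policy definitions, the KAP generates one group key per policy and hands policy plus key to every peer PEP, and each PEP classifies a packet against the traffic definition before applying the processing. HMAC tagging stands in for the unspecified security protocol, the secure tunnels are modelled as direct calls, and all class names, prefixes and packet contents are assumptions.

```python
import hmac, ipaddress, itertools, os
from dataclasses import dataclass

@dataclass(frozen=True)
class Policy:                       # security policy definition as the MAP produces it
    src: str                        # traffic to be secured: source and destination prefixes
    dst: str
    mac: str                        # parameter applied to that traffic: hash for the HMAC tag
    def matches(self, src_ip, dst_ip):
        return (ipaddress.ip_address(src_ip) in ipaddress.ip_network(self.src)
                and ipaddress.ip_address(dst_ip) in ipaddress.ip_network(self.dst))

class MAP:                          # Management and Policy Server: policies only, never keys
    def __init__(self, policies):
        self.policies = list(policies)

class KAP:                          # Key Authority Point: one group key per policy
    def __init__(self, map_server, peps):
        self.keys = {p: os.urandom(32) for p in map_server.policies}
        for pep, p in itertools.product(peps, map_server.policies):
            pep.table.append((p, self.keys[p]))   # delivery over the tunnel, modelled as a call

class PEP:                          # Policy Enforcement Point on a separate node
    def __init__(self):
        self.table = []             # (policy, key) pairs received from the KAP
    def lookup(self, src_ip, dst_ip):
        return next(((p, k) for p, k in self.table if p.matches(src_ip, dst_ip)), None)
    def protect(self, src_ip, dst_ip, payload):
        hit = self.lookup(src_ip, dst_ip)
        if hit is None:             # outside every policy: forwarded unchanged
            return payload
        policy, key = hit
        return payload + hmac.new(key, payload, policy.mac).digest()
    def verify(self, src_ip, dst_ip, frame):
        hit = self.lookup(src_ip, dst_ip)
        if hit is None:
            return frame
        policy, key = hit
        n = hmac.new(key, b"", policy.mac).digest_size
        payload, tag = frame[:-n], frame[-n:]
        if not hmac.compare_digest(tag, hmac.new(key, payload, policy.mac).digest()):
            raise ValueError("integrity check failed at PEP")
        return payload

def demo():
    policy = Policy("10.1.0.0/16", "10.2.0.0/16", "sha256")
    pep_a, pep_b = PEP(), PEP()
    KAP(MAP([policy]), [pep_a, pep_b])          # both peer PEPs now hold the same key
    frame = pep_a.protect("10.1.0.5", "10.2.0.9", b"SELECT 1")   # constructed packet
    return pep_b.verify("10.1.0.5", "10.2.0.9", frame), frame != b"SELECT 1"
```

A PEP that the KAP never keyed has an empty table, so it neither tags nor checks anything and simply forwards packets unchanged.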
Specification