Method and apparatus for passing security configuration information between a client and a security policy server

US 8,261,318 B2
Filed: 09/22/2010
Issued: 09/04/2012
Est. Priority Date: 08/22/2002
Status: Active Grant

First Claim

Patent Images

1. A method comprising:

forming a request of a security policy server for security configuration information;

causing a security gateway to (a) receive the request in an Internet Security Association and Key Management Protocol (ISAKMP) network message, (b) treat the request received in the ISAKMP network message as opaque data, and (c) send the request to the security policy server;

receiving the security configuration information from the security gateway;

using the security configuration information to establish secure network communications;

wherein causing the security gateway to receive the ISAKMP network message comprises sending the ISAKMP network message to the security gateway;

wherein causing the security gateway to treat the request received in the ISAKMP network message as opaque data comprises associating the request with a tag in the ISAKMP network message sent to the security gateway, the tag indicating that the request is to be treated as opaque data; and

wherein the method is performed by a computing device.

View all claims

0 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

Techniques for passing security configuration information between a security policy server and a client includes the client forming a request for security configuration information that configures the client for secure communications. The client is separated by an untrusted network from a trusted network that includes the security policy sever. A tag is generated that indicates a generic security configuration attribute. An Internet Security Association and Key Management Protocol (ISAKMP) configuration mode request message is sent to a security gateway on an edge of the trusted network connected to the untrusted network. The message includes the request in association with the tag. The gateway sends the request associated with the tag to the security policy server on the trusted network and does not interpret the request. The techniques allow client configuration extensions to be added by modifying the policy server or security client, or both, without modifying the gateway.

8 Citations

View as Search Results

22 Claims

1. A method comprising:
- forming a request of a security policy server for security configuration information;
  
  causing a security gateway to (a) receive the request in an Internet Security Association and Key Management Protocol (ISAKMP) network message, (b) treat the request received in the ISAKMP network message as opaque data, and (c) send the request to the security policy server;
  
  receiving the security configuration information from the security gateway;
  
  using the security configuration information to establish secure network communications;
  
  wherein causing the security gateway to receive the ISAKMP network message comprises sending the ISAKMP network message to the security gateway;
  
  wherein causing the security gateway to treat the request received in the ISAKMP network message as opaque data comprises associating the request with a tag in the ISAKMP network message sent to the security gateway, the tag indicating that the request is to be treated as opaque data; and
  
  wherein the method is performed by a computing device.
- View Dependent Claims (2, 3, 4, 10, 11, 12, 13, 22)
- - 2. A method according to claim 1, wherein receiving the security configuration information from the security gateway comprises receiving the security configuration information from the security gateway in an Internet Security Association and Key Management Protocol (ISAKMP) network message.
  - 3. A method according to claim 1, wherein forming the request of the security policy server for security configuration information comprises forming the request according to a protocol for the security policy server.
  - 4. A method according to claim 1, wherein the method further comprises performing:
    - before forming the request of the security policy server for security configuration information;
      
      forming a security policy server type request of the security policy server for security policy server type information;
      
      causing the security gateway to (a) receive the security policy server type request in an Internet Security Association and Key Management Protocol (ISAKMP) network message, (b) treat the security policy server type request as opaque data, and (c) send the security policy server type request to the security policy server;
      
      receiving the security policy server type information from the security gateway; and
      
      wherein forming the request of the security policy server for security configuration information comprises forming the request based on the security policy server type information.
  - 10. A non-transitory computer-readable medium storing processor executable instructions which, when executed by one or more processors, causes the one or more processors to perform a method according to claim 1.
  - 11. A non-transitory computer-readable medium storing processor executable instructions which, when executed by one or more processors, causes the one or more processors to perform a method according to claim 2.
  - 12. A non-transitory computer-readable medium storing processor executable instructions which, when executed by one or more processors, causes the one or more processors to perform a method according to claim 3.
  - 13. A non-transitory computer-readable medium storing processor executable instructions which, when executed by one or more processors, causes the one or more processors to perform a method according to claim 4.
  - 22. A method according to claim 1, wherein the tag comprises the value 16528 indicating that the request is to be treated as opaque data.

5. A method comprising:
- receiving, from a client, an Internet Security Association and Key Management Protocol (ISAKMP) network message comprising a request of a security policy server for security configuration information;
  
  wherein the ISAKMP network message comprises the request in association with a tag indicating that the request is to be treated as opaque data;
  
  treating the request received in the ISAKMP network message as opaque data;
  
  sending the request to the security policy server;
  
  receiving the security configuration information from the security policy server;
  
  treating the security configuration information as opaque data;
  
  sending the security configuration information to the client; and
  
  wherein the method is performed by a computing device.
- View Dependent Claims (6, 7, 14, 15, 16)
- - 6. A method according to claim 5, wherein sending the security configuration information to the client comprises sending the security configuration information to the client in an Internet Security Association and Key Management Protocol (ISAKMP) network message.
  - 7. A method according to claim 5, wherein the method further comprises:
    - before receiving, from the client, the Internet Security Association and Key Management Protocol (ISAKMP) network message comprising the request of the security policy server for security configuration information;
      
      receiving, from the client, an Internet Security Association and Key Management Protocol (ISAKMP) network message comprising a security policy server type request of the security policy server for security policy server type information;
      
      treating the security policy server type request as opaque data;
      
      sending the security policy server type request to the security policy server;
      
      receiving the security policy server type information from the security policy server;
      
      treating the security policy server type information as opaque data; and
      
      sending the security policy server type information to the client;
      
      wherein the method is performed by a computing device.
  - 14. A non-transitory computer-readable medium storing processor executable instructions which, when executed by one or more processors, causes the one or more processors to perform a method according to claim 5.
  - 15. A non-transitory computer-readable medium storing processor executable instructions which, when executed by one or more processors, causes the one or more processors to perform a method according to claim 6.
  - 16. A non-transitory computer-readable medium storing processor executable instructions which, when executed by one or more processors, causes the one or more processors to perform a method according to claim 7.

8. A method comprising:
- forming a response to a request from a client for security configuration information; and
  
  causing a security gateway to (a) receive the response in an Internet Security Association and Key Management Protocol (ISAKMP) network message, (b) treat the response received in the ISAKMP network message as opaque data, and (c) send the response to the client;
  
  wherein causing the security gateway to receive the ISAKMP network message comprises sending the ISAKMP network message to the security gateway;
  
  wherein causing the security gateway to treat the request received in the ISAKMP network message as opaque data comprises associating the request with a tag in the ISAKMP network message sent to the security gateway, the tag indicating that the request is to be treated as opaque data; and
  
  wherein the method is performed by a computing device.
- View Dependent Claims (9, 17, 18)
- - 9. A method according to claim 8, wherein the method further comprises:
    - before forming the response to the request from the client for security configuration information;
      
      forming a security policy server type response to a security policy server type request from the client for security policy server type information; and
      
      causing a security gateway to (a) receive the security policy server type response, (b) treat the security policy server type response as opaque data, and (c) send the security policy server type response to the client.
  - 17. A non-transitory computer-readable medium storing processor executable instructions which, when executed by one or more processors, causes the one or more processors to perform a method according to claim 8.
  - 18. A non-transitory computer-readable medium storing processor executable instructions which, when executed by one or more processors, causes the one or more processors to perform a method according to claim 9.

19. A security gateway computing device configured to:
- receive, from a client, an Internet Security Association and Key Management Protocol (ISAKMP) network message comprising a request of a security policy server for security configuration information;
  
  wherein the ISAKMP network message comprises the request in association with a tag indicating that the request is to be treated as opaque data;
  
  treat the request received in the ISAKMP network message as opaque data;
  
  send the request to the security policy server;
  
  receive the security configuration information from the security policy server;
  
  treat the security configuration information as opaque data; and
  
  send the security configuration information to the client.

20. A system comprising:
- a client computing device configured to;
  
  form a request of a security policy server computing device for security configuration information;
  
  send the request to a security gateway computing device in an Internet Security Association and Key Management Protocol (ISAKMP) network message; and
  
  wherein the ISAKMP network message comprises the request in association with a tag indicating that the request is to be treated as opaque data;
  
  the security gateway computing device configured to;
  
  receive the ISAKMP network message from the client computing device;
  
  treat the request received in the ISAKMP network message in the ISAKMP network message as opaque data;
  
  send the request to the security policy server computing device;
  
  receive the security configuration information from the security policy server computing device;
  
  treat the security configuration information as opaque data; and
  
  send the security configuration information to the client computing device.

21. A system comprising:
- a security gateway computing device configured to;
  
  receive, from a client, an Internet Security Association and Key Management Protocol (ISAKMP) network message comprising a request of a security policy server computing device for security configuration information;
  
  wherein the ISAKMP network message comprises the request in association with a tag indicating that the request is to be treated as opaque data;
  
  treat the request received in the ISAKMP network message as opaque data;
  
  send the request to the security policy server computing device;
  
  receive the security configuration information from the security policy server computing device;
  
  treat the security configuration information as opaque data; and
  
  send the security configuration information to the client;
  
  the security policy computing device configured to;
  
  form a response to the request from the client for security configuration information; and
  
  send the response to the security gateway computing device.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Cisco Technology, Inc. (Cisco Systems, Inc.)
Original Assignee
Cisco Technology, Inc. (Cisco Systems, Inc.)
Inventors
Huang, Geoffrey, Vilhuber, Jan
Primary Examiner(s)
Dada, Beemnet

Application Number

US12/888,289
Publication Number

US 20110016509A1
Time in Patent Office

713 Days
Field of Search

726/1, 726 11- 15, 713/153, 713/154, 713/150, 709/221, 709/225, 709/228, 709/238
US Class Current

726/1
CPC Class Codes

H04L 63/02   for separating internal fro...

H04L 63/062   for key distribution, e.g. ...

H04L 63/102   Entity profiles

H04L 63/20   for managing network securi...

H04L 67/34   involving the movement of s...

Method and apparatus for passing security configuration information between a client and a security policy server

First Claim

0 Assignments

0 Petitions

Accused Products

Abstract

8 Citations

22 Claims

Specification

Use Cases

Quick Links

Others

Method and apparatus for passing security configuration information between a client and a security policy server

First Claim

0 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

8 Citations

22 Claims

Specification

Subscription Required

Use Cases

Quick Links

Others