Wireless network having multiple security interfaces

US 8,280,058 B2
Filed: 10/23/2009
Issued: 10/02/2012
Est. Priority Date: 02/07/2005
Status: Active Grant

First Claim

Patent Images

1. A method comprising:

establishing, by a network device, a plurality of wireless network sessions between the network device and a plurality of client devices, each of the plurality of client devices transmitting data from one of a plurality of wireless networks, each one of the plurality of wireless networks being associated with one of a plurality of security zones, each of the plurality of security zones being associated with a different one of a plurality of security policies;

receiving, at the network device and from a client device of the plurality of client devices, network traffic destined for a network resource, the network traffic including a source address and a destination address, the source address being associated with a first one of the plurality of wireless networks, the destination address being associated with the network resource;

identifying, at the network device and using the source address and the destination address of the network traffic, a first security zone and a second security zone of the plurality of security zones, the first security zone being associated with the first one of the plurality of wireless networks and the second security zone being associated with a second one of the plurality of wireless networks that is associated with the destination address; and

performing, at the network device, security processing on the network traffic based on security policies, of the plurality of security policies, associated with the identified first security zone and the identified second security zone.

View all claims

0 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

A number of wireless networks are established by a network device, each wireless network having an identifier. Requests are received from client devices to establish wireless network sessions via the wireless networks using the identifiers. Network privileges of the client devices are segmented into discrete security interfaces based on the identifier used to establish each wireless network session.

Citations

20 Claims

1. A method comprising:
- establishing, by a network device, a plurality of wireless network sessions between the network device and a plurality of client devices, each of the plurality of client devices transmitting data from one of a plurality of wireless networks, each one of the plurality of wireless networks being associated with one of a plurality of security zones, each of the plurality of security zones being associated with a different one of a plurality of security policies;
  
  receiving, at the network device and from a client device of the plurality of client devices, network traffic destined for a network resource, the network traffic including a source address and a destination address, the source address being associated with a first one of the plurality of wireless networks, the destination address being associated with the network resource;
  
  identifying, at the network device and using the source address and the destination address of the network traffic, a first security zone and a second security zone of the plurality of security zones, the first security zone being associated with the first one of the plurality of wireless networks and the second security zone being associated with a second one of the plurality of wireless networks that is associated with the destination address; and
  
  performing, at the network device, security processing on the network traffic based on security policies, of the plurality of security policies, associated with the identified first security zone and the identified second security zone.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8)
- - 2. The method of claim 1, where each of the plurality of wireless networks is associated with a different one of a plurality of identifiers, each of the plurality of identifiers being associated with a different one of the plurality of security zones, andwhere performing security processing on the network traffic comprises:
    - identifying, by the network device, the security policies based on identifiers, of the plurality of identifiers, associated with the identified first security zone and the identified second security zone.
  - 3. The method of claim 1, further comprising:
    - receiving, at the network device and from another client device of the plurality of client devices, other network traffic destined for the network resource, the other network traffic including another source address and the destination address, the other source address being associated with another one of the plurality of wireless networks;
      
      identifying, at the network device and using the other source address and the destination address of the other network traffic, a third security zone of the plurality of security zones, the third security zone being associated with the other one of the plurality of wireless networks associated with the other source address; and
      
      performing, at the network device, security processing on the other network traffic based on the identified third security zone and the identified second security zone being associated with the other network traffic.
  - 4. The method of claim 3, where performing security processing comprises:
    - identifying, by the network device, the security policies based on the first security zone and the second security zone;
      
      identifying, by the network device, different security policies based on the third security zone and the second security zone;
      
      applying, by the network device, the security policies to the network traffic to determine whether to forward the network traffic to the network resource; and
      
      applying, by the network device, the different security policies to the other network traffic to determine whether to forward the other network traffic to the network resource.
  - 5. The method of claim 1, where performing security processing on the network traffic comprises:
    - selectively transmitting, by the network device, the network traffic to the network resource based on the security policies.
  - 6. The method of claim 1, further comprising:
    - establishing, by the network device and prior to establishing the plurality of network sessions, the plurality of wireless networks.
  - 7. The method of claim 1, further comprising:
    - receiving, at the network device, from each of the plurality of client devices, and prior to establishing the plurality of wireless network sessions, a request to establish a respective one of the plurality of wireless network sessions; and
      
      authenticating, by the network device, each of the plurality of client devices based on a respective one of the requests received from the plurality of client devices.
  - 8. The method of claim 1, further comprising:
    - performing, by the network device and prior to establishing each of the plurality of wireless network sessions, network level authentication on each of the plurality of client devices.

9. A device comprising:
- a memory to store instructions; and
  
  logic, implemented at least partially in hardware, to execute the instructions to;
  
  identify a plurality of identifiers, each of the plurality of identifiers being associated with a different wireless network of a plurality of wireless networks,map each of the plurality of identifiers to one of a plurality of security zones, each of the plurality of security zones being associated with a different one of a plurality of security policies,receive, during a wireless network session, network traffic from a client device, the network traffic including one of the plurality of identifiers and a destination address associated with a network resource,identify a destination security zone based on the destination address,identify a source security zone of the plurality of security zones based on the one of the plurality of identifiers included in the network traffic, andperform security processing on the network traffic based on one or more security policies, of the plurality of security policies, associated with the identified source security zone and the identified destination security zone.
- View Dependent Claims (10, 11, 12, 13)
- - 10. The device of claim 9, where the logic is further to execute the instructions to one of:
    - determine that the performed security processing permits the client device to access the network resource, ordetermine that the performed security processing does not permit the client device to access the network resource.
  - 11. The device of claim 9, where, prior to performing security processing on the network traffic, the logic is to execute the instructions to:
    - identify the one or more security policies using the identified source security zone in combination with the identified destination security zone.
  - 12. The device of claim 9, where the logic is further to execute the instructions to:
    - receive, during another wireless network session, additional network traffic from another client device, the additional network traffic including another one of the plurality of identifiers and another destination address, the other wireless network session occurring concurrently with the wireless network session,identify another destination security zone based on the other destination address associated with another network resource,identify another source security zone of the plurality of security zones based on the other one of the plurality of identifiers included in the additional network traffic, andperform security processing on the additional network traffic based on the identified other source security zone and the identified other destination security zone.
  - 13. The device of claim 12, where the logic is further to execute the instructions to:
    - determine whether the security processing performed on the additional network traffic permits the other client device to access the other network resource.

14. A non-transitory computer-readable medium comprising:
- one or more instructions which, when executed by a processor of a network device, cause the processor to establish a plurality of wireless network sessions between the network device and a plurality of client devices, each of the plurality of client devices transmitting data from one of a plurality of wireless networks, each one of the plurality of wireless networks being associated with one of a plurality of security zones, each of the plurality of security zones being associated with a different one of a plurality of security policies;
  
  one or more instructions which, when executed by the processor, cause the processor to receive, from a client device of the plurality of client devices, network traffic destined for a network resource, the network traffic including a source address and a destination address, the source address being associated with a first one of the plurality of wireless networks, the destination address being associated with the network resource;
  
  one or more instructions which, when executed by the processor, cause the processor to identify, using the source address and the destination address of the network traffic, a first security zone and a second security zone of the plurality of security zones, the first security zone being associated with the first one of the plurality of wireless networks and the second security zone being associated with a second one of the plurality of wireless networks that is associated with the destination address; and
  
  one or more instructions which, when executed by the processor, cause the processor to perform security processing on the network traffic based on security policies, of the plurality of security policies, associated with the identified first security zone and the identified second security zone.
- View Dependent Claims (15, 16, 17, 18, 19, 20)
- - 15. The non-transitory computer-readable medium of claim 14, where each of the plurality of wireless networks is associated with a different one of a plurality of identifiers, each of the plurality of identifiers being associated with a different one of the plurality of security zones, andwhere the one or more instructions to perform security processing on the network traffic comprise:
    - one or more instructions to identify the security policies based on identifiers, of the plurality of identifiers, associated with the identified first security zone and the identified second security zone.
  - 16. The non-transitory computer-readable medium of claim 14, further comprising one or more instructions which, when executed by the processor, cause the processor to:
    - receive, from another client device of the plurality of client devices, other network traffic destined for the network resource, the other network traffic including another source address and the destination address, the other source address being associated with another one of the plurality of wireless networks;
      
      identify, using the other source address and the destination address of the other network traffic, a third security zone of the plurality of security zones, the third security zone being associated with the other one of the plurality of wireless networks associated with the other source address; and
      
      perform security processing on the other network traffic based on the identified third security zone and the identified second security zone being associated with the other network traffic.
  - 17. The non-transitory computer-readable medium of claim 16, where the one or more instructions to perform security processing comprise:
    - identify the security policies based on the first security zone and the second security zone;
      
      identify different security policies based on the third security zone and the second security zone;
      
      apply the security policies to the network traffic to determine whether to forward the network traffic to the network resource; and
      
      apply the different security policies to the other network traffic to determine whether to forward the other network traffic to the network resource.
  - 18. The non-transitory computer-readable medium of claim 14, where the one or more instructions to perform security processing on the network traffic comprise:
    - one or more instructions to selectively transmit the network traffic to the network resource based on the security policies.
  - 19. The non-transitory computer-readable medium of claim 14, further comprising:
    - one or more instructions which, when executed by the processor, cause the processor to establish, prior to establishing the plurality of network sessions, the plurality of wireless networks.
  - 20. The non-transitory computer-readable medium of claim 14, further comprising one or more instructions which, when executed by the processor, cause the processor to:
    - receive, from each of the plurality of client devices, and prior to establishing the plurality of wireless network sessions, a request to establish a respective one of the plurality of wireless network sessions; and
      
      authenticate each of the plurality of client devices based on a respective one of the requests received from the plurality of client devices.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Juniper Networks Incorporated
Original Assignee
Juniper Networks Incorporated
Inventors
Conway, Adam Michael, Klarich, Lee, Mo, Ning
Primary Examiner(s)
Shan, April

Application Number

US12/604,837
Publication Number

US 20100050240A1
Time in Patent Office

1,075 Days
Field of Search

380/270, 380/247, 455/410, 455/411, 370/235
US Class Current

380/270
CPC Class Codes

H04L 63/02   for separating internal fro...

H04L 63/105   Multiple levels of security

H04L 67/14   Session management for real...

H04W 80/10   adapted for application ses...

Wireless network having multiple security interfaces

First Claim

0 Assignments

0 Petitions

Accused Products

Abstract

Citations

20 Claims

Specification

Solutions

Use Cases

Quick Links

Wireless network having multiple security interfaces

First Claim

0 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

Citations

20 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links